CVE-2023-33192

Published: May 27, 2023

Modified: Jan 14, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3.

Vendor	Product	Versions
pendulum-project	ntpd-rs	affected `>= 0.3.0, < 0.3.3`

Weaknesses (CWE)

CWE-130

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-qwhm-h7v3-mrjx

x_refsource_CONFIRM

https://github.com/pendulum-project/ntpd-rs/pull/752

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-33192

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References