CVE-2023-26553

Name of the Vulnerable Software and Affected Versions NTP version 4.2.8p15

Description The issue is related to an out-of-bounds write when copying the trailing number in the mstolfp() function in libntp/mstolfp.c. This can be exploited by sending a specially crafted request, potentially allowing a remote attacker to execute arbitrary code or cause a denial of service. The vulnerability specifically affects the ntpq process, a client program for monitoring NTP operations, but does not affect the ntpd process.

Recommendations For NTP version 4.2.8p15, consider disabling the mstolfp() function as a temporary workaround until a patch is available. Restrict access to the libntp/mstolfp.c module to minimize the risk of exploitation. Avoid using the mstolfp() function in the affected ntpq process until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.