CVE-2024-38528

Name of the Vulnerable Software and Affected Versions nptd-rs versions prior to 1.1.3

Description The issue is related to a missing limit for accepted NTS-KE connections in nptd-rs, a tool for synchronizing computer clocks that implements the NTP and NTS protocols. This allows an unauthenticated remote attacker to crash nptd-rs when an NTS-KE server is configured. Configurations without an NTS-KE server, such as the default ntpd-rs configuration or NTP only configurations, are unaffected. A remote attacker can trigger this crash by opening a large number of parallel TCP connections to the server, potentially making the ntpd-rs daemon completely unavailable.

Recommendations For versions prior to 1.1.3, update to version 1.1.3 to resolve the issue. As a temporary workaround, consider disabling the NTS-KE server functionality to prevent exploitation. Additionally, increasing system resource limits (RLIMIT NOFILE) or lowering the key-exchange-timeout-ms configuration setting can make the attack more difficult.