Name of the Vulnerable Software and Affected Versions ntpd-rs versions prior to 1.5.0

Description Two denial of service issues were found in the handling of NTS cookies in the client functionality. These issues can cause ntpd-rs to crash when an NTS source is configured and the server sends zero-sized cookies or cookies larger than the buffer size. The issues can only be exploited by configured NTS sources. For zero-sized cookies, a division by zero error occurs when calculating the number of new cookies to request. For large cookies, the buffer is too small to handle the cookie, causing an exit when attempting to write to the buffer.

Recommendations For versions prior to 1.5.0, update to the latest version to resolve the issue. If an update is impossible, only add trusted NTS sources to ntpd-rs to minimize the risk of exploitation.