ntpd vulnerability

Daniel Thompson daniel.thompson at linaro.org
Tue Dec 20 12:15:59 UTC 2016


On 19/12/16 18:24, Nounou Dadoun wrote:
> Just saw this vulnerability come across the CERT mailing list this morning:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6301
>
> The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.
>
> Any plans for a patch? ... N

I am a bit puzzled by this question. There are links on the CERT page 
you highlight that link directly to a patch that has been applied to 
the codebase since August.

What plans for a patch do you expect?


Daniel.


> -----Original Message-----
> From: busybox [mailto:busybox-bounces at busybox.net] On Behalf Of Nounou Dadoun
> Sent: Tuesday, November 22, 2016 2:05 PM
> To: busybox at busybox.net
> Subject: ntpd vulnerability
>
> Hi folks, we use BusyBox v1.22.1 currently and I'm just trying to determine whether or not busybox has the recently announced ntpd DoS vulnerability (http://www.kb.cert.org/vuls/id/633847 ) - it looks like ntpd.c is "based on" openNTPD so it's not entirely clear.  Anybody know?  Thanks .. N
>
>
> Nou Dadoun
> Senior Firmware Developer, Security Specialist
>
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
>


