ntpd vulnerability

Nounou Dadoun nounou.dadoun at avigilon.com
Mon Dec 19 18:24:31 UTC 2016 

Just saw this vulnerability come across the CERT mailing list this morning:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6301

The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.

Any plans for a patch? ... N


Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632 
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn


This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.



-----Original Message-----
From: busybox [mailto:busybox-bounces at busybox.net] On Behalf Of Nounou Dadoun
Sent: Tuesday, November 22, 2016 2:05 PM
To: busybox at busybox.net
Subject: ntpd vulnerability

Hi folks, we use BusyBox v1.22.1 currently and I'm just trying to determine whether or not busybox has the recently announced ntpd DoS vulnerability (http://www.kb.cert.org/vuls/id/633847 ) - it looks like ntpd.c is "based on" openNTPD so it's not entirely clear.  Anybody know?  Thanks .. N


Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632 
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn


This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.


_______________________________________________
busybox mailing list
busybox at busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

More information about the busybox mailing list