CVE-2023-33192

Description

### Impact ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. ntpd-rs running purely as an ntp client is not affected. ### Patches The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3 ### Workarounds ntpd-rs running purely as an ntp client is not affected. By default, ntpd-rs packages are not configured to run as a server. For machines where serving the time is required, there is no known workaround. Users are recommended to upgrade ntpd-rs as soon as possible. ### References https://github.com/pendulum-project/ntpd-rs/pull/752 We would like to thank @mlichvar for identifying this issue

How to fix CVE-2023-33192

To remediate CVE-2023-33192, upgrade the affected package to a fixed version below.

• —upgrade to 0.3.3 or later

Is CVE-2023-33192 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 0.3.0, < 0.3.3

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-33192
• PATCHgithub.com/pendulum-project/ntpd-rs
• WEBgithub.com/pendulum-project/ntpd-rs/pull/752
• WEBgithub.com/pendulum-project/ntpd-rs/releases/tag/v0.3.3