CVE-2025-58066

描述

# Summary A denial of service vulnerability was discovered in ntpd-rs where an attacker can induce a message storm between two NTP servers running ntpd-rs. # Details Since ntpd-rs version 1.2.0, when configured as a server, incorrectly responded to all NTP messages sent to the server's port with a time reply, including to responses from other servers. As a consequence, a message with a spoofed IP address of another server could cause two servers running ntpd-rs to continually respond to each other, consuming significant amounts of resources. # Impact Any time server running ntpd-rs with version between 1.2.0 and 1.6.1 inclusive which allows non-NTS traffic is affected. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible. # Workarounds Should upgrading not be possible, the impact of the issue can be mitigated by: - Whitelisting access to only IP addresses of clients using the server, using the ignore filter method. - Blocking incoming non-request traffic on the NTP server port using a firewall. - Disabling public access to the vulnerable NTP server - Disabling the server functionality by removing any [server] sections from the configuration. # Acknowledgements The ntpd-rs authors thank Eric Sesterhenn from X41 D-Sec GmbH for finding and reporting this issue.

受影響套件(2)

• crates.io/ntpd-rs>= 1.2.0, < 1.6.2
• Debian/rust-ntpdfrom 0

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-58066
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-58066
• PATCHhttps://github.com/pendulum-project/ntpd-rs
• WEBhttps://github.com/pendulum-project/ntpd-rs/commit/da37cf167736cbd4d7804b1ed7ceb572468298e0
• WEBhttps://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-4855-q42w-5vr4