CVE-2024-38528: Unlimited number of NTS-KE connections can crash ntpd-rs server

June 28, 2024 (updated July 2, 2024)

Missing limit for accepted NTS-KE connections allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such as the default ntpd-rs configuration, are unaffected.

References

github.com/advisories/GHSA-2xpx-vcmq-5f72
github.com/pendulum-project/ntpd-rs
github.com/pendulum-project/ntpd-rs/commit/6049687006ea5b26eeac927964b5fcc80d7bde50
github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-2xpx-vcmq-5f72
nvd.nist.gov/vuln/detail/CVE-2024-38528

Code Behaviors & Features

Detect and mitigate CVE-2024-38528 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →