Network Time Protocol Daemon (ntpd) readvar Variable Overflow RCE

Critical Nessus Plugin ID 10647


Synopsis

The remote NTP server is affected by a remote code execution vulnerability.


Description

The remote NTP server is affected by a buffer overflow condition due to improper bounds checking on the 'readvar' argument. An unauthenticated, remote attacker can exploit this, via a specially crafted request that uses an overly long argument, to execute arbitrary code with root privileges.


Solution

Disable this service if you do not use it, or check with the vendor for an upgrade to a fixed version.

Plugin Details

Severity: Critical

ID: 10647

File Name: ntp_overflow.nasl

Version: $Revision: 1.36 $

Type: remote

Published: 2001/04/10

Modified: 2016/12/07

Dependencies: 10884

Risk Information

Risk Factor: Critical


CVSS v2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C


CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: NTP/Running, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2001/04/04

Exploitable With

Metasploit (NTP Daemon readvar Buffer Overflow)

Reference Information

CVE: CVE-2001-0414

BID: 2540

OSVDB: 805

CERT: 970472

EDB-ID: 20727