CVE-2024-42861: 
NixOS vulnerability analysis and mitigation

An issue was discovered in IEEE 802.1AS linuxptp version 4.2 and earlier versions that allows a remote attacker to cause a denial of service via a crafted Pdelay_Req message to the time synchronization function. The vulnerability affects the gPTP (IEEE 802.1AS) protocol implementation when a port receives two Pdelay_Req messages with different clockID (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack requires network access but no privileges or user interaction. When exploited, it affects only the availability of the system with no impact on confidentiality or integrity (NVD).

When successfully exploited, the vulnerability causes the target's port to automatically terminate clock synchronization communication with the peer port, making the clock synchronization function unavailable for a period of time. This affects devices implementing the IEEE 802.1AS standard, particularly the time synchronization capabilities (GitHub Advisory).

Currently, there are no official fixes available for this vulnerability. The issue has been reported to affect multiple Linux distributions including Debian's bullseye, bookworm, sid, and trixie releases (Debian Tracker).

The upstream linuxptp developers have disputed the credibility of this vulnerability report (Ubuntu Security). The issue has been marked as having negligible impact by some distributions, suggesting it might be a non-security issue.