GHSA-v83q-83hj-rw38: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-v83q-83hj-rw38) affects ntpd-rs versions prior to 1.5.0, specifically related to the Network Time Security (NTS) client functionality. The issue was discovered and disclosed on February 28, 2025, affecting the cargo package ntpd (Rust). The vulnerability involves two denial of service conditions that can occur when handling NTS cookies in the client functionality (GitHub Advisory).

The vulnerability consists of two distinct issues: 1) A division by zero vulnerability that occurs when processing zero-sized cookies during the calculation of new cookies to be requested, and 2) A buffer overflow condition that occurs when handling cookies larger than the buffer size. The vulnerability has been assigned a CVSS v4 score of 5.3 (Moderate), with attack vector being Network, attack complexity Low, and requiring no privileges or special requirements (GitHub Advisory).

When successfully exploited, these vulnerabilities can cause ntpd-rs to crash, resulting in a denial of service condition. The impact is limited to availability, with no effects on confidentiality or integrity. It's important to note that only configured NTS sources can exploit these vulnerabilities, while regular NTP sources or non-configured third parties cannot (GitHub Advisory).

The vulnerabilities have been patched in ntpd-rs version 1.5.0. The fix includes adding a check to prevent division by zero for zero-sized cookies and implementing a limit that prevents accepting cookies larger than 350 bytes. For users unable to update, it is recommended to only add trusted NTS sources to ntpd-rs to prevent potential abuse (GitHub Advisory).