Vulnerability Note VU#853097

ntpd autokey stack buffer overflow

Original Release date: 18 May 2009 | Last revised: 12 Aug 2009

Overview

ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

Description

NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.

Solution

Apply an update

This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.


Disable autokey

This vulnerability can be mitigated by removing the crypto pw passwordline from the ntp.conf file.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Debian GNU/LinuxAffected06 May 200911 May 2009
FreeBSD, Inc.Affected06 May 200915 May 2009
Gentoo LinuxAffected07 May 200920 May 2009
Red Hat, Inc.Affected06 May 200918 May 2009
SUSE LinuxAffected06 May 200931 Jul 2009
UbuntuAffected06 May 200920 May 2009
Cray Inc.Not Affected06 May 200908 May 2009
DragonFly BSD ProjectNot Affected06 May 200907 May 2009
Hewlett-Packard CompanyNot Affected06 May 200912 Aug 2009
Juniper Networks, Inc.Not Affected06 May 200915 May 2009
Microsoft CorporationNot Affected06 May 200907 May 2009
SafeNetNot Affected12 May 200915 May 2009
The SCO GroupNot Affected06 May 200912 May 2009
Apple Computer, Inc.Unknown06 May 200906 May 2009
Conectiva Inc.Unknown06 May 200906 May 2009
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2009-1252
  • Date Public: 18 May 2009
  • Date First Published: 18 May 2009
  • Date Last Updated: 12 Aug 2009
  • Severity Metric: 9.45
  • Document Revision: 31

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.