US-CERT Vulnerability Notes Database

Vulnerability Note VU#970472

Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function

Overview

The ctl_getitem() function of the Network Time Protocol (NTP) daemon contains a buffer overflow. The daemon provides the accurate time reports used to synchronize the clocks on installed systems. All NTP daemons based on code maintained at the University of Delaware since NTPv2 are assumed to be at risk.

I. Description

The buffer overflow condition appears in the ctl_getitem() function in ntp_control.c, the NTP control code. Because NTP uses UDP, attacks attempting to exploit this vulnerability will likely use spoofed source addresses.

II. Impact

It has been reported that a remote intruder can execute arbitrary code with the default privileges of the running daemon, typically root. While this report is still being evaluated, crashing of the NTP daemon has been confirmed.

III. Solution

Apply patches supplied by your vendor

Until patches can be applied, the CERT/CC strongly urges affected sites to block NTP requests (123/{tcp,udp}) at their network perimeter or to disable ntpd altogether. It is unclear at this time whether using secured NTP services provides a full defense against all attacks attempting to exploit this vulnerability.
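The following triage helper is an added example, not part of the original note or of the NTP code base: it picks out which UDP/123 payloads are RFC 1305 mode 6 control messages, the message type handled by ntp_control.c, and flags malformed or unusually long requests for review while perimeter blocking or patching is in progress. The function names, the REVIEW_COUNT threshold and the sample payloads are assumptions constructed for illustration; the note does not state which field overflows, so this is not a signature for the defect.

```python
import struct

MODE_CONTROL = 6      # RFC 1305 Appendix B: NTP mode 6 is a control message
CTL_HEADER_LEN = 12   # fixed control-message header, in octets
CTL_MAX_DATA = 468    # RFC 1305 limit on the control data field
REVIEW_COUNT = 128    # assumption: local triage threshold, not from the advisory


def classify(payload: bytes) -> dict:
    """Classify one UDP/123 payload without trusting its length fields."""
    if not payload:
        return {"kind": "empty", "flags": ["empty"]}
    mode = payload[0] & 0x07
    if mode != MODE_CONTROL:
        return {"kind": "non-control", "mode": mode, "flags": []}
    if len(payload) < CTL_HEADER_LEN:
        return {"kind": "control", "flags": ["truncated-header"]}
    # R/E/M/opcode, sequence, status, association id, offset, count
    rem_op, _seq, _status, _assoc, _offset, count = struct.unpack(
        "!BHHHHH", payload[1:CTL_HEADER_LEN])
    is_request = not (rem_op & 0x80)
    flags = []
    if count > len(payload) - CTL_HEADER_LEN:
        flags.append("count-exceeds-payload")
    if count > CTL_MAX_DATA:
        flags.append("count-over-rfc-limit")
    if is_request and count > REVIEW_COUNT:
        flags.append("large-request")
    return {"kind": "control", "request": is_request,
            "opcode": rem_op & 0x1F, "count": count, "flags": flags}


def control(opcode: int, data: bytes, count=None, response=False) -> bytes:
    """Build a constructed mode 6 datagram (version 2) for the samples below."""
    rem_op = (0x80 if response else 0) | (opcode & 0x1F)
    declared = len(data) if count is None else count
    pad = b"\x00" * (-len(data) % 4)   # data field is padded to 32 bits
    return struct.pack("!BBHHHHH", (2 << 3) | MODE_CONTROL, rem_op,
                       1, 0, 0, 0, declared) + data + pad


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "client": bytes([0x1B]) + bytes(47),           # mode 3 time request
    "readvar": control(2, b"stratum,precision"),   # ordinary read-variables
    "long": control(2, bytes(300)),                # unusually long request
    "lying": control(2, b"offset", count=400),     # count larger than payload
    "short": bytes([0x16, 0x02, 0x00]),            # cut-off control header
}
```

Feed `classify()` the UDP payloads extracted from a capture of port 123 traffic; sites that do not need remote control queries can treat every inbound mode 6 request as a candidate for blocking.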

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Berkeley Software Design, Inc. | Vulnerable | | 10-Apr-2001 |
| Cisco Systems, Inc. | Unknown | | 13-Apr-2001 |
| Compaq Computer Corporation | Vulnerable | | 3-May-2001 |
| Debian Linux | Vulnerable | | 10-Apr-2001 |
| FreeBSD, Inc. | Vulnerable | | 13-Apr-2001 |
| Fujitsu | Not Vulnerable | | 6-Apr-2001 |
| Hewlett-Packard Company | Vulnerable | | 9-Apr-2001 |
| IBM Corporation | Vulnerable | | 21-May-2008 |
| Mandriva, Inc. | Vulnerable | | 6-Apr-2001 |
| NetBSD | Vulnerable | | 5-Apr-2001 |
| OpenBSD | Vulnerable | | 6-Apr-2001 |
| Red Hat, Inc. | Vulnerable | | 9-Apr-2001 |
| Slackware | Vulnerable | | 9-Apr-2001 |
| Sun Microsystems, Inc. | Vulnerable | | 31-Oct-2001 |
| SUSE Linux | Vulnerable | | 16-Apr-2001 |
| The SCO Group (SCO Linux) | Vulnerable | | 9-Apr-2001 |
| The SCO Group (SCO Unix) | Vulnerable | | 16-Apr-2001 |
| University of Delaware | Vulnerable | | 9-Apr-2001 |

References

https://www.kb.cert.org/vuls/970472
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc
http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control.c?r1+=1.1&r2=1.2
http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/net/ntp/files/patch-ntp_control.c (patch for ntp-4.0.99k)
http://www.faqs.org/rfcs/rfc1305.html
http://www.ntp.org/
http://www.securityfocus.com/bid/2540
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?type=0&doc=secbull%2F211&display=plain

Credit

The CERT/CC thanks Przemyslaw Frasunek for reporting this issue.

This document was written by Jeffrey S. Havrilla.

Other Information

Date Public: 2001-04-04
Date First Published: 2001-04-05
Date Last Updated: 2008-05-22
CERT Advisory: 
CVE-ID(s): CVE-2001-0414
NVD-ID(s): CVE-2001-0414
US-CERT Technical Alerts: 
Metric: 79.65
Document Revision: 35

Copyright 2001 Carnegie Mellon University