Hewlett-Packard Company Information for VU#970472
Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function
- Date Notified:
- Statement Date:
- Date Updated: 09 Apr 2001
HP is vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
HP has published HPSBUX0104-148, "Sec. Vulnerability in xntpd(1M)", which includes workarounds to protect users of HP systems running xntpd.
An excerpt from HPSBUX0104-148 is included here:
A buffer overflow has been discovered on various Unix-derived
operating systems in its NTP daemon. Hewlett-Packard Company
ships xntpd on HP-UX releases and has determined that it too,
B. Recommended solution
Hewlett-Packard Company recommends that xntpd be shut down
on all systems not absolutely needing time-of-day synchronization
with Internet standard time servers.
On those remaining time-sensitive systems modify the default
configuration file (/etc/ntp.conf) to use the "restrict" clause,
to restrict all but allow some.
We provide an example of a simple configuration. Please refer
to the man (1M) xntpd for further configuration details.
# This server syncs from server 220.127.116.11 and provides
# time services to client 18.104.22.168, yet
# blocks all others.
server 22.214.171.124 prefer
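# allow this client full access
restrict 18.104.22.168
# allow this server full access
restrict 22.214.171.124
# you need both of the following for the localhost
restrict <this host's IP address>
restrict 127.0.0.1
# block everything else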
restrict default ignore
NOTE: Patches are currently in development.
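A checker for the "restrict all but allow some" layout recommended above, added here as an example (it is not part of the HP bulletin or of this vulnerability note). It assumes numeric IPv4 addresses and that the most specific matching restrict entry applies; the finding names and the sample configurations are constructed.

```python
import ipaddress

def parse(conf_text):
    """Return (server addresses, [(network, flags)]) from ntp.conf text."""
    servers, rules = [], []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments
        if len(fields) < 2:
            continue
        keyword, addr, rest = fields[0], fields[1], fields[2:]
        if keyword in ("server", "peer"):
            servers.append(addr)
        elif keyword == "restrict":
            mask = "255.255.255.255"              # host entry unless a mask is given
            if addr == "default":
                addr, mask = "0.0.0.0", "0.0.0.0"
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            rules.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), set(rest)))
    return servers, rules

def flags_for(addr, rules):
    """Flags of the most specific restrict entry covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def audit(conf_text):
    """List (finding, address) pairs where the policy is not met."""
    servers, rules = parse(conf_text)
    findings = []
    default = next((f for net, f in rules if net.prefixlen == 0), None)
    if default is None or "ignore" not in default:
        findings.append(("default-open", None))   # any host can reach the daemon
    for addr in servers + ["127.0.0.1"]:
        flags = flags_for(addr, rules)
        if flags is not None and "ignore" in flags:
            findings.append(("ignored", addr))    # a needed address is being dropped
    return findings

# Constructed sample configurations (documentation addresses, not from the bulletin).
GOOD = ("server 192.0.2.1 prefer\nrestrict 192.0.2.20\nrestrict 192.0.2.1\n"
        "restrict 127.0.0.1\nrestrict default ignore\n")
LOCKED_OUT = "server 192.0.2.1 prefer\nrestrict default ignore\n"
OPEN = "server 192.0.2.1 prefer\n"

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("LOCKED_OUT", LOCKED_OUT), ("OPEN", OPEN)):
        print(name, audit(conf))
```

An empty result means the default is "ignore" and neither the configured time servers nor 127.0.0.1 fall under an ignore rule.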