Hewlett-Packard Company Information for VU#970472

Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function

Status

Affected

Vendor Statement

HP is vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

HP has published HPSBUX0104-148   Sec. Vulnerability in xntpd(1M) which includes workarounds to protect users of HP systems running xntpd.

An except from HPSBUX0104-148 is included here:

   A. Background
     A buffer overflow has been discovered on various Unix-derived
     operating systems in its NTP daemon.  Hewlett-Packard Company
     ships xntpd on HP-UX releases and has determined that it too,
     is vulnerable.

   B. Recommended solution
     Hewlett-Packard Company recommends that xntpd be shut down
     on all systems not absolutely needing time-of-day synchronization
     with Internet standard time servers.

      On those remaining time-sensitive systems modify the default
     configuration file (/etc/ntp.conf) to use the "restrict" clause,
     to restrict all but allow some.

      We provide an example of a simple configuration.  Please refer
     to the man (1M) xntpd for further configuration details.

        # This server syncs from server 192.255.2.3 and provides
       # time services to client 192.27.16.30,  yet
       # blocks all others.

        server 192.255.2.3 prefer
       server 127.127.1.1

        # allow this client full access
       restrict 192.27.16.30

        # allow this server full access
       restrict 192.255.2.3

        # you need both of the following for the localhost
       restrict 127.0.0.1
       restrict 127.127.1.1

        # block everything else
       restrict default ignore

      NOTE:  Patches are currently in development.

If you have feedback, comments, or additional information about this vulnerability, please send us email.