Vulnerability Note VU#853097
ntpd autokey stack buffer overflow
ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.
NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a "crypto pw password" line in the ntp.conf file, where "password" is the password that has been configured.
A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.
Apply an update
This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.
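The two conditions above (a release older than the fixed ones, and an active "crypto pw" line in ntp.conf) can be checked per host. The following is an added example, not code from the note or from the NTP project. The function names and the sample configuration are constructed, the treatment of branches other than 4.2.4 and 4.2.5 is an assumption, and whether ntpd was compiled with OpenSSL support has to be checked separately.

```python
import re

# Fixed releases named in the note: 4.2.4p7 and 4.2.5p74.
FIXED = {(4, 2, 4): 7, (4, 2, 5): 74}

def autokey_password_line(conf_text):
    """Return the 1-based number of an active 'crypto ... pw <password>' line, or None."""
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # ignore comments
        # Assumption: 'pw' may follow other crypto sub-options on the same line.
        # tokens[1:-1] requires that 'pw' is followed by a value.
        if tokens and tokens[0] == "crypto" and "pw" in tokens[1:-1]:
            return number  # the password itself is never returned or printed
    return None

def parse_version(text):
    """Extract ((major, minor, patch), p-level) from a string such as 'ntpd 4.2.4p4@1.1520-o'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no ntp version found in {text!r}")
    return tuple(int(g) for g in m.groups()[:3]), int(m.group(4) or 0)

def has_fix(version_text):
    branch, plevel = parse_version(version_text)
    if branch in FIXED:
        return plevel >= FIXED[branch]
    # Assumption: branches after 4.2.5 include the fix, earlier branches do not.
    return branch > (4, 2, 5)

def assess(version_text, conf_text):
    """Return (status, line): 'fixed', 'exposed' (unfixed + autokey), or 'unpatched'."""
    if has_fix(version_text):
        return "fixed", None
    line = autokey_password_line(conf_text)
    return ("exposed", line) if line else ("unpatched", None)

# Constructed sample ntp.conf; the password is a placeholder.
SAMPLE_CONF = """\
# constructed sample
server ntp.example.net autokey
#crypto pw oldsecret
crypto pw examplepassword
"""

if __name__ == "__main__":
    print(assess("ntpd 4.2.4p4@1.1520-o", SAMPLE_CONF))
```

A result of "unpatched" means the release lacks the fix but no active "crypto pw" line was found, so the update still applies.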
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian GNU/Linux | Affected | 06 May 2009 | 11 May 2009 |
| FreeBSD, Inc. | Affected | 06 May 2009 | 15 May 2009 |
| Gentoo Linux | Affected | 07 May 2009 | 20 May 2009 |
| Red Hat, Inc. | Affected | 06 May 2009 | 18 May 2009 |
| SUSE Linux | Affected | 06 May 2009 | 31 Jul 2009 |
| Ubuntu | Affected | 06 May 2009 | 20 May 2009 |
| Cray Inc. | Not Affected | 06 May 2009 | 08 May 2009 |
| DragonFly BSD Project | Not Affected | 06 May 2009 | 07 May 2009 |
| Hewlett-Packard Company | Not Affected | 06 May 2009 | 12 Aug 2009 |
| Juniper Networks, Inc. | Not Affected | 06 May 2009 | 15 May 2009 |
| Microsoft Corporation | Not Affected | 06 May 2009 | 07 May 2009 |
| SafeNet | Not Affected | 12 May 2009 | 15 May 2009 |
| The SCO Group | Not Affected | 06 May 2009 | 12 May 2009 |
| Apple Computer, Inc. | Unknown | 06 May 2009 | 06 May 2009 |
| Conectiva Inc. | Unknown | 06 May 2009 | 06 May 2009 |
This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.
This document was written by Will Dormann.
- CVE IDs: CVE-2009-1252
- Date Public: 18 May 2009
- Date First Published: 18 May 2009
- Date Last Updated: 12 Aug 2009
- Severity Metric: 9.45
- Document Revision: 31