search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ntpd autokey stack buffer overflow

Vulnerability Note VU#853097

Original Release Date: 2009-05-18 | Last Revised: 2009-08-12

Overview

ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

Description

NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.

Solution

Apply an update

This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.


Disable autokey

This vulnerability can be mitigated by removing the crypto pw passwordline from the ntp.conf file.

Vendor Information

853097
 
Affected   Unknown   Unaffected

Debian GNU/Linux

Notified:  May 06, 2009 Updated:  May 11, 2009

Statement Date:   May 11, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  May 06, 2009 Updated:  May 15, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux

Notified:  May 07, 2009 Updated:  May 20, 2009

Statement Date:   May 20, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see http://bugs.gentoo.org/show_bug.cgi?id=268962

Red Hat, Inc.

Notified:  May 06, 2009 Updated:  May 18, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see RHSA-2009-1039.

Vendor References

Addendum

NTP authentication is not enabled by default.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux

Notified:  May 06, 2009 Updated:  July 31, 2009

Statement Date:   July 31, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

SUSE Linux is affected by the by the ntpd auto key remote overflow issue. We have released updated packages to fix this problem.

Vendor References

Ubuntu

Notified:  May 06, 2009 Updated:  May 20, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see USN-777-1.

Cray Inc.

Notified:  May 06, 2009 Updated:  May 08, 2009

Statement Date:   May 08, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Default cray configurations do not utilize autokeys and not not vulnerable.

However, the xntp rpm provided in the OS release is vulnerable if sites locally enable autokeys.

DragonFly BSD Project

Notified:  May 06, 2009 Updated:  May 07, 2009

Statement Date:   May 07, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

DragonFly ships with its own homebrew client-only version.

Hewlett-Packard Company

Notified:  May 06, 2009 Updated:  August 12, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  May 06, 2009 Updated:  May 15, 2009

Statement Date:   May 15, 2009

Status

  Not Vulnerable

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

For additional information about this or any other vulnerability report, or to report a potential security vulnerability, please contact the Juniper Security Incident Response Team at sirt@juniper.net

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  May 06, 2009 Updated:  May 07, 2009

Statement Date:   May 07, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has indicated that they do not support the Autokey feature.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SafeNet

Notified:  May 12, 2009 Updated:  May 15, 2009

Statement Date:   May 15, 2009

Status

  Not Vulnerable

Vendor Statement

SafeNet has confirmed that none of its products are subject to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  May 06, 2009 Updated:  May 12, 2009

Statement Date:   May 12, 2009

Status

  Not Vulnerable

Vendor Statement

We have checked our implementations of npt and our versions do not contain this vlunerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  May 06, 2009 Updated:  May 13, 2009

Statement Date:   May 14, 2009

Status

  Unknown

Vendor Statement

Solaris NTP implementation is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  May 06, 2009 Updated:  May 06, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 39 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC ( ntpforum.isc.org ), who in turn credits Chris Ries of CMU.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2009-1252
Severity Metric: 9.45
Date Public: 2009-05-18
Date First Published: 2009-05-18
Date Last Updated: 2009-08-12 19:01 UTC
Document Revision: 31

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.