Hewlett-Packard Company Information for VU#970472

Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function



Vendor Statement

HP is vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



HP has published HPSBUX0104-148   Sec. Vulnerability in xntpd(1M) which includes workarounds to protect users of HP systems running xntpd.

An except from HPSBUX0104-148 is included here:

   A. Background
     A buffer overflow has been discovered on various Unix-derived
     operating systems in its NTP daemon.  Hewlett-Packard Company
     ships xntpd on HP-UX releases and has determined that it too,
     is vulnerable.

   B. Recommended solution
     Hewlett-Packard Company recommends that xntpd be shut down
     on all systems not absolutely needing time-of-day synchronization
     with Internet standard time servers.

      On those remaining time-sensitive systems modify the default
     configuration file (/etc/ntp.conf) to use the "restrict" clause,
     to restrict all but allow some.

      We provide an example of a simple configuration.  Please refer
     to the man (1M) xntpd for further configuration details.

        # This server syncs from server and provides
       # time services to client,  yet
       # blocks all others.

        server prefer

        # allow this client full access

        # allow this server full access

        # you need both of the following for the localhost

        # block everything else
       restrict default ignore

      NOTE:  Patches are currently in development.

If you have feedback, comments, or additional information about this vulnerability, please send us email.