
DOE-CIRC TECHNICAL BULLETIN

T-138: NTP 'ntpd' Autokey and ntpq Stack Buffer Overflow Vulnerability

[CVE-2009-1252]

May 19, 2009 14:00 GMT

PROBLEM: ntpd and ntpq suffer from stack buffer overflow vulnerabilities.
PLATFORM: Red Hat Enterprise Linux (v. 5 server), Red Hat Enterprise Linux Desktop (v. 5 client), Red Hat Enterprise Linux EUS (v. 5.3.z server), and earlier versions.
ABSTRACT: ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-138.shtml
  OTHER LINKS:
    Red Hat Website
    https://rhn.redhat.com/errata/RHSA-2009-1039.html
    Security Focus Website
    http://www.securityfocus.com/bid/35017/info
    http://www.securityfocus.com/bid/34481/info

CVE: CVE-2009-1252

IMPACT ASSESSMENT: The rating is medium. While no exploit is known in the wild at this time, NTP is widely deployed. Red Hat rates the updates as critical.

[***** Start CVE-2009-1252 *****]

Discussion:
NTP (Network Time Protocol) is a method by which client machines synchronize their local date and time with a reference
server. ntpd, the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The
vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is
reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a "crypto pw password" line in
the ntp.conf file, where password is the password that has been configured.
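The defect class described above is an unbounded sprintf() into a fixed-size stack buffer. The following C program is an added illustration written for this bulletin, not code from ntpd; the buffer size REPLY_BUF, the format string and the function names are hypothetical. It measures what sprintf() would have written (without performing the write) so the overflow condition can be observed safely, and sets it beside the bounded snprintf() pattern that rejects a reply that does not fit.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stack buffer size; the real crypto_recv() buffer is not
 * described in the bulletin. */
#define REPLY_BUF 64

/* Number of bytes a formatted write WOULD produce (excluding the NUL).
 * vsnprintf with a NULL, zero-length destination only measures. */
static int needed_length(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* The unsafe pattern, sprintf(), trusts that the arguments fit the buffer.
 * Instead of performing the write, report whether it would have overrun
 * a buffer of bufsize bytes (1 = overflow, 0 = fits). */
int unbounded_would_overflow(size_t bufsize, const char *value)
{
    int n = needed_length("%s: %s", "autokey", value);
    return n < 0 || (size_t)n + 1 > bufsize;   /* +1 for the terminating NUL */
}

/* The hardened pattern: bound the write, detect truncation, and treat a
 * value that does not fit as an error (return -1, buffer emptied) instead
 * of continuing with a partial or overrun result. Returns bytes written. */
int bounded_format(char *dst, size_t dstsize, const char *value)
{
    int n = snprintf(dst, dstsize, "%s: %s", "autokey", value);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';          /* discard the truncated result */
        return -1;              /* caller should drop the packet */
    }
    return n;
}

int main(void)
{
    char buf[REPLY_BUF];
    char crafted[200];                          /* constructed oversized field */
    memset(crafted, 'A', sizeof crafted - 1);
    crafted[sizeof crafted - 1] = '\0';

    printf("short value would overflow: %d\n", unbounded_would_overflow(REPLY_BUF, "ok"));
    printf("long value would overflow:  %d\n", unbounded_would_overflow(REPLY_BUF, crafted));
    printf("bounded, short value: %d\n", bounded_format(buf, sizeof buf, "ok"));
    printf("bounded, long value:  %d\n", bounded_format(buf, sizeof buf, crafted));
    return 0;
}
```

The point of the bounded form is not only the size argument: the return value of snprintf() must be checked, because a silently truncated field is still a logic error even though it no longer corrupts the stack.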

A buffer overflow flaw was found in the ntpq diagnostic command. A
malicious, remote server could send a specially-crafted reply to an ntpq
request that could crash ntpq or, potentially, execute arbitrary code with
the privileges of the user running the ntpq command. (CVE-2009-0159)

Note:
This vulnerability was reported earlier (May 6, 2009), and most Linux distributions released patched versions at that
time. Red Hat has now released patches for RHEL 5 and RHEL 4. Prompt patching is advised, as the patch code has been
available to reverse engineer for nearly two weeks.
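Because the Discussion section ties exposure to a "crypto pw" line in ntp.conf, a host's configuration can be triaged for that indicator while patches are being rolled out. The program below is an added example, not part of the bulletin or the NTP project: it scans the text of an ntp.conf, ignores comments, and reports whether an active crypto directive carrying the pw option is present. The sample configurations are constructed inline, and the password values in them are placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if one configuration line is an active "crypto ... pw ..."
 * directive. Text after '#' is a comment and is ignored. */
static int line_enables_autokey(const char *line, size_t len)
{
    const char *end = line + len;
    const char *hash = memchr(line, '#', len);
    if (hash)
        end = hash;

    /* The first token must be the "crypto" keyword. */
    const char *p = line;
    while (p < end && isspace((unsigned char)*p)) p++;
    const char *t = p;
    while (p < end && !isspace((unsigned char)*p)) p++;
    if ((size_t)(p - t) != 6 || memcmp(t, "crypto", 6) != 0)
        return 0;

    /* Any later token equal to "pw" marks the autokey password option. */
    while (p < end) {
        while (p < end && isspace((unsigned char)*p)) p++;
        t = p;
        while (p < end && !isspace((unsigned char)*p)) p++;
        if ((size_t)(p - t) == 2 && memcmp(t, "pw", 2) == 0)
            return 1;
    }
    return 0;
}

/* Scan the full contents of an ntp.conf (as one string) and return 1 if
 * any line enables autokey, 0 otherwise. */
int config_enables_autokey(const char *conf)
{
    const char *p = conf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_enables_autokey(p, len))
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Constructed sample configurations so the program runs offline. */
const char *SAMPLE_EXPOSED =
    "driftfile /var/lib/ntp/drift\n"
    "server 0.pool.ntp.org\n"
    "crypto pw PLACEHOLDER_PASSWORD   # autokey enabled\n";

const char *SAMPLE_NOT_EXPOSED =
    "driftfile /var/lib/ntp/drift\n"
    "# crypto pw OLD_PLACEHOLDER   (commented out, inactive)\n"
    "server 0.pool.ntp.org\n";

int main(void)
{
    printf("exposed config enables autokey: %d\n", config_enables_autokey(SAMPLE_EXPOSED));
    printf("clean config enables autokey:   %d\n", config_enables_autokey(SAMPLE_NOT_EXPOSED));
    return 0;
}
```

A positive result means the vulnerable code path in crypto_recv() is reachable on that host and the vendor update should be applied first there; a negative result does not remove the need to patch, since the ntpq flaw (CVE-2009-0159) does not depend on the autokey configuration.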


Solution:
Vendor patches are now available.

RHEL 5
https://rhn.redhat.com/errata/RHSA-2009-1039.html

RHEL 4
http://rhn.redhat.com/errata/RHSA-2009-1040.html


[***** End CVE-2009-1252 *****]

DOECIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                     


UCRL-MI-119788