search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

ntpd autokey stack buffer overflow

Vulnerability Note VU#853097

Original Release Date: 2009-05-18 | Last Revised: 2009-08-12

Overview

ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

Description

NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.

Solution

Apply an update

This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.


Disable autokey

This vulnerability can be mitigated by removing the crypto pw passwordline from the ntp.conf file.

Vendor Information

853097
 
Expand all

Debian GNU/Linux Affected

Notified:  May 06, 2009 Updated: May 11, 2009

Statement Date:   May 11, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Affected

Notified:  May 06, 2009 Updated: May 15, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Affected

Notified:  May 07, 2009 Updated: May 20, 2009

Statement Date:   May 20, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see http://bugs.gentoo.org/show_bug.cgi?id=268962

Red Hat, Inc. Affected

Notified:  May 06, 2009 Updated: May 18, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see RHSA-2009-1039.

Vendor References

Addendum

NTP authentication is not enabled by default.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Affected

Notified:  May 06, 2009 Updated: July 31, 2009

Statement Date:   July 31, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

SUSE Linux is affected by the by the ntpd auto key remote overflow issue. We have released updated packages to fix this problem.

Vendor References

Ubuntu Affected

Notified:  May 06, 2009 Updated: May 20, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see USN-777-1.

Cray Inc. Not Affected

Notified:  May 06, 2009 Updated: May 08, 2009

Statement Date:   May 08, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Default cray configurations do not utilize autokeys and not not vulnerable.

However, the xntp rpm provided in the OS release is vulnerable if sites locally enable autokeys.

DragonFly BSD Project Not Affected

Notified:  May 06, 2009 Updated: May 07, 2009

Statement Date:   May 07, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

DragonFly ships with its own homebrew client-only version.

Hewlett-Packard Company Not Affected

Notified:  May 06, 2009 Updated: August 12, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Not Affected

Notified:  May 06, 2009 Updated: May 15, 2009

Statement Date:   May 15, 2009

Status

Not Affected

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

For additional information about this or any other vulnerability report, or to report a potential security vulnerability, please contact the Juniper Security Incident Response Team at sirt@juniper.net

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified:  May 06, 2009 Updated: May 07, 2009

Statement Date:   May 07, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has indicated that they do not support the Autokey feature.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SafeNet Not Affected

Notified:  May 12, 2009 Updated: May 15, 2009

Statement Date:   May 15, 2009

Status

Not Affected

Vendor Statement

SafeNet has confirmed that none of its products are subject to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Not Affected

Notified:  May 06, 2009 Updated: May 12, 2009

Statement Date:   May 12, 2009

Status

Not Affected

Vendor Statement

We have checked our implementations of npt and our versions do not contain this vlunerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified:  May 06, 2009 Updated: May 13, 2009

Statement Date:   May 14, 2009

Status

Unknown

Vendor Statement

Solaris NTP implementation is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  May 06, 2009 Updated: May 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 39 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)
Environmental 0 CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)

References

Acknowledgements

This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2009-1252
Severity Metric: 9.45
Date Public: 2009-05-18
Date First Published: 2009-05-18
Date Last Updated: 2009-08-12 19:01 UTC
Document Revision: 31

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis