Updated: April 10, 2001
Affected
The version of ntp shipped with BSD/OS is vulnerable to this problem so sites which have configured ntpd should update to the patched version available from BSDI's web, ftp or patches servers.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 13, 2001
Unknown
IOS is not vulnerable to the ntpdx exploit as it is posted to the Bugtraq. However, to be on the safe side, we recommend that you include this line in your config:

    ntp access-group serve-only

This will allow only time requests but ignore control queries.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 05, 2001 Updated: May 03, 2001
Affected
TITLE: SSRT1-85U - xntpd potential buffer overflow
SOURCE: Compaq Computer Corporation, Software Security Response Team
Date: 02-MAY-2001
SEVERITY: HIGH

PROBLEM STATEMENT SUMMARY:
Compaq continues to take a serious approach to the quality and security of all its software products and makes every effort to address issues and provide solutions in a timely manner. In line with this commitment, Compaq is responding to recent concerns of a potential buffer overflow with xntpd. The Network Time Protocol daemon for Compaq Tru64 UNIX contains a potential buffer overflow (even though it would be difficult to exploit) that may allow unauthorized access to bin privileges.

IMPACT:
Compaq's Tru64 UNIX V4.0d, V4.0f, V4.0g, V5.0, V5.0a, V5.1

SOLUTION:
Compaq Tru64 UNIX engineering has provided a fix for this potential problem.

NOTE: The solutions will be included in future releases of Tru64 UNIX aggregate patch kits. Until that has happened the kits identified should be reinstalled accordingly after an upgrade to any affected version listed.

The patches identified are available from the Compaq FTP site http://ftp1.support.compaq.com/public/dunix/ then choose the version directory needed and search for the patch by name. Please review the applicable readme and install files prior to installation.

Patches:
    V4.0D: DUV40D16-C0058302-10580-20010430.tar
    V4.0F: DUV40F16-C0042002-10579-20010430.tar
    V4.0G: T64V40G16-C0003502-10577-20010430.tar
    V5.0:  T64V5016-C0006102-10575-20010430.tar
    V5.0A: T64V50A16-C0010402-10574-20010430.tar
    V5.1:  T64V513-C0027202-10573-20010430.tar

NOTE: A patch for Compaq Tru64 UNIX V4.0e is not available as it is no longer supported by Compaq. If you require a patch for V4.0e please contact your normal Compaq Services channel.

Compaq appreciates your cooperation and patience. We regret any inconvenience applying this information may cause. As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved

To subscribe to automatically receive future NEW Security Advisories from the Compaq's Software Security Response Team via electronic mail, Use your browser select the URL http://www.support.compaq.com/patches/mailing-list.shtml Select "Security and Individual Notices" for immediate dispatch notifications directly to your mailbox.

To report new Security Vulnerabilities, send mail to: security-ssrt@compaq.com

COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED ON THIS SERVER FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND ARE SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT. IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The vendor has not provided us with any further information regarding this vulnerability.
Previously it was reported that Tru64 and OpenVMS were not vulnerable to this problem.
Updated: April 10, 2001
Affected
Debian has released an advisory on this issue: Debian Security Advisory 045-2: Przemyslaw Frasunek
The vendor has not provided us with any further information regarding this vulnerability.
Debian Security Advisory 045-2 is available at: http://www.debian.org/security/2001/dsa-045
Notified: April 05, 2001 Updated: April 13, 2001
Affected
FreeBSD has released FreeBSD-SA-01:31 at: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3a31.ntpd.asc
The vendor has not provided us with any further information regarding this vulnerability.
The FreeBSD ports collection does contain a vulnerable version of ntpd. A patch has been made available at: http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control.c?r1+=1.1&r2=1.2 This was in response to Problem Report 26358: http://www.FreeBSD.org/cgi/query-pr.cgi?pr=26358
Updated: April 06, 2001
Not Affected
Regarding the ntpd buffer overflow vulnerability, Fujitsu's UXP/V operating system is not vulnerable because it doesn't support ntpd.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 09, 2001
Affected
HP is vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
HP has published HPSBUX0104-148 Sec. Vulnerability in xntpd(1M) which includes workarounds to protect users of HP systems running xntpd. An excerpt from HPSBUX0104-148 is included here:

A. Background

A buffer overflow has been discovered on various Unix-derived operating systems in its NTP daemon. Hewlett-Packard Company ships xntpd on HP-UX releases and has determined that it too, is vulnerable.

B. Recommended solution

Hewlett-Packard Company recommends that xntpd be shut down on all systems not absolutely needing time-of-day synchronization with Internet standard time servers. On those remaining time-sensitive systems modify the default configuration file (/etc/ntp.conf) to use the "restrict" clause, to restrict all but allow some. We provide an example of a simple configuration. Please refer to the man (1M) xntpd for further configuration details.

    # This server syncs from server 192.255.2.3 and provides
    # time services to client 192.27.16.30, yet
    # blocks all others.
    server 192.255.2.3 prefer
    server 127.127.1.1
    # allow this client full access
    restrict 192.27.16.30
    # allow this server full access
    restrict 192.255.2.3
    # you need both of the following for the localhost
    restrict 127.0.0.1
    restrict 127.127.1.1
    # block everything else
    restrict default ignore

NOTE: Patches are currently in development.
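An added example, not part of HP's bulletin or of the CERT/CC note: a small Python audit that parses the `restrict` lines of an ntp.conf and reports which sources the daemon would still answer control queries from. It assumes numeric IPv4 addresses only and ntpd's documented rule that the most specific matching `restrict` entry applies; the function names and the test address 203.0.113.9 are illustrative.

```python
import ipaddress

# The example configuration from the HP bulletin quoted above.
HP_EXAMPLE = """\
server 192.255.2.3 prefer
server 127.127.1.1
restrict 192.27.16.30
restrict 192.255.2.3
restrict 127.0.0.1
restrict 127.127.1.1
restrict default ignore
"""

# Constructed sample: a configuration with no restrict lines at all.
OPEN_CONF = """\
server 192.255.2.3 prefer
"""

# Flags that stop the daemon from answering control (query) packets.
BLOCKS_CONTROL = {"ignore", "noquery"}


def parse_restrict(conf_text):
    """Return [(network, flags)] for each 'restrict' line in ntp.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, rest = tokens[1], tokens[2:]
        mask = "255.255.255.255"                # a bare address is one host
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        if addr == "default":                   # matches every source
            addr, mask = "0.0.0.0", "0"
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((net, frozenset(rest)))
    return rules


def effective_flags(rules, source_ip):
    """Flags of the most specific entry matching source_ip, or None."""
    ip = ipaddress.ip_address(source_ip)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    if not matches:
        return None                             # nothing applies: unrestricted
    return max(matches, key=lambda m: m[0])[1]


def answers_control_queries(rules, source_ip):
    flags = effective_flags(rules, source_ip)
    return flags is None or not (flags & BLOCKS_CONTROL)


def audit(conf_text):
    """List the findings a reviewer would raise for this configuration."""
    rules = parse_restrict(conf_text)
    findings = []
    default = [flags for net, flags in rules if net.prefixlen == 0]
    if not default:
        findings.append("no 'restrict default' line: every source is served")
    elif not (default[-1] & BLOCKS_CONTROL):
        findings.append("'restrict default' still answers control queries")
    for net, flags in rules:
        if net.prefixlen > 0 and not (flags & BLOCKS_CONTROL):
            findings.append(f"{net} may send control queries")
    return findings


if __name__ == "__main__":
    for name, conf in (("HP example", HP_EXAMPLE), ("open", OPEN_CONF)):
        print(name, audit(conf))
```

On the HP configuration the findings are the four hosts given full access, which is the list to review while the daemon remains unpatched.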
Notified: April 05, 2001 Updated: May 21, 2008
Affected
IBM AIX APAR #IY18265 is the fix for this vulnerability for AIX 4.3
IBM AIX APAR #IY19744 is the fix for this vulnerability for AIX 5.1
Future releases of AIX such as 5.2 and 5.3 are not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 06, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MDKSA-2001:036: ntp/xntp3 at: http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3
Notified: April 05, 2001 Updated: April 05, 2001
Affected
Please see NetBSD Security Advisory 2001-004 at: ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 05, 2001 Updated: April 06, 2001
Affected
No statement from the vendor is available at this time.
The vendor has not provided us with any further information regarding this vulnerability.
The OpenBSD ports collection does contain a vulnerable version of xntp. The following extract was taken from the GNATs bug report about this issue: http://cvs.openbsd.org/cgi-bin/wwwgnats.pl/full?pr=1758

Here is an addition to the OpenBSD xntpd port that applies NAKAMURA Kazushi's patch.

How to apply:

    # Add the new file: /usr/ports/sysutils/xntpd/patches/patch-ntp_control.c
    cd /usr/ports/sysutils/xntpd
    make uninstall && make clean && make && make install
    reboot # necessary because tickadj is run before system securelevel is changed

Caveats:

The new file /usr/ports/sysutils/xntpd/patches/patch-ntp_control.c is NAKAMURA Kazushi's patch -- nothing more. It comes directly from the FreeBSD tree. It may not be OpenBSD's preferred way of doing things, but it will close the hole until OpenBSD has it fixed.
Notified: April 05, 2001 Updated: April 09, 2001
Affected
No direct statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
RedHat has issued an advisory regarding this issue at: http://www.redhat.com/support/errata/RHSA-2001-045.html An excerpt: The Network Time Daemon (xntpd on Red Hat Linux 6.2 and earlier, ntpd on Red Hat Linux 7.0) does not properly check the size of a buffer used to hold incoming data from the network. Potentially, an attacker could gain root access by exploiting this weakness. Potential damage is mitigated by the fact that the Network Time Daemon is not enabled by default. If you are not using network time services, it may not even be installed. As a general rule, Red Hat encourages users to enable only those network services they actually need.
Updated: April 09, 2001
Affected
No direct statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Slackware has issued the following advisory regarding this problem: http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2001&m=slackware-security.384116 An excerpt: The version of xntp3 that shipped with Slackware 7.1 as well as the version that was in Slackware -current contains a buffer overflow bug that could lead to a root compromise. Slackware 7.1 and Slackware -current users are urged to upgrade to the new packages available for their release. The updated package available for Slackware 7.1 is a patched version of xntp3. The -current tree has been upgraded to ntp4, which also fixes the problem. If you want to continue using xntp3 on -current, you can use the updated package from the Slackware 7.1 tree and it will work.
Notified: April 05, 2001 Updated: October 31, 2001
Affected
Please see Sun Security Bulletin #00211, also available for download at: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?type=0&doc=secbull%2F211&display=plain
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00211
Date: October 23, 2001
Cross-Ref: CERT Vulnerability Note VU#970472
Title: xntpd

The information contained in this Security Bulletin is provided "AS IS." Sun makes no warranties of any kind whatsoever with respect to the information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.

1. Bulletins Topics

Sun announces the release of patches for Solaris(tm) 8, 7, and 2.6 (SunOS(tm) 5.8, 5.7, and 5.6) which relate to a vulnerability in xntpd(1M), the Network Time Protocol daemon.

Sun recommends that you install the patches listed in section 4 on systems running SunOS 5.8, 5.7, and 5.6 which use xntpd.

2. Who is Affected

Vulnerable: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6, 5.6_x86

The xntpd(1M) daemon was not shipped by Sun for earlier releases than Solaris 2.6.

3. Understanding the Vulnerability

The xntpd is a daemon which sets and maintains a UNIX system time-of-day in agreement with Internet standard time servers. xntpd is a complete implementation of the Network Time Protocol (NTP) version 3 standard, as defined by RFC 1305.

CERT Vulnerability Note VU#970472 is available from: http://www.kb.cert.org/vuls/id/970472

4. List of Patches

The following patches are available in relation to the above issue.

    OS Version       Patch ID
    SunOS 5.8        109667-04
    SunOS 5.8_x86    109668-04
    SunOS 5.7        109409-04
    SunOS 5.7_x86    109410-03
    SunOS 5.6        107298-03
    SunOS 5.6_x86    107299-03

APPENDICES

A. Patches listed in this bulletin are available to all Sun customers at: http://sunsolve.sun.com/securitypatch

B. Checksums for the patches listed in this bulletin are available at: ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

C. Sun security bulletins are available at: http://sunsolve.sun.com/security

D. Sun Security Coordination Team's PGP key is available at: http://sunsolve.sun.com/pgpkey.txt

E. To report or inquire about a security problem with Sun software, contact one or more of the following:
   - Your local Sun answer centers
   - Your representative computer security response team, such as CERT
   - Sun Security Coordination Team. Send email to: security-alert@sun.com

F. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to: security-alert@sun.com with a subject line (not body) containing one of the following commands:

    Command          Information Returned/Action Taken
    help             An explanation of how to get information
    key              Sun Security Coordination Team's PGP key
    list             A list of current security topics
    query [topic]    The email is treated as an inquiry and is forwarded to the Security Coordination Team
    report [topic]   The email is treated as a security report and is forwarded to the Security Coordination Team. Please encrypt sensitive mail using Sun Security Coordination Team's PGP key
    send topic       A short status summary or bulletin. For example, to retrieve a Security Bulletin #00138, supply the following in the subject line (not body): send #138
    subscribe        Sender is added to our mailing list. To subscribe, supply the following in the subject line (not body): subscribe cws your-email-address Note that your-email-address should be substituted by your email address.
    unsubscribe      Sender is removed from the CWS mailing list.

Copyright 2001 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. This Security Bulletin may be reproduced and distributed, provided that this Security Bulletin is not modified in any way and is attributed to Sun Microsystems, Inc. and provided that such reproduction and distribution is performed for non-commercial purposes.
Updated: April 16, 2001
Affected
No statement has been directly received from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
SuSE has released a Security Announcement on this issue: SuSE-SA:2001:10 at http://lists.suse.com/archives/suse-security-announce/2001-Apr/0000.html

-----BEGIN PGP SIGNED MESSAGE-----

SuSE Security Announcement

Package: xntp
Announcement-ID: SuSE-SA:2001:10
Date: Monday, April 9th 22:30 MEST
Affected SuSE versions: (6.0, 6.1, 6.2), 6.3, 6.4, 7.0, 7.1
Vulnerability Type: remote root compromise
Severity (1-10): 8
SuSE default package: no
Other affected systems: systems using xntp in newer versions

Content of this advisory:
1) security vulnerability resolved: xntp
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

xntp is the network time protocol package widely used with many unix and linux systems for system time synchronization over a network.

An exploit published by Przemyslaw Frasunek demonstrates a buffer overflow in the control request parsing code. The exploit allows a remote attacker to execute arbitrary commands as root. All versions as shipped with SuSE Linux are affected by the buffer overflow problem.

A temporary workaround is to kill the daemon and to set the variable START_XNTPD in the file /etc/rc.config to "no" so that the daemon will not be started again upon reboot of the system. Correct the system time manually if necessary or adjust the time by running ntpdate from a cron job on a regular basis.

We believe that this problem is generally underestimated since the xntpd daemon tends to get forgotten over the years of a system's lifetime once installed and configured. The xntpd daemon is not started by default in SuSE Linux distributions. We strongly recommend to immediately update the xntp package on each system where the daemon is installed, configured and running.

Note: The xntp update packages for most distributions have been available for download since Friday last week. The packages for all 6.4 and 7.0 version distributions had to be rebuilt due to a specfile bug that did not show up earlier and that caused a delay in building packages. This bug causes the rpm subsystem to complain about the release number of the package. Now that this bug is corrected, you might find yourself having installed a package where there is a newer version of the package on the ftp server. However, regardless of the package release number, all published packages fix the currently known security problems in the xntpd network time daemon.

Note: The source rpm of xntp in newer distributions generates two packages: xntp.rpm and xntpdoc.rpm. It is not necessary to update the xntpdoc package which is why we do not provide the update packages on our ftp server. The xntpdoc package only contains the documentation for the xntp package and did not change in this updated package.

Download the update package from locations described below and install the package with the command `rpm -Uhv file.rpm'. The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command

    `rpm --checksig --nogpg file.rpm',

independently from the md5 signatures below.

SPECIAL INSTALL INSTRUCTIONS:

The xntpd daemon must be restarted for the new package to become active after the installation of the update rpm. You can do this by running the command

    kill -15 `pidof xntpd`

as root. After performing the upgrade using the rpm command above, you can restart the xntpd:

    rcxntpd start

You should now see the new daemon synchronizing in your syslogs, depending on where you configured the daemon to write its logs to.

i386 Intel Platform:

SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/xntp-4.0.99f-34.i386.rpm
9e39ca8f7b01fef22766463b8295e25d
source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/xntp-4.0.99f-34.src.rpm
dfa51b46c92b917353f52e5d83863478

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/xntp-4.0.99f-37.i386.rpm
4293ad8a3e084ec5d773bbcab8380c08
source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/xntp-4.0.99f-37.src.rpm
745b894dcb6a97caa36f97858a51e279

SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/xntp-4.0.99f-38.i386.rpm
8001ac19d0ee812be82b6b066b4313d5
source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/xntp-4.0.99f-38.src.rpm
7d56618cba3d768aa53246f39158987d

SuSE-6.3
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/xntp-4.0.98d-1.i386.rpm
2f5d7b43b167c6acf13f68b13b1b7989
source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/xntp-4.0.98d-1.src.rpm
11182e5e8c3769e6f9498ade9fcbe1fc

SuSE-6.2 (unsupported platform)
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/xntp-4.0.93a-18.i386.rpm
5b55d179e3d4a0c57513bed03013c1a9
source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/xntp-4.0.93a-18.src.rpm
dbb7c833ddc25b0bde406b4319d4106f

SuSE-6.1 (unsupported platform)
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/xntp-4.0.92c-1.i386.rpm
baa93b55a4eaa486968fa6285f04c865
source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/xntp-4.0.92c-1.src.rpm
06f0174e8934e3ce6f419284564a7c91

Sparc Platform:

SuSE-7.1
The xntp packages for the SuSE-7.1 sparc distribution are currently
pending for being built. They will be available on the ftp server
as soon as they are built. The packages are gpg-signed using the key
Notified: April 05, 2001 Updated: April 09, 2001
Affected
We have now released updated packages:

Caldera OpenLinux 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/
    19e51b89951b435061450398e764b753 RPMS/xntp-3.5.93e-5.i386.rpm
    08a990b5034679c0a37ebbe20e162d05 SRPMS/xntp-3.5.93e-5.src.rpm

Caldera OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/
    df892fae73626a11107552d7d1a68e6e RPMS/xntp-3.5.93e-5.i386.rpm
    663eb55d629cdcc0212583e92be15d11 SRPMS/xntp-3.5.93e-5.src.rpm

Caldera OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/
    fe7cffdf379ee9b69890f9fa9ff0f320 RPMS/xntp-4.0.97-2.i386.rpm
    ff34841b2f01a252e6e31cb91ffcada5 SRPMS/xntp-4.0.97-2.src.rpm
The vendor has not provided us with any further information regarding this vulnerability.
Further details can be found in CSSA-2001-013 remote root exploit in ntpd available at: http://www.caldera.com/support/security/advisories/CSSA-2001-013.0.txt
Updated: April 16, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has read but not verified the following statement from SCO posted on BUGTRAQ: Message-Id: <3AD4B69C.913A849D@sco.com>
Date: Wed, 11 Apr 2001 12:55:08 -0700
From: Albert Fu
Updated: April 09, 2001
Affected
The patch I sent out applies to the NTPv4 99k distribution which for safety I fetched directly from its public place. For record: --- ntp_control.c.1 Thu Apr 5 21:41:56 2001 +++ ntp_control.c Thu Apr 5 21:43:02 2001 @@ -1824,6 +1824,8 @@ while (cp < reqend && *cp != *tp++ = *cp++; + if (tp >= buf + sizeof(buf)) + return (0); if (cp < reqend) cp++; *tp = '\0'; Not fancy; it's been a long day.
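Review bot: no braces are visible around the body of the `while` loop in this hunk, and the two added lines follow the single statement `*tp++ = *cp++;`. If the loop body is unbraced, the new `if (tp >= buf + sizeof(buf))` runs once after the loop has finished copying rather than after each byte, so it would not bound the writes into `buf`. Wrap the copy and the check in `{ }` so the test is evaluated on every iteration. Placed inside the loop, testing after the store is sufficient: the function returns as soon as `tp` reaches `buf + sizeof(buf)`, so the later `*tp = '\0'` always lands inside the buffer. A short comment saying what `return (0)` means to the caller for an over-long value would also help the next reader.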
The vendor has not provided us with any further information regarding this vulnerability.
Target CVS repository: http://maccarony.ntp.org/cgi-bin/cvsweb.cgi/ntp/ntpd/ntp_control.c?rev=1.33&content-type=text/x-cvsweb-markup Target patched version: ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz