Bug 1593580 (CVE-2018-12327)
| Summary: | CVE-2018-12327 ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | jlyle, linville, mlichvar, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
The ntpq and ntpdc command-line utilities that are part of ntp package are vulnerable to stack-based buffer overflow via crafted hostname. Applications using these vulnerable utilities with an untrusted input may be potentially exploited, resulting in a crash or arbitrary code execution under privileges of that application.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:29:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1593581, 1599624, 1624891, 1657290, 1819706, 1819707 | ||
| Bug Blocks: | 1593582 | ||
|
Description
Adam Mariš
2018-06-21 07:04:22 UTC
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1593581] Vulnerable code:
623 static int
624 openhost(
625 const char *hname
626 )
627 {
628 char temphost[LENHOSTNAME];
629 int a_info, i;
630 struct addrinfo hints, *ai = NULL;
631 register const char *cp;
632 char name[LENHOSTNAME];
633 char service[5];
634
635 /*
636 * We need to get by the [] if they were entered
637 */
638
639 cp = hname;
640
641 if (*cp == '[') {
642 cp++;
643 for (i = 0; *cp && *cp != ']'; cp++, i++)
644 name[i] = *cp;
645 if (*cp == ']') {
646 name[i] = '\0';
647 hname = name;
648 } else {
649 return 0;
650 }
651 }
The memory corruption happens in openhost() function which takes the hostname as given on the input and then it copies it into an array allocated on stack called 'name' with a fixed size LENHOSTNAME defined as 256. It doesn't check bounds when doing the copy. The same vulnerable pattern can be found in both ntpq.c and ntpdc.c files. Our builds have stack smashing protection which detects the overflow and terminates the program, making the exploitation (i.e. arbitrary code execution) more difficult.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2018:3853 https://access.redhat.com/errata/RHSA-2018:3853 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:3854 https://access.redhat.com/errata/RHSA-2018:3854 Statement: This issue affects the versions of ntp as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue affects the versions of ntp as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2077 https://access.redhat.com/errata/RHSA-2019:2077 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:1470 https://access.redhat.com/errata/RHSA-2020:1470 |