Bug 490617 (CVE-2009-0159)
| Field | Value |
|---|---|
| Summary | CVE-2009-0159 ntp: buffer overflow in ntpq |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | jrusnack, kreilly, mcermak, mlichvar, security-response-team |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2009-12-14 09:31:00 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 500781, 500782, 500783, 500784, 532641 |
Description

Tomas Hoger, 2009-03-17 10:44:46 UTC

Created attachment 335503 [details]: Patch proposed by Apple

This issue only affects the ntpq diagnostic tool, not the NTP server. The overflow can be triggered by a malicious server being queried using ntpq, or if an attacker is able to control the communication channel between ntpq and the NTP server, and hence spoof malicious replies to queries sent to a trusted NTP server. Queries to a trusted server using an untrusted NTP peer are not affected.

Affected code is only reached when ntpq is using "cooked" output mode (which is the default). Always using "raw" output mode mitigates this problem.

The overflow itself is limited to 2 bytes (due to the maximum possible value that ntpq can read into uval): one byte is the ASCII representation of the attacker-controlled octal value '0' - '7', followed by a NULL byte.

ntpq is most commonly used to query ntpd running on the local machine (hence trusted). localhost is the default host it queries unless some other host was explicitly specified. The default ntpd server configuration only allows ntpq queries from localhost too.

On Red Hat Enterprise Linux 5 and later (including current Fedora versions), this overflow is caught by _FORTIFY_SOURCE, causing ntpq to abort instead of overflowing the buffer. For those versions, this is not a security flaw.

Upstream bug report: https://support.ntp.org/bugs/show_bug.cgi?id=1144

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Public now, fixed upstream in 4.2.4p7-RC2:
https://support.ntp.org/bugs/show_bug.cgi?id=1144
http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 4.7 Z Stream
Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html

ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9

ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10

ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 3
Via RHSA-2009:1651 https://rhn.redhat.com/errata/RHSA-2009-1651.html
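As an added illustration of the defect class the description above refers to (a fixed buffer sized for expected values, overrun by one octal digit plus the NUL when the decoder hands over its largest value), here is a constructed C model that is not ntpq's code and not from the report; `OCT_BUF`, `UVAL_MAX` and the `?` placeholder are assumptions chosen to reproduce the 2-byte figure, and the checked formatter shows the bounds test that prevents it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not ntpq's code: a buffer sized for the octal text of
 * the values the author expected (OCT_BUF) versus the largest value the
 * decoder can actually hand over (UVAL_MAX). Both constants are assumptions
 * chosen so the mismatch reproduces the report's "2 bytes": one more octal
 * digit plus the terminating NUL. */
#define OCT_BUF  3
#define UVAL_MAX 07777UL

/* Bytes that "%lo" formatting of v occupies, including the NUL. */
size_t octal_bytes(unsigned long v)
{
    size_t n = 1;                 /* "0" still needs one digit */
    while (v >>= 3)
        n++;
    return n + 1;                 /* plus the terminating NUL */
}

/* Bytes an unchecked sprintf(buf, "%lo", v) into char buf[OCT_BUF] would
 * write past the end. With _FORTIFY_SOURCE, glibc's __sprintf_chk detects
 * this overrun at run time and aborts, which is what the report describes
 * for RHEL 5 and later. */
size_t octal_overrun(unsigned long v)
{
    size_t need = octal_bytes(v);
    return need > OCT_BUF ? need - OCT_BUF : 0;
}

/* Bounds-checked replacement: format only if the text fits, otherwise
 * leave "?" (constructed placeholder) in the buffer and report failure. */
int format_octal_checked(unsigned long v, char *out, size_t outlen)
{
    int n;

    if (outlen < 2)
        return -1;
    n = snprintf(out, outlen, "%lo", v);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '?';
        out[1] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[OCT_BUF];
    printf("overrun for max value: %zu bytes\n", octal_overrun(UVAL_MAX));
    printf("checked format: %d -> \"%s\"\n",
           format_octal_checked(UVAL_MAX, buf, sizeof buf), buf);
    return 0;
}
```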