Bug 499694 (CVE-2009-1252)
Field | Value
---|---
Summary | CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled
Product | [Other] Security Response
Reporter | Vincent Danen <vdanen>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
QA Contact | Jan Ščotka <jscotka>
Severity | high
Priority | high
Version | unspecified
CC | jlieskov, jrusnack, jscotka, kreilly, mcermak, mjc, mlichvar, security-response-team
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
URL | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1252
Doc Type | Bug Fix
Story Points | ---
Last Closed | 2009-05-31 11:21:52 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Depends On | 500781, 500782, 500783, 500784
Description
Vincent Danen
2009-05-07 17:27:59 UTC
Created attachment 343833: patch to correct the issue

This patch changes all "sprintf(statstr" to "snprintf(statstr, NTP_MAXSTRLEN", which corrects the issue.

This issue does not affect Red Hat Enterprise Linux 2.1 or 3 because the version of ntpd does not make use of the sprintf() function in ntpd/ntp_crypto.c. The insecure use of sprintf does affect Red Hat Enterprise Linux 4 and 5; however, on RHEL5 no code execution is possible due to the use of FORTIFY_SOURCE, making this a denial of service issue on that platform. As well, in order for this flaw to be exploited, you must have autokey / public key cryptography authentication enabled, which is not the default. Successful exploitation will also have a smaller impact due to the fact that ntpd runs with user/group ntp privileges, not root privileges, and is further confined by SELinux policies.

Fixed now upstream in 4.2.4p7.

Upstream ChangeLog:
(4.2.4p7) 2009/05/18 Released by Harlan Stenn <stenn>
* [Sec 1151] Remote exploit if autokey is enabled - CVE-2009-1252.

Upstream NEWS file:
* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252
See http://support.ntp.org/security for more information.
If autokey is enabled (if ntp.conf contains a "crypto pw whatever" line) then a carefully crafted packet sent to the machine will cause a buffer overflow and possible execution of injected code, running with the privileges of the ntpd process (often root). Credit for finding this vulnerability goes to Chris Ries of CMU.

Upstream bug report: https://support.ntp.org/bugs/show_bug.cgi?id=1151

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 4.7 Z Stream
Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html

ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9

ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10

ntp-4.2.4p7-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc11

CVE-2009-1252: Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
https://launchpad.net/bugs/cve/2009-1252
https://support.ntp.org/bugs/show_bug.cgi?id=1151
http://www.kb.cert.org/vuls/id/853097
http://www.securityfocus.com/bid/35017

ntp-4.2.4p7-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-2.fc11

ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

ntp-4.2.4p7-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
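The sprintf-to-snprintf change the patch makes, written out as an added example that is not the ntp project's own code: a fixed-size statstr buffer like the one crypto_recv formatted into, the pre-4.2.4p7 unbounded write shown only as a comment, and the bounded replacement, which also uses snprintf's return value to report when a peer-supplied field would have overrun the buffer. NTP_MAXSTRLEN is a local stand-in here (assumed 256), and the format string and field names are assumptions, not copied from ntp_crypto.c.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Local stand-in for NTP's NTP_MAXSTRLEN; the value is an assumption, not ntp.h's. */
#define NTP_MAXSTRLEN 256

/* Result of formatting one crypto stats line. */
struct statline {
    char statstr[NTP_MAXSTRLEN]; /* the fixed-size buffer the bug overflowed */
    size_t wanted;               /* bytes the full message needed (without NUL) */
    bool truncated;              /* true if an unbounded write would have overrun */
};

/*
 * Pre-fix pattern (for contrast only, never compile or call this):
 *     sprintf(statstr, "%s flags 0x%x ts %u fs %u", name, flags, ts, fs);
 * 'name' originated in a peer-supplied extension field, so its length was
 * controlled by the remote side and the write into statstr had no bound.
 *
 * Patched pattern: bound the write by the buffer size. snprintf returns the
 * length the whole message would have had, so the caller can detect truncation
 * and log it instead of silently losing the tail of the line.
 */
struct statline format_crypto_stat(const char *name, unsigned flags,
                                   uint32_t ts, uint32_t fs)
{
    struct statline r;
    int n = snprintf(r.statstr, sizeof r.statstr,
                     "%s flags 0x%x ts %u fs %u", name, flags, ts, fs);
    if (n < 0) {                 /* encoding error: emit an empty line */
        r.statstr[0] = '\0';
        n = 0;
    }
    r.wanted = (size_t)n;
    r.truncated = r.wanted >= sizeof r.statstr;
    return r;
}

/* Constructed input: a name of 'A' repeated len times (capped), as an
 * oversized peer-supplied field would look to the formatting code. */
struct statline format_with_name_len(size_t len)
{
    char name[512];
    if (len > sizeof name - 1)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return format_crypto_stat(name, 0x1u, 10u, 20u);
}
```

Run with a 12-byte name the line is stored whole; with a 400-byte name the stored line stays at NTP_MAXSTRLEN-1 bytes and `truncated` is set, which is the condition the old sprintf turned into a stack overwrite.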