Bug 499694 (CVE-2009-1252)

Summary: CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Jan Ščotka <jscotka>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jlieskov, jrusnack, jscotka, kreilly, mcermak, mjc, mlichvar, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1252
Whiteboard: impact=important,source=cert,reported=20090506,public=20090518,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,mitigate=fortify,cwe=CWE-121
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-05-31 07:21:52 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 500781, 500782, 500783, 500784    
Bug Blocks:    
Attachments:
Description Flags
patch to correct the issue none

Description Vincent Danen 2009-05-07 13:27:59 EDT
CERT has reported a vulnerability in ntp (VU#853097).  If autokey is enabled, a remote attacker can send a carefully crafted packet that can overflow a stack buffer, potentially allowing for the execution of arbitrary code with the privileges of the ntpd process.

This is corrected upstream in versions 4.2.4p7 and 4.2.5p74, and affects ntp 4.2.4 (and possibly earlier).  This issue can also be mitigated by ensuring autokey support is not enabled.

By default, Red Hat Enterprise Linux defaults to running ntpd unprivileged with the ntpd user.

This issue has been assigned CVE-2009-1252.
Comment 9 Vincent Danen 2009-05-13 13:58:34 EDT
Created attachment 343833 [details]
patch to correct the issue

This patch changes all "sprintf(statstr" to "snprintf(statstr, NTP_MAXSTRLEN", which corrects the issue.
Comment 19 Vincent Danen 2009-05-14 12:26:34 EDT
This issue does not affect Red Hat Enterprise Linux 2.1 or 3 because the version of ntpd does not make use of the sprintf() function in ntpd/ntp_crypto.c.

The insecure use of sprintf does affect Red Hat Enterprise Linux 4 and 5, however on RHEL5 no code execution is possible due to the use of FORTIFY_SOURCE, making this a denial of service issue on that platform.

As well, in order for this flaw to be exploited, you must have autokey / public key cryptography authentication enabled, which is not the default.  Successful exploitation will also have a smaller impact due to the fact that ntpd runs with user/group ntp privileges, not root privileges, and is further confined by SELinux policies.
Comment 20 Tomas Hoger 2009-05-18 10:06:18 EDT
Fixed now upstream in 4.2.4p7.


Upstream ChangeLog:

(4.2.4p7) 2009/05/18 Released by Harlan Stenn <stenn@ntp.org>

* [Sec 1151] Remote exploit if autokey is enabled - CVE-2009-1252.


Upstream NEWS file:

* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.


Upstream bug report:
  https://support.ntp.org/bugs/show_bug.cgi?id=1151
Comment 21 errata-xmlrpc 2009-05-18 16:35:10 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html
Comment 22 errata-xmlrpc 2009-05-18 16:54:23 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html
Comment 23 Fedora Update System 2009-05-19 12:22:19 EDT
ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9
Comment 24 Fedora Update System 2009-05-19 12:23:10 EDT
ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10
Comment 25 Fedora Update System 2009-05-19 12:23:47 EDT
ntp-4.2.4p7-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc11
Comment 26 Jan Lieskovsky 2009-05-19 15:47:45 EDT
CVE-2009-1252:

Stack-based buffer overflow in the crypto_recv function in
ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74,
when OpenSSL and autokey are enabled, allows remote attackers to
execute arbitrary code via a crafted packet containing an extension
field.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
https://launchpad.net/bugs/cve/2009-1252
https://support.ntp.org/bugs/show_bug.cgi?id=1151
http://www.kb.cert.org/vuls/id/853097
http://www.securityfocus.com/bid/35017
Comment 27 Fedora Update System 2009-05-28 15:00:33 EDT
ntp-4.2.4p7-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-2.fc11
Comment 28 Fedora Update System 2009-05-29 22:28:00 EDT
ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2009-05-29 22:32:50 EDT
ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2009-06-15 21:33:29 EDT
ntp-4.2.4p7-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.