|Summary:||CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:||Jan Ščotka <jscotka>|
|Version:||unspecified||CC:||jlieskov, jrusnack, jscotka, kreilly, mcermak, mjc, mlichvar, security-response-team|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2009-05-31 11:21:52 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||500781, 500782, 500783, 500784|
Description Vincent Danen 2009-05-07 17:27:59 UTC
CERT has reported a vulnerability in ntp (VU#853097). If autokey is enabled, a remote attacker can send a carefully crafted packet that can overflow a stack buffer, potentially allowing for the execution of arbitrary code with the privileges of the ntpd process. This is corrected upstream in versions 4.2.4p7 and 4.2.5p74, and affects ntp 4.2.4 (and possibly earlier). This issue can also be mitigated by ensuring autokey support is not enabled. By default, Red Hat Enterprise Linux defaults to running ntpd unprivileged with the ntpd user. This issue has been assigned CVE-2009-1252.
Comment 9 Vincent Danen 2009-05-13 17:58:34 UTC
Created attachment 343833 [details] patch to correct the issue This patch changes all "sprintf(statstr" to "snprintf(statstr, NTP_MAXSTRLEN", which corrects the issue.
Comment 19 Vincent Danen 2009-05-14 16:26:34 UTC
This issue does not affect Red Hat Enterprise Linux 2.1 or 3 because the version of ntpd does not make use of the sprintf() function in ntpd/ntp_crypto.c. The insecure use of sprintf does affect Red Hat Enterprise Linux 4 and 5, however on RHEL5 no code execution is possible due to the use of FORTIFY_SOURCE, making this a denial of service issue on that platform. As well, in order for this flaw to be exploited, you must have autokey / public key cryptography authentication enabled, which is not the default. Successful exploitation will also have a smaller impact due to the fact that ntpd runs with user/group ntp privileges, not root privileges, and is further confined by SELinux policies.
Comment 20 Tomas Hoger 2009-05-18 14:06:18 UTC
Fixed now upstream in 4.2.4p7. Upstream ChangeLog: (4.2.4p7) 2009/05/18 Released by Harlan Stenn <email@example.com> * [Sec 1151] Remote exploit if autokey is enabled - CVE-2009-1252. Upstream NEWS file: * [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 See http://support.ntp.org/security for more information. If autokey is enabled (if ntp.conf contains a "crypto pw whatever" line) then a carefully crafted packet sent to the machine will cause a buffer overflow and possible execution of injected code, running with the privileges of the ntpd process (often root). Credit for finding this vulnerability goes to Chris Ries of CMU. Upstream bug report: https://support.ntp.org/bugs/show_bug.cgi?id=1151
Comment 21 errata-xmlrpc 2009-05-18 20:35:10 UTC
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html
Comment 22 errata-xmlrpc 2009-05-18 20:54:23 UTC
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 4.7 Z Stream Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html
Comment 23 Fedora Update System 2009-05-19 16:22:19 UTC
ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9
Comment 24 Fedora Update System 2009-05-19 16:23:10 UTC
ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10
Comment 25 Fedora Update System 2009-05-19 16:23:47 UTC
ntp-4.2.4p7-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc11
Comment 26 Jan Lieskovsky 2009-05-19 19:47:45 UTC
CVE-2009-1252: Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252 https://launchpad.net/bugs/cve/2009-1252 https://support.ntp.org/bugs/show_bug.cgi?id=1151 http://www.kb.cert.org/vuls/id/853097 http://www.securityfocus.com/bid/35017
Comment 27 Fedora Update System 2009-05-28 19:00:33 UTC
ntp-4.2.4p7-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ntp-4.2.4p7-2.fc11
Comment 28 Fedora Update System 2009-05-30 02:28:00 UTC
ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2009-05-30 02:32:50 UTC
ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2009-06-16 01:33:29 UTC
ntp-4.2.4p7-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.