Bug 1593580 (CVE-2018-12327) - CVE-2018-12327 ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution
Summary: CVE-2018-12327 ntp: Stack-based buffer overflow in ntpq and ntpdc allows deni...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-12327
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1593581 1599624 1624891 1657290 1819706 1819707
Blocks: 1593582
TreeView+ depends on / blocked
 
Reported: 2018-06-21 07:04 UTC by Adam Mariš
Modified: 2023-03-24 14:07 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:29:50 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3853 0 None None None 2018-12-19 17:37:16 UTC
Red Hat Product Errata RHSA-2018:3854 0 None None None 2018-12-19 17:37:30 UTC
Red Hat Product Errata RHSA-2019:2077 0 None None None 2019-08-06 12:10:54 UTC
Red Hat Product Errata RHSA-2020:1470 0 None None None 2020-04-14 17:40:57 UTC

Description Adam Mariš 2018-06-21 07:04:22 UTC
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.

References:

https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f

Comment 1 Adam Mariš 2018-06-21 07:04:47 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1593581]

Comment 5 Adam Mariš 2018-07-10 09:43:53 UTC
Vulnerable code:

 623 static  int
 624 openhost( 
 625     const char *hname
 626     )
 627 {
 628     char temphost[LENHOSTNAME];
 629     int a_info, i;
 630     struct addrinfo hints, *ai = NULL;
 631     register const char *cp;
 632     char name[LENHOSTNAME];
 633     char service[5];
 634 
 635     /*
 636      * We need to get by the [] if they were entered
 637      */
 638 
 639     cp = hname;
 640 
 641     if (*cp == '[') {
 642         cp++;
 643         for (i = 0; *cp && *cp != ']'; cp++, i++)
 644             name[i] = *cp;
 645         if (*cp == ']') {
 646             name[i] = '\0';
 647             hname = name;
 648         } else {
 649             return 0;
 650         }
 651     }

The memory corruption happens in openhost() function which takes the hostname as given on the input and then it copies it into an array allocated on stack called 'name' with a fixed size LENHOSTNAME defined as 256. It doesn't check bounds when doing the copy. The same vulnerable pattern can be found in both ntpq.c and ntpdc.c files. Our builds have stack smashing protection which detects the overflow and terminates the program, making the exploitation (i.e. arbitrary code execution) more difficult.

Comment 8 errata-xmlrpc 2018-12-19 17:37:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:3853 https://access.redhat.com/errata/RHSA-2018:3853

Comment 9 errata-xmlrpc 2018-12-19 17:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3854 https://access.redhat.com/errata/RHSA-2018:3854

Comment 11 Adam Mariš 2019-01-03 11:41:20 UTC
Statement:

This issue affects the versions of ntp as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of ntp as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 12 errata-xmlrpc 2019-08-06 12:10:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2077 https://access.redhat.com/errata/RHSA-2019:2077

Comment 15 errata-xmlrpc 2020-04-14 17:40:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1470 https://access.redhat.com/errata/RHSA-2020:1470


Note You need to log in before you can comment on or make changes to this bug.