Bug 499694 (CVE-2009-1252) - CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Jan Ščotka
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On: 500781 500782 500783 500784
Blocks:
 
Reported: 2009-05-07 17:27 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-05-31 11:21:52 UTC
Embargoed:


Attachments
patch to correct the issue (5.21 KB, patch)
2009-05-13 17:58 UTC, Vincent Danen


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1039 0 normal SHIPPED_LIVE Important: ntp security update 2009-05-18 20:35:07 UTC
Red Hat Product Errata RHSA-2009:1040 0 normal SHIPPED_LIVE Critical: ntp security update 2009-05-18 20:53:21 UTC

Description Vincent Danen 2009-05-07 17:27:59 UTC
CERT has reported a vulnerability in ntp (VU#853097).  If autokey is enabled, a remote attacker can send a carefully crafted packet that can overflow a stack buffer, potentially allowing for the execution of arbitrary code with the privileges of the ntpd process.

This is corrected upstream in versions 4.2.4p7 and 4.2.5p74, and affects ntp 4.2.4 (and possibly earlier).  This issue can also be mitigated by ensuring autokey support is not enabled.

By default, Red Hat Enterprise Linux defaults to running ntpd unprivileged with the ntpd user.

This issue has been assigned CVE-2009-1252.

Comment 9 Vincent Danen 2009-05-13 17:58:34 UTC
Created attachment 343833 [details]
patch to correct the issue

This patch changes all "sprintf(statstr" to "snprintf(statstr, NTP_MAXSTRLEN", which corrects the issue.
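The sprintf-to-snprintf change described in comment 9, as an added illustration that is not the attached patch or ntp's own code: a bounded status-string formatter in the post-patch shape, next to the unbounded pre-patch shape shown only in a comment, plus a canary check showing that an over-long peer-supplied field is truncated rather than written past the buffer. The NTP_MAXSTRLEN value, the format string, the function names and the sample inputs are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for ntpd's NTP_MAXSTRLEN (the length the patch passes to
   snprintf); the value is an assumption for this example. */
#define NTP_MAXSTRLEN 256

/* The pre-patch pattern, shown only for contrast and never executed here:
 *
 *     char statstr[NTP_MAXSTRLEN];
 *     sprintf(statstr, "%04x %u %02x %s", fstamp, vallen, rval, detail);
 *
 * sprintf() does not know how large statstr is, so a peer-supplied field
 * longer than the buffer is written straight past its end on the stack.
 */

/* Post-patch pattern: the write is bounded by the buffer length, and the
   caller learns whether the text had to be cut off. Returns 1 if it fit,
   0 if truncated or on a formatting error. */
int format_status(char *statstr, size_t statlen, unsigned fstamp,
                  unsigned vallen, int rval, const char *detail)
{
    int n = snprintf(statstr, statlen, "%04x %u %02x %s",
                     fstamp, vallen, rval, detail);
    /* snprintf returns the length the full text would have needed, so
       n >= statlen means the output was truncated (still NUL-terminated). */
    return n >= 0 && (size_t)n < statlen;
}

/* Constructed check: a buffer followed by a canary, fed a "field" far longer
   than NTP_MAXSTRLEN. Returns 1 when the canary survives, the result is
   NUL-terminated at statlen-1, and truncation was reported. */
int overlong_input_stays_bounded(void)
{
    struct { char statstr[NTP_MAXSTRLEN]; char canary[8]; } frame;
    char detail[1000];

    memset(detail, 'A', sizeof detail - 1);
    detail[sizeof detail - 1] = '\0';
    memcpy(frame.canary, "CANARY!", 8);

    int fit = format_status(frame.statstr, sizeof frame.statstr,
                            0, 5, 10, detail);

    return fit == 0
        && strlen(frame.statstr) == NTP_MAXSTRLEN - 1
        && memcmp(frame.canary, "CANARY!", 8) == 0;
}

/* The ordinary case: a short field fits and the formatted text is intact. */
int short_input_fits(void)
{
    char statstr[NTP_MAXSTRLEN];
    int fit = format_status(statstr, sizeof statstr, 1, 5, 10, "ok");
    return fit == 1 && strcmp(statstr, "0001 5 0a ok") == 0;
}

int main(void)
{
    printf("overlong input bounded: %s\n",
           overlong_input_stays_bounded() ? "yes" : "NO");
    printf("short input fits:       %s\n",
           short_input_fits() ? "yes" : "NO");
    return 0;
}
```

The return value of snprintf is the part worth keeping in mind: the buffer can no longer be overrun, but a result equal to or larger than the buffer length means the status text was silently shortened, which a caller may want to log.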

Comment 19 Vincent Danen 2009-05-14 16:26:34 UTC
This issue does not affect Red Hat Enterprise Linux 2.1 or 3 because the version of ntpd does not make use of the sprintf() function in ntpd/ntp_crypto.c.

The insecure use of sprintf does affect Red Hat Enterprise Linux 4 and 5, however on RHEL5 no code execution is possible due to the use of FORTIFY_SOURCE, making this a denial of service issue on that platform.

As well, in order for this flaw to be exploited, you must have autokey / public key cryptography authentication enabled, which is not the default.  Successful exploitation will also have a smaller impact due to the fact that ntpd runs with user/group ntp privileges, not root privileges, and is further confined by SELinux policies.

Comment 20 Tomas Hoger 2009-05-18 14:06:18 UTC
Fixed now upstream in 4.2.4p7.


Upstream ChangeLog:

(4.2.4p7) 2009/05/18 Released by Harlan Stenn <stenn>

* [Sec 1151] Remote exploit if autokey is enabled - CVE-2009-1252.


Upstream NEWS file:

* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.


Upstream bug report:
  https://support.ntp.org/bugs/show_bug.cgi?id=1151
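The NEWS entry above ties exposure to a "crypto pw whatever" line in ntp.conf, so a quick way to tell whether the "do not enable autokey" mitigation already applies is to look for an active crypto directive. The following is an added example, not ntp's own code: it scans configuration text line by line, ignores leading whitespace and commented lines, and reports whether a crypto directive is present. The sample configurations are constructed, the function name is an assumption, and the check treats any uncommented "crypto" directive as enabling autokey (not only one with a "pw" argument).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the ntp.conf text contains an active (uncommented) "crypto"
   directive as the first word of a line, 0 otherwise. */
int autokey_enabled(const char *conf)
{
    const char *line = conf;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *s = line;
        while (s < end && isspace((unsigned char)*s))
            s++;
        size_t rest = (size_t)(end - s);
        /* a '#' at the start of the line makes it a comment; match "crypto"
           as a whole word so that other directives are not mistaken for it */
        if (rest >= 6 && strncmp(s, "crypto", 6) == 0 &&
            (rest == 6 || isspace((unsigned char)s[6])))
            return 1;
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Constructed sample configurations (not taken from any real host). */
const char *const conf_with_autokey =
    "driftfile /var/lib/ntp/drift\n"
    "server ntp.example.com\n"
    "crypto pw whatever\n";

const char *const conf_autokey_commented =
    "driftfile /var/lib/ntp/drift\n"
    "# crypto pw whatever\n"
    "server ntp.example.com\n";

const char *const conf_no_autokey =
    "driftfile /var/lib/ntp/drift\n"
    "server ntp.example.com\n"
    "restrict default nomodify notrap\n";

/* With a path argument, read that file (up to 64 KiB) and report on it;
   without one, run over the constructed samples. */
int main(int argc, char **argv)
{
    static char buf[65536];
    if (argc > 1) {
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 2; }
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        printf("%s: autokey %s\n", argv[1],
               autokey_enabled(buf) ? "ENABLED" : "not enabled");
        return 0;
    }
    printf("sample with crypto line:     %d\n", autokey_enabled(conf_with_autokey));
    printf("sample with commented line:  %d\n", autokey_enabled(conf_autokey_commented));
    printf("sample without crypto line:  %d\n", autokey_enabled(conf_no_autokey));
    return 0;
}
```

Run it against the live configuration (typically /etc/ntp.conf) to decide whether a host is in the exposed configuration; a result of "not enabled" means the mitigation named in the description is already in place, though the fixed package should still be applied.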

Comment 21 errata-xmlrpc 2009-05-18 20:35:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html

Comment 22 errata-xmlrpc 2009-05-18 20:54:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html

Comment 23 Fedora Update System 2009-05-19 16:22:19 UTC
ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9

Comment 24 Fedora Update System 2009-05-19 16:23:10 UTC
ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10

Comment 25 Fedora Update System 2009-05-19 16:23:47 UTC
ntp-4.2.4p7-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc11

Comment 26 Jan Lieskovsky 2009-05-19 19:47:45 UTC
CVE-2009-1252:

Stack-based buffer overflow in the crypto_recv function in
ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74,
when OpenSSL and autokey are enabled, allows remote attackers to
execute arbitrary code via a crafted packet containing an extension
field.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
https://launchpad.net/bugs/cve/2009-1252
https://support.ntp.org/bugs/show_bug.cgi?id=1151
http://www.kb.cert.org/vuls/id/853097
http://www.securityfocus.com/bid/35017

Comment 27 Fedora Update System 2009-05-28 19:00:33 UTC
ntp-4.2.4p7-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-2.fc11

Comment 28 Fedora Update System 2009-05-30 02:28:00 UTC
ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2009-05-30 02:32:50 UTC
ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2009-06-16 01:33:29 UTC
ntp-4.2.4p7-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

