As per the upstream NTP security advisory, multiple buffer overflows were reported in the ntp daemon; details are provided below.

* Buffer overflow in crypto_recv()

When Autokey Authentication is enabled (i.e. the ntp.conf file contains a 'crypto pw ...' directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Mitigation: Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

* Buffer overflow in ctl_putdata()

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. This vulnerability was discovered by Stephen Roettger of the Google Security Team.

* Buffer overflow in configure()

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. This vulnerability was discovered by Stephen Roettger of the Google Security Team.
Upstream change to the NEWS file with details quoted in comment 0:
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=5493dc3dofY6drKJde9W-5O1M3s4eg

* Buffer overflow in crypto_recv()
Upstream bug: http://bugs.ntp.org/show_bug.cgi?id=2667
Upstream commit: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acc4dN1TbM1tRJrbPcA4yc1aTdA

* Buffer overflow in ctl_putdata()
Upstream bug: http://bugs.ntp.org/show_bug.cgi?id=2668
Upstream commit: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acdf3tUSFizXcv_X4b77Jt_Y-cg

* Buffer overflow in configure()
Upstream bug: http://bugs.ntp.org/show_bug.cgi?id=2669
Upstream commit: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g
External References:
https://access.redhat.com/articles/1305723
http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_crypto_recv
There are three issues described by CVE-2014-9295.

* Buffer overflow in crypto_recv()
This is an issue when Autokey Authentication is enabled, which it is not by default. As this is a non-default setting we rate this issue as having Important impact.

* Buffer overflow in ctl_putdata()
This issue is a problem if you allow control messages from untrusted hosts. By default these messages are allowed from localhost only. As this is a non-default setting we rate this issue as having Important impact.

* Buffer overflow in configure()
Our analysis has shown this issue would be a denial of service and not allow remote code execution. The overflow is a single null byte in the data segment and will overwrite part of a local file descriptor variable, which will not result in code execution. As this is a denial of service we rate this issue as having Important impact.
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1176191]
Also note that the privileges yielded by the ntp user are quite limited (ntpd only has the net_bind_service and sys_time capabilities).
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:2025 https://rhn.redhat.com/errata/RHSA-2014-2025.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:2024 https://rhn.redhat.com/errata/RHSA-2014-2024.html
Statement: (none)
ntp-4.2.6p5-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Mitigation: Add these lines (included by default starting with Red Hat Enterprise Linux 5) to the configuration file /etc/ntp.conf:

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict -6 ::1

This restricts server-type functionality to localhost. If ntpd needs to perform time service for specific hosts and networks, you have to list them with suitable restrict statements.
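A quick way to check a configuration against the two exposure conditions raised in the comments above: the 'crypto' directive that enables Autokey (comment 0's crypto_recv() mitigation) and default restrict lines that lack nomodify/noquery (the restrict-based mitigation in the preceding comment, which is what keeps mode 6 control messages, and so ctl_putdata() and configure(), reachable only from localhost). This is an added example, not code from this bug, Red Hat or the NTP project; the function names and the two sample ntp.conf files are constructed for it. It checks only the default restrict lines, so per-host restrict lines that grant queries are not flagged, and a clean result is not a substitute for installing the fixed package.

```shell
#!/bin/sh
# Added example (not from the Red Hat bug or the NTP project): audit an
# ntp.conf for the two CVE-2014-9295 exposure conditions described above:
#   1. an active 'crypto' directive, i.e. Autokey enabled, which makes the
#      crypto_recv() overflow reachable;
#   2. default restrict lines without nomodify/noquery, i.e. control (mode 6)
#      messages accepted from any host, which exposes ctl_putdata()/configure().
# The two sample ntp.conf files written by write_samples are constructed.

# Print only active directives: strip '#' comments, leading blanks, empty lines.
active_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" | grep -v '^$'
}

# Exit 0 if any active line begins with the 'crypto' keyword.
autokey_enabled() {
    active_lines "$1" | grep -Eq '^crypto([[:space:]]|$)'
}

# Exit 0 if the default restrict line for family $2 (-4 or -6) carries flag $3.
# Word boundaries are spelled out because \b is not portable in grep -E.
default_restrict_has() {
    case $2 in
        -6) pat='^restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)' ;;
        *)  pat='^restrict[[:space:]]+(-4[[:space:]]+)?default([[:space:]]|$)' ;;
    esac
    active_lines "$1" | grep -E "$pat" | grep -Eq "(^|[[:space:]])$3([[:space:]]|$)"
}

# Exit 0 if both the IPv4 and IPv6 defaults carry nomodify and noquery, i.e.
# the restrict-based mitigation from the comment above is in place.
defaults_locked_down() {
    for fam in -4 -6; do
        for flag in nomodify noquery; do
            default_restrict_has "$1" "$fam" "$flag" || return 1
        done
    done
    return 0
}

# Full audit: print findings; exit 0 only when neither condition applies.
audit_conf() {
    rc=0
    if autokey_enabled "$1"; then
        echo "$1: Autokey enabled ('crypto' directive present): crypto_recv() reachable"
        rc=1
    fi
    if ! defaults_locked_down "$1"; then
        echo "$1: default restrict lines lack nomodify/noquery: mode 6 control messages accepted from any host"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$1: configuration mitigations in place (still install the fixed ntp package)"
    fi
    return "$rc"
}

# Write two constructed sample configurations into directory $1.
write_samples() {
    cat > "$1/vulnerable.conf" <<'EOF'
# constructed sample: Autokey on, defaults answer queries from anyone
server ntp.example.com
crypto pw mysecret
restrict default kod
restrict -6 default kod
restrict 127.0.0.1
EOF
    cat > "$1/mitigated.conf" <<'EOF'
# constructed sample: crypto commented out, the recommended restrict lines
server ntp.example.com
# crypto pw mysecret
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# Stand-alone demo; on a real host run: audit_conf /etc/ntp.conf
tmp=$(mktemp -d)
write_samples "$tmp"
audit_conf "$tmp/vulnerable.conf" || true
audit_conf "$tmp/mitigated.conf" || true
rm -rf "$tmp"
```

The vulnerable sample trips both checks and audit_conf exits 1; the mitigated sample, which carries exactly the four restrict lines quoted above with the crypto line commented out, passes and exits 0.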
ntp-4.2.6p5-25.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Blog post about this issue from the original reporter: http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2015:0104 https://rhn.redhat.com/errata/RHSA-2015-0104.html