Bug 1176037 (CVE-2014-9295) - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
Summary: CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9295
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1176067 1176068 1176069 1176070 1176100 1176191 1176680 1180650
Blocks: 1176041
Reported: 2014-12-19 09:05 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-09-29 13:25 UTC (History)

Fixed In Version: ntp 4.2.8
Doc Type: Bug Fix
Doc Text:
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use any of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited by local attackers, and the configure() flaw requires additional authentication to exploit.
Clone Of:
Environment:
Last Closed: 2014-12-20 02:45:21 UTC
Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:2024 normal SHIPPED_LIVE Important: ntp security update 2014-12-20 07:40:29 UTC
Red Hat Product Errata RHSA-2014:2025 normal SHIPPED_LIVE Important: ntp security update 2014-12-20 05:43:37 UTC
Red Hat Product Errata RHSA-2015:0104 normal SHIPPED_LIVE Important: ntp security update 2015-01-28 23:52:05 UTC

Description Huzaifa S. Sidhpurwala 2014-12-19 09:05:47 UTC
As per the upstream NTP security advisory, multiple buffer overflows were reported in the ntp daemon; details are provided below.

* Buffer overflow in crypto_recv()

When Autokey Authentication is enabled (i.e. the ntp.conf file contains a 'crypto pw ...' directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
This vulnerability was discovered by Stephen Roettger of the Google Security Team. 

Mitigation: 
Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

* Buffer overflow in ctl_putdata()

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
This vulnerability was discovered by Stephen Roettger of the Google Security Team. 

* Buffer overflow in configure()

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Comment 2 Tomas Hoger 2014-12-19 09:20:17 UTC
Upstream change to the NEWS file with details quoted in comment 0:

http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=5493dc3dofY6drKJde9W-5O1M3s4eg

* Buffer overflow in crypto_recv()

Upstream bug:
http://bugs.ntp.org/show_bug.cgi?id=2667

Upstream commit:
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acc4dN1TbM1tRJrbPcA4yc1aTdA

* Buffer overflow in ctl_putdata()

Upstream bug:
http://bugs.ntp.org/show_bug.cgi?id=2668

Upstream commit:
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acdf3tUSFizXcv_X4b77Jt_Y-cg

* Buffer overflow in configure()

Upstream bug:
http://bugs.ntp.org/show_bug.cgi?id=2669

Upstream commit:
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g

Comment 11 Huzaifa S. Sidhpurwala 2014-12-19 14:55:36 UTC
There are three issues described by CVE-2014-9295.
 
* Buffer overflow in crypto_recv()
This is an issue when Autokey Authentication is enabled, which it is not by default. As this is a non-default setting we rate this issue as having Important impact.

* Buffer overflow in ctl_putdata()
This issue is a problem if you allow control messages from untrusted hosts. By default these messages are allowed from localhost only. As this is a non-default setting we rate this issue as having Important impact.

* Buffer overflow in configure()
Our analysis has shown this issue would be a denial of service and not allow remote code execution. The overflow is a single null byte in the data segment and will overwrite part of a local file descriptor variable, which will not result in code execution. As this is a denial of service we rate this issue as having Important impact.

Comment 13 Tomas Hoger 2014-12-19 16:21:18 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1176191]

Comment 15 Vincent Danen 2014-12-19 20:50:45 UTC
Also note that the privileges yielded by the ntp user are quite limited (ntpd only has the net_bind_service and sys_time capabilities).

Comment 16 errata-xmlrpc 2014-12-20 00:44:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:2025 https://rhn.redhat.com/errata/RHSA-2014-2025.html

Comment 17 errata-xmlrpc 2014-12-20 02:40:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:2024 https://rhn.redhat.com/errata/RHSA-2014-2024.html

Comment 18 Vincent Danen 2014-12-20 02:51:01 UTC
Statement:

(none)

Comment 19 Fedora Update System 2014-12-22 02:37:34 UTC
ntp-4.2.6p5-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Florian Weimer 2014-12-23 13:54:36 UTC
Mitigation:

Add these lines (included by default starting with Red Hat Enterprise Linux 5) to the configuration file /etc/ntp.conf:

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1 
    restrict -6 ::1

This restricts server-type functionality to localhost.  If ntpd needs to perform time service for specific hosts and networks, you have to list them with suitable restrict statements.
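The following checker is an added example, not part of this bug report or of the ntp project. It parses the restrict directives of an ntp.conf and reports whether the mitigation above (noquery/nomodify on the default entries, so that control messages, the path into ctl_putdata() noted in comment 11, are only accepted from localhost) is in place; the sample configurations are constructed, and the 192.0.2.0 LAN entry is hypothetical.

```python
# Added example, not from the bug report or ntp itself. Assumes the classic
# "restrict [-4|-6] <addr> [mask <m>] [flags...]" ntp.conf directive syntax.
REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

# Constructed samples: the first mirrors the mitigation lines from comment 20.
MITIGATED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""
WEAK_CONF = """\
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap  # constructed LAN entry
"""

def parse_restrict_lines(conf_text):
    """Return (address, flag_set) for every restrict directive in conf_text."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens[0] in ("-4", "-6"):                # address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        addr, flags = tokens[0], tokens[1:]
        if flags[:1] == ["mask"]:                    # skip 'mask <netmask>'
            flags = flags[2:]
        entries.append((addr, set(flags)))
    return entries

def check_mitigation(conf_text):
    """Return findings; an empty list means the mitigation is in place."""
    findings = []
    entries = parse_restrict_lines(conf_text)
    defaults = [flags for addr, flags in entries if addr == "default"]
    if not defaults:
        findings.append("no 'restrict default': any host may send control/modify requests")
    for flags in defaults:
        missing = sorted(REQUIRED_DEFAULT_FLAGS - flags)
        if missing:
            findings.append("restrict default lacks: " + " ".join(missing))
    for addr, flags in entries:
        if addr == "default" or addr in ("127.0.0.1", "::1"):
            continue
        if "noquery" not in flags:                   # queries reach ctl_putdata()
            findings.append(f"restrict {addr} permits control queries (no 'noquery')")
    return findings
```

Run it against the live file with `check_mitigation(open("/etc/ntp.conf").read())`; hosts that legitimately need time service still get it with `noquery` set, since that flag only blocks ntpq/ntpdc control traffic.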

Comment 21 Fedora Update System 2014-12-23 18:28:40 UTC
ntp-4.2.6p5-25.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-12-31 19:00:33 UTC
ntp-4.2.6p5-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Tomas Hoger 2015-01-07 12:07:13 UTC
Blog post about this issue from the original reporter:

http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html

Comment 27 errata-xmlrpc 2015-01-28 18:52:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0104 https://rhn.redhat.com/errata/RHSA-2015-0104.html

Comment 28 Vincent Danen 2018-08-15 01:20:47 UTC
Test.