ntpd
ESXi 3.5 and ESXi 4.0 have an ntp client that is affected by the
following security issue. Note that the same security issue is
present in the ESX Service Console as described in section d. of
this advisory.
A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-10:02.ntpd Security Advisory
The FreeBSD Project
Topic: ntpd mode 7 denial of service
Category: contrib
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
h. vMA and Service Console package ntp updated to
ntp-4.2.2p1-9.el5_4.1.i386.rpm
A flaw was discovered in the way ntpd handled certain malformed NTP
packets. ntpd logged information about all such packets and replied
with an NTP packet that was treated as malformed when received by
another ntpd. A remote attacker could use this flaw to create an NTP
packet reply loop between two ntpd servers through a malformed packet
with a spoofed source IP address and port, causing ntpd on those
In addition, two bugs were discovered in the dovecot package shipped
with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
configuration file were too restrictive, which prevented the use of
dovecot's 'deliver' command as a non-root user. Secondly, dovecot
should not start until after ntpd, if ntpd is active, because if ntpd
corrects the time backwards while dovecot is running, dovecot will
quit automatically, with the log message 'Time just moved backwards
by X seconds. This might cause a lot of problems, so I'll just kill
myself now.' The update resolves both of these problems. The default
permissions on dovecot.conf now allow the 'deliver' command to read the
Mandriva Linux Security Advisory MDVSA-2009:328
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ntp
Date : December 8, 2009
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 3.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Mandriva Linux Security Advisory MDVSA-2009:117
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ntp
Date : May 19, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Mandriva Linux Security Advisory MDVSA-2009:309
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ntp
Date : December 3, 2009
Affected: 2008.0
_______________________________________________________________________
Problem Description:
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
Description:
Previous versions of the ntp package contain an ntpd daemon which,
in a non-default configuration (using public key cryptography for
ntp packet authentication), allows a remote attacker to crash the
ntpd daemon (or, in rPath Linux 1, possibly execute remote code).
http://wiki.rpath.com/Advisories:rPSA-2009-0092
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:11.ntpd Security Advisory
The FreeBSD Project
Topic: ntpd stack-based buffer-overflow vulnerability
Category: contrib
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: NTP: Denial of Service
Date: January 03, 2010
Bugs: #290881
ID: 201001-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The Network Time Protocol (NTP) is used to synchronize the time of
a computer client or server to another server or reference time
source.
A vulnerability in ntpd could allow a remote attacker to cause a
denial of service (CPU and bandwidth consumption) by using
MODE_PRIVATE to send a spoofed (1) request or (2) response packet
that triggers a continuous exchange of MODE_PRIVATE error responses
between two NTP daemons.
- the firewall is not activated by default, but there are services running
even if you don't activate any sharing (as shown by netstat or lsof)
- if you set it to "Block all incoming connections" it still allows access
to certain system services. We could access the ntp daemon that is running
by default over the internet. In a LAN-based scenario, we were able to
query the Netbios naming service even with full blocking enabled.
- if you set it to "Set access to specific services and programs" the
firewall permits access to listening processes started by the user,
* Apple Product Security reported a boundary error in the
cookedprint() function in ntpq/ntpq.c, possibly leading to a
stack-based buffer overflow (CVE-2009-0159).
* Chris Ries of CMU reported a boundary error within the
crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a
stack-based buffer overflow (CVE-2009-1252).
Impact
======
denial of service attack or to execute arbitrary code via a crafted
response.
CVE-2009-1252
A buffer overflow in ntpd allows a remote attacker to create a
denial of service attack or to execute arbitrary code when the
autokey functionality is enabled.
For the old stable distribution (etch), these problems have been fixed in
version 4.2.2.p4+dfsg-2etch3.
Robin Park and Dmitri Vinokurov discovered that the daemon component of
the ntp package, a reference implementation of the NTP protocol, is
not properly reacting to certain incoming packets.
Unexpected NTP mode 7 packets (MODE_PRIVATE) with spoofed IP data can lead
ntpd to reply with a mode 7 response to the spoofed address. This may result
in the service playing packet ping-pong with other ntp servers or even itself,
which drives up CPU usage and causes excessive disk use due to logging. An
attacker can use this to conduct denial of service attacks.
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Robin Park and Dmitri Vinokurov discovered a logic error in ntpd. A remote
attacker could send a crafted NTP mode 7 packet with a spoofed IP address
of an affected server and cause a denial of service via CPU and disk
resource consumption.