Bug 501632 (CVE-2009-1252) - VUL-0: CVE-2009-1252: xntp: buffer overflow if autokey is enabled (VU#853097)
Summary: VUL-0: CVE-2009-1252: xntp: buffer overflow if autokey is enabled (VU#853097)
Status: RESOLVED FIXED
Alias: CVE-2009-1252
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
: P5 - None : Major
Target Milestone: ---
Deadline: 2009-06-04
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp2:24519
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-07 07:43 UTC by Thomas Biege
Modified: 2014-04-10 13:24 UTC

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Thomas Biege 2009-05-07 07:43:33 UTC
Hi.
There is a security bug in 'xntp'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2009-1252
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252


Original posting:



----- Forwarded message from CERT Coordination Center <cert@cert.org> -----

Date: Wed, 6 May 2009 18:14:44 -0400
To: SuSE Security Team <security@suse.de>
From: CERT Coordination Center <cert@cert.org>
Old-Content-Type: text/plain
Cc: CERT Coordination Center <cert@cert.org>
Subject: [security@suse.de] Vendor Notification VU#853097 - suse
Errors-To: security-bounces+thomas=suse.de@suse.de


Hello Folks,

We've been made aware of a vulnerability in NTP in configurations
where autokey is enabled.  We've been working with the reporter and
have not yet decided on a specific release date for the vulnerability.

Here is the original information that was provided about the bug:

-----

The bug affects ntp-stable (4.2.4 and perhaps before), and ntp-dev up to
ntp-4.2.5p74 (near as I can instantly recall).

The patch is to look for lines in ntpd/ntp_crypto.c of the form:

sprintf(statstr,

and replace them with:

snprintf(statstr, NTP_MAXSTRLEN,

So far, only systems that have enabled autokey are vulnerable.

Autokey is enabled if there is a line of the form:

crypto pw whatever

in the ntp.conf file.

-----


Here is a draft of the vulnerability from the reporter:

-----

2009-05-04: Remote exploit if autokey is enabled.

* References: [Sec 1151] CVE-2009-1252
* Affected Versions:
Vulnerability introduced in 4.1.70(?), on 2001-08-15, through:
4.2.4 before 4.2.4p7 (fixed 2009-05-04)
4.2.5 before 4.2.5p74 (fixed 2007-09-10)
* Summary: If autokey is enabled (the ntp.conf file contains the line
"crypto pw whatever"), a remote attacker can send a carefully crafted
packet that can overflow a stack buffer and potentially allow for
malicious code to be executed with the privilege level of the ntpd
process.
* Mitigation:
* Upgrade to 4.2.4p7 or 4.2.5p74, or later:

Get releases containing the fix from http://support.ntp.org/download

* Otherwise, be sure you are *not* enabling autokey - remove
'crypto pw whatever' from your ntp.conf file
* Credit: This vulnerability was discovered by Chris Ries of CMU.

When the NTP Project learned about this vulnerability and had implemented
a fix, the first people we notified were Premium Members of the NTP Forum
(http://ntpforum.isc.org).  CERT (http://cert.org) was notified next, and
we all agreed on the release date for the public announcement and the fix.


* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
Credit for finding this issue goes to Dave Hart.

THIS IS A STRONGLY RECOMMENDED UPGRADE.


-----


The reporter has indicated that 4.2.4p7-RC5 currently contains the
fix, and that this version will be the same as the release version,
aside from the version number.  What's not clear at this point is when
p7 may officially be released, along with the vulnerability details.

Once we determine this timing, we'll send out another email with those
details.  We're sending out this message just to make sure that nobody
is caught off guard.


Thank you,
   Will Dormann

=============================
Vulnerability Analyst
CERT Coordination Center
4500 Fifth Ave.
Pittsburgh, PA 15213
1-412-268-7090
=============================




----- End forwarded message -----
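Added illustration, not code from the page, the NTP project or CERT: the bounded sprintf-to-snprintf replacement the forwarded mail describes, with an assumed NTP_MAXSTRLEN of 256 and a placeholder format string standing in for the stats lines in ntpd/ntp_crypto.c, plus a safe measurement of how far an unbounded sprintf would have overrun a fixed buffer on a constructed over-long input.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; the real NTP_MAXSTRLEN in ntp_crypto.c is not quoted on the page. */
#define NTP_MAXSTRLEN 256

/* Bounded form of the sprintf(statstr, ...) calls the advisory says to replace (placeholder
 * format). Returns 1 if the message fit in len bytes, 0 if it had to be truncated. */
int format_statstr(char *statstr, size_t len, const char *what, const char *name, int seq)
{
    int need = snprintf(statstr, len, "%s %s ser %d", what, name, seq);
    return need >= 0 && (size_t)need < len;
}

/* Bytes an unbounded sprintf() of the same message would write past a NTP_MAXSTRLEN
 * buffer (0 when it fits). snprintf(NULL, 0, ...) only measures, nothing is written. */
size_t overflow_bytes(const char *what, const char *name, int seq)
{
    int need = snprintf(NULL, 0, "%s %s ser %d", what, name, seq);
    if (need < 0)
        return 0;
    size_t total = (size_t)need + 1;   /* count the NUL terminator */
    return total > NTP_MAXSTRLEN ? total - NTP_MAXSTRLEN : 0;
}

/* Constructed 300-byte peer name standing in for untrusted packet content that reaches the call. */
static const char *long_name(void)
{
    static char name[301];
    memset(name, 'A', 300);
    name[300] = '\0';
    return name;
}

/* Results on the constructed sample, as named functions so they can be checked. */
size_t sample_overflow(void) { return overflow_bytes("cert", long_name(), 1); }

int sample_fits(void)
{
    char statstr[NTP_MAXSTRLEN];
    return format_statstr(statstr, sizeof statstr, "cert", long_name(), 1);
}

int main(void)
{
    printf("unbounded sprintf would overflow by %zu bytes; bounded fit: %d\n",
           sample_overflow(), sample_fits());
    return 0;
}
```

With the 300-byte name the unbounded call would run 56 bytes past the buffer, while the bounded call reports truncation and writes nothing beyond it.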
Comment 1 Thomas Biege 2009-05-07 07:54:47 UTC
bug is NOT PUBLIC, sorry.
Comment 2 Swamp Workflow Management 2009-05-07 07:56:40 UTC
The SWAMPID for this issue is 24462.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/24462)
Comment 3 Thomas Biege 2009-05-07 09:59:52 UTC
CRD not set yet
Comment 4 Peter Varkoly 2009-05-07 11:27:46 UTC
patches submitted for:
SLES9, SLES10, SLE11, 10.3, 11.0, 11.1
Comment 5 Thomas Biege 2009-05-08 06:34:13 UTC
Thanks.
Comment 6 Thomas Biege 2009-05-08 06:49:22 UTC
CRD 18 May
Comment 11 Swamp Workflow Management 2009-05-18 22:08:33 UTC
Update released for: ntp, ntp-debuginfo, ntp-debugsource, ntp-doc
Products:
SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Comment 12 Swamp Workflow Management 2009-05-18 22:09:01 UTC
Update released for: xntp, xntp-doc
Products:
Novell-Linux-Desktop 9 (i386, x86_64)
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Comment 13 Swamp Workflow Management 2009-05-18 22:09:21 UTC
Update released for: xntp, xntp-doc
Products:
SLE-DEBUGINFO 10-SP2 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP2 (i386, x86_64)
SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Comment 14 Dirk Mueller 2009-05-22 09:33:08 UTC
closing
Comment 15 Thomas Biege 2009-10-14 02:29:58 UTC
CVE-2009-1252: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)