Network Time Protocol Daemon (ntpd) 4.x < 4.2.4p7 / 4.x < 4.2.5p74 crypto_recv() Function RCE

high Nessus Plugin ID 38831

Synopsis

The remote NTP server is affected by a remote code execution vulnerability.

Description

The version of the remote NTP server is 4.x prior to 4.2.4p7 or 4.x prior to 4.2.5p74. It is, therefore, affected by a stack-based buffer overflow condition due to the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

Note that this issue is exploitable only if ntpd was compiled with OpenSSL support and autokey authentication is enabled. The presence of the following line in ntp.conf indicates a vulnerable system :

crypto pw *password*

Nessus did not check if the system is configured in this manner.

Solution

Upgrade to NTP version 4.2.4p7 / 4.2.5p74 or later.

See Also

http://bugs.ntp.org/show_bug.cgi?id=1151

Plugin Details

Severity: High

ID: 38831

File Name: ntpd_autokey_overflow.nasl

Version: 1.18

Type: remote

Family: Misc.

Published: 5/20/2009

Updated: 7/16/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: NTP/Running, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/18/2009

Reference Information

CVE: CVE-2009-1252

BID: 35017

CWE: 119

CERT: 853097

Secunia: 35130