CVE-2005-2496 - Unspecified vulnerability in Dave Mills Ntpd
Metric | Value |
---|---|
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |

dave-mills
nessus
Summary
The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Nessus
- NASL family: Misc.
  NASL id: NTP_INCORRECT_GROUP_PRIVS.NASL
  description: According to its version number, the NTP (Network Time Protocol) server running on the remote host is affected by a flaw that causes it to run with the permissions of a privileged user if a group name rather than a group ID is specified on the command line. A local attacker, who has managed to compromise the application through some other means, can exploit this issue to gain elevated privileges.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 19517
  published: 2005-08-29
  reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/19517
  title: Network Time Protocol Daemon (ntpd) < 4.2.1 -u Group Permission Weakness Privilege Escalation

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2005-812.NASL
  description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2496 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 19720
  published: 2005-09-17
  reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/19720
  title: Fedora Core 3 : ntp-4.2.0.a.20040617-5.FC3 (2005-812)

- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-175-1.NASL
  description: Thomas Biege discovered a flaw in the privilege dropping of the NTP server. When ntpd was configured to drop root privileges, and the group to run under was specified as a name (as opposed to a numeric group ID), ntpd changed to the wrong group. Depending on the actual group it changed to, this could either cause non-minimal privileges, or a malfunctioning ntp server if the group does not have the privileges that ntpd actually needs. On Ubuntu 4.10, ntpd does not use privilege dropping by default, so you are only affected if you manually activated it. In Ubuntu 5.04, privilege dropping is used by default, but this bug is already fixed. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 20585
  published: 2006-01-15
  reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/20585
  title: Ubuntu 4.10 : ntp vulnerability (USN-175-1)

- NASL family: Red Hat Local Security Checks
  NASL id: REDHAT-RHSA-2006-0393.NASL
  description: Updated ntp packages that fix several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 22220
  published: 2006-08-14
  reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/22220
  title: RHEL 4 : ntp (RHSA-2006:0393)

- NASL family: Mandriva Local Security Checks
  NASL id: MANDRAKE_MDKSA-2005-156.NASL
  description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. The updated packages have been patched to correct this problem.
  last seen: 2017-10-29
  modified: 2012-09-07
  plugin id: 20424
  published: 2006-01-15
  reporter: Tenable
  source: https://www.tenable.com/plugins/index.php?view=single&id=20424
  title: MDKSA-2005:156 : ntp

- NASL family: CentOS Local Security Checks
  NASL id: CENTOS_RHSA-2006-0393.NASL
  description: Updated ntp packages that fix several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 22275
  published: 2006-08-30
  reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/22275
  title: CentOS 4 : ntp (CESA-2006:0393)

- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DSA-801.NASL
  description: SuSE developers discovered that ntp confuses the given group id with the group id of the given user when called with a group id on the commandline that is specified as a string and not as a numeric gid, which causes ntpd to run with different privileges than intended.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 19571
  published: 2005-09-06
  reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/19571
  title: Debian DSA-801-1 : ntp - programming error
Oval
Field | Value |
---|---|
accepted | 2013-04-29T04:21:13.175-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended. |
family | unix |
id | oval:org.mitre.oval:def:9669 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended. |
version | 26 |
Redhat
advisories | |
rpms | |
References
- http://secunia.com/advisories/16602
- http://secunia.com/advisories/21464
- http://securitytracker.com/id?1016679
- http://www.debian.org/security/2005/dsa-801
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:156
- http://www.osvdb.org/19055
- http://www.redhat.com/support/errata/RHSA-2006-0393.html
- http://www.securityfocus.com/bid/14673
- http://www.securityspace.com/smysecure/catid.html?id=55155
- http://www.vupen.com/english/advisories/2005/1561
- https://exchange.xforce.ibmcloud.com/vulnerabilities/22035
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9669