CVE-2009-0159 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in NTP

Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary
Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
Vulnerable Configurations

Part | Description | Count |
---|---|---|
Application | Ntp | 29 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2015-0002.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : - don
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 80395; published: 2015-01-07
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80395
title: OracleVM 2.2 : ntp (OVMSA-2015-0002)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2015-0002.
#

include("compat.inc");

if (description)
{
  script_id(80395);
  script_version("1.19");
  script_cvs_date("Date: 2019/09/27 13:00:34");

  script_cve_id("CVE-2009-0021", "CVE-2009-0159", "CVE-2009-1252", "CVE-2009-3563", "CVE-2014-9293", "CVE-2014-9294", "CVE-2014-9295");
  script_bugtraq_id(33150, 34481, 35017, 37255, 71757, 71761, 71762);

  script_name(english:"OracleVM 2.2 : ntp (OVMSA-2015-0002)");
  script_summary(english:"Checks the RPM output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote OracleVM host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - don't generate weak control key for resolver (CVE-2014-9293)
  - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294)
  - fix buffer overflows via specially-crafted packets (CVE-2014-9295)
  - increase memlock limit again (#1035198)
  - allow selection of cipher for private key files (#741573)
  - revert init script priority (#470945, #689636)
  - drop tentative patch (#489835)
  - move restorecon call to %posttrans
  - call restorecon on ntpd and ntpdate on start (#470945)
  - don't crash with more than 512 local addresses (#661934)
  - add -I option (#528799)
  - fix -L option to not require argument (#460434)
  - move ntpd and ntpdate to /sbin and start earlier on boot (#470945, #689636)
  - increase memlock limit (#575874)
  - ignore tentative addresses (#489835)
  - print synchronization distance instead of dispersion in ntpstat (#679034)
  - fix typos in ntpq and ntp-keygen man pages (#664524, #664525)
  - clarify ntpd -q description (#591838)
  - don't verify ntp.conf (#481151)
  - replace Prereq tag
  - fix DoS with mode 7 packets (#532640, CVE-2009-3563)
  - compile with -fno-strict-aliasing
  - fix buffer overflow when parsing Autokey association message (#500784, CVE-2009-1252)
  - fix buffer overflow in ntpq (#500784, CVE-2009-0159)
  - fix check for malformed signatures (#479699, CVE-2009-0021)"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2015-January/000253.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?cb11e689"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119, 287);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:ntp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/01/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local (credentialed) check: needs an SSH session and the host's RPM list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Only OracleVM 2.2.x hosts are in scope for this advisory.
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);

# Flag the host if the installed ntp RPM is older than the fixed build.
flag = 0;
if (rpm_check(release:"OVS2.2", reference:"ntp-4.2.2p1-18.el5_11")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
}
```
NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2009-1039.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 43750; published: 2010-01-06
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/43750
title: CentOS 5 : ntp (CESA-2009:1039)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2009-1651.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 43072; published: 2009-12-09
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/43072
title: CentOS 3 : ntp (CESA-2009:1651)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2009-1651.NASL
description: From Red Hat Security Advisory 2009:1651 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 67970; published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67970
title: Oracle Linux 3 : ntp (ELSA-2009-1651)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2009-1040.NASL
description: From Red Hat Security Advisory 2009:1040 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 67861; published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67861
title: Oracle Linux 4 : ntp (ELSA-2009-1040)

NASL family: HP-UX Local Security Checks
NASL id: HPUX_PHNE_39871.NASL
description: s700_800 11.11 NTP timeservices upgrade plus utilities : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to execute arbitrary code.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 40364; published: 2009-07-27
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40364
title: HP-UX PHNE_39871 : HP-UX Running XNTP, Remote Execution of Arbitrary Code (HPSBUX02437 SSRT090038 rev.2)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-5273.NASL
description: This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38961; published: 2009-06-01
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38961
title: Fedora 10 : ntp-4.2.4p7-1.fc10 (2009-5273)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1039.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38820; published: 2009-05-19
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38820
title: RHEL 5 : ntp (RHSA-2009:1039)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-5275.NASL
description: This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38962; published: 2009-06-01
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38962
title: Fedora 9 : ntp-4.2.4p7-1.fc9 (2009-5275)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_NTP-090508.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 41441; published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41441
title: SuSE 11 Security Update : ntp (SAT Patch Number 863)

NASL family: SuSE Local Security Checks
NASL id: SUSE_XNTP-6231.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38847; published: 2009-05-20
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38847
title: openSUSE 10 Security Update : xntp (xntp-6231)

NASL family: HP-UX Local Security Checks
NASL id: HPUX_PHNE_42470.NASL
description: s700_800 11.31 cumulative ARPA Transport patch : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to create a Denial of Service (DoS) or execute arbitrary code.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 66504; published: 2013-05-19
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/66504
title: HP-UX PHNE_42470 : s700_800 11.31 cumulative ARPA Transport patch

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2009-1039.NASL
description: From Red Hat Security Advisory 2009:1039 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 67860; published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67860
title: Oracle Linux 5 : ntp (ELSA-2009-1039)

NASL family: SuSE Local Security Checks
NASL id: SUSE_XNTP-6232.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 41601; published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41601
title: SuSE 10 Security Update : xntp (ZYPP Patch Number 6232)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200905-08.NASL
description: The remote host is affected by the vulnerability described in GLSA-200905-08 (NTP: Remote execution of arbitrary code) Multiple vulnerabilities have been found in the programs included in the NTP package: Apple Product Security reported a boundary error in the cookedprint() function in ntpq/ntpq.c, possibly leading to a stack-based buffer overflow (CVE-2009-0159). Chris Ries of CMU reported a boundary error within the crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a stack-based buffer overflow (CVE-2009-1252). Impact : A remote attacker might send a specially crafted package to a machine running ntpd, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the daemon, or a Denial of Service. NOTE: Successful exploitation requires the
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38920; published: 2009-05-27
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38920
title: GLSA-200905-08 : NTP: Remote execution of arbitrary code

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-777-1.NASL
description: A stack-based buffer overflow was discovered in ntpq. If a user were tricked into connecting to a malicious ntp server, a remote attacker could cause a denial of service in ntpq, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0159) Chris Ries discovered a stack-based overflow in ntp. If ntp was configured to use autokey, a remote attacker could send a crafted packet to cause a denial of service, or possibly execute arbitrary code. (CVE-2009-1252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38848; published: 2009-05-20
reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38848
title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : ntp vulnerabilities (USN-777-1)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1651.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 43081; published: 2009-12-09
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/43081
title: RHEL 3 : ntp (RHSA-2009:1651)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2009-309.NASL
description: Multiple vulnerabilities have been found and corrected in ntp : Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution (CVE-2009-0159). A buffer overflow flaw was discovered in the ntpd daemon
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42995; published: 2009-12-04
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42995
title: Mandriva Linux Security Advisory : ntp (MDVSA-2009:309)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1040.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38821; published: 2009-05-19
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38821
title: RHEL 4 : ntp (RHSA-2009:1040)

NASL family: HP-UX Local Security Checks
NASL id: HPUX_PHNE_39873.NASL
description: s700_800 11.31 NTP timeservices upgrade plus utilities : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to execute arbitrary code.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 40366; published: 2009-07-27
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40366
title: HP-UX PHNE_39873 : HP-UX Running XNTP, Remote Execution of Arbitrary Code (HPSBUX02437 SSRT090038 rev.2)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2009-092.NASL
description: A vulnerability has been found and corrected in ntp : Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution (CVE-2009-0159). The updated packages have been patched to correct this issue.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 37998; published: 2009-04-23
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/37998
title: Mandriva Linux Security Advisory : ntp (MDVSA-2009:092)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_4175C811F690489887C5755B3CF1BAC6.NASL
description: US-CERT reports : ntpd contains a stack-based buffer overflow which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38881; published: 2009-05-26
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38881
title: FreeBSD : ntp -- stack-based buffer overflow (4175c811-f690-4898-87c5-755b3cf1bac6)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20090518_NTP_ON_SL4_X.NASL
description: A buffer overflow flaw was discovered in the ntpd daemon
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 60586; published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60586
title: Scientific Linux Security Update : ntp on SL4.x i386/x86_64

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2009-0016.NASL
description: a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. b. Update Apache Tomcat version Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5) which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. c. Third-party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 42870; published: 2009-11-23
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42870
title: VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20090518_NTP_ON_SL5_X.NASL
description: A buffer overflow flaw was discovered in the ntpd daemon
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 60587; published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60587
title: Scientific Linux Security Update : ntp on SL5.x i386/x86_64

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2009-0011.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : CVE-2009-0159 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. CVE-2009-1252 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. CVE-2009-0021 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. - fix buffer overflow when parsing Autokey association message (#500783, CVE-2009-1252) - fix buffer overflow in ntpq (#500783, CVE-2009-0159) - fix check for malformed signatures (#479698, CVE-2009-0021) - fix selecting multicast interface (#444106) - disable kernel discipline when -x option is used (#431729) - avoid use of uninitialized floating-point values in clock_select (#250838) - generate man pages from html source, include config man pages (#307271) - add note about paths and exit codes to ntpd man page (#242925, #246568) - add section about exit codes to ntpd man page (#319591) - always return 0 in scriptlets - pass additional options to ntpdate (#240141) - fix broadcast client to accept broadcasts on 255.255.255.255 (#226958) - compile with crypto support on 64bit architectures (#239580) - add ncurses-devel to buildrequires (#239580) - exit with nonzero code if ntpd -q did not set clock (#240134) - fix return codes in init script (#240118)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 79458; published: 2014-11-26
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/79458
title: OracleVM 2.1 : ntp (OVMSA-2009-0011)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_5_7.NASL
description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38744; published: 2009-05-13
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38744
title: Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2009-154-01.NASL
description: New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 39008; published: 2009-06-04
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/39008
title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : ntp (SSA:2009-154-01)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20091208_NTP_ON_SL3_X.NASL
description: CVE-2009-0159 ntp: buffer overflow in ntpq CVE-2009-3563 ntpd: DoS with mode 7 packets (VU#568372) Robin Park and Dmitri Vinokurov discovered a flaw in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers via a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages. (CVE-2009-3563) A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) SL3 Only After installing the update, the ntpd daemon will restart automatically.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 60703; published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60703
title: Scientific Linux Security Update : ntp on SL3.x, SL4.x, SL5.x i386/x86_64

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1801.NASL
description: Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0159 A buffer overflow in ntpq allows a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. - CVE-2009-1252 A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38833; published: 2009-05-20
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38833
title: Debian DSA-1801-1 : ntp - buffer overflows

NASL family: Misc.
NASL id: VMWARE_VMSA-2009-0016_REMOTE.NASL
description: The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Apache Geronimo - Apache Tomcat - Apache Xerces2 - cURL/libcURL - ISC BIND - Libxml2 - Linux kernel - Linux kernel 64-bit - Linux kernel Common Internet File System - Linux kernel eCryptfs - NTP - Python - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Abstract Window Toolkit (AWT) - Java SE Plugin - Java SE Provider - Java SE Swing - Java SE Web Start
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 89117; published: 2016-03-03
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89117
title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)

NASL family: SuSE Local Security Checks
NASL id: SUSE9_12415.NASL
description: This update fixes : - a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) - a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 41298; published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41298
title: SuSE9 Security Update : xntp (YOU Patch Number 12415)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2009-1040.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 67066; published: 2013-06-29
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67066
title: CentOS 4 : ntp (CESA-2009:1040)

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2015-0001.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : - Remove default ntp servers in ntp.conf [bug 14342986] - don
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 80394; published: 2015-01-07
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80394
title: OracleVM 3.2 : ntp (OVMSA-2015-0001)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2009-002.NASL
description: The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied. This security update contains fixes for the following products : - Apache - ATS - BIND - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - IPSec - Kerberos - Launch Services - libxml - Net-SNMP - Network Time - OpenSSL - QuickDraw Manager - Spotlight - system_cmds - telnet - Terminal - X11
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 38743; published: 2009-05-13
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38743
title: Mac OS X Multiple Vulnerabilities (Security Update 2009-002)

NASL family: HP-UX Local Security Checks
NASL id: HPUX_PHNE_39872.NASL
description: s700_800 11.23 NTP timeservices upgrade plus utilities : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to execute arbitrary code.
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 40365; published: 2009-07-27
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40365
title: HP-UX PHNE_39872 : HP-UX Running XNTP, Remote Execution of Arbitrary Code (HPSBUX02437 SSRT090038 rev.2)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_0_NTP-090508.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 40083; published: 2009-07-21
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40083
title: openSUSE Security Update : ntp (ntp-862)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_1_NTP-090508.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01; modified: 2020-06-02; plugin id: 40285; published: 2009-07-21
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40285
title: openSUSE Security Update : ntp (ntp-862)
Oval
accepted | 2015-04-20T04:01:13.528-04:00 |
class | vulnerability |
contributors | Ganesh Manal (Hewlett-Packard); Prashant Kumar (Hewlett-Packard); Mike Cokus (The MITRE Corporation) |
description | Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. |
family | unix |
id | oval:org.mitre.oval:def:19392 |
status | accepted |
submitted | 2013-11-22T11:43:28.000-05:00 |
title | HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code |
version | 47 |

accepted | 2015-05-18T04:00:14.531-04:00 |
class | vulnerability |
contributors | Pai Peng (Hewlett-Packard); Sushant Kumar Singh (Hewlett-Packard); Prashant Kumar (Hewlett-Packard); Mike Cokus (The MITRE Corporation); Jaikumar (Hewlett-Packard) |
description | Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. |
family | unix |
id | oval:org.mitre.oval:def:5411 |
status | accepted |
submitted | 2009-08-11T16:16:36.000-04:00 |
title | HP-UX Running XNTP, Remote Execution of Arbitrary Code |
version | 47 |

accepted | 2014-01-20T04:01:38.968-05:00 |
class | vulnerability |
contributors | Pai Peng (Hewlett-Packard); Chris Coffin (The MITRE Corporation) |
definition_extensions | VMware ESX Server 4.0 is installed (oval:org.mitre.oval:def:6293) |
description | Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. |
family | unix |
id | oval:org.mitre.oval:def:8386 |
status | accepted |
submitted | 2010-03-19T16:57:59.000-04:00 |
title | VMware ntpq stack-based buffer overflow vulnerability |
version | 7 |

accepted | 2014-01-20T04:01:41.556-05:00 |
class | vulnerability |
contributors | Pai Peng (Hewlett-Packard); Chris Coffin (The MITRE Corporation) |
definition_extensions | VMware ESX Server 4.0 is installed (oval:org.mitre.oval:def:6293) |
description | Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. |
family | unix |
id | oval:org.mitre.oval:def:8665 |
status | accepted |
submitted | 2010-03-19T16:57:59.000-04:00 |
title | VMware ntpd stack-based buffer overflow vulnerability |
version | 7 |

accepted | 2013-04-29T04:20:53.699-04:00 |
class | vulnerability |
contributors | Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.) |
definition_extensions | The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782); CentOS Linux 3.x (oval:org.mitre.oval:def:16651); The operating system installed on the system is Red Hat Enterprise Linux 4 (oval:org.mitre.oval:def:11831); CentOS Linux 4.x (oval:org.mitre.oval:def:16636); Oracle Linux 4.x (oval:org.mitre.oval:def:15990); The operating system installed on the system is Red Hat Enterprise Linux 5 (oval:org.mitre.oval:def:11414); The operating system installed on the system is CentOS Linux 5.x (oval:org.mitre.oval:def:15802); Oracle Linux 5.x (oval:org.mitre.oval:def:15459) |
description | Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. |
family | unix |
id | oval:org.mitre.oval:def:9634 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. |
version | 27 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 34481 CVE(CAN) ID: CVE-2009-0159 NTP (Network Time Protocol) is a protocol used to synchronize computer clocks over a network. A stack overflow vulnerability exists in the ntpq program. If a user uses the ntpq command to request peer information from a remote time server and the server returns a malicious response, this overflow can be triggered. Because the overflow is limited to two bytes, the most likely outcome is a denial of service. University of Delaware NTP 4.2.4 Vendor patch: University of Delaware ---------------------- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://archive.ntp.org/ntp4/ntp-4.2.4p7.tar.gz |
id | SSV:5041 |
last seen | 2017-11-19 |
modified | 2009-04-13 |
published | 2009-04-13 |
reporter | Root |
title | NTP ntpq Command Remote Stack Overflow Vulnerability |
References
- http://bugs.pardus.org.tr/show_bug.cgi?id=9532
- http://secunia.com/advisories/34608
- https://support.ntp.org/bugs/show_bug.cgi?id=1144
- http://www.securityfocus.com/bid/34481
- http://osvdb.org/53593
- http://www.securitytracker.com/id?1022033
- http://www.vupen.com/english/advisories/2009/0999
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:092
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://www.vupen.com/english/advisories/2009/1297
- http://support.apple.com/kb/HT3549
- http://secunia.com/advisories/35074
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- https://bugzilla.redhat.com/show_bug.cgi?id=490617
- http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565
- http://rhn.redhat.com/errata/RHSA-2009-1040.html
- http://rhn.redhat.com/errata/RHSA-2009-1039.html
- http://secunia.com/advisories/35137
- http://www.debian.org/security/2009/dsa-1801
- http://secunia.com/advisories/35169
- http://secunia.com/advisories/35166
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01449.html
- http://secunia.com/advisories/35138
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01414.html
- http://www.gentoo.org/security/en/glsa/glsa-200905-08.xml
- http://secunia.com/advisories/35253
- http://secunia.com/advisories/35308
- http://secunia.com/advisories/35336
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.566238
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
- http://secunia.com/advisories/35416
- http://secunia.com/advisories/35630
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-006.txt.asc
- http://secunia.com/advisories/37471
- https://rhn.redhat.com/errata/RHSA-2009-1651.html
- http://www.vupen.com/english/advisories/2009/3316
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://marc.info/?l=bugtraq&m=136482797910018&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49838
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9634
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8665
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8386
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5411
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19392
- https://usn.ubuntu.com/777-1/
- http://www.securityfocus.com/archive/1/507985/100/0/threaded