CVE-2009-0159 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in NTP

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, ntp, CWE-119, nessus

Summary

Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2015-0002.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80395
    published: 2015-01-07
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/80395
    title: OracleVM 2.2 : ntp (OVMSA-2015-0002)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2015-0002.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80395);
      script_version("1.19");
      script_cvs_date("Date: 2019/09/27 13:00:34");
    
      script_cve_id("CVE-2009-0021", "CVE-2009-0159", "CVE-2009-1252", "CVE-2009-3563", "CVE-2014-9293", "CVE-2014-9294", "CVE-2014-9295");
      script_bugtraq_id(33150, 34481, 35017, 37255, 71757, 71761, 71762);
    
      script_name(english:"OracleVM 2.2 : ntp (OVMSA-2015-0002)");
      script_summary(english:"Checks the RPM output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - don't generate weak control key for resolver
        (CVE-2014-9293)
    
      - don't generate weak MD5 keys in ntp-keygen
        (CVE-2014-9294)
    
      - fix buffer overflows via specially-crafted packets
        (CVE-2014-9295)
    
      - increase memlock limit again (#1035198)
    
      - allow selection of cipher for private key files
        (#741573)
    
      - revert init script priority (#470945, #689636)
    
      - drop tentative patch (#489835)
    
      - move restorecon call to %posttrans
    
      - call restorecon on ntpd and ntpdate on start (#470945)
    
      - don't crash with more than 512 local addresses (#661934)
    
      - add -I option (#528799)
    
      - fix -L option to not require argument (#460434)
    
      - move ntpd and ntpdate to /sbin and start earlier on boot
        (#470945, #689636)
    
      - increase memlock limit (#575874)
    
      - ignore tentative addresses (#489835)
    
      - print synchronization distance instead of dispersion in
        ntpstat (#679034)
    
      - fix typos in ntpq and ntp-keygen man pages (#664524,
        #664525)
    
      - clarify ntpd -q description (#591838)
    
      - don't verify ntp.conf (#481151)
    
      - replace Prereq tag
    
      - fix DoS with mode 7 packets (#532640, CVE-2009-3563)
    
      - compile with -fno-strict-aliasing
    
      - fix buffer overflow when parsing Autokey association
        message (#500784, CVE-2009-1252)
    
      - fix buffer overflow in ntpq (#500784, CVE-2009-0159)
    
      - fix check for malformed signatures (#479699,
        CVE-2009-0021)"
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2015-January/000253.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cb11e689"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119, 287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:ntp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/01/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS2.2", reference:"ntp-4.2.2p1-18.el5_11")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-1039.NASL
    description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43750
    published: 2010-01-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43750
    title: CentOS 5 : ntp (CESA-2009:1039)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-1651.NASL
    description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43072
    published: 2009-12-09
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43072
    title: CentOS 3 : ntp (CESA-2009:1651)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-1651.NASL
    description: From Red Hat Security Advisory 2009:1651 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67970
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67970
    title: Oracle Linux 3 : ntp (ELSA-2009-1651)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-1040.NASL
    description: From Red Hat Security Advisory 2009:1040 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67861
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67861
    title: Oracle Linux 4 : ntp (ELSA-2009-1040)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_39871.NASL
    description: s700_800 11.11 NTP timeservices upgrade plus utilities : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40364
    published: 2009-07-27
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40364
    title: HP-UX PHNE_39871 : HP-UX Running XNTP, Remote Execution of Arbitrary Code (HPSBUX02437 SSRT090038 rev.2)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-5273.NASL
    description: This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38961
    published: 2009-06-01
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38961
    title: Fedora 10 : ntp-4.2.4p7-1.fc10 (2009-5273)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-1039.NASL
    description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38820
    published: 2009-05-19
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38820
    title: RHEL 5 : ntp (RHSA-2009:1039)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-5275.NASL
    description: This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38962
    published: 2009-06-01
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38962
    title: Fedora 9 : ntp-4.2.4p7-1.fc9 (2009-5275)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_NTP-090508.NASL
    description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41441
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41441
    title: SuSE 11 Security Update : ntp (SAT Patch Number 863)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XNTP-6231.NASL
    description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38847
    published: 2009-05-20
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38847
    title: openSUSE 10 Security Update : xntp (xntp-6231)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_42470.NASL
    description: s700_800 11.31 cumulative ARPA Transport patch : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to create a Denial of Service (DoS) or execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66504
    published: 2013-05-19
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66504
    title: HP-UX PHNE_42470 : s700_800 11.31 cumulative ARPA Transport patch
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-1039.NASL
    description: From Red Hat Security Advisory 2009:1039 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67860
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67860
    title: Oracle Linux 5 : ntp (ELSA-2009-1039)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XNTP-6232.NASL
    description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41601
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41601
    title: SuSE 10 Security Update : xntp (ZYPP Patch Number 6232)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200905-08.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200905-08 (NTP: Remote execution of arbitrary code) Multiple vulnerabilities have been found in the programs included in the NTP package: Apple Product Security reported a boundary error in the cookedprint() function in ntpq/ntpq.c, possibly leading to a stack-based buffer overflow (CVE-2009-0159). Chris Ries of CMU reported a boundary error within the crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a stack-based buffer overflow (CVE-2009-1252). Impact : A remote attacker might send a specially crafted package to a machine running ntpd, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the daemon, or a Denial of Service. NOTE: Successful exploitation requires the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38920
    published: 2009-05-27
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38920
    title: GLSA-200905-08 : NTP: Remote execution of arbitrary code
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-777-1.NASL
    description: A stack-based buffer overflow was discovered in ntpq. If a user were tricked into connecting to a malicious ntp server, a remote attacker could cause a denial of service in ntpq, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0159) Chris Ries discovered a stack-based overflow in ntp. If ntp was configured to use autokey, a remote attacker could send a crafted packet to cause a denial of service, or possibly execute arbitrary code. (CVE-2009-1252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38848
    published: 2009-05-20
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38848
    title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : ntp vulnerabilities (USN-777-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-1651.NASL
    description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43081
    published: 2009-12-09
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43081
    title: RHEL 3 : ntp (RHSA-2009:1651)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-309.NASL
    description: Multiple vulnerabilities have been found and corrected in ntp : Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution (CVE-2009-0159). A buffer overflow flaw was discovered in the ntpd daemon
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42995
    published: 2009-12-04
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42995
    title: Mandriva Linux Security Advisory : ntp (MDVSA-2009:309)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-1040.NASL
    description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38821
    published: 2009-05-19
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38821
    title: RHEL 4 : ntp (RHSA-2009:1040)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_39873.NASL
    description: s700_800 11.31 NTP timeservices upgrade plus utilities : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40366
    published: 2009-07-27
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40366
    title: HP-UX PHNE_39873 : HP-UX Running XNTP, Remote Execution of Arbitrary Code (HPSBUX02437 SSRT090038 rev.2)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-092.NASL
    description: A vulnerability has been found and corrected in ntp : Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution (CVE-2009-0159). The updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37998
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/37998
    title: Mandriva Linux Security Advisory : ntp (MDVSA-2009:092)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_4175C811F690489887C5755B3CF1BAC6.NASL
    description: US-CERT reports : ntpd contains a stack-based buffer overflow which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38881
    published: 2009-05-26
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38881
    title: FreeBSD : ntp -- stack-based buffer overflow (4175c811-f690-4898-87c5-755b3cf1bac6)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20090518_NTP_ON_SL4_X.NASL
    description: A buffer overflow flaw was discovered in the ntpd daemon
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60586
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60586
    title: Scientific Linux Security Update : ntp on SL4.x i386/x86_64
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2009-0016.NASL
    description: a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. b. Update Apache Tomcat version Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5) which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. c. Third-party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42870
    published: 2009-11-23
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42870
    title: VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20090518_NTP_ON_SL5_X.NASL
    description: A buffer overflow flaw was discovered in the ntpd daemon
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60587
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60587
    title: Scientific Linux Security Update : ntp on SL5.x i386/x86_64
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2009-0011.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : CVE-2009-0159 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. CVE-2009-1252 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. CVE-2009-0021 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. - fix buffer overflow when parsing Autokey association message (#500783, CVE-2009-1252) - fix buffer overflow in ntpq (#500783, CVE-2009-0159) - fix check for malformed signatures (#479698, CVE-2009-0021) - fix selecting multicast interface (#444106) - disable kernel discipline when -x option is used (#431729) - avoid use of uninitialized floating-point values in clock_select (#250838) - generate man pages from html source, include config man pages (#307271) - add note about paths and exit codes to ntpd man page (#242925, #246568) - add section about exit codes to ntpd man page (#319591) - always return 0 in scriptlets - pass additional options to ntpdate (#240141) - fix broadcast client to accept broadcasts on 255.255.255.255 (#226958) - compile with crypto support on 64bit architectures (#239580) - add ncurses-devel to buildrequires (#239580) - exit with nonzero code if ntpd -q did not set clock (#240134) - fix return codes in init script (#240118)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79458
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79458
    title: OracleVM 2.1 : ntp (OVMSA-2009-0011)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_5_7.NASL
    description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38744
    published: 2009-05-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38744
    title: Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2009-154-01.NASL
    description: New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39008
    published: 2009-06-04
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39008
    title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : ntp (SSA:2009-154-01)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20091208_NTP_ON_SL3_X.NASL
    description: CVE-2009-0159 ntp: buffer overflow in ntpq CVE-2009-3563 ntpd: DoS with mode 7 packets (VU#568372) Robin Park and Dmitri Vinokurov discovered a flaw in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers via a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages. (CVE-2009-3563) A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) SL3 Only After installing the update, the ntpd daemon will restart automatically.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60703
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60703
    title: Scientific Linux Security Update : ntp on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1801.NASL
    description: Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0159 A buffer overflow in ntpq allows a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. - CVE-2009-1252 A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38833
    published: 2009-05-20
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38833
    title: Debian DSA-1801-1 : ntp - buffer overflows
  • NASL family: Misc.
    NASL id: VMWARE_VMSA-2009-0016_REMOTE.NASL
    description: The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Apache Geronimo - Apache Tomcat - Apache Xerces2 - cURL/libcURL - ISC BIND - Libxml2 - Linux kernel - Linux kernel 64-bit - Linux kernel Common Internet File System - Linux kernel eCryptfs - NTP - Python - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Abstract Window Toolkit (AWT) - Java SE Plugin - Java SE Provider - Java SE Swing - Java SE Web Start
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89117
    published: 2016-03-03
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/89117
    title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_12415.NASL
    description: This update fixes : - a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) - a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41298
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41298
    title: SuSE9 Security Update : xntp (YOU Patch Number 12415)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-1040.NASL
    description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67066
    published: 2013-06-29
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67066
    title: CentOS 4 : ntp (CESA-2009:1040)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2015-0001.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - Remove default ntp servers in ntp.conf [bug 14342986] - don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80394
    published: 2015-01-07
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/80394
    title: OracleVM 3.2 : ntp (OVMSA-2015-0001)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2009-002.NASL
    description: The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied. This security update contains fixes for the following products : - Apache - ATS - BIND - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - IPSec - Kerberos - Launch Services - libxml - Net-SNMP - Network Time - OpenSSL - QuickDraw Manager - Spotlight - system_cmds - telnet - Terminal - X11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38743
    published: 2009-05-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38743
    title: Mac OS X Multiple Vulnerabilities (Security Update 2009-002)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_39872.NASL
    description: s700_800 11.23 NTP timeservices upgrade plus utilities : A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40365
    published: 2009-07-27
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40365
    title: HP-UX PHNE_39872 : HP-UX Running XNTP, Remote Execution of Arbitrary Code (HPSBUX02437 SSRT090038 rev.2)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_NTP-090508.NASL
    description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40083
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40083
    title: openSUSE Security Update : ntp (ntp-862)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_NTP-090508.NASL
    description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40285
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40285
    title: openSUSE Security Update : ntp (ntp-862)

Oval

  • accepted: 2015-04-20T04:01:13.528-04:00
    class: vulnerability
    contributors:
    • name: Ganesh Manal
      organization: Hewlett-Packard
    • name: Prashant Kumar
      organization: Hewlett-Packard
    • name: Mike Cokus
      organization: The MITRE Corporation
    description: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
    family: unix
    id: oval:org.mitre.oval:def:19392
    status: accepted
    submitted: 2013-11-22T11:43:28.000-05:00
    title: HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code
    version: 47
  • accepted: 2015-05-18T04:00:14.531-04:00
    class: vulnerability
    contributors:
    • name: Pai Peng
      organization: Hewlett-Packard
    • name: Sushant Kumar Singh
      organization: Hewlett-Packard
    • name: Sushant Kumar Singh
      organization: Hewlett-Packard
    • name: Prashant Kumar
      organization: Hewlett-Packard
    • name: Mike Cokus
      organization: The MITRE Corporation
    • name: Jaikumar
      organization: Hewlett-Packard
    description: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
    family: unix
    id: oval:org.mitre.oval:def:5411
    status: accepted
    submitted: 2009-08-11T16:16:36.000-04:00
    title: HP-UX Running XNTP, Remote Execution of Arbitrary Code
    version: 47
  • accepted: 2014-01-20T04:01:38.968-05:00
    class: vulnerability
    contributors:
    • name: Pai Peng
      organization: Hewlett-Packard
    • name: Chris Coffin
      organization: The MITRE Corporation
    definition_extensions:
    • comment: VMware ESX Server 4.0 is installed
      oval: oval:org.mitre.oval:def:6293
    description: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
    family: unix
    id: oval:org.mitre.oval:def:8386
    status: accepted
    submitted: 2010-03-19T16:57:59.000-04:00
    title: VMware ntpq stack-based buffer overflow vulnerability
    version: 7
  • accepted: 2014-01-20T04:01:41.556-05:00
    class: vulnerability
    contributors:
    • name: Pai Peng
      organization: Hewlett-Packard
    • name: Chris Coffin
      organization: The MITRE Corporation
    definition_extensions:
    • comment: VMware ESX Server 4.0 is installed
      oval: oval:org.mitre.oval:def:6293
    description: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
    family: unix
    id: oval:org.mitre.oval:def:8665
    status: accepted
    submitted: 2010-03-19T16:57:59.000-04:00
    title: VMware ntpd stack-based buffer overflow vulnerability
    version: 7
  • accepted: 2013-04-29T04:20:53.699-04:00
    class: vulnerability
    contributors:
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions:
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
      oval: oval:org.mitre.oval:def:11782
    • comment: CentOS Linux 3.x
      oval: oval:org.mitre.oval:def:16651
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
      oval: oval:org.mitre.oval:def:11831
    • comment: CentOS Linux 4.x
      oval: oval:org.mitre.oval:def:16636
    • comment: Oracle Linux 4.x
      oval: oval:org.mitre.oval:def:15990
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
      oval: oval:org.mitre.oval:def:11414
    • comment: The operating system installed on the system is CentOS Linux 5.x
      oval: oval:org.mitre.oval:def:15802
    • comment: Oracle Linux 5.x
      oval: oval:org.mitre.oval:def:15459
    description: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
    family: unix
    id: oval:org.mitre.oval:def:9634
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
    version: 27

Redhat

advisories:
  • rhsa
    id: RHSA-2009:1039
  • rhsa
    id: RHSA-2009:1040
  • rhsa
    id: RHSA-2009:1651
rpms:
  • ntp-0:4.2.2p1-9.el5_3.2
  • ntp-debuginfo-0:4.2.2p1-9.el5_3.2
  • ntp-0:4.2.0.a.20040617-8.el4_7.2
  • ntp-debuginfo-0:4.2.0.a.20040617-8.el4_7.2
  • ntp-0:4.1.2-6.el3
  • ntp-debuginfo-0:4.1.2-6.el3

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 34481. CVE(CAN) ID: CVE-2009-0159. NTP (Network Time Protocol) is a protocol used to synchronize computer clocks over a network. A stack overflow vulnerability exists in the ntpq program. If a user runs the ntpq command to request peer information from a remote time server and the server returns a malicious response, the overflow can be triggered. Because the overflow is limited to two bytes, the most likely outcome is a denial of service. Affected: University of Delaware NTP 4.2.4. Vendor patch: University of Delaware. The vendor has released an upgrade to fix this security issue; download it from the vendor's site: http://archive.ntp.org/ntp4/ntp-4.2.4p7.tar.gz
id: SSV:5041
last seen: 2017-11-19
modified: 2009-04-13
published: 2009-04-13
reporter: Root
title: NTP ntpq command remote stack overflow vulnerability

References