CVE-2009-1252 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in NTP
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
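The bug class behind this summary, as an added example that is not ntpd's code: a string taken from an Autokey extension field is formatted into a fixed-size stack buffer with sprintf(), next to the bounded version that a fix takes. The field layout used here (header word, association ID, timestamp, filestamp, value length, value), the 256-byte buffer, the format string and the sample packet are all assumptions for illustration; the only thing the page itself establishes is that crypto_recv() used sprintf() on attacker-controlled extension-field data.

```c
/* Added example, not ntpd source. Layout, sizes and format string are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATSTR_LEN 256   /* assumed size of the fixed stack buffer */
#define EXT_HDR_LEN 20    /* five 32-bit words: header, assoc ID, timestamp, filestamp, value length */

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Bounds-checked extraction of the value carried by an extension field.
 * Returns 0 and sets *val/*vlen on success, -1 if the declared value length
 * does not fit in the bytes actually received. */
int ext_value(const uint8_t *ext, size_t extlen, const uint8_t **val, uint32_t *vlen)
{
    if (extlen < EXT_HDR_LEN) return -1;
    uint32_t n = rd32(ext + 16);
    if (n > extlen - EXT_HDR_LEN) return -1;   /* length word lies about the packet */
    *val = ext + EXT_HDR_LEN;
    *vlen = n;
    return 0;
}

/* The vulnerable shape: sprintf() knows nothing about sizeof statstr, so a
 * host string longer than roughly STATSTR_LEN bytes (an NTP packet can carry
 * far more) runs off the end of the stack frame. Deliberately never called. */
void report_vulnerable(const char *host, uint32_t assoc)
{
    char statstr[STATSTR_LEN];
    sprintf(statstr, "assoc %u host %s", assoc, host);   /* no bound on %s */
    puts(statstr);
}

/* Bytes the sprintf() above would write (excluding the NUL), so the overflow
 * can be shown arithmetically instead of by executing it. */
size_t vulnerable_bytes_needed(uint32_t vlen, uint32_t assoc)
{
    return (size_t)snprintf(NULL, 0, "assoc %u host ", assoc) + vlen;
}

/* The fixed shape: output bounded by outlen, the host bounded by the parsed
 * length (so it need not be NUL-terminated), truncation reported as an error
 * rather than silently accepted. Returns the length written or -1. */
int report_hardened(char *out, size_t outlen, const uint8_t *val, uint32_t vlen, uint32_t assoc)
{
    int n = snprintf(out, outlen, "assoc %u host %.*s", assoc, (int)vlen, (const char *)val);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed sample field: 'declared' goes in the length word, 'actual'
 * bytes of 'A' follow it. Returns bytes written, 0 if buf is too small. */
size_t build_sample(uint8_t *buf, size_t buflen, uint32_t declared, size_t actual)
{
    if (buflen < EXT_HDR_LEN + actual) return 0;
    memset(buf, 0, EXT_HDR_LEN);
    wr32(buf, (uint32_t)(EXT_HDR_LEN + actual)); /* field length in the low 16 bits, opcode bits left zero (assumed) */
    wr32(buf + 4, 1);                            /* association ID */
    wr32(buf + 16, declared);                    /* value length */
    memset(buf + EXT_HDR_LEN, 'A', actual);
    return EXT_HDR_LEN + actual;
}

int main(void)
{
    uint8_t pkt[1024];
    char stat_buf[STATSTR_LEN], big[512];
    const uint8_t *val;
    uint32_t vlen;
    size_t len = build_sample(pkt, sizeof pkt, 300, 300);

    if (ext_value(pkt, len, &val, &vlen) == 0) {
        size_t need = vulnerable_bytes_needed(vlen, 1);
        printf("value %u bytes; sprintf would write %zu into a %d-byte buffer: %s\n",
               vlen, need, STATSTR_LEN, need >= STATSTR_LEN ? "OVERFLOW" : "fits");
        printf("hardened into %zu bytes -> %d\n", sizeof stat_buf,
               report_hardened(stat_buf, sizeof stat_buf, val, vlen, 1));
        printf("hardened into %zu bytes -> %d\n", sizeof big,
               report_hardened(big, sizeof big, val, vlen, 1));
    }
    return 0;
}
```

The second check in ext_value() is the one that matters for the "crafted packet containing an extension field" wording: the length word is attacker data, so it is validated against the bytes that actually arrived before anything dereferences it. The precision in report_hardened() then carries that validated length into the formatting call instead of trusting a NUL terminator.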
Vulnerable Configurations
Common Weakness Enumeration (CWE)
- CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2015-0002.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : - don
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80395
published: 2015-01-07
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80395
title: OracleVM 2.2 : ntp (OVMSA-2015-0002)
code:

#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2015-0002.
#

include("compat.inc");

if (description)
{
  script_id(80395);
  script_version("1.19");
  script_cvs_date("Date: 2019/09/27 13:00:34");

  script_cve_id("CVE-2009-0021", "CVE-2009-0159", "CVE-2009-1252", "CVE-2009-3563", "CVE-2014-9293", "CVE-2014-9294", "CVE-2014-9295");
  script_bugtraq_id(33150, 34481, 35017, 37255, 71757, 71761, 71762);

  script_name(english:"OracleVM 2.2 : ntp (OVMSA-2015-0002)");
  script_summary(english:"Checks the RPM output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote OracleVM host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - don't generate weak control key for resolver (CVE-2014-9293)
  - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294)
  - fix buffer overflows via specially-crafted packets (CVE-2014-9295)
  - increase memlock limit again (#1035198)
  - allow selection of cipher for private key files (#741573)
  - revert init script priority (#470945, #689636)
  - drop tentative patch (#489835)
  - move restorecon call to %posttrans
  - call restorecon on ntpd and ntpdate on start (#470945)
  - don't crash with more than 512 local addresses (#661934)
  - add -I option (#528799)
  - fix -L option to not require argument (#460434)
  - move ntpd and ntpdate to /sbin and start earlier on boot (#470945, #689636)
  - increase memlock limit (#575874)
  - ignore tentative addresses (#489835)
  - print synchronization distance instead of dispersion in ntpstat (#679034)
  - fix typos in ntpq and ntp-keygen man pages (#664524, #664525)
  - clarify ntpd -q description (#591838)
  - don't verify ntp.conf (#481151)
  - replace Prereq tag
  - fix DoS with mode 7 packets (#532640, CVE-2009-3563)
  - compile with -fno-strict-aliasing
  - fix buffer overflow when parsing Autokey association message (#500784, CVE-2009-1252)
  - fix buffer overflow in ntpq (#500784, CVE-2009-0159)
  - fix check for malformed signatures (#479699, CVE-2009-0021)"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2015-January/000253.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?cb11e689"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119, 287);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:ntp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/01/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);

flag = 0;
if (rpm_check(release:"OVS2.2", reference:"ntp-4.2.2p1-18.el5_11")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
}
NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2009-1039.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 43750
published: 2010-01-06
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/43750
title: CentOS 5 : ntp (CESA-2009:1039)

NASL family: Misc.
NASL id: NTPD_AUTOKEY_OVERFLOW.NASL
description: The version of the remote NTP server is 4.x prior to 4.2.4p7 or 4.x prior to 4.2.5p74. It is, therefore, affected by a stack-based buffer overflow condition due to the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. Note that this issue is exploitable only if ntpd was compiled with OpenSSL support and autokey authentication is enabled. The presence of the following line in ntp.conf indicates a vulnerable system : crypto pw *password* Nessus did not check if the system is configured in this manner.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38831
published: 2009-05-20
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38831
title: Network Time Protocol Daemon (ntpd) 4.x < 4.2.4p7 / 4.x < 4.2.5p74 crypto_recv() Function RCE

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2009-1040.NASL
description: From Red Hat Security Advisory 2009:1040 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 67861
published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67861
title: Oracle Linux 4 : ntp (ELSA-2009-1040)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-5273.NASL
description: This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38961
published: 2009-06-01
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38961
title: Fedora 10 : ntp-4.2.4p7-1.fc10 (2009-5273)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1039.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38820
published: 2009-05-19
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38820
title: RHEL 5 : ntp (RHSA-2009:1039)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-5275.NASL
description: This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38962
published: 2009-06-01
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38962
title: Fedora 9 : ntp-4.2.4p7-1.fc9 (2009-5275)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_NTP-090508.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 41441
published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41441
title: SuSE 11 Security Update : ntp (SAT Patch Number 863)

NASL family: SuSE Local Security Checks
NASL id: SUSE_XNTP-6231.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38847
published: 2009-05-20
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38847
title: openSUSE 10 Security Update : xntp (xntp-6231)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2009-1039.NASL
description: From Red Hat Security Advisory 2009:1039 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 67860
published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67860
title: Oracle Linux 5 : ntp (ELSA-2009-1039)

NASL family: SuSE Local Security Checks
NASL id: SUSE_XNTP-6232.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 41601
published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41601
title: SuSE 10 Security Update : xntp (ZYPP Patch Number 6232)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200905-08.NASL
description: The remote host is affected by the vulnerability described in GLSA-200905-08 (NTP: Remote execution of arbitrary code). Multiple vulnerabilities have been found in the programs included in the NTP package: Apple Product Security reported a boundary error in the cookedprint() function in ntpq/ntpq.c, possibly leading to a stack-based buffer overflow (CVE-2009-0159). Chris Ries of CMU reported a boundary error within the crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a stack-based buffer overflow (CVE-2009-1252). Impact : A remote attacker might send a specially crafted package to a machine running ntpd, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the daemon, or a Denial of Service. NOTE: Successful exploitation requires the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38920
published: 2009-05-27
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38920
title: GLSA-200905-08 : NTP: Remote execution of arbitrary code

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-777-1.NASL
description: A stack-based buffer overflow was discovered in ntpq. If a user were tricked into connecting to a malicious ntp server, a remote attacker could cause a denial of service in ntpq, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0159) Chris Ries discovered a stack-based overflow in ntp. If ntp was configured to use autokey, a remote attacker could send a crafted packet to cause a denial of service, or possibly execute arbitrary code. (CVE-2009-1252) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38848
published: 2009-05-20
reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38848
title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : ntp vulnerabilities (USN-777-1)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2009-309.NASL
description: Multiple vulnerabilities have been found and corrected in ntp : Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution (CVE-2009-0159). A buffer overflow flaw was discovered in the ntpd daemon
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 42995
published: 2009-12-04
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42995
title: Mandriva Linux Security Advisory : ntp (MDVSA-2009:309)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1040.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38821
published: 2009-05-19
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38821
title: RHEL 4 : ntp (RHSA-2009:1040)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_4175C811F690489887C5755B3CF1BAC6.NASL
description: US-CERT reports : ntpd contains a stack-based buffer overflow which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38881
published: 2009-05-26
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38881
title: FreeBSD : ntp -- stack-based buffer overflow (4175c811-f690-4898-87c5-755b3cf1bac6)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20090518_NTP_ON_SL4_X.NASL
description: A buffer overflow flaw was discovered in the ntpd daemon
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 60586
published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60586
title: Scientific Linux Security Update : ntp on SL4.x i386/x86_64

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2009-0016.NASL
description: a. JRE Security Update. JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. b. Update Apache Tomcat version. Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5) which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. c. Third-party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 42870
published: 2009-11-23
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42870
title: VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20090518_NTP_ON_SL5_X.NASL
description: A buffer overflow flaw was discovered in the ntpd daemon
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 60587
published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60587
title: Scientific Linux Security Update : ntp on SL5.x i386/x86_64

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2009-0011.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates :
- CVE-2009-0159 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
- CVE-2009-1252 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
- CVE-2009-0021 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077.
- fix buffer overflow when parsing Autokey association message (#500783, CVE-2009-1252)
- fix buffer overflow in ntpq (#500783, CVE-2009-0159)
- fix check for malformed signatures (#479698, CVE-2009-0021)
- fix selecting multicast interface (#444106)
- disable kernel discipline when -x option is used (#431729)
- avoid use of uninitialized floating-point values in clock_select (#250838)
- generate man pages from html source, include config man pages (#307271)
- add note about paths and exit codes to ntpd man page (#242925, #246568)
- add section about exit codes to ntpd man page (#319591)
- always return 0 in scriptlets
- pass additional options to ntpdate (#240141)
- fix broadcast client to accept broadcasts on 255.255.255.255 (#226958)
- compile with crypto support on 64bit architectures (#239580)
- add ncurses-devel to buildrequires (#239580)
- exit with nonzero code if ntpd -q did not set clock (#240134)
- fix return codes in init script (#240118)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 79458
published: 2014-11-26
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/79458
title: OracleVM 2.1 : ntp (OVMSA-2009-0011)

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2009-154-01.NASL
description: New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 39008
published: 2009-06-04
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/39008
title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : ntp (SSA:2009-154-01)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1801.NASL
description: Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems :
- CVE-2009-0159 A buffer overflow in ntpq allows a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response.
- CVE-2009-1252 A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38833
published: 2009-05-20
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/38833
title: Debian DSA-1801-1 : ntp - buffer overflows

NASL family: Misc.
NASL id: VMWARE_VMSA-2009-0016_REMOTE.NASL
description: The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :
- Apache Geronimo
- Apache Tomcat
- Apache Xerces2
- cURL/libcURL
- ISC BIND
- Libxml2
- Linux kernel
- Linux kernel 64-bit
- Linux kernel Common Internet File System
- Linux kernel eCryptfs
- NTP
- Python
- Java Runtime Environment (JRE)
- Java SE Development Kit (JDK)
- Java SE Abstract Window Toolkit (AWT)
- Java SE Plugin
- Java SE Provider
- Java SE Swing
- Java SE Web Start
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 89117
published: 2016-03-03
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89117
title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2009-117.NASL
description: A vulnerability has been found and corrected in ntp : A buffer overflow flaw was discovered in the ntpd daemon
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38844
published: 2009-05-20
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38844
title: Mandriva Linux Security Advisory : ntp (MDVSA-2009:117)

NASL family: SuSE Local Security Checks
NASL id: SUSE9_12415.NASL
description: This update fixes :
- a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252)
- a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 41298
published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41298
title: SuSE9 Security Update : xntp (YOU Patch Number 12415)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2009-1040.NASL
description: An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 67066
published: 2013-06-29
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67066
title: CentOS 4 : ntp (CESA-2009:1040)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2009-5674.NASL
description: This update fixes a denial of service issue if autokey is enabled (default is disabled). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 39394
published: 2009-06-16
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/39394
title: Fedora 11 : ntp-4.2.4p7-2.fc11 (2009-5674)

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2015-0001.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : - Remove default ntp servers in ntp.conf [bug 14342986] - don
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80394
published: 2015-01-07
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80394
title: OracleVM 3.2 : ntp (OVMSA-2015-0001)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_0_NTP-090508.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40083
published: 2009-07-21
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40083
title: openSUSE Security Update : ntp (ntp-862)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_1_NTP-090508.NASL
description: This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This update fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40285
published: 2009-07-21
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40285
title: openSUSE Security Update : ntp (ntp-862)
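The two conditions the crypto_recv() remote plugin above spells out, a version before 4.2.4p7 (or 4.2.5 before 4.2.5p74) and Autokey switched on by a crypto directive in ntp.conf, as a standalone check in C. This is an added example, not Tenable's plugin or ntp project code; the version-string shapes it accepts (A.B.CpN, optionally followed by -RCn, which is ordered before the release of the same p-level) and the two sample ntp.conf snippets are assumptions.

```c
/* Added example, not Tenable's plugin. Version grammar and sample configs are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct ntpver { int major, minor, patch, plevel, rc; };

/* Parse "4.2.4p6", "4.2.5p74" or "4.2.4p7-RC2" (assumed shapes). plevel is 0
 * when there is no pN suffix; rc is 1 for a release candidate. Returns 0 on
 * success, -1 if the string does not start with three dotted integers. */
int parse_ntp_version(const char *s, struct ntpver *v)
{
    int n = 0;
    memset(v, 0, sizeof *v);
    if (sscanf(s, "%d.%d.%d%n", &v->major, &v->minor, &v->patch, &n) != 3) return -1;
    s += n;
    if (*s == 'p' && sscanf(s + 1, "%d%n", &v->plevel, &n) == 1) s += 1 + n;
    v->rc = (strncmp(s, "-RC", 3) == 0);
    return 0;
}

/* Lexicographic compare on (major, minor, patch, plevel, released-not-RC). */
static int ntpver_cmp(const struct ntpver *a, const struct ntpver *b)
{
    int ka[5] = { a->major, a->minor, a->patch, a->plevel, !a->rc };
    int kb[5] = { b->major, b->minor, b->patch, b->plevel, !b->rc };
    for (int i = 0; i < 5; i++)
        if (ka[i] != kb[i]) return ka[i] < kb[i] ? -1 : 1;
    return 0;
}

/* 1 if the version lies in the advisory's range (4.x before 4.2.4p7, or
 * 4.2.5 before 4.2.5p74), 0 if not, -1 if the string does not parse. */
int ntp_version_vulnerable(const char *s)
{
    const struct ntpver fix_424 = { 4, 2, 4, 7, 0 }, fix_425 = { 4, 2, 5, 74, 0 };
    struct ntpver v;
    if (parse_ntp_version(s, &v) != 0) return -1;
    if (v.major != 4) return 0;
    if (v.minor == 2 && v.patch == 5) return ntpver_cmp(&v, &fix_425) < 0;
    return ntpver_cmp(&v, &fix_424) < 0;
}

/* 1 if any non-comment line of the ntp.conf text starts with the "crypto"
 * directive (for example "crypto pw ..."), which is what enables Autokey. */
int config_enables_autokey(const char *conf)
{
    while (*conf) {
        const char *end = strchr(conf, '\n');
        size_t len = end ? (size_t)(end - conf) : strlen(conf);
        const char *p = conf, *stop = conf + len;
        while (p < stop && isspace((unsigned char)*p)) p++;   /* leading blanks */
        if (stop - p >= 6 && strncmp(p, "crypto", 6) == 0 &&
            (stop - p == 6 || isspace((unsigned char)p[6])))   /* whole word, not "cryptography" */
            return 1;
        if (!end) break;
        conf = end + 1;
    }
    return 0;
}

/* Combined verdict: 2 = vulnerable version with Autokey on (the condition the
 * advisory describes), 1 = vulnerable version with Autokey off (patch anyway,
 * a config change is one line away), 0 = fixed, -1 = version not understood. */
int assess(const char *version, const char *conf)
{
    int vuln = ntp_version_vulnerable(version);
    if (vuln <= 0) return vuln;
    return config_enables_autokey(conf) ? 2 : 1;
}

/* Constructed sample configurations, not taken from any real host. */
const char SAMPLE_CONF_AUTOKEY[] =
    "# constructed sample ntp.conf with Autokey\n"
    "server 10.0.0.1 autokey\n"
    "crypto pw s3cret\n"
    "keysdir /etc/ntp\n";
const char SAMPLE_CONF_PLAIN[] =
    "# constructed sample ntp.conf without Autokey\n"
    "server 10.0.0.1\n"
    "# crypto pw s3cret   (commented out)\n";

int main(void)
{
    const char *versions[] = { "4.2.4p6", "4.2.4p7-RC2", "4.2.4p7", "4.2.5p73", "4.2.5p74", "4.2.6p5" };
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++)
        printf("%-12s autokey on: %2d   autokey off: %2d\n", versions[i],
               assess(versions[i], SAMPLE_CONF_AUTOKEY), assess(versions[i], SAMPLE_CONF_PLAIN));
    return 0;
}
```

The version string would normally come from the mode 6 readvar "version" field or the package manager, and the config from /etc/ntp.conf; the plugin above only does the first half, which is why its description says it did not check the configuration.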
Oval
accepted: 2013-04-29T04:12:32.681-04:00
class: vulnerability
contributors: Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.)
definition_extensions:
- The operating system installed on the system is Red Hat Enterprise Linux 4: oval:org.mitre.oval:def:11831
- CentOS Linux 4.x: oval:org.mitre.oval:def:16636
- Oracle Linux 4.x: oval:org.mitre.oval:def:15990
- The operating system installed on the system is Red Hat Enterprise Linux 5: oval:org.mitre.oval:def:11414
- The operating system installed on the system is CentOS Linux 5.x: oval:org.mitre.oval:def:15802
- Oracle Linux 5.x: oval:org.mitre.oval:def:15459
description: Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
family: unix
id: oval:org.mitre.oval:def:11231
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
version: 27

accepted: 2015-05-18T04:00:14.852-04:00
class: vulnerability
contributors: Pai Peng (Hewlett-Packard); Sushant Kumar Singh (Hewlett-Packard); Sushant Kumar Singh (Hewlett-Packard); Prashant Kumar (Hewlett-Packard); Mike Cokus (The MITRE Corporation); Jaikumar (Hewlett-Packard)
description: Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
family: unix
id: oval:org.mitre.oval:def:6307
status: accepted
submitted: 2009-08-11T16:16:37.000-04:00
title: HP-UX Running XNTP, Remote Execution of Arbitrary Code
version: 47
Redhat
Seebug
bulletinFamily | exploit |
description | Bugtraq ID: 35017. CVE ID: CVE-2009-1252. CNCVE ID: CNCVE-20091252. NTP (Network Time Protocol) is a protocol used by clients to synchronize date and time with time servers. When ntpd is compiled with OpenSSL support, it contains a stack buffer overflow that a remote attacker can exploit to execute arbitrary instructions with the privileges of the application. The crypto_recv() function in ntpd/ntp_crypto.c uses sprintf() and is subject to a buffer overflow; the vulnerability is only reachable when autokey is configured (that is, ntpd is configured to use public-key cryptography to authenticate NTP packets). A remote, unauthenticated attacker can execute arbitrary code with the privileges of the ntpd daemon. Affected: Ubuntu Linux 9.04 (sparc, powerpc, lpia, i386, amd64); Ubuntu Linux 8.10 (sparc, powerpc, lpia, i386, amd64); Ubuntu Linux 8.04 LTS (sparc, powerpc, lpia, i386, amd64); Ubuntu Linux 6.06 LTS (sparc, powerpc, i386, amd64); RedHat Enterprise Linux WS 4, ES 4, AS 4; RedHat Enterprise Linux EUS 5.3.z server; RedHat Enterprise Linux Desktop 5 client; RedHat Enterprise Linux 5 server; RedHat Desktop 4.0; NTP NTPd 4.2.1, 4.2.0b, 4.2.0a, 4.2, 4.1, 4.0, 3.0; NTP NTP 4.2.4p7-RC2, 4.2.4p6, 4.2.4p5; MandrakeSoft Multi Network Firewall 2.0; MandrakeSoft Linux Mandrake 2009.1 (x86_64 and i586), 2009.0 (x86_64 and i586), 2008.1 (x86_64 and i586); MandrakeSoft Corporate Server 4.0 (x86_64 and i586), 3.0 (x86_64 and i586); FreeBSD 7.1-STABLE; Debian Linux 5.0 (sparc, s/390, powerpc, mipsel, mips, m68k, ia-64, ia-32, hppa, armel, arm, amd64, alpha); Debian Linux 4.0 (sparc, s/390, powerpc, mipsel, mips, m68k, ia-64, ia-32, hppa, armel, arm, amd64, alpha). Vendor solution: upgrade to ntp 4.2.4p7 or 4.2.5p74: http://www.ntp.org/ |
id | SSV:11379 |
last seen | 2017-11-19 |
modified | 2009-05-21 |
published | 2009-05-21 |
reporter | Root |
title | NTP 'ntpd' Autokey Stack Buffer Overflow Vulnerability |
References
- https://launchpad.net/bugs/cve/2009-1252
- http://www.kb.cert.org/vuls/id/853097
- https://bugzilla.redhat.com/show_bug.cgi?id=499694
- http://rhn.redhat.com/errata/RHSA-2009-1039.html
- http://rhn.redhat.com/errata/RHSA-2009-1040.html
- https://support.ntp.org/bugs/show_bug.cgi?id=1151
- http://www.securityfocus.com/bid/35017
- http://secunia.com/advisories/35137
- http://www.securitytracker.com/id?1022243
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:117
- http://www.vupen.com/english/advisories/2009/1361
- http://www.debian.org/security/2009/dsa-1801
- http://secunia.com/advisories/35169
- http://secunia.com/advisories/35166
- http://www.gentoo.org/security/en/glsa/glsa-200905-08.xml
- http://secunia.com/advisories/35253
- http://secunia.com/advisories/35243
- http://secunia.com/advisories/35138
- http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0092
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01449.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01414.html
- http://secunia.com/advisories/35308
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
- http://secunia.com/advisories/35336
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.566238
- http://security.freebsd.org/advisories/FreeBSD-SA-09:11.ntpd.asc
- http://secunia.com/advisories/35416
- https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00293.html
- http://secunia.com/advisories/35388
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-006.txt.asc
- http://secunia.com/advisories/35630
- http://www.vupen.com/english/advisories/2009/3316
- http://secunia.com/advisories/37470
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://secunia.com/advisories/37471
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6307
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11231
- https://usn.ubuntu.com/777-1/
- http://www.securityfocus.com/archive/1/507985/100/0/threaded