Vigil@nce: NTP.org, two vulnerabilities
May 2009 by Vigil@nce
A local or remote attacker can use two vulnerabilities of NTP.org
in order to generate a denial of service or to execute code.
– Severity: 2/4
– Consequences: privileged access/rights, denial of service
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Number of vulnerabilities in this bulletin: 2
– Creation date: 19/05/2009
IMPACTED PRODUCTS
– Debian Linux
– Mandriva Corporate
– Mandriva Linux
– Mandriva Multi Network Firewall
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The NTP daemon can be installed on a Unix or Windows environment,
and compiled with or without OpenSSL. Two vulnerabilities impact
these configurations.
Under Windows, the daemon does not set the SO_EXCLUSIVEADDRUSE
socket option. A local application can thus bind to the same port
as the NTP daemon and intercept or disrupt its traffic. A local
attacker can then create a denial of service. [grav:1/4]
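As an added example (not NTP's code), the following C program shows the defensive side of this item: a UDP listener bound so that a second local process cannot take the same port. On Windows it sets SO_EXCLUSIVEADDRUSE, the option the bulletin says ntpd omitted; on POSIX the equivalent discipline is simply never setting SO_REUSEADDR or SO_REUSEPORT on the listening socket. The loopback address and the ephemeral port (port 0) are constructed for the self-check; `bind_udp_exclusive` and `port_is_protected` are names chosen here.

```c
/* Added example (not NTP's code): bind a UDP port so it cannot be shared.
   Windows: SO_EXCLUSIVEADDRUSE.  POSIX: no SO_REUSEADDR/SO_REUSEPORT. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
typedef SOCKET sock_t;
#  define BAD_SOCK INVALID_SOCKET
#  define close_sock closesocket
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <unistd.h>
typedef int sock_t;
#  define BAD_SOCK (-1)
#  define close_sock close
#endif

/* Winsock needs explicit initialisation; no-op elsewhere. */
static int net_init(void)
{
#ifdef _WIN32
    WSADATA wsa;
    return WSAStartup(MAKEWORD(2, 2), &wsa) == 0 ? 0 : -1;
#else
    return 0;
#endif
}

/* Bind a UDP socket on 127.0.0.1:port (port 0 = let the OS pick), refusing
   to share the port. Returns the socket and stores the bound port in
   *bound_port, or returns BAD_SOCK on failure. */
sock_t bind_udp_exclusive(unsigned short port, unsigned short *bound_port)
{
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    sock_t s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s == BAD_SOCK) return BAD_SOCK;
#ifdef _WIN32
    /* Without this, another process that sets SO_REUSEADDR can bind the
       same port and receive some or all of the daemon's datagrams. */
    BOOL excl = TRUE;
    if (setsockopt(s, SOL_SOCKET, SO_EXCLUSIVEADDRUSE,
                   (const char *)&excl, sizeof excl) != 0) {
        close_sock(s);
        return BAD_SOCK;
    }
#endif
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* constructed: loopback only */
    a.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&a, sizeof a) != 0 ||
        getsockname(s, (struct sockaddr *)&a, &alen) != 0) {
        close_sock(s);
        return BAD_SOCK;
    }
    if (bound_port) *bound_port = ntohs(a.sin_port);
    return s;
}

/* Self-check: bind once, then try a second socket on the same port.
   Returns 1 if the second bind is refused (port is protected), 0 if it
   succeeds (the listener could be shadowed), -1 on setup error. */
int port_is_protected(void)
{
    unsigned short p = 0, p2 = 0;
    sock_t first, second;
    int refused;
    if (net_init() != 0) return -1;
    first = bind_udp_exclusive(0, &p);
    if (first == BAD_SOCK) return -1;
    second = bind_udp_exclusive(p, &p2);
    refused = (second == BAD_SOCK);
    if (!refused) close_sock(second);
    close_sock(first);
    return refused;
}

int main(void)
{
    int r = port_is_protected();
    printf("second bind to the same port: %s\n",
           r == 1 ? "refused (good)" :
           r == 0 ? "succeeded (listener can be shadowed)" : "not tested");
    return r == 1 ? 0 : 1;
}
```

The self-check is the point a reviewer would actually want: rather than trusting that the option is set, bind twice and confirm the second attempt fails. On Linux the same test tells you whether a stray SO_REUSEADDR or SO_REUSEPORT has crept into the listener setup.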
When NTP is compiled with OpenSSL and uses a "crypto pw"
configuration, the ntp_crypto.c file formats data with the sprintf()
function, which does not bound the write. An attacker can therefore
send a malicious extension field in order to generate a buffer
overflow, to create a denial of service or to execute code.
[grav:2/4; BID-35017, CVE-2009-1252, VU#853097]
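As an added example (not NTP's code, and not a reproduction of the affected routine), the following C shows the general pattern the bulletin describes, an unbounded sprintf() into a fixed-size buffer fed from a received field, next to the bounds-checked form a fix takes. The buffer size, the field format and the function names are constructed for illustration.

```c
/* Added example (not NTP's code): sprintf into a fixed buffer, and the
   snprintf-with-length-check replacement. */
#include <stdio.h>
#include <string.h>

#define FIELD_BUF 32   /* constructed: size of a fixed on-stack buffer */

/* Unsafe pattern: sprintf knows nothing about the destination size. If
   'name' comes from a received extension field and is longer than the
   buffer, the write continues past its end. Kept only for contrast; never
   call it with data from the network. */
void format_field_unsafe(char out[FIELD_BUF], const char *name, unsigned id)
{
    sprintf(out, "%s:%u", name, id);
}

/* Hardened form: snprintf bounds the write, and its return value (the
   length the complete output would have had) is checked so an over-long
   field is rejected outright rather than silently truncated.
   Returns 0 on success, -1 when the field does not fit. */
int format_field_safe(char *out, size_t outlen, const char *name, unsigned id)
{
    int n = snprintf(out, outlen, "%s:%u", name, id);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';   /* leave no partial attacker-shaped string */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[FIELD_BUF];
    char oversized[200];                      /* constructed over-long field */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (format_field_safe(buf, sizeof buf, "host", 7) == 0)
        printf("accepted: %s\n", buf);       /* accepted: host:7 */
    if (format_field_safe(buf, sizeof buf, oversized, 7) != 0)
        printf("rejected: field longer than %d bytes\n", FIELD_BUF);
    return 0;
}
```

The detail worth copying is the comparison `n >= outlen`: snprintf() returns the length it wanted to write, not what it wrote, so a result equal to or larger than the buffer size means the input was too long for the buffer and should be treated as malformed.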
CHARACTERISTICS
– Identifiers: BID-35017, CVE-2009-1252, DSA 1801-1, MDVSA-2009:117,
RHSA-2009:1039-01, RHSA-2009:1040-02, VIGILANCE-VUL-8720, VU#853097
– Url: http://vigilance.fr/vulnerability/NTP-org-two-vulnerabilities-8720