-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2009-006
                 =================================

Topic:          Buffer overflows in ntp

Version:        NetBSD-current:    source prior to May 21, 2009
                NetBSD 5.0:        source prior to May 27, 2009
                NetBSD 4.0.1:      source prior to May 27, 2009
                NetBSD 4.0:        source prior to May 27, 2009

Severity:       Potential remote arbitrary code execution

Fixed:          NetBSD-current:    May 20, 2009
                NetBSD-5 branch:   May 27, 2009 (5.0.1 will include the fix)
                NetBSD-4 branch:   May 27, 2009 (4.1 will include the fix)
                NetBSD-4-0 branch: May 27, 2009 (4.0.2 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Two remote buffer overflow vulnerabilities have been found in the ntp
(Network Time Protocol) code.

The first, in ntpq, potentially allows arbitrary code execution (as the
user running ntpq) if a hostile ntp daemon is contacted.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159

The second, in ntpd itself, allows remote arbitrary code execution as
the system ntp user if cryptographic authentication is enabled, which
is not the default. If ntpd is configured to run in a chroot area
(which is not the default) the arbitrary code execution should be
contained within the chroot.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252

The second of these vulnerabilities makes the first considerably more
dangerous than it would be on its own: an attacker who has taken over
an ntpd can then serve crafted responses to every administrator who
queries it with ntpq.


Technical Details
=================

1. The cookedprint() function in ntpq contains a stack-based buffer
   overflow vulnerability that can be exploited by sending a properly
   crafted response to ntpq.

2. The crypto_recv() function in ntpd contains a stack-based buffer
   overflow vulnerability that can be exploited by sending a properly
   crafted packet to ntpd. This code path is only reached when
   cryptographic (Autokey) authentication is enabled.


Solutions and Workarounds
=========================

Workarounds:

1. Avoid running ntpq until a fixed version has been installed.

2. Disable cryptographic authentication until a fixed version has been
   installed. Or, disable ntpd entirely until a fixed version has been
   installed.

Either of these approaches is probably undesirable; it is better to
update immediately. Enabling the rc.conf(5) option to run ntpd under
chroot may mitigate the impact of an attack but does not qualify as a
real workaround.

Solutions:

For all affected NetBSD versions, obtain updated sources, and rebuild
and reinstall the ntp daemon and tools. If ntpd is running, be sure to
stop and restart it.

The fixed sources may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to update and recompile
your ntp binaries by updating your source tree and rebuilding a new
version of ntp.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-05-20
        should be upgraded to NetBSD-current dated 2009-05-21 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                dist/ntp/ntpd
                dist/ntp/ntpq

        To update from CVS, re-build, and re-install ntp:

                # cd src
                # cvs update -d -P dist/ntp/ntpd
                # cvs update -d -P dist/ntp/ntpq
                # cd usr.sbin/ntp
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # /etc/rc.d/ntpd stop
                # /etc/rc.d/ntpd start

* NetBSD 5.0:

        The binary distribution of NetBSD 5.0 is vulnerable.

        Systems running NetBSD 5.0 sources dated from before 2009-05-27
        should be rebuilt from NetBSD 5.0 sources dated 2009-05-28 or
        later.

        NetBSD 5.0.1 and 5.1 will include the fix.

        The following directories need to be updated from the
        netbsd-5-0 CVS branch:
                dist/ntp/ntpd
                dist/ntp/ntpq

        To update from CVS, re-build, and re-install ntp:

                # cd src
                # cvs update -d -P -r netbsd-5-0 dist/ntp/ntpd
                # cvs update -d -P -r netbsd-5-0 dist/ntp/ntpq
                # cd usr.sbin/ntp
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # /etc/rc.d/ntpd stop
                # /etc/rc.d/ntpd start

* NetBSD 4.0, 4.0.1:

        The binary distributions of NetBSD 4.0 and 4.0.1 are vulnerable.

        Systems running NetBSD 4.0 sources dated from before 2009-05-27
        should be rebuilt from NetBSD 4.0 sources dated 2009-05-28 or
        later.

        NetBSD 4.1 and 4.0.2 will include the fix.

        The following directories need to be updated from the
        netbsd-4-0 CVS branch:
                dist/ntp/ntpd
                dist/ntp/ntpq

        To update from CVS, re-build, and re-install ntp:

                # cd src
                # cvs update -d -P -r netbsd-4-0 dist/ntp/ntpd
                # cvs update -d -P -r netbsd-4-0 dist/ntp/ntpq
                # cd usr.sbin/ntp
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # /etc/rc.d/ntpd stop
                # /etc/rc.d/ntpd start


Thanks To
=========

Christos Zoulas for providing the fixes.


Revision History
================

2009-06-30      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-006.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2009-006.txt,v 1.2 2009/06/30 18:30:27 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKSl6gAAoJEAZJc6xMSnBux40QALdvcTyn12pJ22i72eLn1aEh
UcXNvekD0yQFXF3xQ/2klcVCmUvFelSlkvelZ2csDxzetvNSRVY6SBgp3F6NdWC3
YxDAiDF/GeZyQi2hWdCqLVsW2kfDih8Bl+sL/51oxuIkzaSQzkQAhXCF3ggWl259
oLMeuR/Vdre6jqJpfXjq12vhNu7g/XvLyhH7b7WAMxqT/+7rEqmlPua5epjr43b2
RMt4zCRFga+NlU+iO78YvzEAUhk/kvFhDkXiPMQZ0puY4akuRAMYS1Il8YkK0o8K
rktvX9dMChnIFyh826vuiUpeUpN/UxHRUYTIkUhO8A4WoM6ffs3GuJ0IXZUQPmoV
mZ/ybpJWjRmAQnwK2vw/RJAhPQnojzZ0ZqFYry1zvlw8Ec59ShNO8XUXXMnxCeK6
kZsJ1pWuHc+m6aQ0lkItuV6zBnx4xjTSJ8bzE1qIkX9v0kFYkny8hzxNWRHrhZhu
qm4acnPdzWivfo1C9panMSI3oL8z0wAG6s5gkBJDglbdwtyaM+W3r3EAHvyaKmSV
1uubeTGTh8pqkTNsPAL8+OkFRCAlU2NQZWjbkjwJQfbHaRzdD/BJzO/9JFJ0aYhX
H0Eo0fBotfCcUhl5jzo5r4EnsFuSmeaLDLExVY7NNcqYylrlUnj31MUJh6TL/Gan
3vWY3qzD4Z2V7lwVgzwX
=zdxv
-----END PGP SIGNATURE-----
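Both bugs in the Technical Details section are of one shape: a length or string taken from a network message is trusted when it is copied into a fixed-size buffer on the stack, so a peer that controls the message controls how far past the buffer the copy runs. The C program below is an added illustration written for this page; it is not NetBSD's or ntp's code and does not reproduce cookedprint() or crypto_recv(). The message layout (2-byte opcode, 2-byte big-endian value length, then the value), the 64-byte destination buffer and every function name are assumptions made for the example. It shows the vulnerable copy beside the hardened one and runs both over constructed messages.

```c
/*
 * Illustrative reconstruction of the bug class in NetBSD-SA2009-006:
 * a length read from the wire bounds a memcpy into a fixed stack buffer.
 * Not ntp code; layout, buffer size and names are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VALBUF 64   /* assumed size of the fixed stack buffer */

/* Build one field into buf: opcode, vallen (both big-endian), then
 * vallen bytes of `fill`.  Returns bytes written, or 0 if buf is too small. */
size_t build_field(uint8_t *buf, size_t cap, uint16_t opcode,
                   uint16_t vallen, uint8_t fill)
{
    if (cap < 4u + vallen)
        return 0;
    buf[0] = (uint8_t)(opcode >> 8); buf[1] = (uint8_t)(opcode & 0xff);
    buf[2] = (uint8_t)(vallen >> 8); buf[3] = (uint8_t)(vallen & 0xff);
    memset(buf + 4, fill, vallen);
    return 4u + vallen;
}

/* VULNERABLE ("before"): vallen comes straight from the message and is
 * the only bound on the copy.  A peer claiming vallen > VALBUF smashes
 * the caller's stack frame.  Kept here only as the pattern to recognise;
 * the example never feeds it an oversized field. */
int copy_value_unsafe(const uint8_t *pkt, char *val)
{
    uint16_t vallen = (uint16_t)((pkt[2] << 8) | pkt[3]);
    memcpy(val, pkt + 4, vallen);   /* no check against VALBUF */
    val[vallen] = '\0';
    return vallen;
}

/* HARDENED: the claimed length is checked against what actually arrived
 * (prevents an over-read) and against the destination, including room for
 * the NUL terminator (prevents the overflow).  Returns -1 on rejection. */
int copy_value_safe(const uint8_t *pkt, size_t pktlen, char *val, size_t cap)
{
    if (pktlen < 4)
        return -1;
    uint16_t vallen = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if ((size_t)vallen > pktlen - 4)   /* header claims more than received */
        return -1;
    if ((size_t)vallen >= cap)         /* would not fit with the NUL */
        return -1;
    memcpy(val, pkt + 4, vallen);
    val[vallen] = '\0';
    return vallen;
}

/* Scenarios over constructed messages, so each outcome can be checked. */
int scenario_benign(void)           /* 10-byte value: both copies succeed */
{
    uint8_t pkt[512]; char val[VALBUF];
    size_t n = build_field(pkt, sizeof pkt, 0x0101, 10, 'A');
    int r = copy_value_safe(pkt, n, val, sizeof val);
    return (r == 10 && strcmp(val, "AAAAAAAAAA") == 0) ? r : -2;
}

int scenario_unsafe_in_bounds(void) /* the bug is invisible on friendly input */
{
    uint8_t pkt[512]; char val[VALBUF];
    (void)build_field(pkt, sizeof pkt, 0x0101, 10, 'A');
    return copy_value_unsafe(pkt, val);
}

int scenario_oversized(void)        /* 300-byte value into a 64-byte buffer */
{
    uint8_t pkt[512]; char val[VALBUF];
    size_t n = build_field(pkt, sizeof pkt, 0x0101, 300, 'B');
    return copy_value_safe(pkt, n, val, sizeof val);
}

int scenario_truncated(void)        /* header claims 100 bytes, only 20 arrived */
{
    uint8_t pkt[512]; char val[VALBUF];
    (void)build_field(pkt, sizeof pkt, 0x0101, 100, 'C');
    return copy_value_safe(pkt, 20, val, sizeof val);
}

int main(void)
{
    printf("benign=%d unsafe_in_bounds=%d oversized=%d truncated=%d\n",
           scenario_benign(), scenario_unsafe_in_bounds(),
           scenario_oversized(), scenario_truncated());
    return 0;
}
```

The two checks in copy_value_safe() are the whole fix for this bug class: the first stops a short packet from being read past its end, the second stops a long value from being written past the buffer. Stack protectors, the ntp user's low privilege and the chroot option mentioned in the advisory only limit what an attacker gains once the unchecked copy has already run, which is why the advisory lists chroot as mitigation rather than as a workaround.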