NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 1151 - Remote exploit if autokey is enabled - CVE-2009-1252
Summary: Remote exploit if autokey is enabled - CVE-2009-1252
Status: VERIFIED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: crypto
Version: 4.2.4
Hardware: All N/A
Importance: P1 blocker
Assignee: Harlan Stenn
URL:
Depends on:
Blocks:
 
Reported: 2009-04-09 07:44 UTC by Harlan Stenn
Modified: 2009-10-15 16:17 UTC
CC List: 2 users

See Also:
stenn: blocking4.2.4+


Description Harlan Stenn 2009-04-09 07:44:41 UTC
 
Comment 1 Harlan Stenn 2009-04-09 07:46:30 UTC
Blocking 4.2.4 and 4.2.6.

Details in the morning...
Comment 2 Harlan Stenn 2009-04-22 22:02:05 UTC
This bug was fixed in -dev around p75 or so.
Comment 3 Harlan Stenn 2009-04-30 22:00:55 UTC
Due to the use of sprintf() calls in ntp_crypto.c it was possible to craft
a packet with an extension field that would either cause ntpd to crash or
result in the execution of arbitrary code (with the privileges of the ntp
daemon process).

This vulnerability exists in ntp-4.2.4p6 and before.  The fix for this
problem will be released in ntp-stable on 2009-05-04.

This vulnerability exists in ntp-4.2.5p73 and before.  This vulnerability
was fixed in ntp-dev as part of a code cleanup that was committed on
2007-09-10.

If ntpd was not built with OpenSSL the vulnerability does not exist.

If ntpd was built with OpenSSL but there is no "crypto pw whatever" line in
the ntp.conf file, the vulnerability is not exploitable.

This vulnerability was discovered by Chris Ries of CMU.
Comment 4 Harlan Stenn 2009-05-18 09:59:36 UTC
This bug has been fixed in 4.2.4p7.

Making this a "public" bug.