{"vuid":"VU#853097","idnumber":"853097","name":"ntpd autokey stack buffer overflow","keywords":["ntpd","autokey","OpenSSL","sprintf","buffer overflow"],"overview":"ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.","clean_desc":"NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.","impact":"A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.","resolution":"Apply an update\nThis issue is addressed in ntp 4.2.4p7 and 4.2.5p74.","workarounds":"Disable autokey\nThis vulnerability can be mitigated by removing the crypto pw password line from the ntp.conf file.","sysaffected":"","thanks":"This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.","author":"This document was written by Will Dormann.","public":["http://www.ntp.org/downloads.html","https://rhn.redhat.com/errata/RHSA-2009-1039.html","http://www.ubuntu.com/usn/usn-777-1","http://bugs.gentoo.org/show_bug.cgi?id=268962","http://xorl.wordpress.com/2009/06/10/freebsd-sa-0911-ntpd-remote-stack-based-buffer-overflows/"],"cveids":["CVE-2009-1252"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2009-04-09T22:28:00Z","publicdate":"2009-05-18T00:00:00Z","datefirstpublished":"2009-05-18T21:36:16Z","dateupdated":"2009-08-12T19:01:48Z","revision":31,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"4","cam_widelyknown":"4","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"8","cam_impact":"15","cam_easeofexploitation":"10","cam_attackeraccessrequired":"20","cam_scorecurrent":"9.45","cam_scorecurrentwidelyknown":"16.65","cam_scorecurrentwidelyknownexploited":"25.65","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"Not Defined (ND)","cvss_reportconfidence":"Not Defined (ND)","cvss_collateraldamagepotential":"Not Defined (ND)","cvss_targetdistribution":"Not Defined (ND)","cvss_securityrequirementscr":"Not Defined (ND)","cvss_securityrequirementsir":"Not Defined (ND)","cvss_securityrequirementsar":"Not Defined (ND)","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)","metric":9.45,"vulnote":null}