The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of NTP.org: buffer overflow of ntpq

Synthesis of the vulnerability 

A malicious NTP server can generate an overflow in the ntpq client.
Vulnerable systems: Debian, Fedora, HP-UX, Mandriva Linux, Mandriva NF, Meinberg NTP Server, NetBSD, NLD, OES, NTP.org, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, TurboLinux, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity of this threat: 2/4.
Creation date: 14/04/2009.
References of this weakness: BID-34481, c01763606, c03714526, CERTA-2002-AVI-235, CERTA-2009-AVI-292, CVE-2009-0159, DSA-1801-1, FEDORA-2009-5273, FEDORA-2009-5674, HPSBUX02437, HPSBUX02859, MDVSA-2009:092, MDVSA-2009:309, NetBSD-SA2009-006, RHSA-2009:1039-01, RHSA-2009:1040-02, RHSA-2009:1651-01, SSA:2009-154-01, SSRT090038, SSRT101144, SUSE-SR:2009:011, TLSA-2009-17, VIGILANCE-VUL-8624, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability 

The ntpq program monitors the behaviour of the ntpd daemon, or obtains information about peers.

The cookedprint() function in the ntpq/ntpq.c file of NTP.org displays information about peers. However, this function uses sprintf() to write into a buffer that is shorter than the data, so a two-byte buffer overflow occurs.

A malicious NTP server can therefore return a large value in order to generate an overflow in ntpq. This overflow leads to a denial of service, and may lead to code execution.
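
The failure mode described above, as an added illustration that is not the ntpq source code: a peer-supplied 32-bit value is formatted in octal, first against an undersized buffer and then with a bounded write. The 10-byte buffer, the octal format and all function names are assumptions chosen to reproduce a two-byte shortfall.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define LEGACY_BUF 10   /* assumed size, chosen to reproduce a two-byte shortfall */

/* Vulnerable pattern (shown only as a comment, never executed):
 *     char b[LEGACY_BUF];
 *     sprintf(b, "%03" PRIo32, value);   // unbounded: writes past b for large values
 */

/* Bytes the formatted value needs, including the terminating NUL. */
static size_t octal_bytes_needed(uint32_t value)
{
    int n = snprintf(NULL, 0, "%03" PRIo32, value);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* How many bytes an unbounded sprintf() would write past a buffer of bufsize. */
static size_t overflow_bytes(size_t bufsize, uint32_t value)
{
    size_t need = octal_bytes_needed(value);
    return need > bufsize ? need - bufsize : 0;
}

/* Hardened form: bounded write, truncation reported as an error. */
static int format_octal_checked(char *dst, size_t dstsize, uint32_t value)
{
    int n = snprintf(dst, dstsize, "%03" PRIo32, value);
    if (n < 0 || (size_t)n >= dstsize) {
        if (dstsize > 0)
            dst[0] = '\0';   /* never hand back a half-written field */
        return -1;
    }
    return n;
}

int main(void)
{
    char small[LEGACY_BUF], big[12];
    uint32_t hostile = UINT32_MAX;   /* constructed worst-case value from a server */

    printf("needs %zu bytes, unbounded write overflows by %zu\n",
           octal_bytes_needed(hostile), overflow_bytes(sizeof small, hostile));
    printf("10-byte buffer: %d\n", format_octal_checked(small, sizeof small, hostile));
    printf("12-byte buffer: %d\n", format_octal_checked(big, sizeof big, hostile));
    return 0;
}
```

Sizing the buffer for the largest value the field's type can hold, and treating snprintf() truncation as an error, removes the dependency on the server sending well-behaved values.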

This vulnerability alert impacts software or systems such as Debian, Fedora, HP-UX, Mandriva Linux, Mandriva NF, Meinberg NTP Server, NetBSD, NLD, OES, NTP.org, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, TurboLinux, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.

Our Vigil@nce team determined that the severity of this computer weakness alert is medium.

The trust level is "confirmed by the editor", with an origin of "intranet server".

An attacker with expert ability can exploit this computer vulnerability.

Solutions for this threat 

NTP.org: version 4.2.4p7.
Version 4.2.4p7 is corrected:
  http://www.ntp.org/downloads.html

NTP.org: patch.
A patch is available in information sources.

VMware ESX, ESXi, VirtualCenter: solution.
The following versions are corrected:
VirtualCenter 4.0 Update 1
  http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1
VMware Virtual Center 2.5 Update 6
  http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6
ESXi 4.0 Update 1
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-155-20091116-013169/ESXi-4.0.0-update01.zip
ESXi 3.5
  http://download3.vmware.com/software/vi/ESXe350-201002401-O-SG.zip
ESX 4.0 Update 1
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-158-20091118-187517/ESX-4.0.0-update01.zip
  known problems: http://kb.vmware.com/kb/1016070
ESX 3.5
  http://download3.vmware.com/software/vi/ESX350-201002407-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201002402-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201002404-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip
ESX 3.0.3
  http://download3.vmware.com/software/vi/ESX303-201002204-UG.zip
  http://download3.vmware.com/software/vi/ESX303-201002206-UG.zip
  http://download3.vmware.com/software/vi/ESX303-201002205-UG.zip

SPARC: patch for NTP.
A patch is available:
  Netra SPARC T3-1 : 147319-01
  Netra SPARC T3-1B : 147320-01
  SPARC T3-1 : 147315-01
  SPARC T3-1B : 147318-01
  SPARC T3-2 : 147316-01
  SPARC T3-4 : 147317-01

Debian: new ntp packages.
New packages are available:
  http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_*.deb
  http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_*.deb

Fedora: new ntp packages.
New packages are available:
  ntp-4.2.4p7-1.fc10
  ntp-4.2.4p7-2.fc11

HP-UX: patch for XNTP.
A patch is available:
http://itrc.hp.com/
HP-UX B.11.11 - InternetSrvcs.INETSVCS-BOOT
  PHNE_39871
HP-UX B.11.23 - InternetSrvcs.INETSVCS2-BOOT
  PHNE_39872
HP-UX B.11.31 - NTP.NTP-RUN
  PHNE_39873

HP-UX: XNTP version C.4.2.6.0.0.
Version C.4.2.6.0.0 is fixed:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-NTP
Patch PHNE_42470 also has to be installed.

Mandriva 2008.0: new ntp packages.
New packages are available:
  ntp-4.2.4-10.2mdv2008.0

Mandriva: new ntp packages.
New packages are available:
Mandriva Linux 2008.1: ntp-4.2.4-15.2mdv2008.1
Mandriva Linux 2009.0: ntp-4.2.4-18.2mdv2009.0
Corporate 3.0: ntp-4.2.0-2.2.C30mdk
Corporate 4.0: ntp-4.2.0-21.4.20060mlcs4
Multi Network Firewall 2.0: ntp-4.2.0-2.2.C30mdk

NetBSD: patch for ntp.
A patch is available in information sources.

RHEL 3: new ntp packages.
New packages are available:
  ntp-4.1.2-6.el3

RHEL: new ntp packages.
New packages are available:
Red Hat Enterprise Linux version 4: ntp-4.2.0.a.20040617-8.el4_7.2
Red Hat Enterprise Linux version 5: ntp-4.2.2p1-9.el5_3.2

Slackware: new ntp packages.
New packages are available:
Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/ntp-4.2.2p3-i386-1_slack8.1.tgz
Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/ntp-4.2.2p3-i386-1_slack9.0.tgz
Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/ntp-4.2.2p3-i486-1_slack9.1.tgz
Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/ntp-4.2.2p3-i486-1_slack10.0.tgz
Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/ntp-4.2.2p3-i486-1_slack10.1.tgz
Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/ntp-4.2.2p3-i486-1_slack10.2.tgz
Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/ntp-4.2.2p3-i486-2_slack11.0.tgz
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ntp-4.2.4p7-i486-1_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/ntp-4.2.4p7-i486-1_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/ntp-4.2.4p7-i486-1_slack12.2.tgz

Sun SPARC: patch for NTP.
A patch is available for the firmware:
  SPARC T3-4 : 147317-01
  SPARC T3-2 : 147316-01
  SPARC T3-1B : 147318-01
  SPARC T3-1 : 147315-01
  Netra SPARC T3-1B : 147320-01
  Netra SPARC T3-1 : 147319-01
  Netra SPARC T3-1BA : 144609-07

SUSE: new packages (09/06/2009).
New packages are available.

Turbolinux: new ntp packages.
New packages are available.