ID CVE-2009-1252
Summary Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
References
Vulnerable Configurations
  • cpe:2.3:a:ntp:ntp:4.2.4p0
    cpe:2.3:a:ntp:ntp:4.2.4p0
  • cpe:2.3:a:ntp:ntp:4.2.4p1
    cpe:2.3:a:ntp:ntp:4.2.4p1
  • cpe:2.3:a:ntp:ntp:4.2.4p2
    cpe:2.3:a:ntp:ntp:4.2.4p2
  • cpe:2.3:a:ntp:ntp:4.2.4p3
    cpe:2.3:a:ntp:ntp:4.2.4p3
  • cpe:2.3:a:ntp:ntp:4.2.4p4
    cpe:2.3:a:ntp:ntp:4.2.4p4
  • cpe:2.3:a:ntp:ntp:4.2.4p5
    cpe:2.3:a:ntp:ntp:4.2.4p5
  • cpe:2.3:a:ntp:ntp:4.2.4p6
    cpe:2.3:a:ntp:ntp:4.2.4p6
  • cpe:2.3:a:ntp:ntp:4.2.5p0
    cpe:2.3:a:ntp:ntp:4.2.5p0
  • cpe:2.3:a:ntp:ntp:4.2.5p1
    cpe:2.3:a:ntp:ntp:4.2.5p1
  • cpe:2.3:a:ntp:ntp:4.2.5p2
    cpe:2.3:a:ntp:ntp:4.2.5p2
  • cpe:2.3:a:ntp:ntp:4.2.5p3
    cpe:2.3:a:ntp:ntp:4.2.5p3
  • cpe:2.3:a:ntp:ntp:4.2.5p4
    cpe:2.3:a:ntp:ntp:4.2.5p4
  • cpe:2.3:a:ntp:ntp:4.2.5p5
    cpe:2.3:a:ntp:ntp:4.2.5p5
  • cpe:2.3:a:ntp:ntp:4.2.5p6
    cpe:2.3:a:ntp:ntp:4.2.5p6
  • cpe:2.3:a:ntp:ntp:4.2.5p7
    cpe:2.3:a:ntp:ntp:4.2.5p7
  • cpe:2.3:a:ntp:ntp:4.2.5p8
    cpe:2.3:a:ntp:ntp:4.2.5p8
  • cpe:2.3:a:ntp:ntp:4.2.5p9
    cpe:2.3:a:ntp:ntp:4.2.5p9
  • cpe:2.3:a:ntp:ntp:4.2.5p10
    cpe:2.3:a:ntp:ntp:4.2.5p10
  • cpe:2.3:a:ntp:ntp:4.2.5p11
    cpe:2.3:a:ntp:ntp:4.2.5p11
  • cpe:2.3:a:ntp:ntp:4.2.5p12
    cpe:2.3:a:ntp:ntp:4.2.5p12
  • cpe:2.3:a:ntp:ntp:4.2.5p13
    cpe:2.3:a:ntp:ntp:4.2.5p13
  • cpe:2.3:a:ntp:ntp:4.2.5p14
    cpe:2.3:a:ntp:ntp:4.2.5p14
  • cpe:2.3:a:ntp:ntp:4.2.5p15
    cpe:2.3:a:ntp:ntp:4.2.5p15
  • cpe:2.3:a:ntp:ntp:4.2.5p16
    cpe:2.3:a:ntp:ntp:4.2.5p16
  • cpe:2.3:a:ntp:ntp:4.2.5p17
    cpe:2.3:a:ntp:ntp:4.2.5p17
  • cpe:2.3:a:ntp:ntp:4.2.5p18
    cpe:2.3:a:ntp:ntp:4.2.5p18
  • cpe:2.3:a:ntp:ntp:4.2.5p19
    cpe:2.3:a:ntp:ntp:4.2.5p19
  • cpe:2.3:a:ntp:ntp:4.2.5p20
    cpe:2.3:a:ntp:ntp:4.2.5p20
  • cpe:2.3:a:ntp:ntp:4.2.5p21
    cpe:2.3:a:ntp:ntp:4.2.5p21
  • cpe:2.3:a:ntp:ntp:4.2.5p23
    cpe:2.3:a:ntp:ntp:4.2.5p23
  • cpe:2.3:a:ntp:ntp:4.2.5p24
    cpe:2.3:a:ntp:ntp:4.2.5p24
  • cpe:2.3:a:ntp:ntp:4.2.5p25
    cpe:2.3:a:ntp:ntp:4.2.5p25
  • cpe:2.3:a:ntp:ntp:4.2.5p26
    cpe:2.3:a:ntp:ntp:4.2.5p26
  • cpe:2.3:a:ntp:ntp:4.2.5p27
    cpe:2.3:a:ntp:ntp:4.2.5p27
  • cpe:2.3:a:ntp:ntp:4.2.5p28
    cpe:2.3:a:ntp:ntp:4.2.5p28
  • cpe:2.3:a:ntp:ntp:4.2.5p29
    cpe:2.3:a:ntp:ntp:4.2.5p29
  • cpe:2.3:a:ntp:ntp:4.2.5p30
    cpe:2.3:a:ntp:ntp:4.2.5p30
  • cpe:2.3:a:ntp:ntp:4.2.5p31
    cpe:2.3:a:ntp:ntp:4.2.5p31
  • cpe:2.3:a:ntp:ntp:4.2.5p32
    cpe:2.3:a:ntp:ntp:4.2.5p32
  • cpe:2.3:a:ntp:ntp:4.2.5p33
    cpe:2.3:a:ntp:ntp:4.2.5p33
  • cpe:2.3:a:ntp:ntp:4.2.5p35
    cpe:2.3:a:ntp:ntp:4.2.5p35
  • cpe:2.3:a:ntp:ntp:4.2.5p36
    cpe:2.3:a:ntp:ntp:4.2.5p36
  • cpe:2.3:a:ntp:ntp:4.2.5p37
    cpe:2.3:a:ntp:ntp:4.2.5p37
  • cpe:2.3:a:ntp:ntp:4.2.5p38
    cpe:2.3:a:ntp:ntp:4.2.5p38
  • cpe:2.3:a:ntp:ntp:4.2.5p39
    cpe:2.3:a:ntp:ntp:4.2.5p39
  • cpe:2.3:a:ntp:ntp:4.2.5p40
    cpe:2.3:a:ntp:ntp:4.2.5p40
  • cpe:2.3:a:ntp:ntp:4.2.5p41
    cpe:2.3:a:ntp:ntp:4.2.5p41
  • cpe:2.3:a:ntp:ntp:4.2.5p42
    cpe:2.3:a:ntp:ntp:4.2.5p42
  • cpe:2.3:a:ntp:ntp:4.2.5p43
    cpe:2.3:a:ntp:ntp:4.2.5p43
  • cpe:2.3:a:ntp:ntp:4.2.5p44
    cpe:2.3:a:ntp:ntp:4.2.5p44
  • cpe:2.3:a:ntp:ntp:4.2.5p45
    cpe:2.3:a:ntp:ntp:4.2.5p45
  • cpe:2.3:a:ntp:ntp:4.2.5p46
    cpe:2.3:a:ntp:ntp:4.2.5p46
  • cpe:2.3:a:ntp:ntp:4.2.5p47
    cpe:2.3:a:ntp:ntp:4.2.5p47
  • cpe:2.3:a:ntp:ntp:4.2.5p48
    cpe:2.3:a:ntp:ntp:4.2.5p48
  • cpe:2.3:a:ntp:ntp:4.2.5p49
    cpe:2.3:a:ntp:ntp:4.2.5p49
  • cpe:2.3:a:ntp:ntp:4.2.5p50
    cpe:2.3:a:ntp:ntp:4.2.5p50
  • cpe:2.3:a:ntp:ntp:4.2.5p51
    cpe:2.3:a:ntp:ntp:4.2.5p51
  • cpe:2.3:a:ntp:ntp:4.2.5p52
    cpe:2.3:a:ntp:ntp:4.2.5p52
  • cpe:2.3:a:ntp:ntp:4.2.5p53
    cpe:2.3:a:ntp:ntp:4.2.5p53
  • cpe:2.3:a:ntp:ntp:4.2.5p54
    cpe:2.3:a:ntp:ntp:4.2.5p54
  • cpe:2.3:a:ntp:ntp:4.2.5p55
    cpe:2.3:a:ntp:ntp:4.2.5p55
  • cpe:2.3:a:ntp:ntp:4.2.5p56
    cpe:2.3:a:ntp:ntp:4.2.5p56
  • cpe:2.3:a:ntp:ntp:4.2.5p57
    cpe:2.3:a:ntp:ntp:4.2.5p57
  • cpe:2.3:a:ntp:ntp:4.2.5p58
    cpe:2.3:a:ntp:ntp:4.2.5p58
  • cpe:2.3:a:ntp:ntp:4.2.5p59
    cpe:2.3:a:ntp:ntp:4.2.5p59
  • cpe:2.3:a:ntp:ntp:4.2.5p60
    cpe:2.3:a:ntp:ntp:4.2.5p60
  • cpe:2.3:a:ntp:ntp:4.2.5p61
    cpe:2.3:a:ntp:ntp:4.2.5p61
  • cpe:2.3:a:ntp:ntp:4.2.5p62
    cpe:2.3:a:ntp:ntp:4.2.5p62
  • cpe:2.3:a:ntp:ntp:4.2.5p63
    cpe:2.3:a:ntp:ntp:4.2.5p63
  • cpe:2.3:a:ntp:ntp:4.2.5p64
    cpe:2.3:a:ntp:ntp:4.2.5p64
  • cpe:2.3:a:ntp:ntp:4.2.5p65
    cpe:2.3:a:ntp:ntp:4.2.5p65
  • cpe:2.3:a:ntp:ntp:4.2.5p66
    cpe:2.3:a:ntp:ntp:4.2.5p66
  • cpe:2.3:a:ntp:ntp:4.2.5p67
    cpe:2.3:a:ntp:ntp:4.2.5p67
  • cpe:2.3:a:ntp:ntp:4.2.5p68
    cpe:2.3:a:ntp:ntp:4.2.5p68
  • cpe:2.3:a:ntp:ntp:4.2.5p69
    cpe:2.3:a:ntp:ntp:4.2.5p69
  • cpe:2.3:a:ntp:ntp:4.2.5p70
    cpe:2.3:a:ntp:ntp:4.2.5p70
  • cpe:2.3:a:ntp:ntp:4.2.5p71
    cpe:2.3:a:ntp:ntp:4.2.5p71
  • cpe:2.3:a:ntp:ntp:4.2.5p73
    cpe:2.3:a:ntp:ntp:4.2.5p73
CVSS
Base: 6.8 (as of 20-05-2009 - 07:02)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1039.NASL
    description An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 38820
    published 2009-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38820
    title RHEL 5 : ntp (RHSA-2009:1039)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-777-1.NASL
    description A stack-based buffer overflow was discovered in ntpq. If a user were tricked into connecting to a malicious ntp server, a remote attacker could cause a denial of service in ntpq, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0159) Chris Ries discovered a stack-based overflow in ntp. If ntp was configured to use autokey, a remote attacker could send a crafted packet to cause a denial of service, or possibly execute arbitrary code. (CVE-2009-1252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 38848
    published 2009-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38848
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : ntp vulnerabilities (USN-777-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1040.NASL
    description An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 38821
    published 2009-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38821
    title RHEL 4 : ntp (RHSA-2009:1040)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-5275.NASL
    description This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-21
    plugin id 38962
    published 2009-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38962
    title Fedora 9 : ntp-4.2.4p7-1.fc9 (2009-5275)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200905-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-200905-08 (NTP: Remote execution of arbitrary code) Multiple vulnerabilities have been found in the programs included in the NTP package: Apple Product Security reported a boundary error in the cookedprint() function in ntpq/ntpq.c, possibly leading to a stack-based buffer overflow (CVE-2009-0159). Chris Ries of CMU reported a boundary error within the crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a stack-based buffer overflow (CVE-2009-1252). Impact : A remote attacker might send a specially crafted package to a machine running ntpd, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the daemon, or a Denial of Service. NOTE: Successful exploitation requires the 'autokey' feature to be enabled. This feature is only available if NTP was built with the 'ssl' USE flag. Furthermore, a remote attacker could entice a user into connecting to a malicious server using ntpq, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround : You can protect against CVE-2009-1252 by disabling the 'ssl' USE flag and recompiling NTP.
    last seen 2019-01-16
    modified 2018-07-11
    plugin id 38920
    published 2009-05-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38920
    title GLSA-200905-08 : NTP: Remote execution of arbitrary code
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-309.NASL
    description Multiple vulnerabilities has been found and corrected in ntp : Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution (CVE-2009-0159). A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd (CVE-2009-1252). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers The updated packages have been patched to prevent this.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 42995
    published 2009-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42995
    title Mandriva Linux Security Advisory : ntp (MDVSA-2009:309)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1040.NASL
    description An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 67066
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67066
    title CentOS 4 : ntp (CESA-2009:1040)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0001.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Remove default ntp servers in ntp.conf [bug 14342986] - don't generate weak control key for resolver (CVE-2014-9293) - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294) - fix buffer overflows via specially-crafted packets (CVE-2014-9295) - increase memlock limit again (#1035198) - allow selection of cipher for private key files (#741573) - revert init script priority (#470945, #689636) - drop tentative patch (#489835) - move restorecon call to %posttrans - call restorecon on ntpd and ntpdate on start (#470945) - don't crash with more than 512 local addresses (#661934) - add -I option (#528799) - fix -L option to not require argument (#460434) - move ntpd and ntpdate to /sbin and start earlier on boot (#470945, #689636) - increase memlock limit (#575874) - ignore tentative addresses (#489835) - print synchronization distance instead of dispersion in ntpstat (#679034) - fix typos in ntpq and ntp-keygen man pages (#664524, #664525) - clarify ntpd -q description (#591838) - don't verify ntp.conf (#481151) - replace Prereq tag - fix DoS with mode 7 packets (#532640, CVE-2009-3563) - compile with -fno-strict-aliasing - fix buffer overflow when parsing Autokey association message (#500784, CVE-2009-1252) - fix buffer overflow in ntpq (#500784, CVE-2009-0159) - fix check for malformed signatures (#479699, CVE-2009-0021)
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 80394
    published 2015-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80394
    title OracleVM 3.2 : ntp (OVMSA-2015-0001)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1039.NASL
    description An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 43750
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43750
    title CentOS 5 : ntp (CESA-2009:1039)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090518_NTP_ON_SL5_X.NASL
    description A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq. (CVE-2009-0159) After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60587
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60587
    title Scientific Linux Security Update : ntp on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_NTP-090508.NASL
    description This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This upfate fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 40285
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40285
    title openSUSE Security Update : ntp (ntp-862)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2009-0016_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Apache Geronimo - Apache Tomcat - Apache Xerces2 - cURL/libcURL - ISC BIND - Libxml2 - Linux kernel - Linux kernel 64-bit - Linux kernel Common Internet File System - Linux kernel eCryptfs - NTP - Python - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Abstract Window Toolkit (AWT) - Java SE Plugin - Java SE Provider - Java SE Swing - Java SE Web Start
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 89117
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89117
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1801.NASL
    description Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0159 A buffer overflow in ntpq allow a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. - CVE-2009-1252 A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 38833
    published 2009-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38833
    title Debian DSA-1801-1 : ntp - buffer overflows
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12415.NASL
    description This update fixes : - a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) - a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen 2019-01-16
    modified 2012-04-23
    plugin id 41298
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41298
    title SuSE9 Security Update : xntp (YOU Patch Number 12415)
  • NASL family Misc.
    NASL id NTPD_AUTOKEY_OVERFLOW.NASL
    description The version of the remote NTP server is 4.x prior to 4.2.4p7 or 4.x prior to 4.2.5p74. It is, therefore, affected by a stack-based buffer overflow condition due to the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. Note that this issue is exploitable only if ntpd was compiled with OpenSSL support and autokey authentication is enabled. The presence of the following line in ntp.conf indicates a vulnerable system : crypto pw *password* Nessus did not check if the system is configured in this manner.
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 38831
    published 2009-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38831
    title Network Time Protocol Daemon (ntpd) 4.x < 4.2.4p7 / 4.x < 4.2.5p74 crypto_recv() Function RCE
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_NTP-090508.NASL
    description This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This upfate fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 40083
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40083
    title openSUSE Security Update : ntp (ntp-862)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XNTP-6231.NASL
    description This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This upfate fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 38847
    published 2009-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38847
    title openSUSE 10 Security Update : xntp (xntp-6231)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XNTP-6232.NASL
    description This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This upfate fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen 2019-01-16
    modified 2012-05-17
    plugin id 41601
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41601
    title SuSE 10 Security Update : xntp (ZYPP Patch Number 6232)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2009-154-01.NASL
    description New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.
    last seen 2019-01-16
    modified 2018-06-27
    plugin id 39008
    published 2009-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39008
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : ntp (SSA:2009-154-01)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1039.NASL
    description From Red Hat Security Advisory 2009:1039 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 67860
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67860
    title Oracle Linux 5 : ntp (ELSA-2009-1039)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2009-0011.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : CVE-2009-0159 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. CVE-2009-1252 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. CVE-2009-0021 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. - fix buffer overflow when parsing Autokey association message (#500783, CVE-2009-1252) - fix buffer overflow in ntpq (#500783, CVE-2009-0159) - fix check for malformed signatures (#479698, CVE-2009-0021) - fix selecting multicast interface (#444106) - disable kernel discipline when -x option is used (#431729) - avoid use of uninitialized floating-point values in clock_select (#250838) - generate man pages from html source, include config man pages (#307271) - add note about paths and exit codes to ntpd man page (#242925, #246568) - add section about exit codes to ntpd man page (#319591) - always return 0 in scriptlets - pass additional options to ntpdate (#240141) - fix broadcast client to accept broadcasts on 255.255.255.255 (#226958) - compile with crypto support on 64bit architectures (#239580) - add ncurses-devel to buildrequires (#239580) - exit with nonzero code if ntpd -q did not set clock (#240134) - fix return codes in init script (#240118)
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 79458
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79458
    title OracleVM 2.1 : ntp (OVMSA-2009-0011)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-5674.NASL
    description This update fixes a denial of service issue if autokey is enabled (default is disabled). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-21
    plugin id 39394
    published 2009-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39394
    title Fedora 11 : ntp-4.2.4p7-2.fc11 (2009-5674)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_NTP-090508.NASL
    description This update fixes a remote buffer overflow in xntp/ntp which can be exploited when autokey is enabled to execute arbitrary code. (CVE-2009-1252) This upfate fixes a buffer overflow in ntpd that can be triggered by a malicious server. (CVE-2009-0159)
    last seen 2019-01-16
    modified 2013-10-25
    plugin id 41441
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41441
    title SuSE 11 Security Update : ntp (SAT Patch Number 863)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4175C811F690489887C5755B3CF1BAC6.NASL
    description US-CERT reports : ntpd contains a stack-based buffer overflow which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 38881
    published 2009-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38881
    title FreeBSD : ntp -- stack-based buffer overflow (4175c811-f690-4898-87c5-755b3cf1bac6)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2009-0016.NASL
    description a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. b. Update Apache Tomcat version Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5) which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. c. Third-party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the following security issue. Note that the same security issue is present in the ESX Service Console as described in section d. of this advisory. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. The NTP security issue identified by CVE-2009-0159 is not relevant for ESXi 3.5 and ESXi 4.0. d. Service Console update for ntp Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. The Service Console present in ESX is affected by the following security issues. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. NTP authentication is not enabled by default on the Service Console. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0159 to this issue. e. Updated Service Console package kernel Updated Service Console package kernel addresses the security issues listed below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028, CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676, CVE-2009-0778 to the security issues fixed in kernel 2.6.18-128.1.6. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337, CVE-2009-0787, CVE-2009-1336 to the security issues fixed in kernel 2.6.18-128.1.10. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072, CVE-2009-1630, CVE-2009-1192 to the security issues fixed in kernel 2.6.18-128.1.14. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388, CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the security issues fixed in kernel 2.6.18-128.4.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2692, CVE-2009-2698 to the security issues fixed in kernel 2.6.18-128.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues fixed in kernel 2.6.18-164. f. Updated Service Console package python Service Console package Python update to version 2.4.3-24.el5. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service. Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to disclose sensitive information, crash or, potentially, execute arbitrary code with the Python interpreter's privileges. Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service. An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested the negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. A flaw was discovered in the strxfrm() function of the Python locale module. Strings generated by this function were not properly NULL-terminated, which could possibly cause disclosure of data stored in the memory of a Python application using this function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues. g. Updated Service Console package bind Service Console package bind updated to version 9.3.6-4.P1.el5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the 'ANY' record type. A remote attacker could use this flaw to send a specially crafted dynamic update packet that could cause named to exit with an assertion failure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0696 to this issue. h. Updated Service Console package libxml2 Service Console package libxml2 updated to version 2.6.26-2.1.2.8. libxml is a library for parsing and manipulating XML files. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2414 and CVE-2009-2416 to these issues. i. Updated Service Console package curl Service Console package curl updated to version 7.15.5-2.1.el5_3.5 A cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2417 to this issue j. Updated Service Console package gnutls Service Console package gnutil updated to version 1.4.1-3.el5_3.5 A flaw was discovered in the way GnuTLS handles NULL characters in certain fields of X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by an application using GnuTLS, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse the application into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2730 to this issue
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 42870
    published 2009-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42870
    title VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1040.NASL
    description From Red Hat Security Advisory 2009:1040 : An updated ntp package that fixes two security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 67861
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67861
    title Oracle Linux 4 : ntp (ELSA-2009-1040)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-5273.NASL
    description This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-21
    plugin id 38961
    published 2009-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38961
    title Fedora 10 : ntp-4.2.4p7-1.fc10 (2009-5273)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0002.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - don't generate weak control key for resolver (CVE-2014-9293) - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294) - fix buffer overflows via specially-crafted packets (CVE-2014-9295) - increase memlock limit again (#1035198) - allow selection of cipher for private key files (#741573) - revert init script priority (#470945, #689636) - drop tentative patch (#489835) - move restorecon call to %posttrans - call restorecon on ntpd and ntpdate on start (#470945) - don't crash with more than 512 local addresses (#661934) - add -I option (#528799) - fix -L option to not require argument (#460434) - move ntpd and ntpdate to /sbin and start earlier on boot (#470945, #689636) - increase memlock limit (#575874) - ignore tentative addresses (#489835) - print synchronization distance instead of dispersion in ntpstat (#679034) - fix typos in ntpq and ntp-keygen man pages (#664524, #664525) - clarify ntpd -q description (#591838) - don't verify ntp.conf (#481151) - replace Prereq tag - fix DoS with mode 7 packets (#532640, CVE-2009-3563) - compile with -fno-strict-aliasing - fix buffer overflow when parsing Autokey association message (#500784, CVE-2009-1252) - fix buffer overflow in ntpq (#500784, CVE-2009-0159) - fix check for malformed signatures (#479699, CVE-2009-0021)
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 80395
    published 2015-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80395
    title OracleVM 2.2 : ntp (OVMSA-2015-0002)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090518_NTP_ON_SL4_X.NASL
    description A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) After installing the update, the ntpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60586
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60586
    title Scientific Linux Security Update : ntp on SL4.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-117.NASL
    description A vulnerability has been found and corrected in ntp : A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd (CVE-2009-1252). The updated packages have been patched to prevent this.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 38844
    published 2009-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38844
    title Mandriva Linux Security Advisory : ntp (MDVSA-2009:117)
oval via4
  • accepted 2013-04-29T04:12:32.681-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
    family unix
    id oval:org.mitre.oval:def:11231
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
    version 24
  • accepted 2015-05-18T04:00:14.852-04:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    • name Jaikumar
      organization Hewlett-Packard
    description Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
    family unix
    id oval:org.mitre.oval:def:6307
    status accepted
    submitted 2009-08-11T16:16:37.000-04:00
    title HP-UX Running XNTP, Remote Execution of Arbitrary Code
    version 43
redhat via4
advisories
  • bugzilla
    id 499694
    title CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • comment ntp is earlier than 0:4.2.2p1-9.el5_3.2
      oval oval:com.redhat.rhsa:tst:20091039002
    • comment ntp is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20090046006
    rhsa
    id RHSA-2009:1039
    released 2009-05-18
    severity Important
    title RHSA-2009:1039: ntp security update (Important)
  • bugzilla
    id 499694
    title CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • comment ntp is earlier than 0:4.2.0.a.20040617-8.el4_7.2
      oval oval:com.redhat.rhsa:tst:20091040002
    • comment ntp is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20090046003
    rhsa
    id RHSA-2009:1040
    released 2009-05-18
    severity Critical
    title RHSA-2009:1040: ntp security update (Critical)
rpms
  • ntp-0:4.2.2p1-9.el5_3.2
  • ntp-0:4.2.0.a.20040617-8.el4_7.2
refmap via4
bid 35017
bugtraq 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
cert-vn VU#853097
confirm
debian DSA-1801
fedora
  • FEDORA-2009-5273
  • FEDORA-2009-5275
  • FEDORA-2009-5674
freebsd FreeBSD-SA-09:11
gentoo GLSA-200905-08
mandriva MDVSA-2009:117
misc https://launchpad.net/bugs/cve/2009-1252
netbsd NetBSD-SA2009-006
sectrack 1022243
secunia
  • 35137
  • 35138
  • 35166
  • 35169
  • 35243
  • 35253
  • 35308
  • 35336
  • 35388
  • 35416
  • 35630
  • 37470
  • 37471
slackware SSA:2009-154-01
suse SUSE-SR:2009:011
ubuntu USN-777-1
vupen
  • ADV-2009-1361
  • ADV-2009-3316
Last major update 21-08-2010 - 01:31
Published 19-05-2009 - 15:30
Last modified 10-10-2018 - 15:35
Back to Top