Buffer Overflow in ntpd time protocol service
A buffer overflow in ntpd, the open source implementation of the Network Time Protocol, can allow an attacker to remotely crash or compromise a system. The problem is caused by the use of the unsafe C function sprintf in crypto_recv in ntpd/ntp_crypto.c. With manipulated server responses, it is possible to provoke the buffer overflow. The attack only works if ntpd is run with OpenSSL support and Autokey enabled. According to the US-CERT, this vulnerable configuration is indicated by an entry crypto pw password in the ntp.conf file, where password is the configured password.
Updating to ntp 4.2.4p7 fixes the error. This is an updated version of the NTP daemon which also fixes a buffer overflow in ntpq, the NTP query daemon. US-CERT lists this fault in ntpd as confirmed by Debian, Red Hat and FreeBSD. New packages are available but not yet distributed, and other manufacturers are probably affected. An alternative to updating is to switch off the Autokey function by removing the crypto pw line from ntp.conf.
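To check a host for the configuration described above, the following added example (not from the article, US-CERT or ntp.org) reads ntp.conf text on standard input and reports active crypto lines that carry a pw option, masking the password in its output. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: find active "crypto ... pw <password>" lines in ntp.conf.
# Reads the configuration on stdin, prints "<line number>: <line>" with the
# password masked, and returns 0 if such a line exists, 1 otherwise.
find_autokey_pw() {
    awk '
        {
            sub(/#.*/, "")              # drop comments; awk re-splits fields
            if ($1 != "crypto") next    # only the crypto directive matters
            for (i = 2; i <= NF; i++) {
                if ($i == "pw") {
                    if (i < NF) $(i + 1) = "********"   # never echo the secret
                    print NR ": " $0
                    found = 1
                    next
                }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample configuration, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed sample ntp.conf
server 0.pool.example iburst
driftfile /var/lib/ntp/ntp.drift
# crypto pw oldsecret
  crypto randfile /dev/urandom pw ExamplePass   # Autokey
keysdir /etc/ntp
EOF
}

# Demo run on the constructed sample; on a real host use:
#   find_autokey_pw < /etc/ntp.conf
sample_conf | find_autokey_pw
```

A commented-out crypto line and a crypto line without pw are both ignored, so a zero exit status means the entry is still active in the file.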
See also:
- ntpd autokey stack buffer overflow, Report from US-CERT.
- NTP 4.2.4p7 Released, Announcement from ntp.org.
(djwm)