[ntp:security] [Bug 2655] Multiple vulnerabilities in ntpd

bugzilla-daemon at ntp.org
Sun Nov 2 05:44:25 UTC 2014


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
             Status|CONFIRMED                   |IN_PROGRESS

--- Comment #4 from Harlan Stenn <stenn at ntp.org> 2014-11-02 05:44:25 UTC ---
Stephen emailed me saying:

Let me enumerate the distinct issues again:
1) ntpd/ntp_config.c:1689 <config_auth> (weak default key)
 fix: remove this code
2) non-cryptographic random number generator with weak seed
 * util/ntp-keygen.c:724 <gen_md5> (weak symmetric keys)
 fix: use OS provided random numbers for crypto
3) ntpd/ntp_crypto.c:792 <crypto_recv> (buffer overflow)
 fix: dynamically allocate the buffer to decrypt into
4) ntpd/ntp_control.c:1027 <ctl_putdata> (buffer overflow, needs privileges)
 fix: check if dlen is greater than the buffer and either break it up or
bail out
5) ntpd/ntp_control.c:2495 <configure> (buffer overflow, needs privileges)
 fix: length check before memcpy
6) ntpd/ntp_proto.c:946 <receive> (missing return on error)
 fix: add return
7) Missing validation of vallen leading to various info leaks
* ntpd/ntp_crypto.c:571
* ntpd/ntp_crypto.c:1162
* ntpd/ntp_crypto.c:1559
* ntpd/ntp_crypto.c:2117
* ntpd/ntp_crypto.c:1461
 fix: verify that the packet format is valid right after it was received
8) Restrictions based on source IP can be bypassed
 fix: not sure if this is an issue that can be fixed reliably. Also
there are other access restrictions in place (symmetric keys). Checking
the source interface for "::1" packets could raise the bar.

The most serious issues in my opinion are 1), 4) and 5) and they seem
easy to fix. Maybe it makes sense to fix these issues first and release
a new version? Since right now, a lot of machines out there are
vulnerable to remote code execution and I'd like to change that as soon
as possible.

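The following is an added illustration, not ntpd code and not part of Stephen's report or of this bug entry. It shows the bug class behind items 3), 4), 5) and 7) above in the abstract: a length-prefixed value ("vallen") read out of a received packet and copied into a fixed-size buffer. Everything in it is assumed for the example: the field layout (2-byte big-endian length followed by the value), the 64-byte destination buffer, and the function names parse_value_unchecked, parse_value_checked and demo_case. The unchecked form trusts the attacker-supplied length, so a large vallen overflows the destination (the remote code execution flavour) and a vallen larger than the bytes actually received reads past the packet (the info-leak flavour). The checked form validates the declared length against both the packet and the destination before memcpy, which is the "length check before memcpy" fix the report asks for.

```c
/*
 * Added example, not ntpd code: a length-prefixed value field copied out
 * of a received packet, in vulnerable and hardened form.
 *
 * Assumed field layout: 2-byte big-endian length ("vallen") followed by
 * vallen bytes of value. The packet contents used below are constructed
 * for this example, not captured traffic.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VALUE_BUF_SIZE 64   /* assumed size of the fixed destination buffer */

/*
 * Vulnerable pattern (the "before"): the declared length is never checked.
 * vallen > VALUE_BUF_SIZE overflows `out`; vallen > bytes received reads
 * past the end of `pkt`. Kept for comparison only; never feed it untrusted
 * input. Returns the number of bytes it copied.
 */
static size_t parse_value_unchecked(const uint8_t *pkt, size_t pktlen,
                                    uint8_t out[VALUE_BUF_SIZE])
{
    uint16_t vallen = (uint16_t)((pkt[0] << 8) | pkt[1]);
    (void)pktlen;                  /* the bug: received length is ignored */
    memcpy(out, pkt + 2, vallen);  /* unbounded in both directions */
    return vallen;
}

/*
 * Hardened pattern: validate vallen against what was actually received and
 * against the destination size before touching memory. Returns the number
 * of bytes copied, or -1 if the field is malformed.
 */
static long parse_value_checked(const uint8_t *pkt, size_t pktlen,
                                uint8_t out[VALUE_BUF_SIZE])
{
    if (pktlen < 2)
        return -1;                 /* not even room for the length field */
    size_t vallen = ((size_t)pkt[0] << 8) | pkt[1];
    if (vallen > pktlen - 2)
        return -1;                 /* claims more than arrived: over-read */
    if (vallen > VALUE_BUF_SIZE)
        return -1;                 /* would not fit: buffer overflow */
    memcpy(out, pkt + 2, vallen);
    return (long)vallen;
}

/*
 * Build a constructed packet whose header claims `declared_len` bytes while
 * only `actual_payload` bytes of value follow it, and run the checked parser
 * on it. actual_payload must be <= 256.
 */
static long demo_case(uint16_t declared_len, size_t actual_payload)
{
    uint8_t pkt[2 + 256];
    uint8_t out[VALUE_BUF_SIZE];

    pkt[0] = (uint8_t)(declared_len >> 8);
    pkt[1] = (uint8_t)(declared_len & 0xff);
    memset(pkt + 2, 0x41, actual_payload);  /* filler value bytes */
    return parse_value_checked(pkt, 2 + actual_payload, out);
}

int main(void)
{
    uint8_t out[VALUE_BUF_SIZE];
    /* Well-formed packet: both parsers agree. */
    const uint8_t good[] = { 0x00, 0x04, 'n', 't', 'p', 'd' };
    printf("unchecked, well-formed:  %zu\n",
           parse_value_unchecked(good, sizeof good, out));
    printf("checked,   well-formed:  %ld\n", demo_case(4, 4));
    /* Declared length exceeds bytes received (info leak in the unchecked form). */
    printf("checked,   over-read:    %ld\n", demo_case(100, 4));
    /* Declared length fits the packet but not the buffer (overflow). */
    printf("checked,   overflow:     %ld\n", demo_case(100, 100));
    /* Exactly the buffer size is still fine; one more byte is not. */
    printf("checked,   boundary:     %ld %ld\n", demo_case(64, 64), demo_case(65, 65));
    return 0;
}
```

The check order matters: testing vallen against the received length first means the destination-size test never operates on a value that was itself read from beyond the packet, and both tests sit before the memcpy, which is the point of validating the packet format right after receipt rather than at each later use.
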