NetBSD Security Advisory 2009-006
=================================

Topic:      Buffer overflows in ntp

Version:    NetBSD-current:  source prior to May 21, 2009
            NetBSD 5.0:      source prior to May 27, 2009
            NetBSD 4.0.1:    source prior to May 27, 2009
            NetBSD 4.0:      source prior to May 27, 2009

Severity:   Potential remote arbitrary code execution

Fixed:      NetBSD-current:     May 20, 2009
            NetBSD-5 branch:    May 27, 2009 (5.0.1 will include the fix)
            NetBSD-4 branch:    May 27, 2009 (4.1 will include the fix)
            NetBSD-4-0 branch:  May 27, 2009 (4.0.2 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Two remote buffer overflow vulnerabilities have been found in the ntp
(Network Time Protocol) code.

The first, in ntpq, potentially allows arbitrary code execution (as the
user running ntpq) if a hostile ntp daemon is contacted.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159

The second, in ntpd itself, allows remote arbitrary code execution as the
system ntp user if cryptographic authentication is enabled, which is not
the default. If ntpd is configured to run in a chroot area (which is not
the default) the arbitrary code execution should be contained within the
chroot.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252

The second of these vulnerabilities makes the first considerably more
dangerous than it would be on its own.


Technical Details
=================

1. The cookedprint() function contains a stack-based buffer overflow
   vulnerability that can be exploited by sending a properly crafted
   response to ntpq.

2. The crypto_recv() function contains a stack-based buffer overflow
   vulnerability that can be exploited by sending a properly crafted
   packet to ntpd.


Solutions and Workarounds
=========================

Workarounds:

1. Avoid running ntpq until a fixed version has been installed.

2. Disable cryptographic authentication until a fixed version has been
   installed. Or, disable ntpd entirely until a fixed version has been
   installed.

Either of these approaches is probably undesirable; it is better to update
immediately. Enabling the rc.conf(5) option to run ntpd under chroot may
mitigate the impact of an attack but does not qualify as a real workaround.

Solutions:

For all affected NetBSD versions, obtain updated sources, and rebuild and
reinstall the ntp daemon and tools. If ntpd is running, be sure to stop and
restart it.

The fixed sources may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to update and recompile your
ntp binaries by updating your source tree and rebuilding a new version of
ntp.

* NetBSD-current:

  Systems running NetBSD-current dated from before 2009-05-20 should be
  upgraded to NetBSD-current dated 2009-05-21 or later.

  The following directories need to be updated from the netbsd-current
  CVS branch (aka HEAD):

    dist/ntp/ntpd
    dist/ntp/ntpq

  To update from CVS, re-build, and re-install ntp:

    # cd src
    # cvs update -d -P dist/ntp/ntpd
    # cvs update -d -P dist/ntp/ntpq
    # cd usr.sbin/ntp
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
    # /etc/rc.d/ntpd stop
    # /etc/rc.d/ntpd start

* NetBSD 5.0:

  The binary distribution of NetBSD 5.0 is vulnerable.

  Systems running NetBSD 5.0 sources dated from before 2009-05-27 should
  be upgraded from NetBSD 5.0 sources dated 2009-05-28 or later.

  NetBSD 5.0.1 and 5.1 will include the fix.

  The following directories need to be updated from the netbsd-5-0 CVS
  branch:

    dist/ntp/ntpd
    dist/ntp/ntpq

  To update from CVS, re-build, and re-install ntp:

    # cd src
    # cvs update -d -P -r netbsd-5-0 dist/ntp/ntpd
    # cvs update -d -P -r netbsd-5-0 dist/ntp/ntpq
    # cd usr.sbin/ntp
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
    # /etc/rc.d/ntpd stop
    # /etc/rc.d/ntpd start

* NetBSD 4.0, 4.0.1:

  The binary distributions of NetBSD 4.0 and 4.0.1 are vulnerable.

  Systems running NetBSD 4.0 sources dated from before 2009-05-27 should
  be upgraded from NetBSD 4.0 sources dated 2009-05-28 or later.

  NetBSD 4.1 and 4.0.2 will include the fix.

  The following directories need to be updated from the netbsd-4-0 CVS
  branch:

    dist/ntp/ntpd
    dist/ntp/ntpq

  To update from CVS, re-build, and re-install ntp:

    # cd src
    # cvs update -d -P -r netbsd-4-0 dist/ntp/ntpd
    # cvs update -d -P -r netbsd-4-0 dist/ntp/ntpq
    # cd usr.sbin/ntp
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
    # /etc/rc.d/ntpd stop
    # /etc/rc.d/ntpd start


Thanks To
=========

Christos Zoulas for providing the fixes.


Revision History
================

2009-06-30  Initial release
2009-07-06  Fixed dates in the advisory header


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
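The workarounds above hinge on two settings: whether ntp.conf enables cryptographic (Autokey) authentication, which is what makes the crypto_recv() overflow reachable, and whether ntpd is chrooted, which only limits the impact. The following script is an added triage example and is not part of the advisory; it assumes Autokey is turned on by a "crypto" directive in ntp.conf and that the rc.conf(5) chroot variable is named ntpd_chrootdir, and it runs against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the NetBSD advisory: classify a host's exposure to
# the ntpd crypto_recv() overflow (CVE-2009-1252) from its ntp.conf/rc.conf.
# Assumptions: Autokey is enabled by a leading "crypto" directive in
# ntp.conf; rc.conf uses ntpd_chrootdir=... (assumed name) for the chroot.

# Return 0 when the ntp.conf given as $1 enables cryptographic authentication.
# Comments are stripped first so "# crypto" does not count.
ntp_crypto_enabled() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*crypto([[:space:]]|$)'
}

# Print the chroot directory set in rc.conf ($1), or nothing if unset.
ntpd_chroot_dir() {
    sed 's/#.*//' "$1" | sed -n 's/^[[:space:]]*ntpd_chrootdir=//p' \
        | tail -n 1 | tr -d '"'
}

# Print one of: exposed / exposed-chroot / not-exposed
ntp_exposure() {
    if ntp_crypto_enabled "$1"; then
        if [ -n "$(ntpd_chroot_dir "$2")" ]; then
            echo exposed-chroot   # overflow reachable, impact contained in chroot
        else
            echo exposed          # overflow reachable as the ntp user
        fi
    else
        echo not-exposed          # Autokey off: crypto_recv() path not reached
    fi
}

# Constructed sample configuration files for a stand-alone run.
tmp=$(mktemp -d)
cat > "$tmp/ntp.conf" <<'EOF'
server ntp.example.net
# crypto    (commented out, must not count)
crypto pw example-password
EOF
printf 'ntpd=YES\nntpd_chrootdir="/var/chroot/ntpd"\n' > "$tmp/rc.conf"
printf 'server ntp.example.net\n' > "$tmp/ntp-plain.conf"
printf 'ntpd=YES\n' > "$tmp/rc-plain.conf"

ntp_exposure "$tmp/ntp.conf" "$tmp/rc.conf"              # exposed-chroot
ntp_exposure "$tmp/ntp-plain.conf" "$tmp/rc-plain.conf"  # not-exposed
```

Run it against the real /etc/ntp.conf and /etc/rc.conf by passing those paths to ntp_exposure; "not-exposed" still leaves the ntpq issue (CVE-2009-0159), which the script does not assess.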
$NetBSD: NetBSD-SA2009-006.txt,v 1.3 2009/07/06 09:28:03 tonnerre Exp $