[RHSA-2001:045-05] Network Time Daemon (ntpd) has potential remote root exploit

From: bugzilla@REDHAT.COM
Date: Sun Apr 08 2001 - 23:25:00 CEST

  • Next message: Thomas Lopatic: "A fragmentation attack against IP Filter"

    ---------------------------------------------------------------------
                       Red Hat, Inc. Red Hat Security Advisory

    Synopsis: Network Time Daemon (ntpd) has potential remote root exploit
    Advisory ID: RHSA-2001:045-05
    Issue date: 2001-04-05
    Updated on: 2001-04-08
    Product: Red Hat Linux
    Keywords: ntpd exploit buffer overflow
    Cross references:
    Obsoletes:
    ---------------------------------------------------------------------

    1. Topic:

    The Network Time Daemon (ntpd) supplied with all releases of Red Hat
    Linux is vulnerable to a buffer overflow, allowing a remote attacker to
    potentially gain root level access to a machine. All users of ntpd are
    strongly encouraged to upgrade.

    2. Relevant releases/architectures:

    Red Hat Linux 5.2 - alpha, i386, sparc

    Red Hat Linux 6.2 - alpha, i386, sparc

    Red Hat Linux 7.0 - alpha, i386

    3. Problem description:

    The Network Time Daemon (xntpd on Red Hat Linux 6.2 and earlier, ntpd on
    Red Hat Linux 7.0) does not properly check the size of a buffer used to
    hold incoming data from the network. Potentially, an attacker could gain
    root access by exploiting this weakness.

    Potential damage is mitigated by the fact that the Network Time Daemon is
    not enabled by default. If you are not using network time services, it
    may not even be installed. As a general rule, Red Hat encourages users to
    enable only those network services they actually need.

    4. Solution:

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which are
    not installed but included in the list will not be updated. Note that you
    can also use wildcards (*.rpm) if your current directly *only* contains the
    desired RPMs.

    Please note that this update is also available via Red Hat Network. Many
    people find this an easier way to apply updates. To use Red Hat Network,
    launch the Red Hat Update Agent with the following command:

    up2date

    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system.

    5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

    34813 - ntpd security hole

    6. RPMs required:

    Red Hat Linux 5.2:

    SRPMS:
    ftp://updates.redhat.com/5.2/en/os/SRPMS/xntp3-5.93-14.src.rpm

    alpha:
    ftp://updates.redhat.com/5.2/en/os/alpha/xntp3-5.93-14.alpha.rpm

    i386:
    ftp://updates.redhat.com/5.2/en/os/i386/xntp3-5.93-14.i386.rpm

    sparc:
    ftp://updates.redhat.com/5.2/en/os/sparc/xntp3-5.93-14.sparc.rpm

    Red Hat Linux 6.2:

    SRPMS:
    ftp://updates.redhat.com/6.2/en/os/SRPMS/xntp3-5.93-15.src.rpm

    alpha:
    ftp://updates.redhat.com/6.2/en/os/alpha/xntp3-5.93-15.alpha.rpm

    i386:
    ftp://updates.redhat.com/6.2/en/os/i386/xntp3-5.93-15.i386.rpm

    sparc:
    ftp://updates.redhat.com/6.2/en/os/sparc/xntp3-5.93-15.sparc.rpm

    Red Hat Linux 7.0:

    SRPMS:
    ftp://updates.redhat.com/7.0/en/os/SRPMS/ntp-4.0.99k-15.src.rpm

    alpha:
    ftp://updates.redhat.com/7.0/en/os/alpha/ntp-4.0.99k-15.alpha.rpm

    i386:
    ftp://updates.redhat.com/7.0/en/os/i386/ntp-4.0.99k-15.i386.rpm

    7. Verification:

    MD5 sum Package Name
    --------------------------------------------------------------------------
    0d3566d34cd5bc9990a15a41be99e4c7 5.2/en/os/SRPMS/xntp3-5.93-14.src.rpm
    aa851fdb72e9f6464e9688378617c9df 5.2/en/os/alpha/xntp3-5.93-14.alpha.rpm
    176041bd0364ca91b6d7db3869c4a0a0 5.2/en/os/i386/xntp3-5.93-14.i386.rpm
    9b224d8bd3640a6fbd37785c6c5d3ce2 5.2/en/os/sparc/xntp3-5.93-14.sparc.rpm
    a83add134f54dd4fbdcfd0cef5929b43 6.2/en/os/SRPMS/xntp3-5.93-15.src.rpm
    64d936dcf1fa8fe97a12b314923ae89c 6.2/en/os/alpha/xntp3-5.93-15.alpha.rpm
    af43bc024a00586ef97265c7bf2e63df 6.2/en/os/i386/xntp3-5.93-15.i386.rpm
    3f13de81debf2dc875d84c046596e27d 6.2/en/os/sparc/xntp3-5.93-15.sparc.rpm
    b7f60c57e74179913ebc2dc1da04f410 7.0/en/os/SRPMS/ntp-4.0.99k-15.src.rpm
    6334b7ba31606cfe04d98967adbf3350 7.0/en/os/alpha/ntp-4.0.99k-15.alpha.rpm
    f67d135fd6ccadb9f36aeca4a429a9fa 7.0/en/os/i386/ntp-4.0.99k-15.i386.rpm

    These packages are GPG signed by Red Hat, Inc. for security. Our key
    is available at:
        http://www.redhat.com/corp/contact.html

    You can verify each package with the following command:
        rpm --checksig <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the md5sum with the following command:
        rpm --checksig --nogpg <filename>

    8. References:

    BugTraq Message-ID <20010404222701.X91913@riget.scene.pl>
    http://www.eecis.udel.edu/~ntp/

    Copyright(c) 2000, 2001 Red Hat, Inc.



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 21:19:15 CEST