-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
INFORMATION BULLETIN
Network Time Protocol (NTP) Vulnerabilities
April 17, 2001 18:00 GMT                                      Number L-071
______________________________________________________________________________
PROBLEM:       The Network Time Protocol (NTP) codes of certain vendors are
               vulnerable to a buffer overflow attack.
PLATFORM:      Hewlett-Packard:
                 HP9000 Series 700/800 running HP-UX releases 10.XX and 11.XX.
               Red Hat:
                 Red Hat Linux 6.2 and earlier (for xntpd).
                 Red Hat Linux 7.0 (for ntpd).
               NetBSD:
                 NetBSD prior to 1.4.
                 NetBSD 1.4 and 1.5.
                 NetBSD-CURRENT prior to 2001-04-05.
               FreeBSD:
                 FreeBSD 3.x (all releases).
                 FreeBSD 4.x (all releases).
                 FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction
                 date 2001-04-06.
                 FreeBSD ports collection prior to the correction date
                 2001-04-06.
               Caldera:
                 OpenLinux 2.3 (All packages previous to xntp-3.5.93e-5)
                 OpenLinux eServer 2.3.1 and OpenLinux eBuilder (All packages
                 previous to xntp-3.5.93e-5)
                 OpenLinux eDesktop 2.4 (All packages previous to
                 xntp-4.0.97-2)
DAMAGE:        A remote intruder can use the buffer overflow to cause the NTP
               code to crash. It is possible that the buffer overflow can be
               used to execute arbitrary code. If the NTP daemon is running
               as root, then this could lead to a root compromise.
SOLUTION:      Obtain your particular vendor’s directions from the vendor’s
               web site and follow the vendor’s suggestions.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The listed vendors have determined that their
ASSESSMENT:    codes are vulnerable. The vulnerabilities and detailed exploits
               have been discussed in public forums.
______________________________________________________________________________
The NTP code sets and maintains a UNIX system’s time-of-day in agreement with
Internet standard time servers. NTP uses the Internet Protocol (IP) and User
Datagram Protocol (UDP) for sending and receiving the time-of-day information.
There are buffer overflow attacks that can cause some NTP servers to crash
and, where the NTP daemon is running as root, could lead to a root compromise.
CIAC has included the vendor information we know about in this bulletin.
While CIAC will add new vendor information as we receive it, you should always
check your vendor’s web site to ensure you have the latest information.
Hewlett-Packard:
Use your browser to get to the HP IT Resource Center page at:
http://itrc.hp.com
Under the Maintenance/Support menu, click on the "search technical
knowledge base" link. Login using your ID and password. Check with your
system administrator to see if you have an existing login or click on the
"register now" link in the "New Users - Please Register" section. Once
you are in the "Technical Knowledge Base" page, select the "Security
Bulletins" link in the "HP-UX Software" section. Do a "Search By
Keyword" for "xntpd", and look for "Security Advisory #0148, 06 Apr. ‘01"
in the search results. This is the bulletin "Sec. Vulnerability in
xntpd(1M)".
Red Hat Linux:
Use your browser to get to the Red Hat Linux Errata page at:
http://www.redhat.com/support/errata/
Under the "General Red Hat Linux Errata" section, go to the "Version 7.0
(Guinness)" subsection and click on the "Security Advisories" link. This
will bring you to the "Red Hat Linux 7.0 Security Advisories" page.
Click on the "xntp3 (RHSA-2001-045)" link under the "Name" column to get
to the security bulletin "Network Time Daemon (ntpd) has potential remote
root exploit."
NetBSD:
Use your browser to get to the NetBSD Project’s "Security and NetBSD"
page at:
http://www.netbsd.org/Security/
Click on the "advisory archive" link to get to the advisory "NetBSD-
SA2001-004 Buffer overflow in NTP daemon".
FreeBSD:
Use your browser to get to the "FreeBSD Security Information" page at:
http://www.freebsd.org/security/security.html
Under the "Table of Contents" section, click on the "FreeBSD Security
Advisories" link. In the "FreeBSD Security Advisories" section, click on
the "FTP_Site" link. Double-click on the link
"FreeBSD-SA-01:31.ntpd.asc" to download the FreeBSD-SA-01:31 advisory
"ntpd contains potential remote compromise".
Caldera:
Use your browser to get to Caldera's "Security Advisories" page at:
http://www.calderasystems.com/support/security/
Click on the "CSSA-2001-013.0" link for the "Remote root exploit in
ntpd" security advisory.
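
An added example, not part of the CIAC bulletin or of any vendor's tooling: a package-inventory check against the fixed Caldera versions listed under PLATFORM. The ordering is a simplified version-release comparison (not rpm's own algorithm), and the host names and inventory are constructed.

```python
import re

# First fixed package per product, taken from the bulletin's PLATFORM section.
FIXED = {
    "OpenLinux 2.3": "3.5.93e-5",
    "OpenLinux eServer 2.3.1": "3.5.93e-5",
    "OpenLinux eBuilder": "3.5.93e-5",
    "OpenLinux eDesktop 2.4": "4.0.97-2",
}

def _segments(s):
    # "3.5.93e" -> [3, 5, 93, "e"]: digit runs become ints, letter runs stay str.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp_part(a, b):
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            # Assumption: a numeric segment sorts newer than a letter segment.
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vercmp(a, b):
    """Compare 'version-release' strings; returns -1, 0 or 1."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def is_vulnerable(product, package):
    """package is an installed package name such as 'xntp-3.5.93e-4'."""
    name, _, verrel = package.partition("-")
    if name != "xntp" or product not in FIXED:
        raise ValueError("not covered by the bulletin's Caldera list")
    return vercmp(verrel, FIXED[product]) < 0

def audit(inventory):
    """Return the hosts whose xntp package predates the fixed version."""
    return [host for host, product, pkg in inventory if is_vulnerable(product, pkg)]

# Constructed inventory: (host, product, installed package).
INVENTORY = [
    ("time1", "OpenLinux 2.3", "xntp-3.5.93e-4"),
    ("time2", "OpenLinux eServer 2.3.1", "xntp-3.5.93e-10"),
    ("desk1", "OpenLinux eDesktop 2.4", "xntp-3.5.93e-5"),
    ("desk2", "OpenLinux eDesktop 2.4", "xntp-4.0.97-2"),
]
```

Release 10 is newer than release 5 here, which a plain string comparison would get wrong; the eDesktop 2.4 host with xntp-3.5.93e-5 is still flagged because that product's fixed package is xntp-4.0.97-2.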
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Hewlett-Packard, Red Hat,
NetBSD, FreeBSD, and Caldera for the information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call
L-064: The Lion Internet Worm DDOS Risk
L-065: Solaris Exploitation of snmpXdmid
L-066: Internet Explorer MIME Header Vulnerability
L-067: Linux worm Adore
L-068: Cisco VPN3000 Concentrator TELNET Vulnerability
L-069: Cisco Content Services Switch User Account Vulnerability
L-070: FTP Filename Expansion Vulnerability
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBOtxTgbnzJzdsy3QZAQFgfAP/TuPq1w38KBZjTmnOQYRGaH5pXZWnosJ7
IEp5tqGVSjeTIy6dBiTv+FcqaNcwpQ4JrRWMP1q+e2LwvhaP/8VNziz36SIvwCqf
gSDvkUVmpj2oz4I5SAj0YICgUhj9WoH5fKHmjquYSHbkWzPYotoHViUIgVxW+Hgj
NsNe7fcFI44=
=lplq
-----END PGP SIGNATURE-----