Network Time Protocol (NTP) Vulnerabilities

Network Time Protocol (NTP) Vulnerabilities Privacy and Legal Notice INFORMATION BULLETIN L-071: Network Time Protocol (NTP) Vulnerabilities April 17, 2001 22:00 GMT
[Revision A 10/29/2001 Added Sun Bulletin #211]
[Revision B 11/21/2001 Modified Platform's FreeBSD section]


PROBLEM:	The Network Time Protocol (NTP) codes of certain vendors are vulnerable to a buffer overflow attack.
PLATFORM:	Hewlett-Packard: HP9000 Series 700/800 running HP-UX releases 10.XX and 11.XX. Red Hat: Red Hat Linux 6.2 and earlier (for xntpd). Red Hat Linux 7.0 (for ntpd). NetBSD: NetBSD prior to 1.4. NetBSD 1.4 and 1.5. NetBSD-CURRENT prior to 2001-04-05. FreeBSD: FreeBSD 3.x (all releases). FreeBSD 4.x (all releases prior to 4.3-RELEASE). FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction date 2001-04-06. FreeBSD ports collection prior to the correction date 2001-04-06. Caldera: OpenLinux 2.3 (All packages previous to xntp-3.5.93e-5) OpenLinux eServer 2.3.1 and OpenLinux eBuilder (All packages previous to xntp-3.5.93e-5) OpenLinux eDesktop 2.4 (All packages previous to xntp-4.0.97-2) Sun: Solaris 8, 7, and 2.6. SunOS 5.8, 5.7, and 5.6.
DAMAGE:	A remote intruder can use the buffer overflow to cause the NTP code, and even the machine that is running NTP, to crash. It is possible that the buffer overflow can be used to execute arbritrary code. If the NTP daemon is running as root, then this could lead to a root compromise.
SOLUTION:	Obtain your particular vendor’s directions from the vendor’s web site and follow the vendor’s suggestions.

VULNERABILITY ASSESSMENT:	The risk is HIGH. The listed vendors have determined that their codes are vulnerable. The vulnerabilities and detailed exploits have been discussed in public forums.


The NTP code sets and maintains a UNIX system’s time-of-day in agreement with 
Internet standard time servers.  NTP uses the Internet Protocol (IP) and User 
Datagram Protocol (UDP) for sending and receiving the time-of-day information.
There are buffer overflow attacks that can cause some NTP servers to crash, 
leading to a root compromise.

CIAC has included the vendor information we know about in this bulletin.  
While CIAC will add new vendor information as we receive it, you should always
check your vendor’s web site to insure you have the latest information.

Hewlett-Packard:

     Use your browser to get to the HP IT Resource Center page at:

     http://itrc.hp.com

     Under the Maintenance/Support menu, click on the "search technical 
     knowledge base" link.  Login using your ID and password.  Check with your
     system administrator to see if you have an existing login or click on the
     "register now" link in the "New Users - Please Register" section.  Once 
     you are in the "Technical Knowledge Base" page, select the "Security 
     Bulletins" link in the "HP-UX Software" section.  Do a "Search By 
     Keyword" for "xntpd", and look for "Security Advisory #0148, 06 Apr. ‘01"
     in the search results.  This is the bulletin "Sec. Vulnerability in 
     xntpd(1M)".

Red Hat Linux:

     Use your browser to get to the Red Hat Linux Errata page at:

     http://www.redhat.com/support/errata/

     Under the "General Red Hat Linux Errata" section, go to the "Version 7.0 
     (Guinness)" subsection and click on the "Security Advisories" link.  This
     will bring you to the "Red Hat Linux 7.0 Security Advisories" page.  
     Click on the "xntp3 (RSHA-2001-045)" link under the "Name" column to get 
     to the security bulletin "Network Time Daemon (ntpd) has potential remote
     root exploit."

NetBSD:

     Use your browser to get to the NetBSD Project’s "Security and NetBSD" 
     page at:

     http://www.netbsd.org/Security/

     Click on the "advisory archive" link to get to the advisory "NetBSD-
     SA2001-004 Buffer overflow in NTP daemon".

FreeBSD:

     Use your browser to get to the "FreeBSD Security Information" page at:

     http://www.freebsd.org/security/security.html

     Under the "Table of Contents" section, click on the "FreeBSD Security
     Advisories" link.  In the "FreeBSD Security Advisories" section, click on 
     the ""FTP_Site" link.  Double-click on the link 
     "FreeBSD-SA-01:31.ntpd.asc" to download the FreeBSD-SA-01:31 advisory
     "ntpd contains potential remote compromise".

Caldera:

     Use your browser to get to Caldera's "Security Advisories" page at:

     http://www.calderasystems.com/support/security/

     Click on the "CSSA-2001-013.0" link for the "Remote root exploit in 
     ntpd" security advisory.

Sun:

     Use your browser to get to the "Sun Microsystems" page at:

     http://www.sun.com/

     Select the "Site Index" tab at the top of the page to get to the 
     "Sun.Com Site Index" page.  Select the letter "S" in the
     alphabetical listing at the top of the page.  Scroll down the 
     page to the "Sunsolve Online Support" entry, and click on it.  
     Once you are in the "SunSolve Online" page, go to the "SunSolve 
     Contents" page and click on the "Security Bulletin Archive".  
     Once you are in the "Security Information/Security Bulletin"
     page,  click on Bulletin numbered 211, topic "xntpd",

CIAC wishes to acknowledge the contributions of Hewlett-Packard, Red Hat, NetBSD, FreeBSD, Caldera, and Sun for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]