Multiple Vulnerabilities in Network Time Protocol daemon could allow Remote Code Execution

ITS Advisory Number: 2014-114
Date(s) Issued: Monday, December 22, 2014
Subject: Multiple Vulnerabilities in Network Time Protocol daemon could allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in the Network Time Protocol daemon (ntpd). The Network Time Protocol daemon is a time synchronization service commonly implemented in Linux based operating systems.

Successful exploitation could result in an attacker gaining the same privileges as the ntpd process. Depending on the privileges associated with the process, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

Systems Affected: 
  • ntpd versions 4.2.7 and prior
RISK
GOVERNMENT
  Large and medium government entities: High
  Small government entities: High
BUSINESS
  Large and medium business entities: High
  Small business entities: High
Home Users: N/A
Description: 

Three buffer overflow vulnerabilities that allow remote code execution exist in the Network Time Protocol daemon (ntpd), along with one insufficient-entropy weakness, one predictable random number generator weakness, and one missing-return-on-error issue.

  • One buffer overflow vulnerability exists in the crypto_recv() function that may be exploited via a specially crafted packet when the ntp.conf file contains a “crypto pw” directive. This vulnerability can be exploited by a remote unauthenticated attacker. (CVE-2014-9295)
  • Two buffer overflow vulnerabilities exist, one in the ctl_putdata() function and one in the configure() function, that may be exploited via a specially crafted packet. These vulnerabilities can be exploited by a remote unauthenticated attacker. (CVE-2014-9295)
  • One weak default key vulnerability exists in the config_auth() function when the “auth” key is set in the configuration file, which causes the generation of default keys with low entropy. This issue may be exploited by an attacker to guess the generated key and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9294)
  • One predictable random number generator weakness exists that causes the generation of a weak seed, which is used in generating MD5 keys. This issue is located in util/ntp-keygen.c and may be exploited by an attacker to guess MD5 keys that could be used to spoof an NTP client or server. (CVE-2014-9293)
  • One missing return on error issue exists in ntp_proto.c that allows for processing to continue when a specific rare error occurs. Little is known about this issue or its effects at this time. (CVE-2014-9296)

Successful exploitation of the buffer overflow vulnerabilities could result in the attacker gaining the same rights as the NTP process. Depending on the privileges associated with the process, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
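As an added example (not the advisory's own tooling and not ntp project code), the following POSIX shell script checks the two things an administrator can verify locally before and after patching: whether the reported ntpd version falls in the affected range (4.2.7 and prior), and whether ntp.conf contains the "crypto pw" directive that enables the crypto_recv() path (CVE-2014-9295) or lacks a "restrict default ... noquery" line, without which ntpdc/ntpq query and configuration requests (the requests a guessed weak default key from CVE-2014-9294 would be used for) are accepted from any source. It assumes the caller supplies the version string (for example the version= value printed by `ntpq -c rv`) and the path of the ntp.conf in use; the configurations in the usage note are constructed samples.

```shell
#!/bin/sh
# Added illustration for the advisory above; not the advisory's or the ntp
# project's own code. Assumptions: the caller passes the running ntpd version
# as a string such as "ntpd 4.2.6p5@1.2349-o" and the path of ntp.conf.

# Returns 0 when the major.minor.patch part of the version is 4.2.7 or lower
# (the range the advisory lists as affected), 1 when it is 4.2.8 or higher,
# and 2 when no x.y.z version could be parsed from the string.
ntpd_version_affected() {
    v=$(printf '%s' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v   # $1=major $2=minor $3=patch (any "p" suffix is ignored)
    if [ "$1" -lt 4 ]; then return 0; fi
    if [ "$1" -gt 4 ]; then return 1; fi
    if [ "$2" -lt 2 ]; then return 0; fi
    if [ "$2" -gt 2 ]; then return 1; fi
    [ "$3" -lt 8 ]
}

# Prints one line per configuration condition relevant to this advisory.
# Comments are stripped first so a commented-out directive is not counted.
ntp_conf_findings() {
    stripped=$(sed 's/#.*//' "$1")
    # A "crypto pw" directive enables the Autokey code path in which the
    # crypto_recv() overflow (CVE-2014-9295) is reached.
    if printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*crypto[[:space:]]+(.*[[:space:]])?pw([[:space:]]|$)'; then
        echo 'crypto pw directive present: crypto_recv() path enabled (CVE-2014-9295)'
    fi
    # Without "noquery" on the default restriction, ntpdc/ntpq query and
    # configuration requests are accepted from any address; those are the
    # requests a guessed weak default key (CVE-2014-9294) would be used to send.
    if ! printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default[[:space:]].*noquery'; then
        echo "no 'restrict default ... noquery': control queries accepted from any source"
    fi
}

# Stand-alone use: sh ntp_advisory_check.sh "<ntpd version string>" /etc/ntp.conf
if [ $# -eq 2 ]; then
    if ntpd_version_affected "$1"; then
        echo "ntpd version in affected range (4.2.7 and prior): $1"
    fi
    ntp_conf_findings "$2"
fi
```

Run it with the version string and configuration path as the two arguments; a version in the affected range and each flagged configuration condition are printed one per line, and no output means nothing was flagged. A constructed file containing `crypto pw secret` and `restrict default kod nomodify` produces two findings; one with the crypto line commented out and `restrict -4 default kod nomodify notrap nopeer noquery` produces none.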

Actions: 

We recommend the following actions be taken:

  • Update vulnerable products immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.