Network Time Protocol Daemon (ntpd) 4.x < 4.2.4p7 / 4.x < 4.2.5p74 crypto_recv() Function RCE

This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.


Synopsis :

The remote NTP server is affected by a remote code execution
vulnerability.

Description :

The version of the remote NTP server is 4.x prior to 4.2.4p7 or 4.x
prior to 4.2.5p74. It is, therefore, affected by a stack-based buffer
overflow caused by an unbounded sprintf() call in the crypto_recv()
function in ntpd/ntp_crypto.c. An unauthenticated, remote attacker can
exploit this, via a crafted NTP packet, to cause a denial of service
condition or execute arbitrary code with the privileges of ntpd.

Note that this issue is exploitable only if ntpd was compiled with
OpenSSL support and autokey authentication is enabled. The presence of
a line of the following form in ntp.conf indicates that autokey is
enabled and the system is vulnerable:

crypto pw *password*

This plugin does not check the build options or the configuration; it
reports on the version alone, so hosts running an affected version
without OpenSSL support or without a crypto line are flagged as well.
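The sprintf() pattern behind this bug, reduced to a self-contained C program added here for illustration (it is not code from ntpd or ntp_crypto.c): a field whose length the remote peer controls is formatted into a fixed-size stack buffer with no bounds check, shown beside the snprintf() form whose return value is checked so an oversize field is rejected. The buffer size, format string and function names are assumptions for the demo, and the 200-byte peer field is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer for the status string. The value is an
 * assumption for this example, not the one used in ntp_crypto.c. */
#define STATSTR_LEN 64

/* Vulnerable pattern: sprintf() formats a peer-controlled field into a
 * fixed-size buffer with no bounds check. Called with a long peer_field it
 * writes past the end of statstr. Shown for comparison; the demo never
 * invokes it with oversize input. */
int build_status_unsafe(char *statstr, const char *op,
                        const char *peer_field, unsigned int seq)
{
    return sprintf(statstr, "%s %s seq %u", op, peer_field, seq);
}

/* Bytes (excluding the NUL) the format above produces. snprintf() with a
 * zero-length destination computes this without writing anything. */
int status_required_len(const char *op, const char *peer_field,
                        unsigned int seq)
{
    return snprintf(NULL, 0, "%s %s seq %u", op, peer_field, seq);
}

/* 1 if the unsafe builder would write past a STATSTR_LEN-byte buffer. */
int unsafe_would_overflow(const char *op, const char *peer_field,
                          unsigned int seq)
{
    return status_required_len(op, peer_field, seq) + 1 > STATSTR_LEN;
}

/* Hardened form: snprintf() bounds the write and the return value is
 * checked, so a field that does not fit is rejected instead of being
 * silently truncated. Returns 0 on success, -1 if the field does not fit. */
int build_status_safe(char *statstr, size_t len, const char *op,
                      const char *peer_field, unsigned int seq)
{
    int n = snprintf(statstr, len, "%s %s seq %u", op, peer_field, seq);
    if (n < 0 || (size_t)n >= len) {
        statstr[0] = '\0';  /* leave a well-formed empty string behind */
        return -1;
    }
    return 0;
}

/* Constructed peer-supplied field: n bytes of 'A', standing in for an
 * oversize value carried in a crafted autokey extension field. */
static void fill_field(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* Would the unsafe builder overflow on a 200-byte field? (1 = yes) */
int demo_unsafe_would_overflow_long(void)
{
    char field[201];
    fill_field(field, 200);
    return unsafe_would_overflow("cook", field, 7);
}

/* Does the hardened builder reject the same 200-byte field? (-1 = yes) */
int demo_safe_rejects_long(void)
{
    char field[201], statstr[STATSTR_LEN];
    fill_field(field, 200);
    return build_status_safe(statstr, sizeof statstr, "cook", field, 7);
}

int main(void)
{
    char statstr[STATSTR_LEN];

    printf("short field needs %d bytes, unsafe overflow=%d\n",
           status_required_len("cook", "host1", 7),
           unsafe_would_overflow("cook", "host1", 7));
    printf("200-byte field: unsafe overflow=%d, hardened result=%d\n",
           demo_unsafe_would_overflow_long(), demo_safe_rejects_long());

    build_status_safe(statstr, sizeof statstr, "cook", "host1", 7);
    printf("hardened builder produced: \"%s\"\n", statstr);
    return 0;
}
```

The upstream fix took the same shape, replacing the sprintf() calls with bounded snprintf() calls; the point of checking the return value in build_status_safe() is that silent truncation can still leave a malformed status string, so rejecting the oversize field is the safer default.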

See also :

http://bugs.ntp.org/show_bug.cgi?id=1151

Solution :

Upgrade to NTP version 4.2.4p7 / 4.2.5p74 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 38831

Bugtraq ID: 35017

CVE ID: CVE-2009-1252
