AIX NTP v3 Advisory : ntp_advisory9.asc (IV96305) (IV96306) (IV96307) (IV96308) (IV96309) (IV96310)
Medium Nessus Plugin ID 102130
SynopsisThe remote AIX host has a version of NTP installed that is affected by multiple vulnerabilities.
DescriptionThe version of NTP installed on the remote AIX host is affected by the following vulnerabilities :
- An out-of-bounds write error exists in the mx4200_send() function within file ntpd/refclock_mx4200.c due to improper handling of the return value of the snprintf() and vsnprintf() functions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or possibly the execution of arbitrary code.
However, neither the researcher nor vendor could find any exploitable code path. (CVE-2017-6451)
- Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file.
An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code.
- A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the '/dev/datum' device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462)
- A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed 'mode' configuration directive, to crash the ntpd daemon.
SolutionA fix is available and can be downloaded from the IBM AIX website.