Multiple Vendors NTP Daemon Vulnerability
 |
 |
 |
 |
 |
Introduction
A buffer overflow vulnerability has been reported in the ntpd (NTP daemon). This vulnerability has been rated highly critical and the affected software is very common in enterprise environments. A remote attacker may exploit this issue to crash the service and execute arbitrary code.
Affected Products
Ntpd is an operating system daemon that synchronizes the local date and time with Internet standard time servers. Ntpd implements the Network Time Protocol (NTP) version 4 and is available with many major Linux distributions including:
- Debian GNU/Linux 4.0
- Debian GNU/Linux 5.0
- Red Hat Desktop
- Red Hat Linux WS 4
- Red Hat Linux EUS 5.3.z server
- Red Hat Linux ES 4
- Red Hat Linux AS 4
- Red Hat Linux 5 server
- FreeBSD BSD
- MandrakeSoft Linux Mandrake
- MandrakeSoft Multi Network Firewall
- Ubuntu Linux
Threat and Protections
The vulnerability is due to a boundary error in the ntpd when processing crafted packets sent to the daemon. A remote attacker may exploit this flaw to execute arbitrary code by sending a crafted message that will trigger the vulnerability when the affected ntpd server processes the malicious message. Successful exploitation will terminate the affected service and may allow execution of arbitrary code on the vulnerable system.
Check Point has provided a protection that detects and blocks crafted packets sent to the NTP daemon since June 1st. For more information, see CPAI-2009-134.