CVE-2005-2496
published 2005-09-02
Priority: P411 · medium · 4.6 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.45% (35.5th percentile)
The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dave_mills | ntpd | <= 4.2.0.a.2004-06-17_4.fc3 | — |
| debian | ntp | < ntp 1:4.2.0a+stable-2sarge1 (bullseye) | ntp 1:4.2.0a+stable-2sarge1 (bullseye) |
| ntp | ntp | >= 0 < 1:4.2.0a+stable-2sarge1 | 1:4.2.0a+stable-2sarge1 |
CVSS provenance
nvd · v2.0 · 4.6 MEDIUM · AV:L/AC:L/Au:N/C:P/I:P/A:P
osv · 4.6 MEDIUM
vendor_debian · 4.6 MEDIUM
vendor_redhat · 4.6 MEDIUM
Ubuntu
ntp server vulnerability
vendor_ubuntu·2005-09-02
Thomas Biege discovered a flaw in the privilege dropping of the NTP
server. When ntpd was configured to drop root privileges, and the
group to run under was specified as a name (as opposed to a numeric
group ID), ntpd changed to the wrong group. Depending on the actual
group it changed to, this could either cause non-minimal privileges,
or a malfunctioning ntp server if the group does not have the
privileges that ntpd actually needs.
On Ubuntu 4.10, ntpd does not use privilege dropping by default, so
you are only affected if you manually activated it. In Ubuntu 5.04,
privilege dropping is used by default, but this bug is already fixed.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
security flaw
vendor_redhat·2005-08-25·CVSS 4.6
The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
Debian
CVE-2005-2496: ntp - The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using...
vendor_debian·2005·CVSS 4.6
The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
Scope: local
bullseye: resolved (fixed in 1:4.2.0a+stable-2sarge1)
GHSA
GHSA-rr7w-f67q-fhr8: The xntpd ntp (ntpd) daemon before 4
ghsa_unreviewed·2022-05-01
The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
OSV
CVE-2005-2496: The xntpd ntp (ntpd) daemon before 4
osv·2005-09-02·CVSS 4.6
The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2005-2496 security flaw
bugzilla·2018-08-16·CVSS 4.6
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
Bugzilla
CVE-2005-2496 improper group set when running ntpd
bugzilla·2005-02-24·CVSS 4.6
+++ This bug was initially created as a clone of Bug #147743 +++
When starting xntpd with the -u option and specifying the group
by using a string, not a numeric gid, the daemon uses the gid of
the user, not the group.
reproduce:
# rcxntpd start
# ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
verify given and real IDs
The fix for this is in attachment 110943.
Discussion:
Lifting embargo
---
Fixed (by [email protected]) on Thu Apr 14 2005
with help ([email protected]) in:
devel, FC-4, FC-3, RHEL-4.
Patch (RHEL-4): ntp-stable-4.2.0a-20040617-ntpd_guid.patch
Applying this patch -> ntpd/ntp.c (line 889):
} else {
getgroup:
if ((gr = getgrnam(group)) != NULL) {
sw_gid = gr->gr_gid;
} else {
errno = 0;
msyslog(LOG_ERR, "Cannot find
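The name-to-gid resolution that the bug report and patch fragment above concern, as an added example in C (not ntpd's source and not the Red Hat patch). It assumes the `-u` argument has the form `user[:group]`; `resolve_ids`, `sample_pw`, `sample_gr` and the account values are constructed for illustration.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed accounts: user "ntp" (uid 123, primary gid 65534) and group
 * "ntp" (gid 130). A daemon would pass getpwnam and getgrnam instead. */
struct passwd *sample_pw(const char *name) {
    static struct passwd pw = { .pw_uid = 123, .pw_gid = 65534 };
    return strcmp(name, "ntp") == 0 ? &pw : NULL;
}
struct group *sample_gr(const char *name) {
    static struct group gr = { .gr_gid = 130 };
    return strcmp(name, "ntp") == 0 ? &gr : NULL;
}

/* Accept a decimal ID only when the whole string is numeric. */
static int parse_id(const char *s, unsigned long *out) {
    char *end;
    if (*s < '0' || *s > '9') return 0;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return errno == 0 && *end == '\0';
}

/* Resolve "user[:group]" to the IDs to drop to. Returns 0, or -1 when a name
 * is unknown so the caller can refuse to start instead of guessing. */
int resolve_ids(const char *spec, struct passwd *(*pwl)(const char *),
                struct group *(*grl)(const char *), uid_t *uid, gid_t *gid) {
    char buf[128], *grp;
    unsigned long n;
    struct passwd *pw = NULL;
    struct group *gr;

    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((grp = strchr(buf, ':')) != NULL) *grp++ = '\0';
    if (parse_id(buf, &n)) *uid = (uid_t)n;
    else if ((pw = pwl(buf)) != NULL) *uid = pw->pw_uid;
    else return -1;
    if (grp == NULL && pw == NULL) return -1;  /* bare numeric uid names no group */
    if (grp == NULL) *gid = pw->pw_gid;        /* no group given: primary group */
    else if (parse_id(grp, &n)) *gid = (gid_t)n;
    else if ((gr = grl(grp)) != NULL) *gid = gr->gr_gid;  /* not pw->pw_gid */
    else return -1;
    return 0;
}
```

With the constructed accounts, `ntp:ntp` resolves to gid 130; taking the user's `pw_gid` for a named group would yield 65534 instead, which is the mismatch the `ps` check in the report exposes.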
CWE
Incorrect Privilege Assignment
mitre_cwe·CVSS 10.0
CWE-266: Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Gain Privileges or Assume Identity. A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.
Potential Mitigations:
[Architecture and Design] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
[Architecture and Design] Run your code using the lowest privileges that are required to ac
CWE
Improper Privilege Management
mitre_cwe
CWE-269: Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Operation
Common Consequences:
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and contro
http://secunia.com/advisories/16602
http://secunia.com/advisories/21464
http://securitytracker.com/id?1016679
http://www.debian.org/security/2005/dsa-801
http://www.mandriva.com/security/advisories?name=MDKSA-2005:156
http://www.osvdb.org/19055
http://www.redhat.com/support/errata/RHSA-2006-0393.html
http://www.securityfocus.com/bid/14673
http://www.securityspace.com/smysecure/catid.html?id=55155
http://www.vupen.com/english/advisories/2005/1561
https://exchange.xforce.ibmcloud.com/vulnerabilities/22035
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9669