CVE-2009-1252
published 2009-05-19


Priority: P351 medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS: 21.12% (97.3rd percentile)
Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.

Affected

85 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | ntp | < ntp 1:4.2.4p6+dfsg-2 (bullseye) | ntp 1:4.2.4p6+dfsg-2 (bullseye)
ntp | ntp | (24 upstream rows; version range and fixed-in columns are missing from the extracted page) |

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered by a crafted NTP packet carrying a malicious extension field, sent to an ntpd that has autokey enabled. Monitor UDP port 123 for datagrams whose payload is longer than the 48-byte NTP header plus a MAC (a MAC alone is 20 bytes for MD5 or 24 for SHA-1 after the header); only such packets contain extension fields and reach the vulnerable code path.
  • The root cause is an unsafe sprintf() call in the crypto_recv() function in ntpd/ntp_crypto.c. Failed or blocked exploitation shows up as ntpd crashing or restarting on a host with autokey configured; on FORTIFY_SOURCE builds glibc aborts the process and logs "*** buffer overflow detected ***" for ntpd, which is a strong indicator.
  • Systems are only vulnerable if ntp.conf enables autokey with a 'crypto' directive (the advisories cite a 'crypto pw whatever' line); audit ntp.conf for an uncommented 'crypto' line as the first triage step, since without it the vulnerable code is unreachable.
  • Vulnerable NTP versions are before 4.2.4p7 and 4.2.5 before 4.2.5p74. The upstream version string is visible in the 'version=' variable of 'ntpq -c rv'; for distribution packages, compare the package version against the vendor's fixed release instead, because backported fixes (e.g. Debian's 1:4.2.4p6+dfsg-2 above) do not bump the upstream version number.
  • Exploitation requires autokey (public key cryptography authentication) to be explicitly enabled in ntp.conf; it is NOT enabled by default on FreeBSD or Red Hat Enterprise Linux.
  • On RHEL5, FORTIFY_SOURCE prevents code execution, reducing impact to denial-of-service only; code execution is possible on RHEL4 and earlier.
  • Impact is reduced on systems where ntpd runs as an unprivileged user (e.g., the 'ntp' user on RHEL) and is further confined by SELinux policies.
  • RHEL 2.1 and 3 are not affected because their version of ntpd does not use the vulnerable sprintf() call in ntpd/ntp_crypto.c.
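The three host-side and network-side checks in the list above, as an added example that is not code from this page, the advisories, or the NTP project: a version-range test for the vulnerable releases, an ntp.conf audit for the autokey 'crypto' directive, and an NTP datagram walker that reports extension fields (the only packet shape that reaches crypto_recv). The packet layout follows RFC 5905 (48-byte header, extension fields of type/length/padding, then a 4-, 20- or 24-byte MAC); the MAC-size cutoff of 24 bytes mirrors ntpd's own rule that a trailer no longer than a MAC is treated as the MAC, and is an assumption for SHA-1-capable builds. All sample packets and config text are constructed here, not captured traffic.

```python
"""Triage helpers for CVE-2009-1252 (ntpd autokey extension-field overflow).

Added example, not code from the CVE page or the NTP project. Sample inputs
at the bottom are constructed for illustration.
"""
import re
import struct

NTP_HEADER_LEN = 48   # RFC 5905 fixed header
MAX_MAC_LEN = 24      # 4-byte key ID + 20-byte SHA-1 digest (MD5 MAC is 4 + 16)
MIN_EXT_LEN = 16      # RFC 5905 s.7.5: smallest legal extension field

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Pull (major, minor, point, patch) out of a string like 'ntpd 4.2.4p6@1.1549-o'.
    A release with no 'pN' suffix is treated as patch level 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no ntpd version found in %r" % text)
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


def is_vulnerable_version(text):
    """Vulnerable range from the advisory: before 4.2.4p7, and 4.2.5 before 4.2.5p74.
    Only meaningful for upstream builds; distro packages may carry backported fixes."""
    major, minor, point, patch = parse_version(text)
    base = (major, minor, point)
    if base < (4, 2, 4):
        return True
    if base == (4, 2, 4):
        return patch < 7
    if base == (4, 2, 5):
        return patch < 74
    return False


def autokey_enabled(conf_text):
    """True if ntp.conf has an uncommented 'crypto' directive (e.g. 'crypto pw ...').
    The autokey code path is unreachable unless that directive is present."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line and line.split()[0] == "crypto":
            return True
    return False


def extension_fields(payload):
    """Return the list of extension-field type codes carried by an NTP datagram.

    After the 48-byte header, anything longer than the largest MAC must be an
    extension field: 2-byte type, 2-byte total length (multiple of 4, >= 16).
    Raises ValueError on a length that cannot be right, which is itself a
    signal worth alerting on.
    """
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(payload))
    types = []
    off = NTP_HEADER_LEN
    while len(payload) - off > MAX_MAC_LEN:
        ftype, flen = struct.unpack_from("!HH", payload, off)
        if flen < MIN_EXT_LEN or flen % 4 or off + flen > len(payload):
            raise ValueError("malformed extension field at offset %d (len %d)" % (off, flen))
        types.append(ftype)
        off += flen
    trailer = len(payload) - off   # what is left must be no MAC, a crypto-NAK, or a MAC
    if trailer not in (0, 4, 20, 24):
        raise ValueError("unexpected %d-byte trailer after header/extensions" % trailer)
    return types


def classify_packet(payload):
    """Label for a detection pipeline: 'plain', 'extension' (reaches crypto_recv) or 'malformed'."""
    try:
        return "extension" if extension_fields(payload) else "plain"
    except ValueError:
        return "malformed"


def triage(version_text, conf_text):
    """Combine the two host-side checks into one verdict."""
    if not is_vulnerable_version(version_text):
        return "patched"
    if not autokey_enabled(conf_text):
        return "vulnerable version, autokey off: code path unreachable"
    return "EXPOSED: vulnerable version with autokey enabled"


# Constructed sample inputs (hypothetical; not real configs or captured traffic).
SAMPLE_CONF = "driftfile /var/lib/ntp/drift\nkeys /etc/ntp/keys\ncrypto pw whatever   # autokey\n"
PATCHED_CONF = "driftfile /var/lib/ntp/drift\n# crypto pw whatever\n"
HEADER = bytes([0x23]) + bytes(47)                      # LI=0, VN=4, mode=3 client, rest zero
EXT_FIELD = struct.pack("!HH", 0x0102, 16) + bytes(12)  # one 16-byte field, hypothetical type
PKT_PLAIN = HEADER
PKT_MD5 = HEADER + bytes(20)                            # header + MD5 MAC only
PKT_AUTOKEY = HEADER + EXT_FIELD + bytes(20)            # header + extension field + MAC
PKT_BAD_LEN = HEADER + struct.pack("!HH", 0x0102, 6) + bytes(30)  # impossible length

if __name__ == "__main__":
    print(triage("ntpd 4.2.4p6@1.1549-o", SAMPLE_CONF))
    for name, pkt in [("plain", PKT_PLAIN), ("md5", PKT_MD5),
                      ("autokey", PKT_AUTOKEY), ("bad", PKT_BAD_LEN)]:
        print(name, classify_packet(pkt))
```

Feed `classify_packet` the UDP payload of each port-123 datagram from a capture and alert on 'extension' or 'malformed' results from hosts that should not be speaking autokey; run `triage` with the output of `ntpq -c rv` and the contents of /etc/ntp.conf, remembering that a backported distribution fix will still look "vulnerable" to the upstream version test.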

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | | 6.8 | MEDIUM |
vendor_debian | | 6.8 | HIGH |
vendor_redhat | | 6.8 | MEDIUM |
vendor_ubuntu | | 6.8 | MEDIUM |