CVE-2009-1252
Published 2009-05-19
Priority P3 · medium · CVSS 2.0 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS 21.12% (97.3rd percentile)
Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.
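The vendor analyses collected below trace this overflow to an unbounded sprintf() in crypto_recv() writing a packet-derived string into a fixed-size stack buffer. The following C is an added example and is not ntpd's code: the format string is an illustrative stand-in, NTP_MAXSTRLEN is assumed to be 256, and the long host name is constructed. It measures what the unbounded call would write for an attacker-chosen host length next to the bounded snprintf() form that reports truncation instead of smashing the stack.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* Assumption: NTP_MAXSTRLEN is the size ntpd gives its on-stack status
 * strings; 256 is the value assumed for this example. */
#define NTP_MAXSTRLEN 256

/* Illustrative stand-in for the status line crypto_recv() formatted.
 * The real format string is not reproduced; the point is that `host`
 * arrives in an extension field and nothing bounds its length. */
#define STAT_FMT "cert %s fs %" PRIu32

/* Bytes (excluding the NUL) the format expands to for this host name:
 * exactly what an unbounded sprintf() would write. */
size_t status_len(const char *host, uint32_t fstamp)
{
    return (size_t)snprintf(NULL, 0, STAT_FMT, host, fstamp);
}

/* 1 if sprintf() into an NTP_MAXSTRLEN buffer would run off its end. */
int sprintf_would_overflow(const char *host, uint32_t fstamp)
{
    return status_len(host, fstamp) + 1 > NTP_MAXSTRLEN;
}

/* The pre-4.2.4p7 shape: local fixed-size buffer, unbounded formatting.
 * Harmless while `host` is short; fed a crafted extension field this is
 * the stack smash behind CVE-2009-1252.  Built with -O2
 * -D_FORTIFY_SOURCE=2 on glibc the overflow becomes an abort instead,
 * which is the denial-of-service-only outcome noted for RHEL5. */
size_t format_status_unbounded(const char *host, uint32_t fstamp)
{
    char statstr[NTP_MAXSTRLEN];
    sprintf(statstr, STAT_FMT, host, fstamp);
    return strlen(statstr);
}

/* The hardened shape: bounded write plus an explicit truncation signal,
 * so the caller can log or drop rather than lose bytes silently.
 * Returns 1 if the line was cut short, 0 if it fit. */
int format_status_bounded(char *dst, size_t dstsz, const char *host, uint32_t fstamp)
{
    int n = snprintf(dst, dstsz, STAT_FMT, host, fstamp);
    return n < 0 || (size_t)n >= dstsz;
}

/* Constructed input: a host name of attacker-chosen length, far beyond
 * anything a real certificate would carry. */
void make_long_host(char *buf, size_t n)
{
    memset(buf, 'A', n - 1);
    buf[n - 1] = '\0';
}

int main(void)
{
    char host[600], statstr[NTP_MAXSTRLEN];
    make_long_host(host, sizeof host);

    printf("short host via unbounded sprintf: %zu bytes\n",
           format_status_unbounded("ntp1.example.org", 1));
    printf("long host: sprintf would write %zu+1 bytes into %d (overflow=%d)\n",
           status_len(host, 1), NTP_MAXSTRLEN, sprintf_would_overflow(host, 1));
    int trunc = format_status_bounded(statstr, sizeof statstr, host, 1);
    printf("long host via snprintf: truncated=%d, stored %zu bytes\n",
           trunc, strlen(statstr));
    return 0;
}
```

The unbounded function is only ever called with a short name here; the overflow check computes what it would do with the long one. FORTIFY_SOURCE only helps where the compiler can see the destination's size, as it can for the local array in this function and in crypto_recv(), which is why the Red Hat note distinguishes RHEL5 (abort) from RHEL4 (code execution).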
Affected
85 ranges · 25 shown on the source page. Only the Debian entry carried a version range; the other 24 rows all read ntp / ntp with no range or fix version and are collapsed into one row here.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ntp | < 1:4.2.4p6+dfsg-2 (bullseye) | 1:4.2.4p6+dfsg-2 (bullseye) |
| ntp | ntp | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a crafted NTP packet carrying a malicious extension field, sent to an ntpd with autokey enabled; monitor UDP port 123 for NTP packets with unexpected extension fields.
- The root cause is an unsafe sprintf() call in the crypto_recv function in ntp_crypto.c; exploitation attempts can surface as stack-smashing aborts or crashes of the ntpd process on hosts where autokey is configured.
- Systems are only vulnerable if ntp.conf contains a 'crypto pw ...' line (autokey enabled); auditing ntp.conf for a 'crypto pw' directive is a cheap triage step.
- Vulnerable versions are NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74; version fingerprinting of ntpd identifies unpatched instances, subject to distribution backports that keep an older version string.
- Exploitation requires autokey (public key cryptography authentication) to be explicitly enabled in ntp.conf; it is not enabled by default on FreeBSD or Red Hat Enterprise Linux.
- On RHEL5, FORTIFY_SOURCE turns the overflowing sprintf() into an abort, so the impact there is denial of service only; code execution is possible on RHEL4.
- Impact is reduced where ntpd runs as an unprivileged user (e.g. the 'ntp' user on RHEL) and is further confined by SELinux policy.
- RHEL 2.1 and 3 are not affected because their version of ntpd does not contain the vulnerable sprintf() call in ntpd/ntp_crypto.c.
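The first detection item above suggests watching UDP/123 for packets carrying extension fields. Extension fields exist only in NTPv4 and sit between the 48-byte header and the MAC, so a sensor has to walk them to know they are there at all. The following C is an added example, not code from ntpd or from any advisory on this page: it walks the fields of constructed datagrams, assumes (as ntpd's receive path does) that a trailing chunk of at most 24 bytes is a MAC and anything longer is an extension field, and treats an impossible field length as the malformed shape worth alerting on. The field type word 0x0201 is used only as a sample value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NTP_HDR_LEN 48   /* NTPv4 header: 48 bytes before any MAC or extension field */
/* Assumption: like ntpd's receive path, a trailing chunk of at most
 * MAX_MAC_LEN bytes (key id + digest) is a MAC; anything longer is an
 * extension field.  24 is the figure assumed here. */
#define MAX_MAC_LEN 24

typedef struct {
    uint16_t type;    /* 16-bit field type word */
    uint16_t len;     /* total field length as claimed in the field header */
    size_t   offset;  /* byte offset of the field within the datagram */
} ext_field;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the extension fields of one NTP datagram.  Returns the number of
 * fields (0 for a bare header or header+MAC), or -1 when a field header
 * claims an impossible length: under 4 bytes, not a multiple of 4, or
 * beyond the end of the datagram.  Only NTPv4 defines extension fields,
 * so other versions report 0. */
int ntp_ext_fields(const uint8_t *pkt, size_t len, ext_field *out, int max_out)
{
    if (len < NTP_HDR_LEN) return -1;
    if (((pkt[0] >> 3) & 7) != 4) return 0;
    int count = 0;
    size_t pos = NTP_HDR_LEN;
    while (len - pos > MAX_MAC_LEN) {
        size_t rem = len - pos;
        uint16_t flen = be16(pkt + pos + 2);
        if (flen < 4 || (flen & 3) != 0 || flen > rem) return -1;
        if (count < max_out) {
            out[count].type = be16(pkt + pos);
            out[count].len = flen;
            out[count].offset = pos;
        }
        count++;
        pos += flen;
    }
    return count;
}

/* One-word verdict a sensor could log per datagram. */
const char *classify_ntp(const uint8_t *pkt, size_t len)
{
    ext_field f[8];
    int n = ntp_ext_fields(pkt, len, f, 8);
    if (n < 0) return "malformed";
    if (n > 0) return "extension-fields";
    return len > NTP_HDR_LEN ? "mac-only" : "plain";
}

/* Build a constructed NTPv4 client datagram (not captured traffic):
 * 48-byte header, optionally one extension field whose header claims
 * `claimed_len` while `body_len` bytes of value actually follow, then
 * `mac_len` bytes standing in for key id + digest.  Returns total length. */
size_t build_datagram(uint8_t *buf, int with_ext, uint16_t ext_type,
                      uint16_t claimed_len, size_t body_len, size_t mac_len)
{
    memset(buf, 0, NTP_HDR_LEN);
    buf[0] = 0x23;   /* LI=0, VN=4, mode=3 (client) */
    buf[1] = 2;      /* stratum */
    size_t pos = NTP_HDR_LEN;
    if (with_ext) {
        buf[pos]     = (uint8_t)(ext_type >> 8);
        buf[pos + 1] = (uint8_t)ext_type;
        buf[pos + 2] = (uint8_t)(claimed_len >> 8);
        buf[pos + 3] = (uint8_t)claimed_len;
        memset(buf + pos + 4, 0x41, body_len);
        pos += 4 + body_len;
    }
    memset(buf + pos, 0x5a, mac_len);
    return pos + mac_len;
}

int main(void)
{
    uint8_t b[512];
    size_t n;
    n = build_datagram(b, 0, 0, 0, 0, 0);
    printf("bare header        : %s\n", classify_ntp(b, n));
    n = build_datagram(b, 0, 0, 0, 0, 20);
    printf("header + MD5 MAC   : %s\n", classify_ntp(b, n));
    n = build_datagram(b, 1, 0x0201, 20, 16, 20);
    printf("one ext field + MAC: %s\n", classify_ntp(b, n));
    n = build_datagram(b, 1, 0x0201, 0xFFFF, 28, 0);
    printf("bogus field length : %s\n", classify_ntp(b, n));
    return 0;
}
```

On a network where no peer is configured for autokey, any datagram classified as extension-fields or malformed is anomalous and worth correlating with the ntp.conf audit in the list above; plain and mac-only traffic is what symmetric-key and unauthenticated NTP normally look like.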
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | HIGH | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
VMware
VMSA-2009-0016: VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
vendor_vmware · 2009-11-20 · CVSS 5.0 · indexed under CVE-2007-2052 [MEDIUM]
a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-
BSD
FreeBSD-SA-09:11.ntpd: ntpd stack-based buffer-overflow vulnerability
bsd_advisories · 2009-06-10 · CVSS 6.8 · CVE-2009-1252 [MEDIUM]
FreeBSD-SA-09:11.ntpd Security Advisory
The FreeBSD Project
Topic: ntpd stack-based buffer-overflow vulnerability
Category: contrib
Module: ntpd
Announced: 2009-06-10
Credits: Chris Ries
Affects: All supported versions of FreeBSD.
Corrected: 2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)
CVE Name: CVE-2009-1252
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The ntpd(8) daemon is an implementation
Ubuntu
Ntp vulnerabilities
vendor_ubuntu · 2009-05-19 · CVSS 6.8 · indexed under CVE-2009-0159 [MEDIUM]
A stack-based buffer overflow was discovered in ntpq. If a user were
tricked into connecting to a malicious ntp server, a remote attacker could
cause a denial of service in ntpq, or possibly execute arbitrary code with
the privileges of the user invoking the program. (CVE-2009-0159)
Chris Ries discovered a stack-based overflow in ntp. If ntp was configured
to use autokey, a remote attacker could send a crafted packet to cause a
denial of service, or possibly execute arbitrary code. (CVE-2009-1252)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
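The Ubuntu notice makes exposure conditional on two things: autokey being configured and the ntp build predating the fix. The following C is an added example, not Ubuntu's or the NTP Project's tooling: it turns that into a triage check over a version string and an ntp.conf body, parsing upstream-style versions such as 4.2.4p6 against the fixed releases named in the description (4.2.4p7, and 4.2.5p74 for the 4.2.5 development line) and flagging any uncommented crypto directive, which is the keyword that activates autokey in ntpd. The two configuration bodies are constructed for the example. Distribution packages that backport the fix keep an older upstream version string (the Debian entry on this page resolves the issue in a 1:4.2.4p6 package), so a "vulnerable" verdict from the version alone is a prompt to read the package changelog, not proof.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

typedef struct { int major, minor, patch, plevel; } ntp_ver;

/* Parse an upstream ntpd version string: "4.2.4p7" -> {4,2,4,7},
 * "4.2.5" -> {4,2,5,0}.  Returns 0 for anything else. */
int parse_ntp_version(const char *s, ntp_ver *v)
{
    char tail[16] = "";
    v->plevel = 0;
    int n = sscanf(s, "%d.%d.%d%15s", &v->major, &v->minor, &v->patch, tail);
    if (n < 3) return 0;
    if (n == 4) {
        char *end;
        if (tail[0] != 'p') return 0;
        v->plevel = (int)strtol(tail + 1, &end, 10);
        if (end == tail + 1 || *end != '\0') return 0;
    }
    return 1;
}

static int ver_cmp(const ntp_ver *a, const ntp_ver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->plevel != b->plevel) return a->plevel < b->plevel ? -1 : 1;
    return 0;
}

/* 1 if the upstream version predates the fix (before 4.2.4p7, or a 4.2.5
 * development build before 4.2.5p74), 0 if not, -1 if unparsable.
 * A distro package may carry the fix under an older upstream string. */
int ntp_version_vulnerable(const char *s)
{
    ntp_ver v;
    const ntp_ver fix_424 = {4, 2, 4, 7}, fix_425 = {4, 2, 5, 74};
    if (!parse_ntp_version(s, &v)) return -1;
    if (v.major == 4 && v.minor == 2 && v.patch == 5)
        return ver_cmp(&v, &fix_425) < 0;
    return ver_cmp(&v, &fix_424) < 0;
}

/* 1 if any uncommented line starts with the `crypto` keyword, the
 * directive that activates autokey in ntpd (the detection note above
 * cites its `crypto pw ...` form).  Comment lines and other keywords
 * such as "cryptography" in a comment do not count. */
int conf_enables_autokey(const char *conf)
{
    const char *line = conf;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t n = eol ? (size_t)(eol - line) : strlen(line);
        size_t i = 0;
        while (i < n && isspace((unsigned char)line[i])) i++;
        if (i < n && line[i] != '#') {
            size_t j = i;
            while (j < n && !isspace((unsigned char)line[j])) j++;
            if (j - i == 6 && strncmp(line + i, "crypto", 6) == 0) return 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* 1 = vulnerable build with autokey on; 0 = not exposed by this check;
 * -1 = version unparsable, consult the package changelog. */
int triage(const char *version, const char *conf)
{
    int vuln = ntp_version_vulnerable(version);
    if (vuln < 0) return -1;
    return vuln && conf_enables_autokey(conf);
}

/* Constructed ntp.conf bodies for the example, not taken from any host. */
const char CONF_AUTOKEY[] =
    "driftfile /var/lib/ntp/ntp.drift\n"
    "server 0.pool.ntp.org\n"
    "  crypto pw example-password\n"
    "restrict default kod nomodify\n";

const char CONF_PLAIN[] =
    "driftfile /var/lib/ntp/ntp.drift\n"
    "server 0.pool.ntp.org\n"
    "# crypto pw example-password\n"
    "restrict default kod nomodify\n";

int main(void)
{
    const char *versions[] = {"4.2.4p6", "4.2.4p7", "4.2.5p73", "4.2.5p74", "4.2.8p15"};
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++)
        printf("%-9s autokey-conf=%d plain-conf=%d\n", versions[i],
               triage(versions[i], CONF_AUTOKEY), triage(versions[i], CONF_PLAIN));
    return 0;
}
```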
Red Hat
ntp: remote arbitrary code execution vulnerability if autokeys is enabled
vendor_redhat · 2009-05-18 · CVSS 6.8 · CVE-2009-1252 [MEDIUM] · CWE-121
Debian
CVE-2009-1252: ntp - Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd ...
vendor_debian · 2009 · CVSS 6.8 · CVE-2009-1252 [MEDIUM]
Scope: local
bullseye: resolved (fixed in 1:4.2.4p6+dfsg-2)
GHSA
GHSA-x2p2-g54c-2jqg: Stack-based buffer overflow in the crypto_recv function in ntp_crypto
ghsa_unreviewed · 2022-05-03 · CVE-2009-1252 [MEDIUM] · CWE-119
OSV
CVE-2009-1252: Stack-based buffer overflow in the crypto_recv function in ntp_crypto
osv · 2009-05-19 · CVSS 6.8 · CVE-2009-1252 [MEDIUM]
No detection rules found.
No public exploits indexed.
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-006.txt.asc
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
- http://rhn.redhat.com/errata/RHSA-2009-1039.html
- http://rhn.redhat.com/errata/RHSA-2009-1040.html
- http://secunia.com/advisories/35137
- http://secunia.com/advisories/35138
- http://secunia.com/advisories/35166
- http://secunia.com/advisories/35169
- http://secunia.com/advisories/35243
- http://secunia.com/advisories/35253
- http://secunia.com/advisories/35308
- http://secunia.com/advisories/35336
- http://secunia.com/advisories/35388
- http://secunia.com/advisories/35416
- http://secunia.com/advisories/35630
- http://secunia.com/advisories/37470
- http://secunia.com/advisories/37471
- http://security.freebsd.org/advisories/FreeBSD-SA-09:11.ntpd.asc
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.566238
- http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0092
- http://www.debian.org/security/2009/dsa-1801
- http://www.gentoo.org/security/en/glsa/glsa-200905-08.xml
- http://www.kb.cert.org/vuls/id/853097
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:117
- http://www.securityfocus.com/archive/1/507985/100/0/threaded
- http://www.securityfocus.com/bid/35017
- http://www.securitytracker.com/id?1022243
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://www.vupen.com/english/advisories/2009/1361
- http://www.vupen.com/english/advisories/2009/3316
- https://bugzilla.redhat.com/show_bug.cgi?id=499694
- https://launchpad.net/bugs/cve/2009-1252
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11231
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6307
- https://support.ntp.org/bugs/show_bug.cgi?id=1151
- https://usn.ubuntu.com/777-1/
- https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00293.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01414.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01449.html