SuSE: 'xntp' buffer overflow

    Date: 09 Apr 2001
    Category: SuSE
    Posted By: LinuxSecurity Advisories
    An exploit published by Przemyslaw Frasunek demonstrates a buffer overflow in the control request parsing code of ntpd.
    
    ______________________________________________________________________________
    
                            SuSE Security Announcement
    
            Package:                xntp
            Announcement-ID:        SuSE-SA:2001:10
            Date:                   Monday, April 9th 22:30 MEST
            Affected SuSE versions: (6.0, 6.1, 6.2), 6.3, 6.4, 7.0, 7.1
            Vulnerability Type:     remote root compromise
            Severity (1-10):        8
            SuSE default package:   no
            Other affected systems: systems using xntp in newer versions
    
        Content of this advisory:
            1) security vulnerability resolved: xntp
               problem description, discussion, solution and upgrade information
            2) pending vulnerabilities, solutions, workarounds
            3) standard appendix (further information)
    
    ______________________________________________________________________________
    
    1)  problem description, brief discussion, solution, upgrade information
    
        xntp is the network time protocol package widely used with many unix
        and linux systems for system time synchronization over a network.
        An exploit published by Przemyslaw Frasunek demonstrates a buffer
        overflow in the control request parsing code. The exploit allows a
        remote attacker to execute arbitrary commands as root. All versions as
        shipped with SuSE Linux are affected by the buffer overflow problem.
    
        A temporary workaround is to kill the daemon and to set the variable
        START_XNTPD in the file /etc/rc.config to "no" so that the daemon
        will not be started again upon reboot of the system. Correct the system
        time manually if necessary or adjust the time by running ntpdate from
        a cron job on a regular basis.
    
        We believe that this problem is generally underestimated since the
        xntpd daemon tends to get forgotten over the years of a system's
        lifetime once installed and configured. The xntpd daemon is not
        started by default in SuSE Linux distributions. We strongly recommend
        updating the xntp package immediately on each system where the daemon
        is installed, configured and running.
    
        Note:
        The xntp update packages for most distributions have been available
        for download since Friday last week. The packages for all 6.4 and 7.0
        version distributions had to be rebuilt due to a specfile bug that
        did not show up earlier and that caused a delay in building packages.
        This bug causes the rpm subsystem to complain about the release number
        of the package. Now that this bug is corrected, you might find yourself
        having installed a package where there is a newer version of the package
        on the ftp server. However, regardless of the package release number,
        all published packages fix the currently known security problems in the
        xntpd network time daemon.
    
        Note:
        The source rpm of xntp in newer distributions generates two packages:
        xntp.rpm and xntpdoc.rpm. It is not necessary to update the xntpdoc
        package which is why we do not provide the update packages on our ftp
        server. The xntpdoc package only contains the documentation for the
        xntp package and did not change in this updated package.
    
    
        Download the update package from locations described below and install
        the package with the command `rpm -Uhv file.rpm'. The md5sum for each
        file is in the line below. You can verify the integrity of the rpm
        files using the command
            `rpm --checksig --nogpg file.rpm',
        independently from the md5 signatures below.
    
        SPECIAL INSTALL INSTRUCTIONS:
        ==============================
        The xntpd daemon must be restarted for the new package to become
        active after the installation of the update rpm. You can do this
        by running the command
            kill -15 `pidof xntpd`
        as root. After performing the upgrade using the rpm command above,
        you can restart the xntpd:
            rcxntpd start
        You should now see the new daemon synchronizing in your syslogs,
        depending on where you configured the daemon to write its logs to.
    
    
        i386 Intel Platform:
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/xntp-4.0.99f-34.i386.rpm
          9e39ca8f7b01fef22766463b8295e25d
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/xntp-4.0.99f-34.src.rpm
          dfa51b46c92b917353f52e5d83863478
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/xntp-4.0.99f-37.i386.rpm
          4293ad8a3e084ec5d773bbcab8380c08
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/xntp-4.0.99f-37.src.rpm
          745b894dcb6a97caa36f97858a51e279
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/xntp-4.0.99f-38.i386.rpm
          8001ac19d0ee812be82b6b066b4313d5
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/xntp-4.0.99f-38.src.rpm
          7d56618cba3d768aa53246f39158987d
    
        SuSE-6.3
         ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/xntp-4.0.98d-1.i386.rpm
          2f5d7b43b167c6acf13f68b13b1b7989
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/xntp-4.0.98d-1.src.rpm
          11182e5e8c3769e6f9498ade9fcbe1fc
    
        SuSE-6.2 (unsupported platform)
         ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/xntp-4.0.93a-18.i386.rpm
          5b55d179e3d4a0c57513bed03013c1a9
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/xntp-4.0.93a-18.src.rpm
          dbb7c833ddc25b0bde406b4319d4106f
    
        SuSE-6.1 (unsupported platform)
         ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/xntp-4.0.92c-1.i386.rpm
          baa93b55a4eaa486968fa6285f04c865
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/xntp-4.0.92c-1.src.rpm
          06f0174e8934e3ce6f419284564a7c91
    
    
    
        Sparc Platform:
    
        SuSE-7.1
        The xntp packages for the SuSE-7.1 sparc distribution are still
        waiting to be built. They will be available on the ftp server as soon
        as they are built. The packages are gpg-signed using the key
        [email address not preserved] that should have been installed on your
        system upon system installation/upgrade. Use the command
        `rpm --checksig xntp.rpm' to verify this signature once the packages
        are available for download. In the meantime, please use the temporary
        workaround as described above.
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/xntp-4.0.99f-19.sparc.rpm
          bea9ea6a88ae68f27962d1b9ad866eac
        source rpm:
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/xntp-4.0.99f-19.src.rpm
          83243db2982126e1a6ba371ef6dcf59b
    
    
        AXP Alpha Platform:
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/xntp-4.0.99f-22.alpha.rpm
          e410a96c44f12ba3d51a4f1f3e056fcd
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/xntp-4.0.99f-22.src.rpm
          61ed8e66753868735cd14e94cb295718
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/xntp-4.0.99f-22.alpha.rpm
          9460bd3eaf5500c0184d9394b8b86627
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/xntp-4.0.99f-22.src.rpm
          5c62ef99f064b687047087562cfe54ca
    
        SuSE-6.3
         ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/xntp-4.0.98d-1.alpha.rpm
          ad8c8494f0aaa06a1690e4edcaa43904
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/xntp-4.0.98d-1.src.rpm
          743fe2aba27f1801ac5b14cff2f2edb6
    
        SuSE-6.1 (unsupported platform)
         ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/xntp-4.0.92c-40.alpha.rpm
          d400eeecb9bd0b4347f3fe58f7f90fee
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/xntp-4.0.92c-40.src.rpm
          e2d01c31542ebbf8c740b820a6372ad1
    
    
        PPC Power PC Platform:
    
        SuSE-7.1
        The xntp packages for the SuSE-7.1 ppc distribution are still
        waiting to be built. They will be available on the ftp server as soon
        as they are built. The packages are gpg-signed using the key
        [email address not preserved] that should have been installed on your
        system upon system installation/upgrade. Use the command
        `rpm --checksig xntp.rpm' to verify this signature once the packages
        are available for download. In the meantime, please use the temporary
        workaround as described above.
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/xntp-4.0.99f-21.ppc.rpm
          2d82e8f63df84cb409df7659437c1177
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/xntp-4.0.99f-21.src.rpm
          a0bce6c36cf30da1aa587e03103a01f6
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/xntp-4.0.99f-21.ppc.rpm
          fe9082268bdf53dddcaad075284f899b
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/xntp-4.0.99f-21.src.rpm
          1940b97593e3e134487d294a721e350d
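
        The md5 check described above, as an added example that is not part
        of the SuSE advisory. The function names, the sample files and the
        ftp.example.invalid URLs are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): check a downloaded rpm against the
# md5 that the advisory lists on the line directly below the package URL.

# expected_md5 ADVISORY URL: print the md5 listed for exactly this URL.
# Lookup is by full URL, not file name: the axp 7.0 and 6.4 packages are both
# named xntp-4.0.99f-22.alpha.rpm but carry different checksums.
expected_md5() {
    awk -v want="$2" '
        NF == 1 && $1 == want { hit = 1; next }
        hit && NF == 1 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
            print $1; found = 1; exit
        }
        { hit = 0 }
        END { exit !found }
    ' "$1"
}

# verify_rpm ADVISORY URL FILE: 0 = match, 1 = mismatch, 2 = URL not listed.
verify_rpm() {
    want=$(expected_md5 "$1" "$2") || { echo "not listed: $2" >&2; return 2; }
    have=$(md5sum "$3" 2>/dev/null | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "md5 mismatch: $3" >&2; return 1; }
    echo "ok: $3"
}

# make_sample DIR: constructed stand-ins for two same-named packages and an
# advisory excerpt in the layout used above (URL line, then md5 line).
make_sample() {
    printf 'constructed 7.0 package\n' > "$1/pkg70.rpm"
    printf 'constructed 6.4 package\n' > "$1/pkg64.rpm"
    {
        echo "    SuSE-7.0"
        echo "     ftp://ftp.example.invalid/update/7.0/n1/xntp-x.alpha.rpm"
        echo "      $(md5sum "$1/pkg70.rpm" | cut -d' ' -f1)"
        echo "    SuSE-6.4"
        echo "     ftp://ftp.example.invalid/update/6.4/n1/xntp-x.alpha.rpm"
        echo "      $(md5sum "$1/pkg64.rpm" | cut -d' ' -f1)"
    } > "$1/advisory.txt"
}

# Demo on the constructed sample: the right file passes, the 6.4 file fails
# against the 7.0 entry even though both share one file name.
d=$(mktemp -d) && make_sample "$d"
base=ftp://ftp.example.invalid/update
verify_rpm "$d/advisory.txt" "$base/7.0/n1/xntp-x.alpha.rpm" "$d/pkg70.rpm"
verify_rpm "$d/advisory.txt" "$base/7.0/n1/xntp-x.alpha.rpm" "$d/pkg64.rpm" || true
rm -rf "$d"
```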
    
    
    ______________________________________________________________________________
    
    2)  Pending vulnerabilities in SuSE Distributions and Workarounds:
    
        - kernel
        Please expect security updates of the Linux kernel soon. To resolve all
        currently known security problems in the Linux kernel, update the kernel
        manually to version 2.2.19 or wait until the SuSE update rpm packages
        for the supported distributions 6.3, 6.4, 7.0 and 7.1 are ready to be
        used and available for download.
    
        - more updates
        In addition to the kernel update, please expect more packages to see
        security updates. Currently, this involves vim, mc and sudo.
    
    
        - bind8
        The update packages for the 7.0 sparc distribution are available.
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/bind8-8.2.3-39.sparc.rpm
          c7e2a95bd4b90d03207ffc3a9880c36c
        source rpm:
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/bind8-8.2.3-39.src.rpm
          5d4d4b608f2a8a3e61f7dc6917254f4f
        The SuSE-7.1 sparc distribution was published after the bugs in bind8
        were corrected.
    ______________________________________________________________________________
    
    3)  standard appendix:
    
        SuSE runs two security mailing lists to which any interested party may
        subscribe:
    
        [email address not preserved]
            -   general/linux/SuSE security discussion.
                All SuSE security announcements are sent to this list.
                To subscribe, send an email to
                    [email address not preserved].

        [email address not preserved]
            -   SuSE's announce-only mailing list.
                Only SuSE's security announcements are sent to this list.
                To subscribe, send an email to
                    [email address not preserved].

        For general information or the frequently asked questions (faq)
        send mail to:
            [email address not preserved] or
            [email address not preserved] respectively.

        ===============================================
        SuSE's security contact is [email address not preserved].
        ===============================================
    
    ______________________________________________________________________________
    
        The information in this advisory may be distributed or reproduced,
        provided that the advisory is not modified in any way.
        SuSE GmbH makes no warranties of any kind whatsoever with respect
        to the information contained in this security advisory.
    
    Type Bits/KeyID    Date       User ID
    pub  2048/3D25D3D9 1999/03/06 SuSE Security Team [email address not preserved]
    
    
    
    