Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit.
Unitrends risk assessment: none (no public IP)
NTP would only be a buffer overflow risk in our product if the NTP engine was exposed on a public firewall via unfiltered external IP. With even that the CVE lists risks as low. The best a hacker could accomplish after brute force attack of the NTP protocol are the type of generator we use and the encryption scheme for that key used. Unitrends appliances are not using a key cypher for NTP so this is a non-risk. Further, the worst case scenario of a compromised system is the hacker can gain the privileges of the NTP service account, which are far below root and highly restricted.
As Unitrends does not support our appliances deployed with public IPs exposing all ports, there is no risk to our appliances from these vulnerabilities when using supported configurations.
Date of Red Hat bugzilla was 12/19/2014.
- CentOS6: ntp-4.2.6p5-2.el6 (default is ntp-4.2.6p5-1.el6)
- CentOS5: ntp-4.2.2p1-18.el5_11 (default is ntp-4.2.2p1-15.el5)