-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Network Time Protocol (NTP) Vulnerabilities

April 17, 2001 18:00 GMT                                          Number L-071
[Revision A 10/29/2001 Added Sun Bulletin #211]
[Revision B 11/21/2001 Modified Platform's FreeBSD section]
______________________________________________________________________________
PROBLEM:       The Network Time Protocol (NTP) codes of certain vendors are 
               vulnerable to a buffer overflow attack. 
PLATFORM:      Hewlett-Packard:
                 HP9000 Series 700/800 running HP-UX releases 10.XX and 11.XX. 
               Red Hat:
                 Red Hat Linux 6.2 and earlier (for xntpd). 
                 Red Hat Linux 7.0 (for ntpd). 
               NetBSD:
                 NetBSD prior to 1.4. 
                 NetBSD 1.4 and 1.5. 
                 NetBSD-CURRENT prior to 2001-04-05.
               FreeBSD:
                 FreeBSD 3.x (all releases).
                 FreeBSD 4.x (all releases prior to 4.3-RELEASE).
                 FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction 
                   date 2001-04-06. 
                 FreeBSD ports collection prior to the correction date 
                   2001-04-06. 
               Caldera:
                 OpenLinux 2.3 (All packages previous to xntp-3.5.93e-5)
                 OpenLinux eServer 2.3.1 and OpenLinux eBuilder (All packages 
                   previous to xntp-3.5.93e-5)
                 OpenLinux eDesktop 2.4 (All packages previous to 
                   xntp-4.0.97-2)
               Sun:
                 Solaris 8, 7, and 2.6.
                 SunOS 5.8, 5.7, and 5.6.

DAMAGE:        A remote intruder can use the buffer overflow to cause the NTP 
               code, and even the machine that is running NTP, to crash. It is
               possible that the buffer overflow can be used to execute 
               arbritrary code. If the NTP daemon is running as root, then 
               this could lead to a root compromise. 
SOLUTION:      Obtain your particular vendor’s directions from the vendor’s 
               web site and follow the vendor’s suggestions.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The listed vendors have determined that their 
ASSESSMENT:    codes are vulnerable. The vulnerabilities and detailed exploits 
               have been discussed in public forums. 
______________________________________________________________________________

The NTP code sets and maintains a UNIX system’s time-of-day in agreement with 
Internet standard time servers.  NTP uses the Internet Protocol (IP) and User 
Datagram Protocol (UDP) for sending and receiving the time-of-day information.
There are buffer overflow attacks that can cause some NTP servers to crash, 
leading to a root compromise.

CIAC has included the vendor information we know about in this bulletin.  
While CIAC will add new vendor information as we receive it, you should always
check your vendor’s web site to insure you have the latest information.

Hewlett-Packard:

     Use your browser to get to the HP IT Resource Center page at:

     http://itrc.hp.com

     Under the Maintenance/Support menu, click on the "search technical 
     knowledge base" link.  Login using your ID and password.  Check with your
     system administrator to see if you have an existing login or click on the
     "register now" link in the "New Users - Please Register" section.  Once 
     you are in the "Technical Knowledge Base" page, select the "Security 
     Bulletins" link in the "HP-UX Software" section.  Do a "Search By 
     Keyword" for "xntpd", and look for "Security Advisory #0148, 06 Apr. ‘01"
     in the search results.  This is the bulletin "Sec. Vulnerability in 
     xntpd(1M)".

Red Hat Linux:

     Use your browser to get to the Red Hat Linux Errata page at:

     http://www.redhat.com/support/errata/

     Under the "General Red Hat Linux Errata" section, go to the "Version 7.0 
     (Guinness)" subsection and click on the "Security Advisories" link.  This
     will bring you to the "Red Hat Linux 7.0 Security Advisories" page.  
     Click on the "xntp3 (RSHA-2001-045)" link under the "Name" column to get 
     to the security bulletin "Network Time Daemon (ntpd) has potential remote
     root exploit."

NetBSD:

     Use your browser to get to the NetBSD Project’s "Security and NetBSD" 
     page at:

     http://www.netbsd.org/Security/

     Click on the "advisory archive" link to get to the advisory "NetBSD-
     SA2001-004 Buffer overflow in NTP daemon".

FreeBSD:

     Use your browser to get to the "FreeBSD Security Information" page at:

     http://www.freebsd.org/security/security.html

     Under the "Table of Contents" section, click on the "FreeBSD Security
     Advisories" link.  In the "FreeBSD Security Advisories" section, click on 
     the ""FTP_Site" link.  Double-click on the link 
     "FreeBSD-SA-01:31.ntpd.asc" to download the FreeBSD-SA-01:31 advisory
     "ntpd contains potential remote compromise".

Caldera:

     Use your browser to get to Caldera's "Security Advisories" page at:

     http://www.calderasystems.com/support/security/

     Click on the "CSSA-2001-013.0" link for the "Remote root exploit in 
     ntpd" security advisory.

Sun:

     Use your browser to get to the "Sun Microsystems" page at:

     http://www.sun.com/

     Select the "Site Index" tab at the top of the page to get to the 
     "Sun.Com Site Index" page.  Select the letter "S" in the
     alphabetical listing at the top of the page.  Scroll down the 
     page to the "Sunsolve Online Support" entry, and click on it.  
     Once you are in the "SunSolve Online" page, go to the "SunSolve 
     Contents" page and click on the "Security Bulletin Archive".  
     Once you are in the "Security Information/Security Bulletin"
     page,  click on Bulletin numbered 211, topic "xntpd".
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Hewlett-Packard, Red Hat, 
NetBSD, FreeBSD, Caldera, and Sun for the information contained in this 
bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call
l-064: The Lion Internet Worm DDOS Risk
L-065: Solaris Exploitation of snmpXdmid
L-066: Internet Explorer MIME Mime Header Vulnerability
L-067: Linux worm Adore
L-068: Cisco VPN3000 Concentrator TELNET Vulnerability
L-069: Cisco Content Services Switch User Account Vulnerability
L-070: FTP Filename Expansion Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBO/wHyLnzJzdsy3QZAQFmGAP8DsSeJyIK3gkSZJishwhhNcFfzDke9WaC
T/IqXlvlR+eg18YG/1fwlhW4UjyjIpfco9c1W10qVpU3aQ6zPBjv0jKKoGX4LVOs
HRPeUCEU8hUNfnLXSH0X8YcwPKVyB7aBA7PZtdzAajLdK1lsmXE4GAxeSXG/LVr0
zGuUJMyGfbs=
=XXEf
-----END PGP SIGNATURE-----