SB2019012401 - Multiple vulnerabilities in NTPsec
Published: January 24, 2019
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2019-6442)
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system. The weakness exists because the affected software allows one byte to be written out of bounds in the ntpd daemon, related to the config_remotely function in the ntp_config.c source code file, the yyparse function in the ntp_parser.tab.c source code file, and the yyerror function in the ntp_parser.y source code file. A remote attacker can send a configuration request containing malicious input, trigger the out-of-bounds write and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Stack out-of-bounds read (CVE-ID: CVE-2019-6443)
The vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a bug in ctl_getitem. A remote attacker can trigger a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd and perform a denial of service attack.
3) Stack out-of-bounds read (CVE-ID: CVE-2019-6444)
The vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists because attacker-controlled data is dereferenced by ntohl() in ntpd. A remote attacker can trigger a stack-based buffer over-read in process_control() in ntp_control.c and perform a denial of service attack.
4) NULL pointer dereference (CVE-ID: CVE-2019-6445)
The vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in ntp_control.c, related to ctl_getitem. A remote authenticated attacker can trigger the NULL pointer dereference, crash ntpd and thereby perform a denial of service (DoS) attack.
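Vulnerabilities 2 to 4 above are all driven by lengths and values taken from a mode 6 control packet and used without being checked against the number of bytes actually received. The following C program is an added illustration of the missing discipline and is not code from ntpd or NTPsec: a small parser for the RFC 1305 control message header that validates the attacker-controlled count field against the received length before exposing the data pointer, and a helper that refuses a 32-bit read (the portable equivalent of ntohl) unless all four bytes lie inside the validated region. The function and field names are this example's own, and the sample packet is constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTP mode 6 (control) message layout, RFC 1305 Appendix B:
 * byte 0: LI(2) VN(3) Mode(3)      byte 1: R E M Opcode(5)
 * bytes 2-3 sequence, 4-5 status, 6-7 association id,
 * bytes 8-9 offset, 10-11 count, then up to 468 data bytes. */
#define CTL_HEADER_LEN 12
#define CTL_MAX_DATA   468
#define MODE_CONTROL   6

typedef struct {
    uint8_t  opcode;
    int      response, error, more;   /* R, E, M flag bits */
    uint16_t sequence, status, associd, offset;
    uint16_t count;                   /* length of data field: attacker-controlled */
    const uint8_t *data;              /* points into the packet; set only on success */
} ctl_msg;

/* Big-endian loads (portable equivalent of ntohs/ntohl). Callers must have
 * verified that 2 or 4 bytes are actually present before calling these. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse a received datagram. Returns 0 on success, a negative code otherwise.
 * Every length taken from the wire is checked against pkt_len (bytes really
 * received) before the data pointer is exposed, so no later reader can run
 * past the buffer on the strength of a forged count field. */
int parse_control_packet(const uint8_t *pkt, size_t pkt_len, ctl_msg *out)
{
    if (pkt == NULL || out == NULL)      return -1;
    if (pkt_len < CTL_HEADER_LEN)        return -2;  /* header itself incomplete */
    if ((pkt[0] & 0x07) != MODE_CONTROL) return -3;

    uint16_t count = be16(pkt + 10);
    if (count > CTL_MAX_DATA)                     return -4;  /* above protocol maximum */
    if ((size_t)count > pkt_len - CTL_HEADER_LEN) return -5;  /* claims bytes never received */

    memset(out, 0, sizeof *out);
    out->opcode   = pkt[1] & 0x1f;
    out->response = (pkt[1] >> 7) & 1;
    out->error    = (pkt[1] >> 6) & 1;
    out->more     = (pkt[1] >> 5) & 1;
    out->sequence = be16(pkt + 2);
    out->status   = be16(pkt + 4);
    out->associd  = be16(pkt + 6);
    out->offset   = be16(pkt + 8);
    out->count    = count;
    out->data     = pkt + CTL_HEADER_LEN;
    return 0;
}

/* Read a 32-bit big-endian word at byte position `at` of the data field.
 * Refuses the read unless all four bytes lie inside the validated count,
 * which is the check a bare ntohl() on a packet pointer does not make. */
int ctl_read_u32(const ctl_msg *m, size_t at, uint32_t *val)
{
    if (m == NULL || val == NULL || m->data == NULL) return -1;
    if (at > m->count || (size_t)m->count - at < 4)  return -2;
    *val = be32(m->data + at);
    return 0;
}

int main(void)
{
    /* Constructed sample: a mode 6 read-variables request (opcode 2) carrying
     * a 4-byte data field. Not a capture from a real ntpd. */
    uint8_t pkt[CTL_HEADER_LEN + 4] = {
        0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
    ctl_msg m;
    uint32_t v;

    printf("well-formed: rc=%d\n", parse_control_packet(pkt, sizeof pkt, &m));
    if (ctl_read_u32(&m, 0, &v) == 0) printf("data word: 0x%08x\n", v);

    /* Same bytes, but the count field now claims 100 data bytes. */
    pkt[10] = 0x00; pkt[11] = 0x64;
    printf("forged count: rc=%d\n", parse_control_packet(pkt, sizeof pkt, &m));
    return 0;
}
```

The point of the design is that the length check happens once, at the boundary where bytes arrive, and every subsequent accessor trusts only the validated `count`, never a field copied out of the packet. A truncated header, a count larger than the protocol maximum, and a count larger than the datagram are each rejected with a distinct code so that a defender can log which malformed shape was received.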
Remediation
Install the update from the vendor's website.
References
- https://dumpco.re/blog/ntpsec-bugs
- https://dumpco.re/bugs/ntpsec-authed-oobwrite
- https://github.com/ntpsec/ntpsec/blob/NTPsec_1_1_3/NEWS
- https://www.exploit-db.com/exploits/46178/
- https://dumpco.re/bugs/ntpsec-oobread1
- https://www.exploit-db.com/exploits/46175/
- https://dumpco.re/bugs/ntpsec-oobread2
- https://www.exploit-db.com/exploits/46176/
- https://dumpco.re/bugs/ntpsec-authed-npe
- https://www.exploit-db.com/exploits/46177/