AUSCERT External Security Bulletin Redistribution

      ESB-2001.149 -- FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
                 ntpd contains potential remote compromise
                               17 April 2001


        AusCERT Security Bulletin Summary

Product:                ntp
Vendor:                 FreeBSD
Operating System:       FreeBSD 3.x
                        FreeBSD 4.x
                        FreeBSD 3.5-STABLE
                        FreeBSD 4.2-STABLE
Impact:                 Root Compromise
Access Required:        Remote

Ref:                    ESB-2001.138

- --------------------------BEGIN INCLUDED TEXT--------------------


FreeBSD-SA-01:31                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ntpd contains potential remote compromise

Category:       core/ports
Module:         ntpd
Announced:      2001-04-06
Credits:        Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.2-STABLE prior to the
                correction date.
                Ports collection prior to the correction date.
Corrected:      2001-04-06 (FreeBSD 4.2-STABLE, 3.5-STABLE, and ports)
Vendor status:  Vendor notified.
FreeBSD only:   NO

I.   Background

The ntpd daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a
reference time source.  Older versions of ntpd, such as those in
FreeBSD 3.x, were named xntpd.

II.  Problem Description

An overflowable buffer exists in the ntpd daemon related to the
building of a response for a query with a large readvar argument.
Due to insufficient bounds checking, a remote attacker may be able
to cause arbitrary code to be executed as the user running the
ntpd daemon, usually root.

All versions of FreeBSD prior to the correction date, including
FreeBSD 3.5.1 and 4.2, and versions of the ntpd port prior to
ntp-4.0.99k_2 contain this problem.  The base system and ports
collections that will ship with FreeBSD 4.3 do not contain this
problem since it was corrected before the release.

III. Impact

Malicious remote users may be able to execute arbitrary code on an
ntpd server as the user running the ntpd daemon, usually root.

The ntpd daemon is not enabled by default.  If you have not enabled
ntpd, your system is not vulnerable.

IV.  Workaround

Disable the ntpd daemon using the following command:

# kill -KILL `cat /var/run/ntpd.pid`

Additionally, the ntpd daemon should be disabled in the system's
startup configuration file /etc/rc.conf, normally accomplished by
changing "xntpd_enable=YES" to "xntpd_enable=NO".

Since NTP is a stateless UDP-based protocol, source addresses can be
spoofed rendering firewalling ineffective for stopping this

V.   Solution

[Base system]

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE or 3.5.1-STABLE after the correction

2) Download the patch and detached PGP signature from the following

The following patch applies to FreeBSD 4.x.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch.asc

The folllowing patch applies to FreeBSD 3.x.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

[FreeBSD 4.x]

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/ntp
# make all install

[FreeBSD 3.x]

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/xntpd
# make all install

Finally, if ntpd is already running then kill and restart the ntpd
daemon: perform the following command as root:

# kill -KILL `cat /var/run/ntpd.pid` && /usr/sbin/ntpd

[Ports collection]

Use one of the following options to upgrade the ntpd software, then
kill and restart the ntpd daemon if it is already running.

To kill and restart the ntpd daemon, perform the following command as

# kill -KILL `cat /var/run/ntpd.pid` && /usr/local/sbin/ntpd

1) Upgrade your entire ports collection and rebuild the ntpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:


NOTE: It may be several days before updated packages are available.

Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) download a new port skeleton for the ntpd port from:


and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:


Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key