-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2005-011 ================================= Topic: ntpd may start with different group id than desired Version: NetBSD-current: source prior to October 14, 2005 NetBSD 2.1: affected NetBSD 2.0.3: affected NetBSD 2.0.2: affected NetBSD 2.0.1: affected NetBSD 1.6.*: affected pkgsrc: ntp packages prior to 4.2.0nb7 Severity: privilege escalation Fixed: NetBSD-current: October 14, 2005 NetBSD-3 branch: October 14, 2005 (3.0 will include the fix) NetBSD-2.1 branch: November 1, 2005 (2.1.1 will include the fix) NetBSD-2.0 branch: November 1, 2005 (2.0.4 will include the fix) NetBSD-2 branch: November 1, 2005 NetBSD-1.6 branch: November 1, 2005 pkgsrc: ntp-4.2.0nb7 corrects this issue Abstract ======== When started with the -u parameter, and passed a group to run as, ntpd will use the primary group of the user and not the provided group. This vulnerability has been assigned CVE reference CAN-2005-2496. Technical Details ================= When invoked with the ``-u user:group'' or ``-u :group'' parameter, with the group being specified as a group name, ntpd always accessed the ``pw_gid'' member of the credentials for ``user'', instead of the ``gr_gid'' member of the credentials for ``group''. When both a user and group were specified, this meant ntpd ran with the group-id being set to the primary group of the user. When only a group was specified, ntpd would access an uninitialized pointer, which would result in undefined behavior. In a worst case scenario, when started with ``-u :group'' it could run with root privileges. Another vulnerability would then be required to maliciously exploit those privileges. Solutions and Workarounds ========================= The default NetBSD running ntp configuration is not vulnerable to this bug, since the ntpd user has the correct primary group id. However, it is recommended that all users of affected versions update their ntpd to include the fix. The following instructions describe how to upgrade your ntpd binaries by updating your source tree and rebuilding and installing a new version of ntpd. * NetBSD-current: Systems running NetBSD-current dated from before 2005-10-13 should be upgraded to NetBSD-current dated 2005-10-14 or later. The following file needs to be updated from the netbsd-current CVS branch (aka HEAD): src/dist/ntp/ntpd/ntpd.c To update from CVS, re-build, and re-install ntpd: # cd src # cvs update -d -P dist/ntp/ntpd/ntpd.c # cd usr.sbin/ntp # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 2.*: Systems running NetBSD 2.* sources dated from before 2005-11-01 should be upgraded from NetBSD 2.* sources dated 2005-11-02 or later. The following file needs to be updated from the netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch: dist/ntp/ntpd/ntpd.c To update from CVS, re-build, and re-install ntpd: # cd src # cvs update -d -P -r netbsd-2 dist/ntp/ntpd/ntpd.c # cd usr.sbin/ntp # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 1.6.*: Systems running NetBSD 1.6 sources dated from before 2005-11-01 should be upgraded from NetBSD 1.6 sources dated 2005-11-02 or later. NetBSD 1.6.3 will include the fix. The following file needs to be updated from the netbsd-1-6 CVS branch: dist/ntp/ntpd/ntpd.c To update from CVS, re-build, and re-install ntpd: # cd src # cvs update -d -P -r netbsd-1-6 dist/ntp/ntpd/ntpd.c # cd usr.sbin/ntp # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Josh Bressers for reporting the bug to Secunia. Adrian Portelli for reporting the bug to the NetBSD Security Officer. Revision History ================ 2005-11-01 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-011.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2005-011.txt,v 1.6 2005/10/31 22:21:02 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (NetBSD) iQCVAwUBQ2fJ+j5Ru2/4N2IFAQIYnQQAkHVFd+AP/+iNH5hp3Gz308N9G0D+boLu FtdHGvUZ56YOQvhG+H5vTxse2TyIeV9QkZSfLRLiu+IEx6GaqZKTlOOihIxKjLJ1 Qp/EA1qjFpcGxhJyxwNT2uBKjSXD3lco0bIS94HJ0c3aBO5eRfbaOfsA9/LtjY+s Gmg3wKQgJbc= =L/AK -----END PGP SIGNATURE-----