mspinale
just joined
Topic Author
Posts: 8
Joined: Mon Nov 24, 2008 6:46 pm

NTP Client vulnerable to buffer overflow?

Tue Mar 01, 2011 6:43 pm

I have a web server behind RoS 3.22. The router performs NAT and passes port 80 and port 443 web traffic along only. The web server is also protected by its own software firewall.

A vulnerability scan was performed by ComplyGuard as part of a PCI compliance check for the web server. This turned up two possible issues in the router or router configuration that I wonder if anyone has come across:

Possible vulnerability in ntpd
Description: If this vulnerability is present, a remote attacker could gain root access to an affected system. [http://www.ntp.org/downloads.html] Upgrade to NTP 4.2.4p8 or higher, or upgrade as designated by Linux vendor.

To find out if your version of ntpd is vulnerable, enter the command:
ntpq -c version
CVE/CAN: CVE-2001-0414
Solution: [http://www.ntp.org/downloads.html] Upgrade to NTP 4.2.4p8 or higher, or upgrade as designated by Linux vendor.
Exceptions/False Positives

Is there a way to determine if this NTP vulnerability is actually present or if instead this is a false-positive? If an issue, has it been mitigated in a newer RoS Version?

The 2nd issue is a DoS vulnerability. I don't agree that this would be high in my case. Here is the issue that was reported:

Synopsis: TCP reset using approximate sequence number
Description: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections. To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml] non-IOS operating systems. Refer to [http://www.kb.cert.org/vuls/id/415294#systems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISCC vulnerability advisory 236929 for other vendor fixes.

If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them.
CVE/CAN: CVE-2004-0230
Solution: To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml] non-IOS operating systems. Refer to [http://www.kb.cert.org/vuls/id/415294#systems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISCC vulnerability advisory 236929 for other vendor fixes.

Any input would be greatly appreciated!

Marc
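The scanner's own test for the ntpd finding is the version floor it states (run `ntpq -c version`, require 4.2.4p8 or higher). The following is an added example, not code from this thread or from MikroTik, that parses such a version banner and applies that floor; it assumes the banner format `ntpq 4.2.4p8@1.1612-o ...`, treats a release with no `p` suffix as patch level 0, and uses constructed sample banners.

```python
import re

# Minimum fixed release named in the scanner report.
MIN_FIXED = "4.2.4p8"
# ntpd versions look like "4.2.4p8"; the "p" patch level is optional.
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_ntp_version(text):
    """Return (major, minor, micro, patch) from an ntpd version string.

    Accepts the bare form ("4.2.4p8") and the banner printed by
    `ntpq -c version` ("ntpq 4.2.4p8@1.1612-o ..."). A release with
    no "p" suffix is patch level 0, so "4.2.4" sorts below "4.2.4p1".
    Returns None when no version is present.
    """
    m = _VER_RE.search(text)
    if m is None:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))

def ntpd_meets_minimum(text, minimum=MIN_FIXED):
    """True if the version in `text` is >= `minimum`, None if unparseable."""
    found = parse_ntp_version(text)
    if found is None:
        return None
    return found >= parse_ntp_version(minimum)

def triage_ntp_finding(banner, minimum=MIN_FIXED):
    """Turn a version banner into a verdict on the scanner's ntpd finding."""
    verdict = ntpd_meets_minimum(banner, minimum)
    if verdict is None:
        return "undetermined: no ntpd version in output"
    if verdict:
        return "likely false positive: ntpd is %s or higher" % minimum
    return "needs upgrade: ntpd is below %s" % minimum

# Constructed sample banners, not captured from a real host.
SAMPLE_BANNERS = [
    "ntpq 4.2.4p8@1.1612-o (1)",
    "ntpq 4.2.4p7@1.1607-o (1)",
    "ntpq 4.2.4@1.1520-o (1)",
    "ntpq 4.2.6p5@1.2349-o (1)",
    "ntpq: command not found",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print("%-32s -> %s" % (banner, triage_ntp_finding(banner)))
```

Where `ntpq` cannot be run on the scanned host, the result is "undetermined" rather than a pass, which is the honest status to take back to the scan vendor along with the evidence of what the device actually exposes.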
 
robertfranz
newbie
Posts: 37
Joined: Tue Apr 21, 2009 3:30 am

Re: NTP Client vulnerable to buffer overflow?

Thu May 31, 2012 2:17 am

PCI scans are, by and large, junk.

The purpose is valid, but the execution is a thinly veiled money grab.

Scan vendor throws out ridiculous "this might be a vulnerability" en masse, then challenges the customer to produce reams of documentation to dispute it, or pay a small monthly "fee for non-compliance."

Mikrotik doesn't help when the vast majority of their customer base is running really old firmware, because the new releases are utter garbage.

I received some 450g's today as I was out of backup units to replace failed Mikrotiks.

Yup - port flapping is alive and well in the shipping firmware.

This is why I'm done done done with Mikrotik.

I'm replacing my one failed unit now, and holding the other two in reserve in case any more fail before I can replace them all with better quality hardware.

It's cheaper for me to use Cisco 881w's than 450g's, given that I have to travel to replace them.