---
NTP 4.2.8p18 (Harlan Stenn <stenn@ntp.org>, 2024 May 24)

Focus: Bug fixes

Severity: Recommended

This release:

- changes crypto (OpenSSL or compatible) detection and default build behavior.
  Previously, crypto was supported if available unless the --without-crypto
  option was given to configure.  With this release, the prior behavior of
  falling back to a crypto-free build if usable libcrypto was not found has
  changed to instead cause configure to fail with an error.
  The --without-crypto option must be explicitly provided if you want a build
  that does not use libcrypto functionality.
- Fixes 40 bugs
- Includes 40 other improvements

Details below:

* [Bug 3918] Tweak openssl header/library handling. <stenn@ntp.org>
* [Bug 3914] Spurious "Unexpected origin timestamp" logged after time
             stepped. <hart@ntp.org>
* [Bug 3913] Avoid duplicate IPv6 link-local manycast associations.
             <hart@ntp.org>
* [Bug 3912] Avoid rare math errors in ntptrace.  <brian.utterback@oracle.com>
* [Bug 3910] Memory leak using openssl-3 <hart@ntp.org>
* [Bug 3909] Do not select multicast local address for unicast peer.
             <hart@ntp.org>
* [Bug 3903] lib/isc/win32/strerror.c NTstrerror() is not thread-safe.
             <hart@ntp.org>
* [Bug 3901] LIB_GETBUF isn't thread-safe. <hart@ntp.org>
* [Bug 3900] fast_xmit() selects wrong local addr responding to mcast on
             Windows. <hart@ntp.org>
* [Bug 3888] ntpd with multiple same-subnet IPs using manycastclient creates
             duplicate associations. <hart@ntp.org>
* [Bug 3872] Ignore restrict mask for hostname. <hart@ntp.org>
* [Bug 3871] 4.2.8p17 build without hopf6021 refclock enabled fails.
             Reported by Hans Mayer.  Moved NONEMPTY_TRANSLATION_UNIT
             declaration from ntp_types.h to config.h.  <hart@ntp.org>
* [Bug 3870] Server drops client packets with ppoll < 4.  <stenn@ntp.org>
* [Bug 3869] Remove long-gone "calldelay" & "crypto sign" from docs.
             Reported by PoolMUC@web.de. <hart@ntp.org>
* [Bug 3868] Cannot restrict a pool peer. <hart@ntp.org>  Thanks to
             Edward McGuire for tracking down the deficiency.
* [Bug 3864] ntpd IPv6 refid different for big-endian and little-endian.
             <hart@ntp.org>
* [Bug 3859] Use NotifyIpInterfaceChange on Windows ntpd. <hart@ntp.org>
* [Bug 3856] Enable Edit & Continue debugging with Visual Studio.
             <hart@ntp.org>
* [Bug 3855] ntpq lacks an equivalent to ntpdc's delrestrict. <hart@ntp.org>
* [Bug 3854] ntpd 4.2.8p17 corrupts rawstats file with space in refid.
             <hart@ntp.org>
* [Bug 3853] Clean up warnings with modern compilers. <hart@ntp.org>
* [Bug 3852] check-libntp.mf and friends are not triggering rebuilds as
             intended. <hart@ntp.org>
* [Bug 3851] Drop pool server when no local address can reach it.
             <hart@ntp.org>
* [Bug 3850] ntpq -c apeers breaks column formatting s2 w/refclock refid.
             <hart@ntp.org>
* [Bug 3849] ntpd --wait-sync times out. <hart@ntp.org>
* [Bug 3847] SSL detection in configure should run-test if runpath is needed.
             <hart@ntp.org>
* [Bug 3846] Use -Wno-format-truncation by default. <hart@ntp.org>
* [Bug 3845] accelerate pool clock_sync when IPv6 has only link-local access.
             <hart@ntp.org>
* [Bug 3842] Windows ntpd PPSAPI DLL load failure crashes. <hart@ntp.org>
* [Bug 3841] 4.2.8p17 build break w/ gcc 12 -Wformat-security without -Wformat
             Need to remove -Wformat-security when removing -Wformat to
             silence numerous libopts warnings.  <hart@ntp.org>
* [Bug 3837] NULL pointer deref crash when ntpd deletes last interface.
             Reported by renmingshuai.  Correct UNLINK_EXPR_SLIST() when the
             list is empty. <hart@ntp.org>
* [Bug 3835] NTP_HARD_*FLAGS not used by libevent tearoff. <hart@ntp.org>
* [Bug 3831] pollskewlist zeroed on runtime configuration. <hart@ntp.org>
* [Bug 3830] configure libevent check intersperses output with answer. <stenn@>
* [Bug 3828] BK should ignore a git repo in the same directory.
             <burnicki@ntp.org>
* [Bug 3827] Fix build in case CLOCK_HOPF6021 or CLOCK_WHARTON_400A
             is disabled.  <burnicki@ntp.org>
* [Bug 3825] Don't touch HTML files unless building inside a BK repo.
             Fix the script checkHtmlFileDates.  <burnicki@ntp.org>
* [Bug 3756] Improve OpenSSL library/header detection.
* [Bug 3753] ntpd fails to start with FIPS-enabled OpenSSL 3. <hart@ntp.org>
* [Bug 2734] TEST3 prevents initial interleave sync.  Fix from <PoolMUC@web.de>
* Log failures to allocate receive buffers.  <hart@ntp.org>
* Remove extraneous */ from libparse/ieee754io.c
* Fix .datecheck target line in Makefile.am.  <stenn@ntp.org>
* Update the copyright year.  <stenn@ntp.org>
* Update ntp.conf documentation to add "delrestrict" and correct information
  about KoD rate limiting.  <hart@ntp.org>
* html/clockopt.html cleanup.  <stenn@ntp.org>
* util/lsf-times - added.  <stenn@ntp.org>
* Add DSA, DSA-SHA, and SHA to tests/libntp/digests.c. <hart@ntp.org>
* Provide ntpd thread names to debugger on Windows. <hart@ntp.org>
* Remove dead code libntp/numtohost.c and its unit tests. <hart@ntp.org>
* Remove class A, B, C IPv4 distinctions in netof(). <hart@ntp.org>
* Use @configure_input@ in various *.in files to include a comment that
  the file is generated from another pointing to the *.in. <hart@ntp.org>
* Correct underquoting, indents in ntp_facilitynames.m4. <hart@ntp.org>
* Clean up a few warnings seen building with older gcc. <hart@ntp.org>
* Fix build on older FreeBSD lacking sys/procctl.h. <hart@ntp.org>
* Disable [Bug 3627] workaround on newer FreeBSD which has the kernel fix
  that makes it unnecessary, re-enabling ASLR stack gap. <hart@ntp.org>
* Use NONEMPTY_COMPILATION_UNIT in more conditionally-compiled files.
* Remove useless pointer to Windows Help from system error messages.
* Avoid newlines within Windows error messages. <hart@ntp.org>
* Ensure unique association IDs if wrapped. <hart@ntp.org>
* Simplify calc_addr_distance(). <hart@ntp.org>
* Clamp min/maxpoll in edge cases in newpeer(). <hart@ntp.org>
* Quiet local addr change logging when unpeering. <hart@ntp.org>
* Correct missing arg for %s printf specifier in
  send_blocking_resp_internal(). <hart@ntp.org>
* Suppress OpenSSL 3 deprecation warning clutter. <hart@ntp.org>
* Correct OpenSSL usage in Autokey code to avoid warnings about
  discarding const qualifiers with OpenSSL 3. <hart@ntp.org>
* Display KoD refid as text in recently added message. <hart@ntp.org>
* Avoid running checkHtmlFileDates script repeatedly when no html/*.html
  files have changed. <hart@ntp.org>
* Abort configure if --enable-crypto-rand given & unavailable. <hart@ntp.org>
* Add configure --enable-verbose-ssl to trace SSL detection. <hart@ntp.org>
* Add build test coverage for --disable-saveconfig to flock-build script.
  <hart@ntp.org>
* Remove deprecated configure --with-arlib option. <hart@ntp.org>
* Remove configure support for ISC UNIX ca. 1998. <hart@ntp.org>
* Move NTP_OPENSSL and NTP_CRYPTO_RAND invocations from configure.ac files
  to NTP_LIBNTP. <hart@ntp.org>
* Remove dead code: HAVE_U_INT32_ONLY_WITH_DNS. <hart@ntp.org>
* Eliminate [v]snprintf redefinition warnings on macOS. <hart@ntp.org>
* Fix clang 14 cast increases alignment warning on Linux. <hart@ntp.org>
* Move ENABLE_CMAC to ntp_openssl.m4, reviving sntp/tests CMAC unit tests.
  <hart@ntp.org>
* Use NTP_HARD_CPPFLAGS in libopts tearoff. <hart@ntp.org>
* wire in --enable-build-framework-help

---
NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)

Focus: Bug fixes

Severity: HIGH (for people running 4.2.8p16)

This release:

- fixes 3 bugs, including a regression
- adds new unit tests

Details below:

* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
             Miroslav Lichvar and Matt for rapid testing and identifying the
             problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
  symmetric authentication digest output.

---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0

Details below:

* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
             hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
  - solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
             <stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
             <hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
             <hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
             Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
  - openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
  - command line options override config statements where applicable
  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
  - misleading title; essentially a request to ignore the receiver status.
    Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
  - original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
  - implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
  - original patch by matt <ntpbr@mattcorallo.com>
  - increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
  - patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
  - ntp{q,dc} now use the same password processing as ntpd does in the key
    file, so having a binary secret >= 11 bytes is possible for all keys.
    (This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
  - applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
  - idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
  - backport from -dev, plus some more work on warnings for unchecked results
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
             Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
             Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32.  <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs.  <stenn@ntp.org>
* Rename a poorly-named variable.  <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0
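Several entries in this release and in 4.2.8p18 concern the 32-bit refid field of the NTP header: [Sec 3767] (an out-of-range KoD RATE value tripping an assertion), [Bug 3864] (the IPv6 refid differing between big- and little-endian hosts), [Bug 3854] (a space in a refid corrupting the rawstats file), [Bug 3479] in 4.2.8p12 (unsafe characters reaching ntpq) and the change to display KoD refids as text. The following is an added example, not code from ntpd or the NTP project, showing how the field is classified by stratum per RFC 5905 section 7.3 and how to render it without those pitfalls: the refid is kept as four octets in wire order rather than loaded into a host-order integer, and non-printable or space bytes are escaped before the value is logged. All function names, the constructed sample packets and the 2001:db8::1 address are illustrative assumptions, not anything the project defines.

```python
"""Decoding and safely printing the NTP refid field.

Added example (not ntpd code). Field layout and the stratum rules follow
RFC 5905 section 7.3, including the IPv6 rule (refid is the first four
octets of the MD5 hash of the address).
"""
import hashlib
import ipaddress
import struct

NTP_HEADER_LEN = 48   # fixed header, without MAC or extension fields
REFID_OFFSET = 12     # refid occupies header bytes 12..15

# Kiss-o'-Death codes listed in RFC 5905 figure 13. ntpd acts on a few of
# them (DENY, RSTR, RATE); the others are informational.
RFC5905_KISS_CODES = frozenset(
    ["ACST", "AUTH", "AUTO", "BCST", "CRYP", "DENY", "DROP",
     "RSTR", "INIT", "MCST", "NKEY", "RATE", "RMOT", "STEP"])


def safe_refid_text(refid):
    """Render four refid octets as text, escaping anything that is not
    printable non-space ASCII. The refid is attacker-supplied: a space or
    newline in it would shift columns in a space-separated rawstats line
    or in ntpq output, so such bytes are shown as \\xNN instead."""
    out = []
    for b in refid:
        if 0x21 <= b <= 0x7E and b != 0x5C:   # printable, not space, not backslash
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def ipv6_refid(address):
    """Refid advertised for an IPv6 upstream: the first four octets of MD5
    over the 16 address bytes. Kept as a byte string in network order; it
    is an identifier, not a number."""
    packed = ipaddress.IPv6Address(address).packed
    return hashlib.md5(packed).digest()[:4]


def refid_dotted(refid):
    """Byte-order-independent rendering: each octet in wire order."""
    return ".".join(str(b) for b in refid)


def refid_dotted_via_host_int(refid, host_little_endian):
    """The fragile variant: load the octets as a host-order u_int32, then
    print it as if it were an IPv4 address. This only matches refid_dotted()
    on big-endian hosts; a little-endian host prints the octets reversed, so
    peers on different architectures disagree about the same server."""
    value = struct.unpack("<I" if host_little_endian else ">I", refid)[0]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decode_refid(packet):
    """Classify the refid of an NTP time packet by stratum.

    Length and mode are checked before any field is read, so a truncated
    packet or a control packet (mode 6/7, different layout) is rejected
    instead of being misparsed."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    mode = packet[0] & 0x07
    if mode in (6, 7):
        raise ValueError("mode %d is a control packet; no refid at offset 12" % mode)
    stratum = packet[1]
    refid = packet[REFID_OFFSET:REFID_OFFSET + 4]
    if stratum == 0:
        text = safe_refid_text(refid)
        return {"kind": "kiss", "text": text, "known": text in RFC5905_KISS_CODES}
    if stratum == 1:
        return {"kind": "refclock", "text": safe_refid_text(refid)}
    if stratum <= 15:
        # IPv4 upstream address, or the MD5-derived octets for an IPv6 upstream
        return {"kind": "server", "text": refid_dotted(refid)}
    return {"kind": "unsynchronized", "text": safe_refid_text(refid)}


def build_packet(stratum, refid, mode=4, version=4):
    """Constructed sample: a minimal 48-byte header with zeroed timestamps."""
    head = bytes([(version << 3) | mode, stratum, 6, 0xEC]) + b"\x00" * 8 + refid
    return head + b"\x00" * (NTP_HEADER_LEN - len(head))


if __name__ == "__main__":
    print(decode_refid(build_packet(0, b"RATE")))      # KoD rate-limit code
    print(decode_refid(build_packet(0, b"RA E")))      # space escaped, unknown code
    print(decode_refid(build_packet(1, b"GPS\x00")))   # refclock identifier
    print(decode_refid(build_packet(2, bytes([192, 0, 2, 1]))))
    r = ipv6_refid("2001:db8::1")
    print(refid_dotted(r), refid_dotted_via_host_int(r, True),
          refid_dotted_via_host_int(r, False))
```

Run the module directly to see the decoded samples. refid_dotted_via_host_int() is included only to make the endianness failure visible; the portable path is refid_dotted() over the raw octets.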

---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)

Focus: Security, Bug fixes

Severity: MEDIUM

This release fixes one vulnerability: Associations that use CMAC
authentication between ntpd from versions 4.2.8p11/4.3.97 and
4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
Eventually, ntpd will run out of memory and abort.

It also fixes 13 other bugs.

* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merge between 3592 and 3596 <perlinger@>
  - Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
  - rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
  - integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
  ntp_config.c <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
  - thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
  - applied patch by Takao Abe

---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that causes an ntpd
instance explicitly configured to override the default and accept
ntpdc (mode 7) connections to read some uninitialized memory; a case
where an unmonitored ntpd using an unauthenticated association to its
servers may be susceptible to a forged-packet DoS attack; and an attack
against a client instance that uses a single unauthenticated time source.
It also fixes 46 other bugs and addresses 4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
             ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd silently discards NMEA messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
             is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
             mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

    484 
    485 --
    486 NTP 4.2.8p12 (Harlan Stenn <stenn (a] ntp.org>, 2018/14/09)
    487 
    488 Focus: Security, Bug fixes, enhancements.
    489 
    490 Severity: MEDIUM
    491 
    492 This release fixes a "hole" in the noepeer capability introduced to ntpd
    493 in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
    494 ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
    495 
    496 * [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
    497 
    498 * [Sec 3012] Fix a hole in the new "noepeer" processing.
    499 
    500 * Bug Fixes:
    501  [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn (a] ntp.org>
    502  [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
    503             other TrustedBSD platforms
    504  - applied patch by Ian Lepore <perlinger (a] ntp.org>
    505  [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger (a] ntp.org>
    506  - changed interaction with SCM to signal pending startup
    507  [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger (a] ntp.org>
    508  - applied patch by Gerry Garvey
    509  [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger (a] ntp.org>
    510  - applied patch by Gerry Garvey
    511  [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger (a] ntp.org>
    512  - rework of ntpq 'nextvar()' key/value parsing
    513  [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger (a] ntp.org>
    514  - applied patch by Gerry Garvey (with mods)
    515  [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger (a] ntp.org>
    516  - applied patch by Gerry Garvey
    517  [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger (a] ntp.org>
    518  - applied patch by Gerry Garvey (with mods)
    519  [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger (a] ntp.org>
    520  - applied patch by Gerry Garvey (with mods); not sure if that's a bug or a feature, though
    521  [Bug 3475] modify prettydate() to suppress output of zero time <perlinger (a] ntp.org>
    522  - applied patch by Gerry Garvey
    523  [Bug 3474] Missing pmode in mode7 peer info response <perlinger (a] ntp.org>
    524  - applied patch by Gerry Garvey
    525  [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
    526  - add #define ENABLE_CMAC support in configure.  HStenn.
    527  [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger (a] ntp.org>
    528  [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger (a] ntp.org>
    529  - patch by Stephen Friedl
    530  [Bug 3467] Potential memory fault in ntpq [...] <perlinger (a] ntp.org>
    531  - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
    532  [Bug 3465] Default TTL values cannot be used <perlinger (a] ntp.org>
    533  [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger (a] ntp.org>
    534  - initial patch by Hal Murray; also fixed refclock_report() trouble
    535  [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn (a] ntp.org>
    536  [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
    537  - According to Brooks Davis, there was only one location <perlinger (a] ntp.org>
    538  [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger (a] ntp.org>
    539  - applied patch by Gerry Garvey
    540  [Bug 3445] Symmetric peer won't sync on startup <perlinger (a] ntp.org>
    541  - applied patch by Gerry Garvey
    542  [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
    543  with modifications
    544  New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
    545  [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger (a] ntp.org>
    546  - applied patch by Miroslav Lichvar
    547  [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
    548  [Bug 3121] Drop root privileges for the forked DNS worker <perlinger (a] ntp.org>
    549  - integrated patch by Reinhard Max
    550  [Bug 2821] minor build issues <perlinger (a] ntp.org>
    551  - applied patches by Christos Zoulas, including real bug fixes
    552  html/authopt.html: cleanup, from <stenn (a] ntp.org>
    553  ntpd/ntpd.c: DROPROOT cleanup.  <stenn (a] ntp.org>
    554  Symmetric key range is 1-65535.  Update docs.   <stenn (a] ntp.org>
    555 
    556 --
    557 NTP 4.2.8p11 (Harlan Stenn <stenn (a] ntp.org>, 2018/02/27)
    558 
    559 Focus: Security, Bug fixes, enhancements.
    560 
    561 Severity: MEDIUM
    562 
    563 This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
    564 vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
    565 provides 65 other non-security fixes and improvements:
    566 
    567 * NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
    568 	association (LOW/MED)
    569    Date Resolved: Stable (4.2.8p11) 27 Feb 2018
    570    References: Sec 3454 / CVE-2018-7185 / VU#961909
    571    Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
    572    CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
    573 	2.9 and 6.8.
    574    CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
    575 	score between 2.6 and 3.1
    576    Summary:
    577 	The NTP Protocol allows for both non-authenticated and
    578 	authenticated associations, in client/server, symmetric (peer),
    579 	and several broadcast modes. In addition to the basic NTP
    580 	operational modes, symmetric mode and broadcast servers can
    581 	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
    582 	was inadvertently introduced into the protocol engine that
    583 	allows a non-authenticated zero-origin (reset) packet to reset
    584 	an authenticated interleaved peer association. If an attacker
    585 	can send a packet with a zero-origin timestamp and the source
    586 	IP address of the "other side" of an interleaved association,
    587 	the 'victim' ntpd will reset its association. The attacker must
    588 	continue sending these packets in order to maintain the
    589 	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
    590 	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
    591 	interleaved mode must be explicitly configured/enabled.
    592    Mitigation:
    593 	Implement BCP-38.
    594 	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
    595 	    or the NTP Public Services Project Download Page.
    596 	If you are unable to upgrade to 4.2.8p11 or later and have
    597 	    'peer HOST xleave' lines in your ntp.conf file, remove the
    598 	    'xleave' option.
    599 	Have enough sources of time.
    600 	Properly monitor your ntpd instances.
    601 	If ntpd stops running, auto-restart it without -g .
    602    Credit:
    603    	This weakness was discovered by Miroslav Lichvar of Red Hat.
    604 
    605 * NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
    606 	state (LOW/MED)
    607    Date Resolved: Stable (4.2.8p11) 27 Feb 2018
    608    References: Sec 3453 / CVE-2018-7184 / VU#961909
    609    Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
    610    CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    611 	Could score between 2.9 and 6.8.
    612    CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    613 	Could score between 2.6 and 6.0.
    614    Summary:
    615    	The fix for NtpBug2952 was incomplete, and while it fixed one
    616 	problem it created another.  Specifically, it drops bad packets
    617 	before updating the "received" timestamp.  This means a
    618 	third-party can inject a packet with a zero-origin timestamp,
    619 	meaning the sender wants to reset the association, and the
    620 	transmit timestamp in this bogus packet will be saved as the
    621 	most recent "received" timestamp.  The real remote peer does
    622 	not know this value and this will disrupt the association until
    623 	the association resets.
    624    Mitigation:
    625 	Implement BCP-38.
    626 	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    627 	    or the NTP Public Services Project Download Page.
    628 	Use authentication with 'peer' mode.
    629 	Have enough sources of time.
    630 	Properly monitor your ntpd instances.
    631 	If ntpd stops running, auto-restart it without -g .
    632    Credit:
    633    	This weakness was discovered by Miroslav Lichvar of Red Hat.
    634 
    635 * NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
    636 	peering (LOW)
    637    Date Resolved: Stable (4.2.8p11) 27 Feb 2018
    638    References: Sec 3415 / CVE-2018-7170 / VU#961909
    639    	       Sec 3012 / CVE-2016-1549 / VU#718152
    640    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    641    	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
    642    CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
    643    CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
    644    Summary:
    645 	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
    646 	use a trustedkey and if one is not using the feature introduced in
    647 	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
    648 	specify which IPs can serve time, a malicious authenticated peer
    649 	-- i.e. one where the attacker knows the private symmetric key --
    650 	can create arbitrarily-many ephemeral associations in order to win
    651 	the clock selection of ntpd and modify a victim's clock.  Three
    652 	additional protections are offered in ntp-4.2.8p11.  One is the
    653 	new 'noepeer' directive, which disables symmetric passive
    654 	ephemeral peering. Another is the new 'ippeerlimit' directive,
    655 	which limits the number of peers that can be created from an IP.
    656 	The third extends the functionality of the 4th field in the
    657 	ntp.keys file to include specifying a subnet range.
    658    Mitigation:
    659 	Implement BCP-38.
    660 	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    661 	    or the NTP Public Services Project Download Page.
    662 	Use the 'noepeer' directive to prohibit symmetric passive
    663 	    ephemeral associations.
    664 	Use the 'ippeerlimit' directive to limit the number of peers
    665 	    that can be created from an IP.
    666 	Use the 4th argument in the ntp.keys file to limit the IPs and
    667 	    subnets that can be time servers.
    668 	Have enough sources of time.
    669 	Properly monitor your ntpd instances.
    670 	If ntpd stops running, auto-restart it without -g .
    671    Credit:
    672 	This weakness was reported as Bug 3012 by Matthew Van Gundy of
    673 	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
    674 
    675 * ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
    676    Date Resolved: 27 Feb 2018
    677    References: Sec 3414 / CVE-2018-7183 / VU#961909
    678    Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
    679    CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    680    CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
    681    Summary:
    682    	ntpq is a monitoring and control program for ntpd.  decodearr()
    683 	is an internal function of ntpq that is used to -- wait for it --
    684 	decode an array in a response string when formatted data is being
    685 	displayed.  This is a problem in affected versions of ntpq if a
    686 	maliciously-altered ntpd returns an array result that will trip this
    687 	bug, or if a bad actor is able to read an ntpq request on its way to
    688 	a remote ntpd server and forge and send a response before the remote
    689 	ntpd sends its response.  It's potentially possible that the
    690 	malicious data could become injectable/executable code.
    691    Mitigation:
    692 	Implement BCP-38.
    693 	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    694 	    or the NTP Public Services Project Download Page.
    695    Credit:
    696 	This weakness was discovered by Michael Macnair of Thales e-Security.
    697 
    698 * NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
    699 	behavior and information leak (Info/Medium)
    700    Date Resolved: 27 Feb 2018
    701    References: Sec 3412 / CVE-2018-7182 / VU#961909
    702    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
    703    CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
    704    CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    705 	0.0 if C:N
    706    Summary:
    707 	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
    708 	A malicious mode 6 packet can be sent to an ntpd instance, and
    709 	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
    710 	cause ctl_getitem() to read past the end of its buffer.
    711    Mitigation:
    712 	Implement BCP-38.
    713 	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    714 	    or the NTP Public Services Project Download Page.
    715 	Have enough sources of time.
    716 	Properly monitor your ntpd instances.
    717 	If ntpd stops running, auto-restart it without -g .
    718    Credit:
    719    	This weakness was discovered by Yihan Lian of Qihoo 360.
    720 
    721 * NTP Bug 3012: Sybil vulnerability: ephemeral association attack
    722    Also see Bug 3415, above.
    723    Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
    724    Date Resolved: Stable (4.2.8p11) 27 Feb 2018
    725    References: Sec 3012 / CVE-2016-1549 / VU#718152
    726    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    727 	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
    728    CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
    729    CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
    730    Summary:
    731 	ntpd can be vulnerable to Sybil attacks.  If a system is set up
    732 	to use a trustedkey and if one is not using the feature
    733 	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
    734 	ntp.keys file to specify which IPs can serve time, a malicious
    735 	authenticated peer -- i.e. one where the attacker knows the
    736 	private symmetric key -- can create arbitrarily-many ephemeral
    737 	associations in order to win the clock selection of ntpd and
    738 	modify a victim's clock.  Two additional protections are
    739 	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
    740 	disables symmetric passive ephemeral peering. The other extends
    741 	the functionality of the 4th field in the ntp.keys file to
    742 	include specifying a subnet range.
    743    Mitigation:
    744 	Implement BCP-38.
    745 	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
    746 	    the NTP Public Services Project Download Page.
    747 	Use the 'noepeer' directive to prohibit symmetric passive
    748 	    ephemeral associations.
    749 	Use the 'ippeerlimit' directive to limit the number of peer
    750 	    associations from an IP.
    751 	Use the 4th argument in the ntp.keys file to limit the IPs
    752 	    and subnets that can be time servers.
    753 	Properly monitor your ntpd instances.
    754    Credit:
    755    	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
    756 
    757 * Bug fixes:
    758  [Bug 3457] OpenSSL FIPS mode regression <perlinger (a] ntp.org>
    759  [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger (a] ntp.org>
    760  - applied patch by Sean Haugh 
    761  [Bug 3452] PARSE driver prints uninitialized memory. <perlinger (a] ntp.org>
    762  [Bug 3450] Dubious error messages from plausibility checks in get_systime()
    763  - removed error log caused by rounding/slew, ensured postcondition <perlinger (a] ntp.org>
    764  [Bug 3447] AES-128-CMAC (fixes) <perlinger (a] ntp.org>
    765  - refactoring the MAC code, too
    766  [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn (a] ntp.org
    767  [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger (a] ntp.org>
    768  - applied patch by ggarvey
    769  [Bug 3438] Negative values and values > 999 days in... <perlinger (a] ntp.org>
    770  - applied patch by ggarvey (with minor mods)
    771  [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
    772  - applied patch (with mods) by Miroslav Lichvar <perlinger (a] ntp.org>
    773  [Bug 3435] anchor NTP era alignment <perlinger (a] ntp.org>
    774  [Bug 3433] sntp crashes when run with -a.  <stenn (a] ntp.org>
    775  [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
    776  - fixed several issues with hash algos in ntpd, sntp, ntpq,
    777    ntpdc and the test suites <perlinger (a] ntp.org>
    778  [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger (a] ntp.org>
    779  - initial patch by Daniel Pouzzner
    780  [Bug 3423] QNX adjtime() implementation error checking is
    781  wrong <perlinger (a] ntp.org>
    782  [Bug 3417] ntpq ifstats packet counters can be negative
    783  - made IFSTATS counter quantities unsigned <perlinger (a] ntp.org>
    784  [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
    785  - raised receive buffer size to 1200 <perlinger (a] ntp.org>
    786  [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
    787  analysis tool. <abe (a] ntp.org>
    788  [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
    789  [Bug 3404] Fix openSSL DLL usage under Windows <perlinger (a] ntp.org>
    790  - fix/drop assumptions on OpenSSL libs directory layout
    791  [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
    792  - initial patch by timeflies (a] mail2tor.com  <perlinger (a] ntp.org>
    793  [Bug 3398] tests fail with core dump <perlinger (a] ntp.org>
    794  - patch contributed by Alexander Bluhm
    795  [Bug 3397] ctl_putstr() asserts that data fits in its buffer
    796  - rework of formatting & data transfer stuff in 'ntp_control.c'
    797    avoids unnecessary buffers and size limitations. <perlinger (a] ntp.org>
    798  [Bug 3394] Leap second deletion does not work on ntpd clients
    799  - fixed handling of dynamic deletion w/o leap file <perlinger (a] ntp.org>
    800  [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
    801  - increased minimum stack size to 32kB <perlinger (a] ntp.org>
    802  [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger (a] ntp.org>
    803  - reverted handling of PPS kernel consumer to 4.2.6 behavior
    804  [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe (a] ntp.org>
    805  [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
    806  [Bug 3016] wrong error position reported for bad ":config pool"
    807  - fixed location counter & ntpq output <perlinger (a] ntp.org>
    808  [Bug 2900] libntp build order problem.  HStenn.
    809  [Bug 2878] Tests are cluttering up syslog <perlinger (a] ntp.org>
    810  [Bug 2737] Wrong phone number listed for USNO. ntp-bugs (a] bodosom.net,
    811  perlinger (a] ntp.org
    812  [Bug 2557] Fix Thunderbolt init. ntp-bugs (a] bodosom.net, perlinger@ntp.
    813  [Bug 948] Trustedkey config directive leaks memory. <perlinger (a] ntp.org>
    814  Use strlcpy() to copy strings, not memcpy().  HStenn.
    815  Typos.  HStenn.
    816  test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
    817  refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
    818  Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger (a] ntp.org
    819  Fix trivial warnings from 'make check'. perlinger (a] ntp.org
    820  Fix bug in the override portion of the compiler hardening macro. HStenn.
    821  record_raw_stats(): Log entire packet.  Log writes.  HStenn.
    822  AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
    823  sntp: tweak key file logging.  HStenn.
    824  sntp: pkt_output(): Improve debug output.  HStenn.
    825  update-leap: updates from Paul McMath.
    826  When using pkg-config, report --modversion.  HStenn.
    827  Clean up libevent configure checks.  HStenn.
    828  sntp: show the IP of who sent us a crypto-NAK.  HStenn.
    829  Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
    830  authistrustedip() - use it in more places.  HStenn, JPerlinger.
    831  New sysstats: sys_lamport, sys_tsrounding.  HStenn.
    832  Update ntp.keys .../N documentation.  HStenn.
    833  Distribute testconf.yml.  HStenn.
    834  Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
    835  Rename the configuration flag fifo variables.  HStenn.
    836  Improve saveconfig output.  HStenn.
    837  Decode restrict flags on receive() debug output.  HStenn.
    838  Decode interface flags on receive() debug output.  HStenn.
    839  Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
    840  Update the documentation in ntp.conf.def .  HStenn.
    841  restrictions() must return restrict flags and ippeerlimit.  HStenn.
    842  Update ntpq peer documentation to describe the 'p' type.  HStenn.
    843  Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
    844  Provide dump_restricts() for debugging.  HStenn.
    845  Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
    846 
    847 * Other items:
    848 
    849 * update-leap needs the following perl modules:
    850 	Net::SSLeay
    851 	IO::Socket::SSL
    852 
    853 * New sysstats variables: sys_lamport, sys_tsrounding
    854 See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
    855 sys_lamport counts the number of observed Lamport violations, while
    856 sys_tsrounding counts observed timestamp rounding events.
    857 
    858 * New ntp.conf items:
    859 
    860 - restrict ... noepeer
    861 - restrict ... ippeerlimit N
    862 
    863 The 'noepeer' directive will disallow all ephemeral/passive peer
    864 requests.
    865 
    866 The 'ippeerlimit' directive limits the number of time associations
    867 for each IP in the designated set of addresses.  This limit does not
    868 apply to explicitly-configured associations.  A value of -1, the current
    869 default, means an unlimited number of associations may connect from a
    870 single IP.  0 means "none", etc.  Ordinarily the only way multiple
    871 associations would come from the same IP would be if the remote side
    872 was using a proxy.  But a trusted machine might become compromised,
    873 in which case an attacker might spin up multiple authenticated sessions
    874 from different ports.  This directive should be helpful in this case.
    875 
    876 * New ntp.keys feature: Each IP in the optional list of IPs in the 4th
    877 field may contain a /subnetbits specification, which identifies the
    878 scope of IPs that may use this key.  This IP/subnet restriction can be
    879 used to limit the IPs that may use the key in almost all situations where
    880 a key is used.
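
As an added example, not taken from the NTP distribution, here is an ntp.conf and ntp.keys pair showing the pre-4.2.8p11 configuration that the Bug 3012/3415 advisories describe next to one hardened with the three protections introduced above ('noepeer', 'ippeerlimit' and the /N subnet bits in the ntp.keys 4th field). All addresses, key numbers and key material are constructed placeholders, and the 'restrict' argument order and the comma-separated 4th-field syntax are assumed from the 4.2.8p11 documentation rather than quoted from this file.

```conf
# --- ntp.conf as commonly written before ntp-4.2.8p11 (constructed) ---
# Any holder of trusted key 10 may mobilize as many ephemeral symmetric-passive
# associations as it likes, from any address: the Sybil case of Bug 3012/3415.
keys /etc/ntp/ntp.keys
trustedkey 10
restrict default kod nomodify notrap noquery limited
restrict 127.0.0.1
peer 192.0.2.10 key 10

# --- ntp.conf hardened with the ntp-4.2.8p11 directives (constructed) ---
keys /etc/ntp/ntp.keys
trustedkey 10
# noepeer: refuse ephemeral symmetric-passive peering even when authenticated.
# ippeerlimit 0: "none", so no ephemeral association at all per source IP.
# Assumed argument order: restrict addr [mask m] [ippeerlimit N] [flags...]
restrict default ippeerlimit 0 kod nomodify notrap noquery limited noepeer
restrict 127.0.0.1
# A trusted subnet where authenticated ephemeral peering is still allowed,
# but capped at one association per IP, so a compromised host in it cannot
# spin up many authenticated sessions from different ports to win selection.
restrict 192.0.2.0 mask 255.255.255.0 ippeerlimit 1 kod nomodify notrap noquery limited
# Explicitly configured associations are exempt from ippeerlimit, so this
# static peer keeps working with the default limit at 0.
peer 192.0.2.10 key 10

# --- /etc/ntp/ntp.keys (constructed; key material is an obvious placeholder) ---
# keyno  type  key                                       allowed IPs (optional 4th field)
# Key 10 may only authenticate packets from 192.0.2.10 itself.
10       SHA1  0123456789abcdef0123456789abcdef01234567  192.0.2.10
# Key 20 may be used from anywhere in 192.0.2.0/24 (the /N subnet bits added in
# ntp-4.2.8p11) and from 2001:db8::/32; list entries assumed comma-separated.
# It would also need to appear in 'trustedkey' before ntpd accepts it.
20       SHA1  fedcba9876543210fedcba9876543210fedcba98  192.0.2.0/24,2001:db8::/32
```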
    881 --
    882 NTP 4.2.8p10 (Harlan Stenn <stenn (a] ntp.org>, 2017/03/21) 
    883 
    884 Focus: Security, Bug fixes, enhancements.
    885 
    886 Severity: MEDIUM
    887 
    888 This release fixes 5 medium-, 6 low-, and 4 informational-severity
    889 vulnerabilities, and provides 15 other non-security fixes and improvements:
    890 
    891 * NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
    892    Date Resolved: 21 Mar 2017
    893    References: Sec 3389 / CVE-2017-6464 / VU#325339
    894    Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
    895 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    896    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
    897    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    898    Summary:
    899 	A vulnerability found in the NTP server makes it possible for an
    900 	authenticated remote user to crash ntpd via a malformed mode
    901 	configuration directive.
    902    Mitigation:
    903 	Implement BCP-38.
    904 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    905 	    the NTP Public Services Project Download Page
    906 	Properly monitor your ntpd instances, and auto-restart
    907 	    ntpd (without -g) if it stops running. 
    908    Credit:
    909 	This weakness was discovered by Cure53. 
    910 
    911 * NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
    912     Date Resolved: 21 Mar 2017
    913     References: Sec 3388 / CVE-2017-6462 / VU#325339
    914     Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
    915     CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
    916     CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
    917     Summary:
    918 	There is a potential for a buffer overflow in the legacy Datum
    919 	Programmable Time Server refclock driver.  Here the packets are
    920 	processed from the /dev/datum device and handled in
    921 	datum_pts_receive().  Since an attacker would be required to
    922 	somehow control a malicious /dev/datum device, this does not
    923 	appear to be a practical attack and renders this issue "Low" in
    924 	terms of severity.
    925    Mitigation:
    926 	If you have a Datum reference clock installed and think somebody
    927 	    may maliciously change the device, upgrade to 4.2.8p10, or
    928 	    later, from the NTP Project Download Page or the NTP Public
    929 	    Services Project Download Page
    930 	Properly monitor your ntpd instances, and auto-restart
    931 	    ntpd (without -g) if it stops running. 
    932    Credit:
    933 	This weakness was discovered by Cure53. 
    934 
    935 * NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
    936    Date Resolved: 21 Mar 2017
    937    References: Sec 3387 / CVE-2017-6463 / VU#325339
    938    Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
    939 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    940    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
    941    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    942    Summary:
    943 	A vulnerability found in the NTP server allows an authenticated
    944 	remote attacker to crash the daemon by sending an invalid setting
    945 	via the :config directive.  The unpeer option expects a number or
    946 	an address as an argument.  In case the value is "0", a
    947 	segmentation fault occurs.
    948    Mitigation:
    949 	Implement BCP-38.
    950 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    951 	    or the NTP Public Services Project Download Page 
    952 	Properly monitor your ntpd instances, and auto-restart
    953 	    ntpd (without -g) if it stops running. 
    954    Credit:
    955 	This weakness was discovered by Cure53. 
    956 
    957 * NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
    958    Date Resolved: 21 Mar 2017
    959    References: Sec 3386
    960    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    961 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    962    CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
    963    CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
    964    Summary:
    965 	The NTP Mode 6 monitoring and control client, ntpq, uses the
    966 	function ntpq_stripquotes() to remove quotes and escape characters
    967 	from a given string.  According to the documentation, the function
    968 	is supposed to return the number of copied bytes but due to
    969 	incorrect pointer usage this value is always zero.  Although the
    970 	return value of this function is never used in the code, this
    971 	flaw could lead to a vulnerability in the future.  Since relying
    972 	on wrong return values when performing memory operations is a
    973 	dangerous practice, it is recommended to return the correct value
    974 	in accordance with the documentation pertinent to the code.
    975    Mitigation:
    976 	Implement BCP-38.
    977 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    978 	    or the NTP Public Services Project Download Page
    979 	Properly monitor your ntpd instances, and auto-restart
    980 	    ntpd (without -g) if it stops running. 
    981    Credit:
    982 	This weakness was discovered by Cure53. 
    983 
    984 * NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
    985    Date Resolved: 21 Mar 2017
    986    References: Sec 3385
    987    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    988 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    989    Summary:
    990 	NTP makes use of several wrappers around the standard heap memory
    991 	allocation functions that are provided by libc.  This is mainly
    992 	done to introduce additional safety checks concentrated on
    993 	several goals.  First, they seek to ensure that memory is not
    994 	accidentally freed, secondly they verify that a correct amount
    995 	is always allocated and, thirdly, that allocation failures are
    996 	correctly handled.  There is an additional implementation for
    997 	scenarios where memory for a specific amount of items of the
    998 	same size needs to be allocated.  The handling can be found in
    999 	the oreallocarray() function for which a further number-of-elements
   1000 	parameter needs to be provided.  Although no considerable threat
   1001 	was identified as tied to a lack of use of this function, it is
   1002 	recommended to correctly apply oreallocarray() as a preferred
   1003 	option across all of the locations where it is possible.
   1004    Mitigation:
   1005 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1006 	    or the NTP Public Services Project Download Page 
   1007    Credit:
   1008 	This weakness was discovered by Cure53. 
   1009 
   1010 * NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
   1011 	PPSAPI ONLY) (Low)
   1012    Date Resolved: 21 Mar 2017
   1013    References: Sec 3384 / CVE-2017-6455 / VU#325339
   1014    Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
   1015 	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
   1016 	including ntp-4.3.94.
   1017    CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   1018    CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1019    Summary:
   1020 	The Windows NT port has the added capability to preload DLLs
   1021 	defined in the inherited global local environment variable
   1022 	PPSAPI_DLLS.  The code contained within those libraries is then
   1023 	called from the NTPD service, usually running with elevated
   1024 	privileges. Depending on how securely the machine is set up and
   1025 	configured, if ntpd is configured to use the PPSAPI under Windows
   1026 	this can easily lead to a code injection.
   1027    Mitigation:
   1028 	Implement BCP-38.
   1029 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1030 	    or the NTP Public Services Project Download Page 
   1031    Credit:
   1032    This weakness was discovered by Cure53. 
   1033 
   1034 * NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
   1035 	installer ONLY) (Low)
   1036    Date Resolved: 21 Mar 2017
   1037    References: Sec 3383 / CVE-2017-6452 / VU#325339
   1038    Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
   1039 	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
   1040 	to, but not including ntp-4.3.94.
   1041    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1042    CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1043    Summary:
   1044 	The Windows installer for NTP calls strcat(), blindly appending
   1045 	the string passed to the stack buffer in the addSourceToRegistry()
   1046 	function.  The stack buffer is 70 bytes smaller than the buffer
   1047 	in the calling main() function.  Together with the initially
   1048 	copied Registry path, the combination causes a stack buffer
   1049 	overflow and effectively overwrites the stack frame.  The
   1050 	passed application path is actually limited to 256 bytes by the
   1051 	operating system, but this is not sufficient to assure that the
   1052 	affected stack buffer is consistently protected against
   1053 	overflowing at all times.
   1054    Mitigation:
   1055 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1056 	or the NTP Public Services Project Download Page 
   1057    Credit:
   1058 	This weakness was discovered by Cure53. 
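
   The following is an added example, not code from the NTP Windows
   installer: it shows the fit check that a bounded replacement for the
   blind strcat() in addSourceToRegistry() needs.  The buffer sizes, the
   registry prefix and the helper names are assumptions chosen for
   illustration; the advisory only states the 70-byte size difference and
   the 256-byte OS cap on the application path.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for illustration. The advisory only says
 * that the callee's stack buffer is 70 bytes smaller than main()'s and
 * that the OS caps the application path at 256 bytes. */
#define CALLER_BUF 326
#define REG_BUF    (CALLER_BUF - 70)   /* 256 bytes, same as the OS path cap */
#define REG_PREFIX "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\"

/* Build "<REG_PREFIX><app_path>" into out[outsz].
 * Returns 0 on success, -1 if the result (plus NUL) would not fit.
 * This explicit fit check is what the blind strcat() lacked. */
int build_registry_path(const char *app_path, char *out, size_t outsz)
{
    size_t plen = strlen(REG_PREFIX);
    size_t alen = strlen(app_path);

    if (outsz == 0 || plen > outsz - 1 || alen > outsz - 1 - plen)
        return -1;                      /* would overflow: refuse instead */

    memcpy(out, REG_PREFIX, plen);
    memcpy(out + plen, app_path, alen);
    out[plen + alen] = '\0';
    return 0;
}

/* 1 if app_path can be registered without overflowing the callee buffer. */
int path_fits(const char *app_path)
{
    char reg[REG_BUF];
    return build_registry_path(app_path, reg, sizeof reg) == 0;
}

/* Same check for a synthetic path of `len` 'A' characters (len < 1024):
 * shows that the OS's 256-byte cap alone does not protect the buffer,
 * because the prefix already consumes part of it. */
int path_of_length_fits(size_t len)
{
    static char path[1024];
    if (len >= sizeof path)
        return 0;
    memset(path, 'A', len);
    path[len] = '\0';
    return path_fits(path);
}

int main(void)
{
    printf("real-looking path fits: %d\n", path_fits("C:\\ntp\\bin\\ntpd.exe"));
    printf("200-byte path fits:     %d\n", path_of_length_fits(200));
    printf("256-byte path fits:     %d\n", path_of_length_fits(256));
    return 0;
}
```

   With a 55-byte prefix and a 256-byte target, anything above 200 bytes
   of path is rejected up front rather than overwriting the stack frame;
   the OS limit of 256 would have allowed 56 bytes too many.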
   1059 
   1060 * NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
   1061 	installer ONLY) (Low)
   1062    Date Resolved: 21 Mar 2017
   1063    References: Sec 3382 / CVE-2017-6459 / VU#325339
   1064    Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
   1065 	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
   1066 	up to, but not including ntp-4.3.94.
   1067    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1068    CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1069    Summary:
   1070 	The Windows installer for NTP calls strcpy() with an argument
   1071 	that specifically contains multiple null bytes.  strcpy() only
   1072 	copies a single terminating null character into the target
   1073 	buffer instead of copying the required double null bytes in the
   1074 	addKeysToRegistry() function.  As a consequence, a garbage
   1075 	registry entry can be created.  The additional arsize parameter
   1076 	is erroneously set to contain two null bytes and the following
   1077 	call to RegSetValueEx() claims to be passing in a multi-string
   1078 	value, though this may not be true.
   1079    Mitigation:
   1080 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1081 	    or the NTP Public Services Project Download Page 
   1082    Credit:
   1083 	This weakness was discovered by Cure53. 
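
   An added example (not the installer's code) of encoding a REG_MULTI_SZ
   value correctly: every string keeps its own NUL and the list ends in a
   second NUL, and the byte count handed to RegSetValueEx() is derived
   from what was actually written.  The item list and helper names are
   assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Serialise a list of strings as a REG_MULTI_SZ block: every string is
 * NUL-terminated and the whole list ends with one extra NUL. Returns the
 * byte count (cbData) that RegSetValueEx() must be handed, or 0 if the
 * output buffer is too small. Written for this note; not the installer's code. */
size_t build_multi_sz(const char *const *items, size_t n, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(items[i]) + 1;      /* this string plus its NUL */
        if (len > outsz - used - 1)             /* keep room for the list NUL */
            return 0;
        memcpy(out + used, items[i], len);      /* memcpy, not strcpy: we need the NUL */
        used += len;
    }
    out[used++] = '\0';                          /* list terminator */
    return used;
}

/* A REG_MULTI_SZ value of cb bytes must end in two NUL bytes. */
int is_valid_multi_sz(const char *buf, size_t cb)
{
    return cb >= 2 && buf[cb - 1] == '\0' && buf[cb - 2] == '\0';
}

/* Reproduces the installer's mistake: strcpy() stops at the first NUL, so
 * the second terminator never reaches the buffer, yet the caller claims a
 * size that covers it. Returns 1 if the resulting value is malformed. */
int strcpy_loses_terminator(void)
{
    char buf[16];
    memset(buf, 'X', sizeof buf);                /* whatever was on the stack */
    strcpy(buf, "ntpd\0");                       /* literal has two NULs; only one copied */
    size_t claimed = sizeof "ntpd\0";            /* 6: what RegSetValueEx() was told */
    return !is_valid_multi_sz(buf, claimed);
}

int main(void)
{
    char buf[64];
    const char *items[] = { "ntpd", "-g" };
    size_t cb = build_multi_sz(items, 2, buf, sizeof buf);
    printf("multi_sz bytes: %zu, valid: %d\n", cb, is_valid_multi_sz(buf, cb));
    printf("strcpy version malformed: %d\n", strcpy_loses_terminator());
    return 0;
}
```

   The sixth byte in the strcpy() case is whatever was already on the
   stack, which is exactly the garbage the advisory says ends up in the
   registry.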
   1084 
   1085 * NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
   1086    References: Sec 3381
   1087    Summary:
   1088 	The report says: Statically included external projects
   1089 	potentially introduce several problems and the issue of having
   1090 	extensive amounts of code that is "dead" in the resulting binary
   1091 	must clearly be pointed out.  The unnecessary unused code may or
   1092 	may not contain bugs and, quite possibly, might be leveraged for
   1093 	code-gadget-based branch-flow redirection exploits.  Analogically,
   1094 	having source trees statically included as well means a failure
   1095 	in taking advantage of the free feature for periodical updates.
   1096 	This solution is offered by the system's Package Manager. The
   1097 	three libraries identified are libisc, libevent, and libopts.
   1098    Resolution:
   1099 	For libisc, we already only use a portion of the original library.
   1100 	We've found and fixed bugs in the original implementation (and
   1101 	offered the patches to ISC), and plan to see what has changed
	since we last upgraded the code.  libisc is generally not
	installed, and when it is we usually only see the static libisc.a
	file installed.  Until we know for sure that the bugs we've found
	and fixed are fixed upstream, we're better off with the copy we
	are using.
   1107 
   1108         Version 1 of libevent was the only production version available
   1109 	until recently, and we've been requiring version 2 for a long time.
   1110 	But if the build system has at least version 2 of libevent
   1111 	installed, we'll use the version that is installed on the system.
   1112 	Otherwise, we provide a copy of libevent that we know works.
   1113 
   1114         libopts is provided by GNU AutoGen, and that library and package
   1115 	undergoes frequent API version updates.  The version of autogen
   1116 	used to generate the tables for the code must match the API
   1117 	version in libopts.  AutoGen can be ... difficult to build and
   1118 	install, and very few developers really need it.  So we have it
   1119 	on our build and development machines, and we provide the
   1120 	specific version of the libopts code in the distribution to make
   1121 	sure that the proper API version of libopts is available.
   1122 
        As for the point about there being code in these libraries that
	NTP doesn't use, OK.  But other packages use these libraries as
	well, and it is reasonable to assume that other people are paying
	attention to security and code quality issues for the overall
	libraries.  It takes significant resources to analyze and
	customize these libraries to only include what we need, and to
	date we believe the cost of this effort does not justify the benefit.
   1130    Credit:
   1131 	This issue was discovered by Cure53. 
   1132 
   1133 * NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
   1134    Date Resolved: 21 Mar 2017
   1135    References: Sec 3380
   1136    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   1137    	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1138    CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
   1139    CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
   1140    Summary:
   1141 	There is a fencepost error in a "recovery branch" of the code for
   1142 	the Oncore GPS receiver if the communication link to the ONCORE
   1143 	is weak / distorted and the decoding doesn't work.
   1144    Mitigation:
   1145         Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
   1146 	    the NTP Public Services Project Download Page
   1147         Properly monitor your ntpd instances, and auto-restart
   1148 	    ntpd (without -g) if it stops running. 
   1149    Credit:
   1150 	This weakness was discovered by Cure53. 
   1151 
   1152 * NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
   1153    Date Resolved: 21 Mar 2017
   1154    References: Sec 3379 / CVE-2017-6458 / VU#325339
   1155    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   1156 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1157    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   1158    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1159    Summary:
   1160 	ntpd makes use of different wrappers around ctl_putdata() to
   1161 	create name/value ntpq (mode 6) response strings.  For example,
   1162 	ctl_putstr() is usually used to send string data (variable names
   1163 	or string data).  The formatting code was missing a length check
   1164 	for variable names.  If somebody explicitly created any unusually
   1165 	long variable names in ntpd (longer than 200-512 bytes, depending
   1166 	on the type of variable), then if any of these variables are
   1167 	added to the response list it would overflow a buffer.
   1168    Mitigation:
   1169 	Implement BCP-38.
   1170 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1171 	    or the NTP Public Services Project Download Page
   1172 	If you don't want to upgrade, then don't setvar variable names
   1173 	    longer than 200-512 bytes in your ntp.conf file.
   1174 	Properly monitor your ntpd instances, and auto-restart
   1175 	    ntpd (without -g) if it stops running. 
   1176    Credit:
   1177 	This weakness was discovered by Cure53. 
   1178 
   1179 * NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
   1180    Date Resolved: 21 Mar 2017
   1181    References: Sec 3378 / CVE-2017-6451 / VU#325339
   1182    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   1183 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1184    CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
   1185    CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
   1186    Summary:
	The legacy MX4200 refclock is only built if it is specifically
	enabled, and furthermore additional code changes are required to
	compile and use it.  But it uses the libc functions snprintf()
   1190 	and vsnprintf() incorrectly, which can lead to an out-of-bounds
   1191 	memory write due to an improper handling of the return value of
   1192 	snprintf()/vsnprintf().  Since the return value is used as an
   1193 	iterator and it can be larger than the buffer's size, it is
   1194 	possible for the iterator to point somewhere outside of the
   1195 	allocated buffer space.  This results in an out-of-bound memory
   1196 	write.  This behavior can be leveraged to overwrite a saved
   1197 	instruction pointer on the stack and gain control over the
   1198 	execution flow.  During testing it was not possible to identify
   1199 	any malicious usage for this vulnerability.  Specifically, no
   1200 	way for an attacker to exploit this vulnerability was ultimately
   1201 	unveiled.  However, it has the potential to be exploited, so the
   1202 	code should be fixed.
   1203    Mitigation, if you have a Magnavox MX4200 refclock:
   1204 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1205 	    or the NTP Public Services Project Download Page.
   1206 	Properly monitor your ntpd instances, and auto-restart
   1207 	    ntpd (without -g) if it stops running. 
   1208    Credit:
   1209 	This weakness was discovered by Cure53. 
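
   An added example, not the MX4200 driver's code, of the snprintf()
   return-value mistake the advisory describes and of a bounded appender
   that avoids it.  snprintf()/vsnprintf() return the length they wanted
   to write, so using that value as the cursor lets the cursor leave the
   buffer; the helper below clamps it instead.  The strbuf type, the
   field format and the buffer sizes are assumptions for illustration.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* The pattern the advisory describes, in outline:
 *     pos += snprintf(buf + pos, size - pos, ...);
 * snprintf() returns the length it *wanted* to write, not what it wrote.
 * Once pos exceeds size, size - pos wraps (size_t) to a huge value and the
 * next call writes past the end of buf. Below is a bounded appender that
 * clamps the cursor instead. Written for this note; not the driver's code. */
typedef struct {
    char   *buf;
    size_t  size;      /* total capacity including the NUL */
    size_t  pos;       /* bytes written so far, always < size */
    int     truncated; /* set once an append did not fit */
} strbuf;

static int sb_appendf(strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (sb->size == 0 || sb->pos >= sb->size) {   /* nothing usable left */
        sb->truncated = 1;
        return -1;
    }
    va_start(ap, fmt);
    n = vsnprintf(sb->buf + sb->pos, sb->size - sb->pos, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                                /* encoding error, nothing written */
    if ((size_t)n >= sb->size - sb->pos) {        /* vsnprintf truncated the output */
        sb->pos = sb->size - 1;                   /* cursor parks on the NUL, in bounds */
        sb->truncated = 1;
        return -1;
    }
    sb->pos += (size_t)n;
    return 0;
}

/* Append nfields comma-separated fields into buf[size]. Returns the final
 * cursor (always < size) and reports truncation through *truncated. */
size_t fill_fields(char *buf, size_t size, int nfields, int *truncated)
{
    strbuf sb = { buf, size, 0, 0 };
    if (size)
        buf[0] = '\0';
    for (int i = 0; i < nfields; i++)
        sb_appendf(&sb, "field%d,", i);
    if (truncated)
        *truncated = sb.truncated;
    return sb.pos;
}

int main(void)
{
    char small[16], big[64];
    int tr;
    size_t n = fill_fields(small, sizeof small, 10, &tr);
    printf("%zu bytes, truncated=%d: \"%s\"\n", n, tr, small);
    n = fill_fields(big, sizeof big, 3, &tr);
    printf("%zu bytes, truncated=%d: \"%s\"\n", n, tr, big);
    return 0;
}
```

   With the naive pattern the 16-byte case would have advanced the cursor
   to 21 after the third field and the fourth vsnprintf() would receive a
   wrapped size and a pointer past the buffer; here the cursor stops at
   15 and the caller learns that output was dropped.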
   1210 
   1211 * NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
   1212 	malicious ntpd (Medium)
   1213    Date Resolved: 21 Mar 2017
   1214    References: Sec 3377 / CVE-2017-6460 / VU#325339
   1215    Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
   1216 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1217    CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   1218    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1219    Summary:
   1220 	A stack buffer overflow in ntpq can be triggered by a malicious
   1221 	ntpd server when ntpq requests the restriction list from the server.
   1222 	This is due to a missing length check in the reslist() function.
   1223 	It occurs whenever the function parses the server's response and
   1224 	encounters a flagstr variable of an excessive length.  The string
   1225 	will be copied into a fixed-size buffer, leading to an overflow on
   1226 	the function's stack-frame.  Note well that this problem requires
   1227 	a malicious server, and affects ntpq, not ntpd.
   1228    Mitigation:
   1229 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1230 	    or the NTP Public Services Project Download Page
	If you can't upgrade your version of ntpq, be aware that asking for
	    the reslist of an ntpd instance you do not control lets a
	    malicious server send back a response intended to crash your
	    ntpq process; only query servers you trust.
   1235    Credit:
   1236 	This weakness was discovered by Cure53. 
   1237 
   1238 * NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
   1239    Date Resolved: 21 Mar 2017
   1240    References: Sec 3376
   1241    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   1242 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1243    CVSS2: N/A
   1244    CVSS3: N/A
   1245    Summary:
   1246 	The build process for NTP has not, by default, provided compile
   1247 	or link flags to offer "hardened" security options.  Package
   1248 	maintainers have always been able to provide hardening security
   1249 	flags for their builds.  As of ntp-4.2.8p10, the NTP build
   1250 	system has a way to provide OS-specific hardening flags.  Please
   1251 	note that this is still not a really great solution because it
   1252 	is specific to NTP builds.  It's inefficient to have every
   1253 	package supply, track and maintain this information for every
   1254 	target build.  It would be much better if there was a common way
   1255 	for OSes to provide this information in a way that arbitrary
   1256 	packages could benefit from it.
   1257    Mitigation:
   1258 	Implement BCP-38.
   1259 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1260 	    or the NTP Public Services Project Download Page
   1261 	Properly monitor your ntpd instances, and auto-restart
   1262 	    ntpd (without -g) if it stops running. 
   1263    Credit:
   1264 	This weakness was reported by Cure53. 
   1265 
   1266 * 0rigin DoS (Medium)
   1267    Date Resolved: 21 Mar 2017
   1268    References: Sec 3361 / CVE-2016-9042 / VU#325339
   1269    Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
   1270    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
   1271    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
   1272    Summary:
   1273 	An exploitable denial of service vulnerability exists in the
   1274 	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
   1275 	crafted unauthenticated network packet can be used to reset the
   1276 	expected origin timestamp for target peers.  Legitimate replies
   1277 	from targeted peers will fail the origin timestamp check (TEST2)
   1278 	causing the reply to be dropped and creating a denial of service
   1279 	condition.  This vulnerability can only be exploited if the
   1280 	attacker can spoof all of the servers.
   1281    Mitigation:
   1282 	Implement BCP-38.
   1283 	Configure enough servers/peers that an attacker cannot target
   1284 	    all of your time sources.
   1285 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1286 	    or the NTP Public Services Project Download Page
   1287 	Properly monitor your ntpd instances, and auto-restart
   1288 	    ntpd (without -g) if it stops running. 
   1289    Credit:
   1290 	This weakness was discovered by Matthew Van Gundy of Cisco. 
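
   An added, deliberately simplified model of the origin-timestamp check
   (TEST2) and of the failure the advisory describes; this is not ntpd's
   code and ignores everything else ntpd does with a packet.  The peer
   and packet structures, the handler names and the timestamp values are
   assumptions for illustration.  The point it shows: a packet that fails
   TEST2 must be dropped without touching the expected-origin state,
   otherwise an unauthenticated spoofed packet makes the genuine reply
   fail the same check.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of ntpd's origin-timestamp check (TEST2), written for
 * this note; it is not ntpd's code. A client records the transmit
 * timestamp (xmt) of its last request and accepts a reply only if the
 * reply's origin field echoes it. */
typedef struct { uint64_t org, xmt; } ntp_pkt;       /* NTP 64-bit timestamps */
typedef struct { uint64_t expected_org; int replies_accepted; } peer;

void send_request(peer *p, uint64_t now)
{
    p->expected_org = now;                /* what a genuine reply must echo */
}

/* Vulnerable handling, as the advisory describes: a packet that fails
 * TEST2 still resets the expected origin, so the real reply then fails. */
int receive_vulnerable(peer *p, const ntp_pkt *pkt)
{
    int ok = (pkt->org == p->expected_org);
    p->expected_org = 0;                  /* unconditional reset: the bug */
    if (ok)
        p->replies_accepted++;
    return ok;
}

/* Fixed handling: an origin mismatch is dropped without touching state,
 * so a spoofed packet cannot invalidate the outstanding request. */
int receive_fixed(peer *p, const ntp_pkt *pkt)
{
    if (pkt->org != p->expected_org)
        return 0;                         /* TEST2 fail: drop, keep state */
    p->expected_org = 0;                  /* consumed by the genuine reply (no replay) */
    p->replies_accepted++;
    return 1;
}

/* Replay the scenario: request, spoofed packet, then the genuine reply.
 * Returns the number of genuine replies accepted (1 = healthy, 0 = DoS). */
int scenario(int (*handler)(peer *, const ntp_pkt *))
{
    peer p = { 0, 0 };
    uint64_t t = 0xE000000000000000ULL;   /* constructed xmt value */
    send_request(&p, t);
    ntp_pkt spoof = { .org = 0xDEADBEEF, .xmt = t + 1 };  /* wrong origin, unauthenticated */
    ntp_pkt real  = { .org = t,          .xmt = t + 2 };  /* echoes our xmt */
    handler(&p, &spoof);
    handler(&p, &real);
    return p.replies_accepted;
}

int main(void)
{
    return scenario(receive_vulnerable) == 0 && scenario(receive_fixed) == 1 ? 0 : 1;
}
```

   The model has one peer; the advisory's mitigation of configuring more
   sources than an attacker can spoof follows directly, since each peer
   keeps its own expected origin and the attacker has to hit all of them.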
   1291 
   1292 Other fixes:
   1293 
   1294 * [Bug 3393] clang scan-build findings <perlinger (a] ntp.org>
   1295 * [Bug 3363] Support for openssl-1.1.0 without compatibility modes
   1296   - rework of patch set from <ntp.org (a] eroen.eu>. <perlinger (a] ntp.org>
   1297 * [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger (a] ntp.org>
   1298 * [Bug 3216] libntp audio ioctl() args incorrectly cast to int
   1299   on 4.4BSD-Lite derived platforms <perlinger (a] ntp.org>
   1300   - original patch by Majdi S. Abbas
   1301 * [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger (a] ntp.org>
   1302 * [Bug 3173] forking async worker: interrupted pipe I/O <perlinger (a] ntp.org>
   1303   - initial patch by Christos Zoulas
   1304 * [Bug 3139] (...) time_pps_create: Exec format error <perlinger (a] ntp.org>
   1305   - move loader API from 'inline' to proper source
   1306   - augment pathless dlls with absolute path to NTPD
   1307   - use 'msyslog()' instead of 'printf() 'for reporting trouble
   1308 * [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger (a] ntp.org>
   1309   - applied patch by Matthew Van Gundy
   1310 * [Bug 3065] Quiet warnings on NetBSD <perlinger (a] ntp.org>
   1311   - applied some of the patches provided by Havard. Not all of them
   1312     still match the current code base, and I did not touch libopt.
   1313 * [Bug 3062] Change the process name of forked DNS worker <perlinger (a] ntp.org>
   1314   - applied patch by Reinhard Max. See bugzilla for limitations.
   1315 * [Bug 2923] Trap Configuration Fail <perlinger (a] ntp.org>
   1316   - fixed dependency inversion from [Bug 2837]
   1317 * [Bug 2896] Nothing happens if minsane < maxclock < minclock
   1318   - produce ERROR log message about dysfunctional daemon. <perlinger (a] ntp.org>
   1319 * [Bug 2851] allow -4/-6 on restrict line with mask <perlinger (a] ntp.org>
   1320   - applied patch by Miroslav Lichvar for ntp4.2.6 compat
* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger (a] ntp.org>
   1324 * Update copyright year.
   1325 
   1326 --
   1327 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn (a] ntp.org>
   1328 
   1329 * [Bug 3144] NTP does not build without openSSL. <perlinger (a] ntp.org>
   1330   - added missed changeset for automatic openssl lib detection
   1331   - fixed some minor warning issues
   1332 * [Bug 3095]  More compatibility with openssl 1.1. <perlinger (a] ntp.org>
   1333 * configure.ac cleanup.  stenn (a] ntp.org
   1334 * openssl configure cleanup.  stenn (a] ntp.org
   1335 
   1336 --
   1337 NTP 4.2.8p9 (Harlan Stenn <stenn (a] ntp.org>, 2016/11/21) 
   1338 
   1339 Focus: Security, Bug fixes, enhancements.
   1340 
   1341 Severity: HIGH
   1342 
   1343 In addition to bug fixes and enhancements, this release fixes the
   1344 following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
   1345 5 low-severity vulnerabilities, and provides 28 other non-security
   1346 fixes and improvements:
   1347 
   1348 * Trap crash
   1349    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1350    References: Sec 3119 / CVE-2016-9311 / VU#633847
   1351    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
   1352    	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
   1353    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
   1354    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
   1355    Summary: 
   1356 	ntpd does not enable trap service by default. If trap service
   1357 	has been explicitly enabled, an attacker can send a specially
   1358 	crafted packet to cause a null pointer dereference that will
   1359 	crash ntpd, resulting in a denial of service. 
   1360    Mitigation:
   1361         Implement BCP-38.
   1362 	Use "restrict default noquery ..." in your ntp.conf file. Only
   1363 	    allow mode 6 queries from trusted networks and hosts. 
   1364         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1365 	    or the NTP Public Services Project Download Page
   1366         Properly monitor your ntpd instances, and auto-restart ntpd
   1367 	    (without -g) if it stops running. 
   1368    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1369 
   1370 * Mode 6 information disclosure and DDoS vector
   1371    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1372    References: Sec 3118 / CVE-2016-9310 / VU#633847
   1373    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
   1374 	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
   1375    CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   1376    CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   1377    Summary: 
   1378 	An exploitable configuration modification vulnerability exists
   1379 	in the control mode (mode 6) functionality of ntpd. If, against
   1380 	long-standing BCP recommendations, "restrict default noquery ..."
   1381 	is not specified, a specially crafted control mode packet can set
   1382 	ntpd traps, providing information disclosure and DDoS
   1383 	amplification, and unset ntpd traps, disabling legitimate
   1384 	monitoring. A remote, unauthenticated, network attacker can
   1385 	trigger this vulnerability. 
   1386    Mitigation:
   1387         Implement BCP-38.
   1388 	Use "restrict default noquery ..." in your ntp.conf file.
   1389         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1390 	    or the NTP Public Services Project Download Page
   1391         Properly monitor your ntpd instances, and auto-restart ntpd
   1392 	    (without -g) if it stops running. 
   1393    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1394 
   1395 * Broadcast Mode Replay Prevention DoS
   1396    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1397    References: Sec 3114 / CVE-2016-7427 / VU#633847
   1398    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 
   1399 	ntp-4.3.90 up to, but not including ntp-4.3.94.
   1400    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   1401    CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   1402    Summary: 
   1403 	The broadcast mode of NTP is expected to only be used in a
   1404 	trusted network. If the broadcast network is accessible to an
   1405 	attacker, a potentially exploitable denial of service
   1406 	vulnerability in ntpd's broadcast mode replay prevention
   1407 	functionality can be abused. An attacker with access to the NTP
   1408 	broadcast domain can periodically inject specially crafted
   1409 	broadcast mode NTP packets into the broadcast domain which,
   1410 	while being logged by ntpd, can cause ntpd to reject broadcast
   1411 	mode packets from legitimate NTP broadcast servers. 
   1412    Mitigation:
   1413         Implement BCP-38.
   1414         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1415 	    or the NTP Public Services Project Download Page
   1416         Properly monitor your ntpd instances, and auto-restart ntpd
   1417 	    (without -g) if it stops running. 
   1418    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1419 
   1420 * Broadcast Mode Poll Interval Enforcement DoS
   1421    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1422    References: Sec 3113 / CVE-2016-7428 / VU#633847
   1423    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
   1424 	ntp-4.3.90 up to, but not including ntp-4.3.94
   1425    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   1426    CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   1427    Summary: 
   1428 	The broadcast mode of NTP is expected to only be used in a
   1429 	trusted network. If the broadcast network is accessible to an
   1430 	attacker, a potentially exploitable denial of service
   1431 	vulnerability in ntpd's broadcast mode poll interval enforcement
   1432 	functionality can be abused. To limit abuse, ntpd restricts the
   1433 	rate at which each broadcast association will process incoming
   1434 	packets. ntpd will reject broadcast mode packets that arrive
   1435 	before the poll interval specified in the preceding broadcast
   1436 	packet expires. An attacker with access to the NTP broadcast
   1437 	domain can send specially crafted broadcast mode NTP packets to
   1438 	the broadcast domain which, while being logged by ntpd, will
   1439 	cause ntpd to reject broadcast mode packets from legitimate NTP
   1440 	broadcast servers. 
   1441    Mitigation:
   1442         Implement BCP-38.
   1443         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1444 	    or the NTP Public Services Project Download Page
   1445         Properly monitor your ntpd instances, and auto-restart ntpd
   1446 	    (without -g) if it stops running. 
   1447    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1448 
   1449 * Windows: ntpd DoS by oversized UDP packet
   1450    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1451    References: Sec 3110 / CVE-2016-9312 / VU#633847
   1452    Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
   1453 	and ntp-4.3.0 up to, but not including ntp-4.3.94. 
   1454    CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   1455    CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   1456    Summary: 
   1457 	If a vulnerable instance of ntpd on Windows receives a crafted
   1458 	malicious packet that is "too big", ntpd will stop working. 
   1459    Mitigation:
   1460         Implement BCP-38.
   1461         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1462 	    or the NTP Public Services Project Download Page
   1463         Properly monitor your ntpd instances, and auto-restart ntpd
   1464 	    (without -g) if it stops running. 
   1465    Credit: This weakness was discovered by Robert Pajak of ABB.
   1466 
   1467 * 0rigin (zero origin) issues
   1468    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1469    References: Sec 3102 / CVE-2016-7431 / VU#633847
   1470    Affects: ntp-4.2.8p8, and ntp-4.3.93.
   1471    CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
   1472    CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
   1473    Summary: 
   1474 	Zero Origin timestamp problems were fixed by Bug 2945 in
   1475 	ntp-4.2.8p6. However, subsequent timestamp validation checks
   1476 	introduced a regression in the handling of some Zero origin
   1477 	timestamp checks.
   1478    Mitigation:
   1479         Implement BCP-38.
   1480         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1481 	    or the NTP Public Services Project Download Page
   1482         Properly monitor your ntpd instances, and auto-restart ntpd
   1483 	    (without -g) if it stops running. 
   1484    Credit: This weakness was discovered by Sharon Goldberg and Aanchal
   1485 	Malhotra of Boston University.
   1486 
   1487 * read_mru_list() does inadequate incoming packet checks
   1488    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1489    References: Sec 3082 / CVE-2016-7434 / VU#633847
   1490    Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
   1491 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1492    CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   1493    CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1494    Summary: 
   1495 	If ntpd is configured to allow mrulist query requests from a
   1496 	server that sends a crafted malicious packet, ntpd will crash
   1497 	on receipt of that crafted malicious mrulist query packet.
   1498    Mitigation:
   1499 	Only allow mrulist query packets from trusted hosts.
   1500         Implement BCP-38.
   1501         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1502 	    or the NTP Public Services Project Download Page
   1503         Properly monitor your ntpd instances, and auto-restart ntpd
   1504 	    (without -g) if it stops running. 
   1505    Credit: This weakness was discovered by Magnus Stubman.
   1506 
   1507 * Attack on interface selection
   1508    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1509    References: Sec 3072 / CVE-2016-7429 / VU#633847
   1510    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   1511 	ntp-4.3.0 up to, but not including ntp-4.3.94
   1512    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1513    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1514    Summary: 
   1515 	When ntpd receives a server response on a socket that corresponds
   1516 	to a different interface than was used for the request, the peer
   1517 	structure is updated to use the interface for new requests. If
   1518 	ntpd is running on a host with multiple interfaces in separate
   1519 	networks and the operating system doesn't check source address in
   1520 	received packets (e.g. rp_filter on Linux is set to 0), an
   1521 	attacker that knows the address of the source can send a packet
   1522 	with spoofed source address which will cause ntpd to select wrong
   1523 	interface for the source and prevent it from sending new requests
   1524 	until the list of interfaces is refreshed, which happens on
   1525 	routing changes or every 5 minutes by default. If the attack is
   1526 	repeated often enough (once per second), ntpd will not be able to
   1527 	synchronize with the source.
   1528    Mitigation:
   1529         Implement BCP-38.
   1530         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1531 	    or the NTP Public Services Project Download Page
   1532 	If you are going to configure your OS to disable source address
   1533 	    checks, also configure your firewall configuration to control
   1534 	    what interfaces can receive packets from what networks.
   1535         Properly monitor your ntpd instances, and auto-restart ntpd
   1536 	    (without -g) if it stops running. 
   1537    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   1538 
   1539 * Client rate limiting and server responses
   1540    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1541    References: Sec 3071 / CVE-2016-7426 / VU#633847
   1542    Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
   1543 	ntp-4.3.0 up to, but not including ntp-4.3.94
   1544    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1545    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1546    Summary: 
   1547 	When ntpd is configured with rate limiting for all associations
   1548 	(restrict default limited in ntp.conf), the limits are applied
   1549 	also to responses received from its configured sources. An
   1550 	attacker who knows the sources (e.g., from an IPv4 refid in
   1551 	server response) and knows the system is (mis)configured in this
   1552 	way can periodically send packets with spoofed source address to
   1553 	keep the rate limiting activated and prevent ntpd from accepting
   1554 	valid responses from its sources. 
   1555 
   1556 	While this blanket rate limiting can be useful to prevent
   1557 	brute-force attacks on the origin timestamp, it allows this DoS
   1558 	attack. Similarly, it allows the attacker to prevent mobilization
   1559 	of ephemeral associations.  
   1560    Mitigation:
   1561         Implement BCP-38.
   1562         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1563 	    or the NTP Public Services Project Download Page
   1564         Properly monitor your ntpd instances, and auto-restart ntpd
   1565 	    (without -g) if it stops running. 
   1566    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
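
   An added ntp.conf fragment, not from the NTP distribution, tying
   together the restrict advice from the Trap crash, Mode 6 and client
   rate limiting entries above: deny queries and traps by default, then
   re-open only what is needed.  The monitoring address is a placeholder
   from the documentation range, and the use of "restrict source" to keep
   "limited" off configured time sources is an assumption about how that
   template is applied.

```conf
# Weak: no default restriction, or blanket rate limiting that also
# throttles replies from the servers this host itself polls.
#restrict default limited

# Hardened default: no mode 6/7 queries, no traps, no runtime config
# changes, no symmetric-peer mobilisation; rate-limit with KoD replies.
restrict default kod nomodify notrap nopeer noquery limited

# Assumption: "restrict source" is the template applied to each configured
# server/peer instead of the default, so leaving out "limited" keeps their
# replies from being rate-limited (the misconfiguration in CVE-2016-7426).
restrict source nomodify notrap noquery

# Local host and one monitoring station may query (ntpq), but not modify
# or set traps.  192.0.2.10 is a placeholder address.
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 nomodify notrap

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
```

   Verify from an untrusted host that "ntpq -c rv <server>" times out
   rather than answering; from the monitoring host it should still work.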
   1567 
   1568 * Fix for bug 2085 broke initial sync calculations 
   1569    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1570    References: Sec 3067 / CVE-2016-7433 / VU#633847
   1571    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   1572 	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
   1573 	root-distance calculation in general is incorrect in all versions
   1574 	of ntp-4 until this release. 
   1575    CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
   1576    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
   1577    Summary: 
   1578 	Bug 2085 described a condition where the root delay was included
   1579 	twice, causing the jitter value to be higher than expected. Due
   1580 	to a misinterpretation of a small-print variable in The Book, the
   1581 	fix for this problem was incorrect, resulting in a root distance
   1582 	that did not include the peer dispersion. The calculations and
   1583 	formulae have been reviewed and reconciled, and the code has been
   1584 	updated accordingly. 
   1585    Mitigation:
   1586         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1587 	    or the NTP Public Services Project Download Page
   1588         Properly monitor your ntpd instances, and auto-restart ntpd
   1589 	    (without -g) if it stops running. 
   1590    Credit: This weakness was discovered independently by Brian Utterback of
   1591 	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University. 
   1592 
   1593 Other fixes:
   1594 
   1595 * [Bug 3142] bug in netmask prefix length detection <perlinger (a] ntp.org>
   1596 * [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn (a] ntp.org
   1597 * [Bug 3129] Unknown hosts can put resolver thread into a hard loop
   1598   - moved retry decision where it belongs. <perlinger (a] ntp.org>
   1599 * [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
   1600   using the loopback-ppsapi-provider.dll <perlinger (a] ntp.org>
   1601 * [Bug 3116] unit tests for NTP time stamp expansion. <perlinger (a] ntp.org>
   1602 * [Bug 3100] ntpq can't retrieve daemon_version <perlinger (a] ntp.org>
   1603   - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
   1604 * [Bug 3095] Compatibility with openssl 1.1 <perlinger (a] ntp.org>
   1605   - applied patches by Kurt Roeckx <kurt (a] roeckx.be> to source
   1606   - added shim layer for SSL API calls with issues (both directions)
   1607 * [Bug 3089] Serial Parser does not work anymore for hopfser like device
   1608   - simplified / refactored hex-decoding in driver. <perlinger (a] ntp.org>
   1609 * [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
   1610 * [Bug 3068] Linker warnings when building on Solaris. perlinger (a] ntp.org
   1611   - applied patch thanks to Andrew Stormont <andyjstormont (a] gmail.com>
   1612 * [Bug 3067] Root distance calculation needs improvement.  HStenn
   1613 * [Bug 3066] NMEA clock ignores pps. perlinger (a] ntp.org
   1614   - PPS-HACK works again.
   1615 * [Bug 3059] Potential buffer overrun from oversized hash <perlinger (a] ntp.org>
   1616   - applied patch by Brian Utterback <brian.utterback (a] oracle.com>
   1617 * [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
   1618 * [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
   1619   <perlinger (a] ntp.org>
   1620   - patches by Reinhard Max <max (a] suse.com> and Havard Eidnes <he (a] uninett.no>
   1621 * [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe (a] ntp.org
   1622   - Patch provided by Kuramatsu.
   1623 * [Bug 3021] unity_fixture.c needs pragma weak <perlinger (a] ntp.org>
   1624   - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
   1625 * [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
   1626 * [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
   1627 * [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
   1628 * [Bug 2959] refclock_jupiter: gps week correction <perlinger (a] ntp.org>
   1629   - fixed GPS week expansion to work based on build date. Special thanks
   1630     to Craig Leres for initial patch and testing.
   1631 * [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
   1632   - fixed Makefile.am <perlinger (a] ntp.org>
   1633 * [Bug 2689] ATOM driver processes last PPS pulse at startup,
   1634              even if it is very old <perlinger (a] ntp.org>
   1635   - make sure PPS source is alive before processing samples
   1636   - improve stability close to the 500ms phase jump (phase gate)
   1637 * Fix typos in include/ntp.h.
   1638 * Shim X509_get_signature_nid() if needed
   1639 * git author attribution cleanup
   1640 * bk ignore file cleanup
   1641 * remove locks in Windows IO, use rpc-like thread synchronisation instead
   1642 
   1643 ---
   1644 NTP 4.2.8p8 (Harlan Stenn <stenn (a] ntp.org>, 2016/06/02) 
   1645 
   1646 Focus: Security, Bug fixes, enhancements.
   1647 
   1648 Severity: HIGH
   1649 
   1650 In addition to bug fixes and enhancements, this release fixes the
   1651 following 1 high- and 4 low-severity vulnerabilities:
   1652 
   1653 * CRYPTO_NAK crash
   1654    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1655    References: Sec 3046 / CVE-2016-4957 / VU#321640
   1656    Affects: ntp-4.2.8p7, and ntp-4.3.92.
   1657    CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   1658    CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   1659    Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
   1660 	could cause ntpd to crash.
   1661    Mitigation:
   1662         Implement BCP-38.
   1663         Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1664 	    or the NTP Public Services Project Download Page
   1665         If you cannot upgrade from 4.2.8p7, the only other alternatives
   1666 	    are to patch your code or filter CRYPTO_NAK packets.
   1667         Properly monitor your ntpd instances, and auto-restart ntpd
   1668 	    (without -g) if it stops running. 
   1669    Credit: This weakness was discovered by Nicolas Edet of Cisco. 
   1670 
   1671 * Bad authentication demobilizes ephemeral associations
   1672    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1673    References: Sec 3045 / CVE-2016-4953 / VU#321640
   1674    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1675 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1676    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1677    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1678    Summary: An attacker who knows the origin timestamp and can send a
   1679 	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
   1680 	target before any other response is sent can demobilize that
   1681 	association.
   1682    Mitigation:
   1683 	Implement BCP-38.
   1684 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1685 	    or the NTP Public Services Project Download Page
   1686 	Properly monitor your ntpd instances. 
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   1688 
   1689 * Processing spoofed server packets
   1690    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1691    References: Sec 3044 / CVE-2016-4954 / VU#321640
   1692    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1693 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1694    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1695    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1696    Summary: An attacker who is able to spoof packets with correct origin
   1697 	timestamps from enough servers before the expected response
   1698 	packets arrive at the target machine can affect some peer
   1699 	variables and, for example, cause a false leap indication to be set.
   1700    Mitigation:
   1701 	Implement BCP-38.
   1702 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1703 	    or the NTP Public Services Project Download Page
   1704 	Properly monitor your ntpd instances. 
   1705    Credit: This weakness was discovered by Jakub Prokes of Red Hat. 
   1706 
   1707 * Autokey association reset
   1708    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1709    References: Sec 3043 / CVE-2016-4955 / VU#321640
   1710    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1711 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1712    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1713    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1714    Summary: An attacker who is able to spoof a packet with a correct
   1715 	origin timestamp before the expected response packet arrives at
   1716 	the target machine can send a CRYPTO_NAK or a bad MAC and cause
   1717 	the association's peer variables to be cleared. If this can be
   1718 	done often enough, it will prevent that association from working.
   1719    Mitigation:
   1720 	Implement BCP-38.
   1721 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1722 	    or the NTP Public Services Project Download Page
   1723 	Properly monitor your ntpd instances. 
   1724    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   1725  
   1726 * Broadcast interleave
   1727    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1728    References: Sec 3042 / CVE-2016-4956 / VU#321640
   1729    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1730    	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1731    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1732    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1733    Summary: The fix for NtpBug2978 does not cover broadcast associations,
   1734    	so broadcast clients can be triggered to flip into interleave mode.
   1735    Mitigation:
   1736 	Implement BCP-38.
   1737 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1738 	    or the NTP Public Services Project Download Page
   1739 	Properly monitor your ntpd instances. 
   1740    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   1741 
   1742 Other fixes:
   1743 * [Bug 3038] NTP fails to build in VS2015. perlinger (a] ntp.org
   1744   - provide build environment
   1745   - 'wint_t' and 'struct timespec' defined by VS2015
   1746   - fixed print()/scanf() format issues
   1747 * [Bug 3052] Add a .gitignore file.  Edmund Wong.
   1748 * [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
   1749 * [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
   1750   JPerlinger, HStenn.
   1751 * Fix typo in ntp-wait and plot_summary.  HStenn.
   1752 * Make sure we have an "author" file for git imports.  HStenn.
   1753 * Update the sntp problem tests for MacOS.  HStenn.
   1754 
   1755 ---
   1756 NTP 4.2.8p7 (Harlan Stenn <stenn (a] ntp.org>, 2016/04/26) 
   1757 
   1758 Focus: Security, Bug fixes, enhancements.
   1759 
   1760 Severity: MEDIUM
   1761 
   1762 When building NTP from source, there is a new configure option
   1763 available, --enable-dynamic-interleave.  More information on this below.
   1764 
Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp.  These events have almost certainly happened in the
past; they were simply counted silently and not logged.  With the
increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior.  This increased
logging can also help detect other problems.
   1771 
   1772 In addition to bug fixes and enhancements, this release fixes the
   1773 following 9 low- and medium-severity vulnerabilities:
   1774 
   1775 * Improve NTP security against buffer comparison timing attacks,
   1776   AKA: authdecrypt-timing
   1777    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1778    References: Sec 2879 / CVE-2016-1550
   1779    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1780 	4.3.0 up to, but not including 4.3.92
   1781    CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
   1782    CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   1783    Summary: Packet authentication tests have been performed using
   1784 	memcmp() or possibly bcmp(), and it is potentially possible
   1785 	for a local or perhaps LAN-based attacker to send a packet with
   1786 	an authentication payload and indirectly observe how much of
   1787 	the digest has matched.
   1788    Mitigation:
   1789 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1790 	    or the NTP Public Services Project Download Page.
   1791 	Properly monitor your ntpd instances.
   1792    Credit: This weakness was discovered independently by Loganaden
   1793    	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
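The comparison pattern this entry describes, as an added example (not code from ntpd): a MAC check done with memcmp(), which may return at the first differing byte and so lets its running time depend on how long the matching prefix is, beside a constant-time comparison whose running time depends only on the length. The sample digests are constructed; DIGEST_LEN is the MD5 digest size used for NTP symmetric-key MACs.

```c
/* Added example, not code from ntpd: early-exit MAC comparison beside a
 * constant-time one. Sample digests below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIGEST_LEN 16   /* MD5 digest length, the MAC size in NTP symmetric-key auth */

/* The pattern the advisory warns about: memcmp() may stop at the first
 * mismatching byte, so timing reveals the length of the matching prefix. */
int mac_equal_memcmp(const uint8_t *expected, const uint8_t *received, size_t len)
{
    return memcmp(expected, received, len) == 0;
}

/* Constant-time comparison: accumulate the XOR of every byte pair and only
 * reduce to 0/1 at the end, with no data-dependent branch or early exit. */
int mac_equal_ct(const uint8_t *expected, const uint8_t *received, size_t len)
{
    uint32_t diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= (uint32_t)(expected[i] ^ received[i]);
    /* diff is in 0..255; (diff - 1) has its top bit set only when diff == 0 */
    return (int)(((diff - 1U) >> 31) & 1U);
}

/* Verify a received MAC: the length is not secret, so it is checked first;
 * the digest bytes are then compared in constant time. Returns 1 on match. */
int verify_mac(const uint8_t *expected, size_t expected_len,
               const uint8_t *received, size_t received_len)
{
    if (expected_len != received_len)
        return 0;
    return mac_equal_ct(expected, received, expected_len);
}

/* Constructed sample digests: a reference value, one differing only in the
 * last byte, and one differing in the first byte. */
const uint8_t SAMPLE_MAC[DIGEST_LEN] = {
    0x9e, 0x10, 0x7d, 0x9d, 0x37, 0x2b, 0xb6, 0x82,
    0x6b, 0xd8, 0x1d, 0x35, 0x42, 0xa4, 0x19, 0xd6 };
const uint8_t SAMPLE_MAC_LAST_DIFF[DIGEST_LEN] = {
    0x9e, 0x10, 0x7d, 0x9d, 0x37, 0x2b, 0xb6, 0x82,
    0x6b, 0xd8, 0x1d, 0x35, 0x42, 0xa4, 0x19, 0xd7 };
const uint8_t SAMPLE_MAC_FIRST_DIFF[DIGEST_LEN] = {
    0x9f, 0x10, 0x7d, 0x9d, 0x37, 0x2b, 0xb6, 0x82,
    0x6b, 0xd8, 0x1d, 0x35, 0x42, 0xa4, 0x19, 0xd6 };
```

Both functions agree on every input; the difference is that mac_equal_ct() does the same amount of work whether the mismatch is in the first byte or the last, which is the property the fix for Sec 2879 is after.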
   1794 
   1795 * Zero origin timestamp bypass: Additional KoD checks.
   1796    References: Sec 2945 / Sec 2901 / CVE-2015-8138
   1797    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.
   1799 
   1800 * peer associations were broken by the fix for NtpBug2899
   1801    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1802    References: Sec 2952 / CVE-2015-7704
   1803    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1804    	4.3.0 up to, but not including 4.3.92
   1805    CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   1806    Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
   1807    	associations did not address all of the issues.
   1808    Mitigation:
   1809         Implement BCP-38.
   1810         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1811 	    or the NTP Public Services Project Download Page
   1812         If you can't upgrade, use "server" associations instead of
   1813 	    "peer" associations.
   1814         Monitor your ntpd instances. 
   1815    Credit: This problem was discovered by Michael Tatarinov.
   1816 
   1817 * Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
   1818    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1819    References: Sec 3007 / CVE-2016-1547 / VU#718152
   1820    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1821 	4.3.0 up to, but not including 4.3.92
   1822    CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   1823    CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1824    Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
   1825 	off-path attacker can cause a preemptable client association to
   1826 	be demobilized by sending a crypto NAK packet to a victim client
   1827 	with a spoofed source address of an existing associated peer.
   1828 	This is true even if authentication is enabled.
   1829 
   1830 	Furthermore, if the attacker keeps sending crypto NAK packets,
   1831 	for example one every second, the victim never has a chance to
   1832 	reestablish the association and synchronize time with that
   1833 	legitimate server.
   1834 
   1835 	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
   1836 	stringent checks are performed on incoming packets, but there
   1837 	are still ways to exploit this vulnerability in versions before
   1838 	ntp-4.2.8p7.
   1839    Mitigation:
   1840 	Implement BCP-38.
   1841 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1842 	    or the NTP Public Services Project Download Page
   1843 	Properly monitor your ntpd instances
   1844    Credit: This weakness was discovered by Stephen Gray and
   1845    	Matthew Van Gundy of Cisco ASIG.
   1846 
   1847 * ctl_getitem() return value not always checked
   1848    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1849    References: Sec 3008 / CVE-2016-2519
   1850    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1851 	4.3.0 up to, but not including 4.3.92
   1852    CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   1853    CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1854    Summary: ntpq and ntpdc can be used to store and retrieve information
   1855    	in ntpd. It is possible to store a data value that is larger
   1856 	than the size of the buffer that the ctl_getitem() function of
   1857 	ntpd uses to report the return value. If the length of the
   1858 	requested data value returned by ctl_getitem() is too large,
   1859 	the value NULL is returned instead. There are 2 cases where the
   1860 	return value from ctl_getitem() was not directly checked to make
   1861 	sure it's not NULL, but there are subsequent INSIST() checks
   1862 	that make sure the return value is not NULL. There are no data
   1863 	values ordinarily stored in ntpd that would exceed this buffer
   1864 	length. But if one has permission to store values and one stores
   1865 	a value that is "too large", then ntpd will abort if an attempt
   1866 	is made to read that oversized value.
   1867     Mitigation:
   1868         Implement BCP-38.
   1869         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1870 	    or the NTP Public Services Project Download Page
   1871         Properly monitor your ntpd instances.
   1872     Credit: This weakness was discovered by Yihan Lian of the Cloud
   1873     	Security Team, Qihoo 360. 
   1874 
   1875 * Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC 
   1876    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1877    References: Sec 3009 / CVE-2016-2518 / VU#718152
   1878    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1879 	4.3.0 up to, but not including 4.3.92
   1880    CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
   1881    CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1882    Summary: Using a crafted packet to create a peer association with
   1883    	hmode > 7 causes the MATCH_ASSOC() lookup to make an
   1884 	out-of-bounds reference.
   1885    Mitigation:
   1886 	Implement BCP-38.
   1887 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1888 	    or the NTP Public Services Project Download Page
   1889 	Properly monitor your ntpd instances
   1890    Credit: This weakness was discovered by Yihan Lian of the Cloud
   1891    	Security Team, Qihoo 360.
   1892 
   1893 * remote configuration trustedkey/requestkey/controlkey values are not
   1894 	properly validated
   1895    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1896    References: Sec 3010 / CVE-2016-2517 / VU#718152
   1897    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1898 	4.3.0 up to, but not including 4.3.92
   1899    CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   1900    CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1901    Summary: If ntpd was expressly configured to allow for remote
   1902    	configuration, a malicious user who knows the controlkey for
   1903 	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
   1904 	can create a session with ntpd and then send a crafted packet to
   1905 	ntpd that will change the value of the trustedkey, controlkey,
   1906 	or requestkey to a value that will prevent any subsequent
   1907 	authentication with ntpd until ntpd is restarted.
   1908    Mitigation:
   1909 	Implement BCP-38.
   1910 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1911 	    or the NTP Public Services Project Download Page
   1912 	Properly monitor your ntpd instances
   1913    Credit: This weakness was discovered by Yihan Lian of the Cloud
   1914    	Security Team, Qihoo 360.
   1915 
   1916 * Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
   1917    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1918    References: Sec 3011 / CVE-2016-2516 / VU#718152
   1919    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1920    	4.3.0 up to, but not including 4.3.92
   1921    CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
   1922    CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1923    Summary: If ntpd was expressly configured to allow for remote
   1924    	configuration, a malicious user who knows the controlkey for
   1925 	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
   1926 	can create a session with ntpd and if an existing association is
   1927 	unconfigured using the same IP twice on the unconfig directive
   1928 	line, ntpd will abort.
   1929    Mitigation:
   1930 	Implement BCP-38.
   1931 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1932 	    or the NTP Public Services Project Download Page
   1933 	Properly monitor your ntpd instances
   1934    Credit: This weakness was discovered by Yihan Lian of the Cloud
   1935    	Security Team, Qihoo 360.
   1936 
   1937 * Refclock impersonation vulnerability
   1938    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1939    References: Sec 3020 / CVE-2016-1551
   1940    Affects: On a very limited number of OSes, all NTP releases up to but
   1941 	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
   1942 	By "very limited number of OSes" we mean no general-purpose OSes
   1943 	have yet been identified that have this vulnerability.
   1944    CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
   1945    CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
   1946    Summary: While most OSes implement martian packet filtering in their
   1947    	network stack, at least regarding 127.0.0.0/8, some will allow
   1948 	packets claiming to be from 127.0.0.0/8 that arrive over a
   1949 	physical network. On these OSes, if ntpd is configured to use a
   1950 	reference clock an attacker can inject packets over the network
   1951 	that look like they are coming from that reference clock.
   1952    Mitigation:
   1953         Implement martian packet filtering and BCP-38.
   1954         Configure ntpd to use an adequate number of time sources.
   1955         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1956 	    or the NTP Public Services Project Download Page
   1957         If you are unable to upgrade and if you are running an OS that
   1958 	    has this vulnerability, implement martian packet filters and
   1959 	    lobby your OS vendor to fix this problem, or run your
   1960 	    refclocks on computers that use OSes that are not vulnerable
   1961 	    to these attacks and have your vulnerable machines get their
   1962 	    time from protected resources.
   1963         Properly monitor your ntpd instances.
   1964    Credit: This weakness was discovered by Matt Street and others of
   1965    	Cisco ASIG. 
   1966 
   1967 The following issues were fixed in earlier releases and contain
   1968 improvements in 4.2.8p7:
   1969 
   1970 * Clients that receive a KoD should validate the origin timestamp field.
   1971    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   1972    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   1973    Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
   1974 
   1975 * Skeleton key: passive server with trusted key can serve time.
   1976    References: Sec 2936 / CVE-2015-7974
   1977    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.
   1979 
   1980 Two other vulnerabilities have been reported, and the mitigations
   1981 for these are as follows:
   1982 
   1983 * Interleave-pivot
   1984    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1985    References: Sec 2978 / CVE-2016-1548
   1986    Affects: All ntp-4 releases.
   1987    CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   1988    CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
   1989    Summary: It is possible to change the time of an ntpd client or deny
   1990    	service to an ntpd client by forcing it to change from basic
   1991 	client/server mode to interleaved symmetric mode. An attacker
   1992 	can spoof a packet from a legitimate ntpd server with an origin
   1993 	timestamp that matches the peer->dst timestamp recorded for that
   1994 	server. After making this switch, the client will reject all
   1995 	future legitimate server responses. It is possible to force the
   1996 	victim client to move time after the mode has been changed.
   1997 	ntpq gives no indication that the mode has been switched.
   1998    Mitigation:
   1999         Implement BCP-38.
   2000         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   2001 	    or the NTP Public Services Project Download Page.  These
   2002 	    versions will not dynamically "flip" into interleave mode
   2003 	    unless configured to do so.
   2004         Properly monitor your ntpd instances.
   2005    Credit: This weakness was discovered by Miroslav Lichvar of RedHat
   2006    	and separately by Jonathan Gardner of Cisco ASIG.
   2007 
   2008 * Sybil vulnerability: ephemeral association attack
   2009    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   2010    References: Sec 3012 / CVE-2016-1549
   2011    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   2012    	4.3.0 up to, but not including 4.3.92
   2013    CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   2015    Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
   2016    	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
   2017 	field in the ntp.keys file to specify which IPs can serve time,
   2018 	a malicious authenticated peer can create arbitrarily-many
   2019 	ephemeral associations in order to win the clock selection of
   2020 	ntpd and modify a victim's clock.
   2021    Mitigation:
   2022         Implement BCP-38.
   2023         Use the 4th field in the ntp.keys file to specify which IPs
   2024 	    can be time servers.
   2025         Properly monitor your ntpd instances.
   2026    Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
   2027 
   2028 Other fixes:
   2029 
   2030 * [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger (a] ntp.org
   2031   - fixed yet another race condition in the threaded resolver code.
   2032 * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
   2033 * [Bug 2879] Improve NTP security against timing attacks. perlinger (a] ntp.org
   2034   - integrated patches by Loganaden Velvidron <logan (a] ntp.org>
   2035     with some modifications & unit tests
   2036 * [Bug 2960] async name resolution fixes for chroot() environments.
   2037   Reinhard Max.
   2038 * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger (a] ntp.org
   2039 * [Bug 2995] Fixes to compile on Windows
   2040 * [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger (a] ntp.org
   2041 * [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger (a] ntp.org
   2042   - Patch provided by Ch. Weisgerber
   2043 * [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
   2044   - A change related to [Bug 2853] forbids trailing white space in
   2045     remote config commands. perlinger (a] ntp.org
   2046 * [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
   2047   - report and patch from Aleksandr Kostikov.
   2048   - Overhaul of Windows IO completion port handling. perlinger (a] ntp.org
   2049 * [Bug 3022] authkeys.c should be refactored. perlinger (a] ntp.org
   2050   - fixed memory leak in access list (auth[read]keys.c)
   2051   - refactored handling of key access lists (auth[read]keys.c)
   2052   - reduced number of error branches (authreadkeys.c)
   2053 * [Bug 3023] ntpdate cannot correct dates in the future. perlinger (a] ntp.org
   2054 * [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
   2056              when the time of server changed. perlinger (a] ntp.org
   2057   - Check the initial delay calculation and reject/unpeer the broadcast
   2058     server if the delay exceeds 50ms. Retry again after the next
   2059     broadcast packet.
   2060 * [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
   2061 * Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
   2062 * Update html/xleave.html documentation.  Harlan Stenn.
   2063 * Update ntp.conf documentation.  Harlan Stenn.
   2064 * Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
   2065 * Fix typo in html/monopt.html.  Harlan Stenn.
   2066 * Add README.pullrequests.  Harlan Stenn.
   2067 * Cleanup to include/ntp.h.  Harlan Stenn.
   2068 
   2069 New option to 'configure':
   2070 
While looking into the issues around Bug 2978, the "interleave pivot"
   2072 issue, it became clear that there are some intricate and unresolved
   2073 issues with interleave operations.  We also realized that the interleave
   2074 protocol was never added to the NTPv4 Standard, and it should have been.
   2075 
   2076 Interleave mode was first released in July of 2008, and can be engaged
   2077 in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
   2079 for that association.  Additionally, if a time packet arrives and is
   2080 found inconsistent with normal protocol behavior but has certain
   2081 characteristics that are compatible with interleave mode, NTP will
   2082 dynamically switch to interleave mode.  With sufficient knowledge, an
   2083 attacker can send a crafted forged packet to an NTP instance that
   2084 triggers only one side to enter interleaved mode.
   2085 
   2086 To prevent this attack until we can thoroughly document, describe,
   2087 fix, and test the dynamic interleave mode, we've added a new
   2088 'configure' option to the build process:
   2089 
   2090  --enable-dynamic-interleave
   2091 
   2092 This option controls whether or not NTP will, if conditions are right,
   2093 engage dynamic interleave mode.  Dynamic interleave mode is disabled by
   2094 default in ntp-4.2.8p7.
   2095 
   2096 ---
   2097 NTP 4.2.8p6 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/20) 
   2098 
   2099 Focus: Security, Bug fixes, enhancements.
   2100 
   2101 Severity: MEDIUM
   2102 
   2103 In addition to bug fixes and enhancements, this release fixes the
   2104 following 1 low- and 8 medium-severity vulnerabilities:
   2105 
   2106 * Potential Infinite Loop in 'ntpq'
   2107    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   2108    References: Sec 2548 / CVE-2015-8158
   2109    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   2110 	4.3.0 up to, but not including 4.3.90
   2111    CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   2112    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   2113    Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
   2114 	The loop's only stopping conditions are receiving a complete and
   2115 	correct response or hitting a small number of error conditions.
   2116 	If the packet contains incorrect values that don't trigger one of
   2117 	the error conditions, the loop continues to receive new packets.
   2118 	Note well, this is an attack against an instance of 'ntpq', not
   2119 	'ntpd', and this attack requires the attacker to do one of the
   2120 	following:
   2121 	* Own a malicious NTP server that the client trusts
   2122 	* Prevent a legitimate NTP server from sending packets to
   2123 	    the 'ntpq' client
   2124 	* MITM the 'ntpq' communications between the 'ntpq' client
   2125 	    and the NTP server
   2126    Mitigation:
   2127 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   2128 	or the NTP Public Services Project Download Page
   2129    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
   2130 
   2131 * 0rigin: Zero Origin Timestamp Bypass
   2132    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   2133    References: Sec 2945 / CVE-2015-8138
   2134    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   2135 	4.3.0 up to, but not including 4.3.90
   2136    CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
   2137    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   2138 	(3.7 - LOW if you score AC:L)
   2139    Summary: To distinguish legitimate peer responses from forgeries, a
   2140 	client attempts to verify a response packet by ensuring that the
   2141 	origin timestamp in the packet matches the origin timestamp it
   2142 	transmitted in its last request.  A logic error exists that
   2143 	allows packets with an origin timestamp of zero to bypass this
   2144 	check whenever there is not an outstanding request to the server.
   2145    Mitigation:
   2146 	Configure 'ntpd' to get time from multiple sources.
   2147 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   2148 	    or the NTP Public Services Project Download Page.
   2149 	Monitor your 'ntpd' instances.
   Credit: This weakness was discovered by Matthew Van Gundy and
   2151 	Jonathan Gardner of Cisco ASIG.
   2152 
* Stack exhaustion in recursive traversal of restriction list
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
   References: Sec 2940 / CVE-2015-7978
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   Summary: An unauthenticated 'ntpdc reslist' command can cause a
	segmentation fault in ntpd by exhausting the call stack.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
	    If you must enable mode 7:
		configure the use of a 'requestkey' to control who can
		    issue mode 7 requests.
		configure 'restrict noquery' to further limit mode 7
		    requests to trusted sources.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2942 / CVE-2015-7979
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
   Summary: An off-path attacker can send broadcast packets with bad
	authentication (wrong key, mismatched key, incorrect MAC, etc.)
	to broadcast clients. It is observed that the broadcast client
	tears down the association with the broadcast server upon
	receiving just one bad packet.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	or the NTP Public Services Project Download Page.
	Monitor your 'ntpd' instances.
	If this sort of attack is an active problem for you, you have
	    deeper problems to investigate.  In this case also consider
	    having smaller NTP broadcast domains.
   Credit: This weakness was discovered by Aanchal Malhotra of Boston
	University.

* reslist NULL pointer dereference
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2939 / CVE-2015-7977
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   Summary: An unauthenticated 'ntpdc reslist' command can cause a
	segmentation fault in ntpd by causing a NULL pointer dereference.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
	the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    mode 7 is disabled by default.  Don't enable it.
	    If you must enable mode 7:
		configure the use of a 'requestkey' to control who can
		    issue mode 7 requests.
		configure 'restrict noquery' to further limit mode 7
		    requests to trusted sources.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2938 / CVE-2015-7976
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
   Summary: The ntpq saveconfig command does not do adequate filtering
	of special characters from the supplied filename.
	Note well: The ability to use the saveconfig command is controlled
	by the 'restrict nomodify' directive, and the recommended default
	configuration is to disable this capability.  If the ability to
	execute a 'saveconfig' is required, it can easily (and should) be
	limited and restricted to a known small number of IP addresses.
   Mitigation:
	Implement BCP-38.
	Use 'restrict default nomodify' in your 'ntp.conf' file.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
	If you are unable to upgrade:
	    build NTP with 'configure --disable-saveconfig' if you will
		never need this capability, or
	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
		careful about what IPs have the ability to send 'modify'
		requests to 'ntpd'.
	Monitor your ntpd instances.
	'saveconfig' requests are logged to syslog - monitor your syslog files.
   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

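The filtering the summary above says was missing, as an added example (written for this page; it is not ntpd's own save_config() code, and the accepted character set and the 255-byte limit are this example's assumptions). It allows only a conservative filename alphabet, refuses names that could leave the save directory, and never falls back to a truncated path:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SAVECONFIG_NAME_MAX 255   /* assumed limit for one path component */

/* Return 1 if 'name' may be appended to the configured saveconfigdir.
 * Accepted: letters, digits, '.', '_' and '-'.  Rejected: empty or oversize
 * names, names starting with '.' (covers ".", ".." and hidden files), and
 * any other byte, which takes path separators, whitespace, shell
 * metacharacters and control characters out in one rule. */
int saveconfig_name_ok(const char *name)
{
    size_t n = strlen(name), i;

    if (n == 0 || n > SAVECONFIG_NAME_MAX || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Join dir and name into out; 1 on success, 0 if the name was rejected or
 * the result would not fit (callers must not use a truncated path). */
int saveconfig_path(const char *dir, const char *name, char *out, size_t outlen)
{
    int len;

    if (!saveconfig_name_ok(name))
        return 0;
    len = snprintf(out, outlen, "%s/%s", dir, name);
    return len > 0 && (size_t)len < outlen;
}

/* Convenience wrapper returning a static buffer, or NULL when rejected. */
const char *saveconfig_join(const char *dir, const char *name)
{
    static char path[512];
    return saveconfig_path(dir, name, path, sizeof path) ? path : NULL;
}

int main(void)
{
    /* constructed sample names */
    const char *samples[] = { "ntp.conf.20160119", "../outside.conf", "a;b",
                              ".hidden", "a b", "sub/dir" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p = saveconfig_join("/var/lib/ntp/saved", samples[i]);
        printf("%-20s -> %s\n", samples[i], p ? p : "rejected");
    }
    return 0;
}
```

An allow-list of this kind is simpler to reason about than stripping individual "dangerous" characters, which is the approach the advisory found incomplete.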
* nextvar() missing length check in ntpq
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2937 / CVE-2015-7975
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
	If you score A:C, this becomes 4.0.
   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
   Summary: ntpq may call nextvar() which executes a memcpy() into the
	name buffer without a proper length check against its maximum
	length of 256 bytes. Note well that we're talking about ntpq here.
	The usual worst-case effect of this vulnerability is that the
	specific instance of ntpq will crash and the person or process
	that did this will have stopped themselves.
   Mitigation:
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    If you have scripts that feed input to ntpq make sure there are
		some sanity checks on the input received from the "outside".
	    This is potentially more dangerous if ntpq is run as root.
   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

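The length check described above, as an added example: a simplified name=value tokenizer written for this page rather than ntpq's own nextvar(). The 256-byte name buffer size is taken from the advisory; giving the value buffer the same size is this example's assumption. It refuses an oversize item instead of copying it:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXVARLEN 256   /* name buffer size from the advisory; value buffer assumed equal */

/* Parse the next "name=value" item from a comma-separated mode 6 variable
 * list.  *datap/*lenp describe the unread input and advance on success.
 * Returns 1 when a pair was extracted, 0 at end of input, and -1 when a
 * name or value would not fit in its buffer (the unpatched behaviour was
 * to memcpy() it anyway). */
int nextvar_checked(const char **datap, size_t *lenp,
                    char name[MAXVARLEN], char value[MAXVARLEN])
{
    const char *p = *datap, *end = *datap + *lenp;
    const char *ns, *vs;
    size_t nl, vl = 0;

    while (p < end && (isspace((unsigned char)*p) || *p == ','))
        p++;
    if (p >= end) {
        *datap = p;
        *lenp = 0;
        return 0;
    }
    ns = p;
    while (p < end && *p != '=' && *p != ',')
        p++;
    nl = (size_t)(p - ns);
    while (nl > 0 && isspace((unsigned char)ns[nl - 1]))
        nl--;
    if (nl >= MAXVARLEN)            /* no room for the NUL: refuse, never truncate */
        return -1;

    vs = p;
    if (p < end && *p == '=') {
        p++;
        while (p < end && isspace((unsigned char)*p))
            p++;
        vs = p;
        if (p < end && *p == '"') { /* quoted values may contain commas */
            p++;
            while (p < end && *p != '"')
                p++;
            if (p < end)
                p++;
        }
        while (p < end && *p != ',')
            p++;
        vl = (size_t)(p - vs);
        while (vl > 0 && isspace((unsigned char)vs[vl - 1]))
            vl--;
        if (vl >= MAXVARLEN)
            return -1;
    }

    memcpy(name, ns, nl);
    name[nl] = '\0';
    memcpy(value, vs, vl);
    value[vl] = '\0';
    *datap = p;
    *lenp = (size_t)(end - p);
    return 1;
}

static char g_name[MAXVARLEN], g_value[MAXVARLEN];

/* Extract only the first pair into g_name/g_value; returns the parser code. */
int first_var(const char *list)
{
    size_t len = strlen(list);
    return nextvar_checked(&list, &len, g_name, g_value);
}

/* Count the pairs in a list; -1 if any item is oversize. */
int count_vars(const char *list)
{
    char name[MAXVARLEN], value[MAXVARLEN];
    size_t len = strlen(list);
    int n = 0, rc;

    while ((rc = nextvar_checked(&list, &len, name, value)) == 1)
        n++;
    return rc == 0 ? n : -1;
}

/* Constructed input: a 300-byte variable name, which must be refused. */
int oversize_demo(void)
{
    char buf[320];
    memset(buf, 'A', 300);
    strcpy(buf + 300, "=1");
    return count_vars(buf);
}

int main(void)
{
    const char *list = "leap=0, stratum=2, refid=GPS";  /* constructed sample */
    printf("%d pairs; oversize name -> %d\n", count_vars(list), oversize_demo());
    return 0;
}
```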
* Skeleton Key: Any trusted key system can serve time
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2936 / CVE-2015-7974
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
   Summary: Symmetric key encryption uses a shared trusted key. The
	reported title for this issue was "Missing key check allows
	impersonation between authenticated peers" and the report claimed
	"A key specified only for one server should only work to
	authenticate that server, other trusted keys should be refused."
	Except there has never been any correlation between this trusted
	key and server and client machines, and there has never been any
	way to specify a key only for one server. We have treated this as
	an enhancement request, and ntp-4.2.8p6 includes other checks and
	tests to strengthen clients against attacks coming from broadcast
	servers.
   Mitigation:
	Implement BCP-38.
	If this scenario represents a real or a potential issue for you,
	    upgrade to 4.2.8p6, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page, and
	    use the new field in the ntp.keys file that specifies the list
	    of IPs that are allowed to serve time. Note that this alone
	    will not protect against time packets with forged source IP
	    addresses, however other changes in ntp-4.2.8p6 provide
	    significant mitigation against broadcast attacks. MITM attacks
	    are a different story.
	If you are unable to upgrade:
	    Don't use broadcast mode if you cannot monitor your client
		servers.
	    If you choose to use symmetric keys to authenticate time
		packets in a hostile environment where ephemeral time
		servers can be created, or if it is expected that malicious
		time servers will participate in an NTP broadcast domain,
		limit the number of systems that participate in the
		shared-key group.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Matt Street of Cisco ASIG.

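Added configuration example (not a file shipped with NTP) tying together the mitigations repeated through this section: 'restrict default nomodify' and 'noquery', a controlkey and trustedkey only where needed, no requestkey so that mode 7 stays disabled, several time sources, and the per-key list of IPs allowed to serve time that the entry above introduces. Addresses, key numbers and key values are constructed placeholders, and the comma-separated IP-list column is my reading of the 4.2.8p6 ntp.keys documentation; check it against the ntp.keys man page for your version.

```conf
# /etc/ntp.conf (added example; addresses are RFC 5737 documentation ranges)

# Several independent, authenticated sources so that one lying server
# is outvoted rather than believed.
server 192.0.2.11   iburst key 1
server 192.0.2.12   iburst key 1
server 198.51.100.7 iburst key 1

# Default policy: serve time only.  nomodify blocks runtime configuration
# and saveconfig; noquery blocks mode 6/7 status queries.
restrict default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1

# One management host may query (ntpq -p) but still may not modify.
restrict 192.0.2.10 nomodify notrap nopeer

# Symmetric-key authentication.
keys /etc/ntp.keys
trustedkey 1 2
# controlkey is only needed for ntpq ':config' / 'saveconfig'; omit it
# if you never use them.
controlkey 2
# requestkey deliberately absent: mode 7 (ntpdc) stays disabled.

# Not configured: broadcastclient / multicastclient (only where you can
# monitor the clients).  Start ntpd without -g except on a cold start.

# /etc/ntp.keys (mode 0600, readable by the ntpd user only)
# keyno  type  key                                       [ip-list]
# The optional last column (4.2.8p6 and later, see the lead-in above) lists
# the addresses that may serve time authenticated with this key.
# Placeholder hex keys: generate real ones with ntp-keygen -M.
1  SHA1  0123456789abcdef0123456789abcdef01234567  192.0.2.11,192.0.2.12,198.51.100.7
2  SHA1  89abcdef0123456789abcdef0123456789abcdef
```

Key 2 carries no IP list, so it can only be used for control (it is in trustedkey and controlkey but on no server line); key 1 is bound to the three configured servers, which is the "new field" the mitigation above refers to.
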
* Deja Vu: Replay attack on authenticated broadcast mode
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2935 / CVE-2015-7973
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
   Summary: If an NTP network is configured for broadcast operations then
	either a man-in-the-middle attacker or a malicious participant
	that has the same trusted keys as the victim can replay time packets.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    Don't use broadcast mode if you cannot monitor your client servers.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Aanchal Malhotra of Boston
	University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger (a] ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger (a] ntp.org
  - applied patch by shenpeng11 (a] huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger (a] ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger (a] ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
             IPv6 is disabled in the build. perlinger (a] ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger (a] ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger (a] ntp.org
* [Bug 2980] reduce number of warnings. perlinger (a] ntp.org
  - integrated several patches from Havard Eidnes (he (a] uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger (a] ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose.  Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step.  Close the panic gate earlier.
    References: Sec 2956, CVE-2015-5300
    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
	4.3.0 up to, but not including 4.3.78
    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
    Summary: If ntpd is always started with the -g option, which is
	common and against long-standing recommendation, and if at the
	moment ntpd is restarted an attacker can immediately respond to
	enough requests from enough sources trusted by the target, which
	is difficult and not common, there is a window of opportunity
	where the attacker can cause ntpd to set the time to an
	arbitrary value. Similarly, if an attacker is able to respond
	to enough requests from enough sources trusted by the target,
	the attacker can cause ntpd to abort and restart, at which
	point it can tell the target to set the time to an arbitrary
	value, but only if ntpd was re-started (against long-standing
	recommendation) with the -g flag; if ntpd was not given the
	-g flag, the attacker can move the target system's time by at
	most 900 seconds per attack.
    Mitigation:
	Configure ntpd to get time from multiple sources.
	Upgrade to 4.2.8p5, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page
	As we've long documented, only use the -g option to ntpd in
	    cold-start situations.
	Monitor your ntpd instances.
    Credit: This weakness was discovered by Aanchal Malhotra,
	Isaac E. Cohen, and Sharon Goldberg at Boston University.

    NOTE WELL: The -g flag disables the limit check on the panic_gate
	in ntpd, which is 900 seconds by default. The bug identified by
	the researchers at Boston University is that the panic_gate
	check was only re-enabled after the first change to the system
	clock that was greater than 128 milliseconds, by default. The
	correct behavior is that the panic_gate check should be
	re-enabled after any initial time correction.

	If an attacker is able to inject consistent but erroneous time
	responses to your systems via the network or "over the air",
	perhaps by spoofing radio, cellphone, or navigation satellite
	transmissions, they are in a great position to affect your
	system's clock. There comes a point where your very best
	defenses include:

	    Configure ntpd to get time from multiple sources.
	    Monitor your ntpd instances.

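The panic_gate logic in the NOTE WELL above, as an added example: a simplified model written for this page, not ntpd's local_clock(); only the 900 s panic threshold and the 128 ms step threshold come from the text. It shows why a small first slew left the gate open before 4.2.8p5, and how closing it after any correction removes the window:

```c
#include <stdbool.h>
#include <stdio.h>

#define PANIC_GATE_S  900.0   /* default panic threshold from the advisory */
#define STEP_THRESH_S 0.128   /* default step threshold from the advisory */

typedef enum { ACT_SLEW, ACT_STEP, ACT_PANIC } clock_action;

typedef struct {
    bool   allow_panic;  /* true while -g still suspends the panic gate */
    bool   fixed;        /* true: 4.2.8p5 rule, gate closes after any correction */
    double applied;      /* net correction applied to the simulated clock */
} discipline;

void discipline_init(discipline *d, bool g_flag, bool fixed)
{
    d->allow_panic = g_flag;
    d->fixed = fixed;
    d->applied = 0.0;
}

/* Simplified model of ntpd's decision for one measured offset.  ACT_PANIC
 * stands for "log the offset and exit" in the real daemon. */
clock_action local_clock(discipline *d, double offset)
{
    double mag = offset < 0 ? -offset : offset;

    if (mag > PANIC_GATE_S && !d->allow_panic)
        return ACT_PANIC;
    d->applied += offset;
    if (mag > STEP_THRESH_S) {
        d->allow_panic = false;   /* both versions close the gate after a step */
        return ACT_STEP;
    }
    if (d->fixed)
        d->allow_panic = false;   /* the fix: a slew closes the gate as well */
    return ACT_SLEW;
}

/* Advisory scenario: started with -g, the first correction is a small slew,
 * then a source presents a huge offset.  Returns the action on the latter. */
clock_action small_then_big(bool fixed, double big_offset)
{
    discipline d;
    discipline_init(&d, true, fixed);
    (void)local_clock(&d, 0.050);            /* 50 ms: below the step threshold */
    return local_clock(&d, big_offset);
}

/* The same offset presented to a daemon started without -g. */
clock_action without_g(double offset)
{
    discipline d;
    discipline_init(&d, false, true);
    return local_clock(&d, offset);
}

int main(void)
{
    static const char *names[] = { "slew", "step", "PANIC (exit)" };
    printf("-g, slew then +100000 s, pre-p5: %s\n", names[small_then_big(false, 100000.0)]);
    printf("-g, slew then +100000 s, p5:     %s\n", names[small_then_big(true, 100000.0)]);
    printf("no -g, +100000 s:                %s\n", names[without_g(100000.0)]);
    printf("no -g, +899 s:                   %s\n", names[without_g(899.0)]);
    return 0;
}
```

The without_g(899.0) case is the "at most 900 seconds per attack" bound from the Summary: an offset inside the gate is stepped even without -g, which is why multiple sources and monitoring remain the defenses of last resort.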
Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006.  As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs.  These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger (a] ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger (a] ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas.  perlinger (a] ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger (a] ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger (a] ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger (a] ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger (a] ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger (a] ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
             lots of clients. perlinger (a] ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
* Unity test cleanup.  Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
* Quiet a warning from clang.  Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn (a] ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
	and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
    Summary: The fix for CVE-2014-9750 was incomplete in that there were
	certain code paths where a packet with particular autokey operations
	that contained malicious data was not always being completely
	validated. Receipt of these packets can cause ntpd to crash.
    Mitigation:
	Don't use autokey.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page
	Monitor your ntpd instances.
    Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
	and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
    Summary: An ntpd client that honors Kiss-of-Death responses will honor
	KoD messages that have been forged by an attacker, causing it to
	delay or stop querying its servers for time updates. Also, an
	attacker can forge packets that claim to be from the target and
	send them to servers often enough that a server that implements
	KoD rate limiting will send the target machine a KoD response to
	attempt to reduce the rate of incoming packets, or it may also
	trigger a firewall block at the server for packets from the target
	machine. For either of these attacks to succeed, the attacker must
	know what servers the target is communicating with. An attacker
	can be anywhere on the Internet and can frequently learn the
	identity of the target's time source by sending the target a
	time query.
    Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you can't upgrade, restrict who can query ntpd to learn who
	    its servers are, and what IPs are allowed to ask your system
	    for the time. This mitigation is heavy-handed.
	Monitor your ntpd instances.
    Note:
	4.2.8p4 protects against the first attack. For the second attack,
	all we can do is warn when it is happening, which we do in 4.2.8p4.
    Credit: This weakness was discovered by Aanchal Malhotra,
	Isaac E. Cohen, and Sharon Goldberg of Boston University.

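The origin-timestamp validation discussed here and in the "0rigin: Zero Origin Timestamp Bypass" entry of the 4.2.8p6 section above, as one added example written for this page (it is not ntpd's receive() code; the state field names, the scenarios and the timestamp values are constructed). The flawed check shows how a zero origin slips through when nothing is outstanding, and the hardened check is applied to KoD packets before they are honoured:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTP 64-bit timestamp: seconds since 1900 plus a 32-bit fraction. */
typedef struct { uint32_t sec, frac; } l_fp;

/* Reply fields this check needs.  Stratum 0 with a kiss code ("RATE", ...)
 * marks a Kiss-o'-Death packet. */
typedef struct {
    uint8_t stratum;
    char    kiss[5];
    l_fp    org;   /* origin: must echo the transmit timestamp of our request */
} ntp_reply;

/* Per-server client state (field names are this example's, not ntpd's). */
typedef struct {
    l_fp     aorg;          /* transmit timestamp of our last request */
    bool     outstanding;   /* a request is in flight */
    unsigned poll_backoff;  /* bumped each time a KoD is honoured */
} assoc;

static bool lfp_eq(l_fp a, l_fp b) { return a.sec == b.sec && a.frac == b.frac; }
static bool lfp_zero(l_fp a)       { return a.sec == 0 && a.frac == 0; }

void send_request(assoc *a, l_fp xmt)
{
    a->aorg = xmt;
    a->outstanding = true;
}

/* Flawed check, constructed to show the logic error the advisory describes:
 * aorg is cleared to zero once a reply is consumed, so a forged packet with
 * org == 0 compares equal whenever no request is outstanding. */
bool origin_ok_flawed(const assoc *a, const ntp_reply *r)
{
    return lfp_eq(r->org, a->aorg);
}

/* Hardened check: a zero origin never matches, and replies are only
 * considered while a request is actually outstanding. */
bool origin_ok_hardened(const assoc *a, const ntp_reply *r)
{
    if (lfp_zero(r->org) || !a->outstanding)
        return false;
    return lfp_eq(r->org, a->aorg);
}

typedef enum { R_DROP, R_TIME, R_KOD } reply_result;

/* Consume one reply.  A KoD is honoured (poll interval backed off) only
 * after it passes the same origin check as an ordinary time reply. */
reply_result handle_reply(assoc *a, const ntp_reply *r, bool hardened)
{
    bool ok = hardened ? origin_ok_hardened(a, r) : origin_ok_flawed(a, r);

    if (!ok)
        return R_DROP;                     /* bogus: ignored, state untouched */
    a->outstanding = false;
    memset(&a->aorg, 0, sizeof a->aorg);   /* reply consumed, clear origin */
    if (r->stratum == 0) {
        a->poll_backoff++;
        return R_KOD;
    }
    return R_TIME;
}

/* Scenario 1: nothing outstanding, a forged KoD with a zero origin arrives. */
reply_result forged_zero_origin_kod(bool hardened)
{
    assoc a = { {0, 0}, false, 0 };
    ntp_reply forged = { 0, "RATE", {0, 0} };
    return handle_reply(&a, &forged, hardened);
}

/* Scenario 2: request in flight, forged KoD with a guessed (wrong) origin. */
reply_result forged_wrong_origin_kod(bool hardened)
{
    assoc a = { {0, 0}, false, 0 };
    ntp_reply forged = { 0, "RATE", {3692217600u, 1} };
    send_request(&a, (l_fp){3692217600u, 0x12345678u});
    return handle_reply(&a, &forged, hardened);
}

/* Scenario 3: request in flight, genuine reply echoes our transmit timestamp. */
reply_result genuine_reply(bool hardened)
{
    assoc a = { {0, 0}, false, 0 };
    ntp_reply good = { 2, "", {3692217600u, 0x12345678u} };
    send_request(&a, good.org);
    return handle_reply(&a, &good, hardened);
}

int main(void)
{
    printf("forged zero-origin KoD: flawed=%s hardened=%s\n",
           forged_zero_origin_kod(false) == R_KOD ? "honoured" : "dropped",
           forged_zero_origin_kod(true)  == R_KOD ? "honoured" : "dropped");
    return 0;
}
```

Scenario 2 is the reason the origin check helps against forged KoDs at all: an off-path attacker who does not see the request has to guess a 64-bit transmit timestamp, and a wrong guess is dropped by both versions. Scenario 1 is the gap the 4.2.8p6 entry closes.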
* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

   References: Sec 2902 / CVE-2015-5196
   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
	and 4.3.0 up to, but not including 4.3.77
   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
   Summary: If ntpd is configured to allow for remote configuration,
	and if the (possibly spoofed) source IP address is allowed to
	send remote configuration requests, and if the attacker knows
	the remote configuration password, it's possible for an attacker
	to use the "pidfile" or "driftfile" directives to potentially
	overwrite other files.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page
	If you cannot upgrade, don't enable remote configuration.
	If you must enable remote configuration and cannot upgrade,
	    remote configuration of NTF's ntpd requires:
	    - an explicitly configured trustedkey, and you should also
		configure a controlkey.
	    - access from a permitted IP. You choose the IPs.
	    - authentication. Don't disable it. Practice secure key safety.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
	4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
	send packets to ntpd that will, after several days of ongoing
	attack, cause it to run out of memory.
  Mitigation:
	Don't use autokey.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page
	Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
	and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
	use of mode 7 packets is not properly protected through the use of
	the available mode 7 authentication and restriction mechanisms,
	and if the (possibly spoofed) source IP address is allowed to
	send mode 7 queries, then an attacker can send a crafted packet
	to ntpd that will cause it to crash.
  Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
	    If you must enable mode 7:
		configure the use of a requestkey to control who can issue
		    mode 7 requests.
		configure restrict noquery to further limit mode 7 requests
		    to trusted sources.
	Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
	4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
	the (possibly spoofed) source IP address is allowed to send
	remote configuration requests, and if the attacker knows the
	remote configuration password or if ntpd was configured to
	disable authentication, then an attacker can send a set of
	packets to ntpd that may cause a crash or theoretically
	perform a code injection attack.
  Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page.
	If you are unable to upgrade, remote configuration of NTF's
	    ntpd requires:
		an explicitly configured "trusted" key. Only configure
		    this if you need it.
		access from a permitted IP address. You choose the IPs.
		authentication. Don't disable it. Practice secure key safety.
	Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
	and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
    Summary: If ntpd is configured to allow remote configuration, and if
	the (possibly spoofed) source IP address is allowed to send
	remote configuration requests, and if the attacker knows the
	remote configuration password or if ntpd was configured to
	disable authentication, then an attacker can send a set of
	packets to ntpd that will cause it to crash and/or create a
	potentially huge log file. Specifically, the attacker could
	enable extended logging, point the key file at the log file,
	and cause what amounts to an infinite loop.
    Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page.
	If you are unable to upgrade, remote configuration of NTF's ntpd
	    requires:
		an explicitly configured "trusted" key. Only configure this
		    if you need it.
		access from a permitted IP address. You choose the IPs.
		authentication. Don't disable it. Practice secure key safety.
	Monitor your ntpd instances.
    Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
	the (possibly spoofed) IP address is allowed to send remote
	configuration requests, and if the attacker knows the remote
	configuration password or if ntpd was configured to disable
	authentication, then an attacker can send a set of packets to
	ntpd that may cause ntpd to overwrite files.
  Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page.
	If you are unable to upgrade, remote configuration of NTF's ntpd
	    requires:
		an explicitly configured "trusted" key. Only configure
		    this if you need it.
		access from permitted IP addresses. You choose the IPs.
		authentication. Don't disable it. Practice secure key safety.
	Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
	and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
	is listening for data and the port number it is listening on, or
	if the attacker can provide a malicious instance of ntpd that
	victims will connect to, then an attacker can send a set of
	crafted mode 6 response packets that, if received by ntpq,
	can cause ntpq to crash.
  Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page.
	If you are unable to upgrade and you run ntpq against a server
	    and ntpq crashes, try again using raw mode. Build or get a
	    patched ntpq and see if that fixes the problem. Report new
	    bugs in ntpq or abusive servers appropriately.
	If you use ntpq in scripts, make sure ntpq does what you expect
	    in your scripts.
  Credit: This weakness was discovered by Yves Younan and
	Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
	that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
	5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
	data buffer. NTF's ntpd driver implementations always set this
	value to 0 and are therefore not vulnerable to this weakness.
	If you are running a custom refclock driver in ntpd and that
	driver supplies a negative value for datalen (no custom driver
	of even minimal competence would do this) then ntpd would
	overflow a data buffer. It is even hypothetically possible
	in this case that instead of simply crashing ntpd the attacker
	could effect a code injection attack.
  Mitigation:
	Upgrade to 4.2.8p4, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    If you are running custom refclock drivers, make sure
		the signed datalen value is either zero or positive.
	Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

   2712 * Password Length Memory Corruption Vulnerability
   2713 
   2714   References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
   2715   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   2716   	4.3.0 up to, but not including 4.3.77
   2717   CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
   2718   	1.7 usual case, 6.8, worst case
   2719   Summary: If ntpd is configured to allow remote configuration, and if
   2720 	the (possibly spoofed) source IP address is allowed to send
   2721 	remote configuration requests, and if the attacker knows the
   2722 	remote configuration password or if ntpd was (foolishly)
   2723 	configured to disable authentication, then an attacker can
   2724 	send a set of packets to ntpd that may cause it to crash,
   2725 	with the hypothetical possibility of a small code injection.
   2726   Mitigation:
   2727 	Implement BCP-38.
   2728 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2729 	    Page or the NTP Public Services Project Download Page.
   2730 	If you are unable to upgrade, remote configuration of NTF's
   2731 	    ntpd requires:
   2732 		an explicitly configured "trusted" key. Only configure
   2733 			this if you need it.
   2734 		access from a permitted IP address. You choose the IPs.
   2735 		authentication. Don't disable it. Practice secure key safety. 
   2736 	Monitor your ntpd instances. 
   2737   Credit: This weakness was discovered by Yves Younan and
   2738   	Aleksander Nikolich of Cisco Talos. 
   2739 
   2740 * decodenetnum() will ASSERT botch instead of returning FAIL on some
   2741   bogus values.
   2742 
   2743   References: Sec 2922 / CVE-2015-7855
   2744   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   2745 	4.3.0 up to, but not including 4.3.77
   2746   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   2747   Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
   2748 	an unusually long data value where a network address is expected,
   2749 	the decodenetnum() function will abort with an assertion failure
   2750 	instead of simply returning a failure condition.
   2751   Mitigation:
   2752 	Implement BCP-38.
   2753 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2754 	    Page or the NTP Public Services Project Download Page.
   2755 	If you are unable to upgrade:
   2756 		mode 7 is disabled by default. Don't enable it.
   2757 		Use restrict noquery to limit who can send mode 6
   2758 			and mode 7 requests.
   2759 		Configure and use the controlkey and requestkey
   2760 			authentication directives to limit who can
   2761 			send mode 6 and mode 7 requests. 
   2762 	Monitor your ntpd instances. 
   2763   Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 
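
The two length-handling entries above (Sec 2920's signed datalen and Sec 2922's overlong address value) share one lesson: a length from an untrusted source is validated before it reaches a size_t API or an assertion. The C below is an added illustration written for these notes, not ntpd code; CLOCK_BUF_LEN, store_checked(), decode_netnum() and the sample inputs are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed bound for the refclock sample buffer (not ntpd's real size). */
#define CLOCK_BUF_LEN 64

struct clock_data {
    char   buf[CLOCK_BUF_LEN];
    size_t used;
};

/* Shape of the Sec 2920 defect: datalen is signed but memcpy's count is
 * size_t, so a negative value converts to a huge count and the copy runs
 * off the end of buf.  Kept only for contrast; nothing here calls it. */
void store_unchecked(struct clock_data *cd, const char *data, int datalen) {
    memcpy(cd->buf, data, (size_t)datalen);
    cd->used = (size_t)datalen;
}

/* Hardened: validate the signed length before it reaches any size_t API.
 * Returns 1 on success, 0 if the length is negative or exceeds the buffer. */
int store_checked(struct clock_data *cd, const char *data, int datalen) {
    if (data == NULL || datalen < 0 || datalen > CLOCK_BUF_LEN)
        return 0;
    memcpy(cd->buf, data, (size_t)datalen);
    cd->used = (size_t)datalen;
    return 1;
}

/* Sec 2922 lesson: a decoder for an address field taken from a packet must
 * return failure, never assert, on oversized or malformed input.  This
 * dotted-quad parser bounds the length up front and returns 0 on any error;
 * it is an illustration, not ntpd's decodenetnum(). */
int decode_netnum(const char *s, size_t slen, uint32_t *addr) {
    if (s == NULL || slen == 0 || slen > 15)     /* "255.255.255.255" is 15 chars */
        return 0;
    uint32_t out = 0;
    unsigned octet = 0, digits = 0, parts = 0;
    for (size_t i = 0; i <= slen; i++) {
        char c = (i < slen) ? s[i] : '.';        /* virtual trailing separator */
        if (c >= '0' && c <= '9') {
            if (++digits > 3) return 0;
            octet = octet * 10 + (unsigned)(c - '0');
            if (octet > 255) return 0;
        } else if (c == '.') {
            if (digits == 0 || ++parts > 4) return 0;
            out = (out << 8) | octet;
            octet = 0; digits = 0;
        } else {
            return 0;
        }
    }
    if (parts != 4) return 0;
    *addr = out;
    return 1;
}

/* Check helpers: decoded address (0 on failure) and whether a delivery of
 * the given signed length is accepted. */
uint32_t decode_or_zero(const char *s) {
    uint32_t a = 0;
    return decode_netnum(s, strlen(s), &a) ? a : 0;
}
int store_ok(int datalen) {
    static const char sample[CLOCK_BUF_LEN] = "constructed refclock sample";
    struct clock_data cd = { {0}, 0 };
    return store_checked(&cd, sample, datalen);
}
```

The point of decode_netnum() is the early `slen > 15` rejection: once the bound is enforced at the entry, no later step can be reached with input the function was not written for, which is what an assertion inside a decoder is usually standing in for.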
   2764 
   2765 * NAK to the Future: Symmetric association authentication bypass via
   2766   crypto-NAK.
   2767 
   2768   References: Sec 2941 / CVE-2015-7871
   2769   Affects: All ntp-4 releases between 4.2.5p186 up to but not including
   2770   	4.2.8p4, and 4.3.0 up to but not including 4.3.77
   2771   CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
   2772   Summary: Crypto-NAK packets can be used to cause ntpd to accept time
   2773 	from unauthenticated ephemeral symmetric peers by bypassing the
   2774 	authentication required to mobilize peer associations. This
   2775 	vulnerability appears to have been introduced in ntp-4.2.5p186
   2776 	when the code handling mobilization of new passive symmetric
   2777 	associations (lines 1103-1165) was refactored.
   2778   Mitigation:
   2779 	Implement BCP-38.
   2780 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2781 	    Page or the NTP Public Services Project Download Page.
   2782 	If you are unable to upgrade:
   2783 		Apply the patch to the bottom of the "authentic" check
   2784 			block around line 1136 of ntp_proto.c. 
   2785 	Monitor your ntpd instances. 
   2786   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
   2787 
   2788 Backward-Incompatible changes:
   2789 * [Bug 2817] Default on Linux is now "rlimit memlock -1".
   2790   While the general default of 32M is still the case, under Linux
   2791   the default value has been changed to -1 (do not lock ntpd into
   2792   memory).  A value of 0 means "lock ntpd into memory with whatever
   2793   memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
   2794   value in it, that value will continue to be used.
   2795 
   2796 * [Bug 2886] Misspelling: "outlyer" should be "outlier".
   2797   If you've written a script that looks for this case in, say, the
   2798   output of ntpq, you probably want to change your regex matches
   2799   from 'outlyer' to 'outl[iy]er'.
   2800 
   2801 New features in this release:
   2802 * 'rlimit memlock' now has finer-grained control.  A value of -1 means
    2803   "don't lock ntpd into memory".  This is the default for Linux boxes.
   2804   A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
   2805   the value is the number of megabytes of memory to lock.  The default
   2806   is 32 megabytes.
   2807 
   2808 * The old Google Test framework has been replaced with a new framework,
   2809   based on http://www.throwtheswitch.org/unity/ .
   2810 
   2811 Bug Fixes and Improvements:
   2812 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping
   2813   privileges and limiting resources in NTPD removes the need to link
   2814   forcefully against 'libgcc_s' which does not always work. J.Perlinger
   2815 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
   2816 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
   2817 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
   2818 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger (a] ntp.org
   2819 * [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
   2820 * [Bug 2849] Systems with more than one default route may never
   2821   synchronize.  Brian Utterback.  Note that this patch might need to
   2822   be reverted once Bug 2043 has been fixed.
   2823 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
   2824 * [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
   2825 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
   2826 * [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
   2827 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
   2828 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
   2829   be configured for the distribution targets.  Harlan Stenn.
   2830 * [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
   2831 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave (a] horsfall.org
   2832 * [Bug 2888] streamline calendar functions.  perlinger (a] ntp.org
   2833 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger (a] ntp.org
   2834 * [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
   2835 * [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
   2836 * [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
   2837 * [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
   2838 * libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
   2839 * Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
   2840 * tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
   2841 * Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
   2842 * On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
   2843 * top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
   2844 * sntp/tests/ function parameter list cleanup.  Damir Tomi.
   2845 * tests/libntp/ function parameter list cleanup.  Damir Tomi.
   2846 * tests/ntpd/ function parameter list cleanup.  Damir Tomi.
   2847 * sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
   2848 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
   2849 * tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomi.
   2850 * tests/libntp/ improvements in code and fixed error printing.  Damir Tomi.
   2851 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   2852   caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
   2853   formatting; first declaration, then code (C90); deleted unnecessary comments;
   2854   changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
   2855 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
   2856   fix formatting, cleanup. Tomasz Flendrich
   2857 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
   2858   Tomasz Flendrich
   2859 * tests/libntp/statestr.c remove empty functions, remove unnecessary include,
   2860   fix formatting. Tomasz Flendrich
   2861 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
   2862 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
   2863 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
   2864   Tomasz Flendrich
   2865 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
   2866 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
   2867 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
   2868 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
   2869 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
   2870 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
   2871 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
    2872   fixed formatting. Tomasz Flendrich
   2873 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
   2874   removed unnecessary comments, cleanup. Tomasz Flendrich
   2875 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
   2876   comments, cleanup. Tomasz Flendrich
   2877 * tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
   2878   Tomasz Flendrich
   2879 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich
   2880 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
   2881 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
   2882   Tomasz Flendrich
   2883 * sntp/tests/kodDatabase.c added consts, deleted empty function,
   2884   fixed formatting. Tomasz Flendrich
   2885 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
   2886 * sntp/tests/packetHandling.c is now using proper Unity's assertions,
   2887   fixed formatting, deleted unused variable. Tomasz Flendrich
   2888 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
   2889   Tomasz Flendrich
   2890 * sntp/tests/packetProcessing.c changed from sprintf to snprintf,
   2891   fixed formatting. Tomasz Flendrich
   2892 * sntp/tests/utilities.c is now using proper Unity's assertions, changed
   2893   the order of includes, fixed formatting, removed unnecessary comments.
   2894   Tomasz Flendrich
   2895 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
   2896 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
   2897   made one function do its job, deleted unnecessary prints, fixed formatting.
   2898   Tomasz Flendrich
   2899 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
   2900 * sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
    2901 * sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
   2902 * sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
   2903 * sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
   2904 * Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
   2905 * Don't build sntp/libevent/sample/.  Harlan Stenn.
   2906 * tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
   2907 * br-flock: --enable-local-libevent.  Harlan Stenn.
   2908 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
   2909 * scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
   2910 * Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
   2911 * Code cleanup.  Harlan Stenn.
   2912 * libntp/icom.c: Typo fix.  Harlan Stenn.
   2913 * util/ntptime.c: initialization nit.  Harlan Stenn.
   2914 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
   2915 * Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
   2916 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
   2917   Tomasz Flendrich
   2918 * Changed progname to be const in many files - now it's consistent. Tomasz
   2919   Flendrich
   2920 * Typo fix for GCC warning suppression.  Harlan Stenn.
   2921 * Added tests/ntpd/ntp_scanner.c test. Damir Tomi.
   2922 * Added declarations to all Unity tests, and did minor fixes to them.
   2923   Reduced the number of warnings by half. Damir Tomi.
   2924 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory
   2925   with the latest Unity updates from Mark. Damir Tomi.
   2926 * Retire google test - phase I.  Harlan Stenn.
   2927 * Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
   2928 * Update the NEWS file.  Harlan Stenn.
   2929 * Autoconf cleanup.  Harlan Stenn.
   2930 * Unit test dist cleanup. Harlan Stenn.
   2931 * Cleanup various test Makefile.am files.  Harlan Stenn.
   2932 * Pthread autoconf macro cleanup.  Harlan Stenn.
   2933 * Fix progname definition in unity runner scripts.  Harlan Stenn.
   2934 * Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
   2935 * Update the patch for bug 2817.  Harlan Stenn.
   2936 * More updates for bug 2817.  Harlan Stenn.
   2937 * Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
   2938 * gcc on older HPUX may need +allowdups.  Harlan Stenn.
   2939 * Adding missing MCAST protection.  Harlan Stenn.
   2940 * Disable certain test programs on certain platforms.  Harlan Stenn.
   2941 * Implement --enable-problem-tests (on by default).  Harlan Stenn.
   2942 * build system tweaks.  Harlan Stenn.
   2943 
   2944 ---
   2945 NTP 4.2.8p3 (Harlan Stenn <stenn (a] ntp.org>, 2015/06/29) 
   2946 
   2947 Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
   2948 
   2949 Severity: MEDIUM
   2950 
   2951 Security Fix:
   2952 
   2953 * [Sec 2853] Crafted remote config packet can crash some versions of
   2954   ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
   2955 
   2956 Under specific circumstances an attacker can send a crafted packet to
   2957 cause a vulnerable ntpd instance to crash. This requires each of the
   2958 following to be true:
   2959 
   2960 1) ntpd set up to allow remote configuration (not allowed by default), and
   2961 2) knowledge of the configuration password, and
   2962 3) access to a computer entrusted to perform remote configuration. 
   2963 
   2964 This vulnerability is considered low-risk.
   2965 
   2966 New features in this release:
   2967 
   2968 Optional (disabled by default) support to have ntpd provide smeared
   2969 leap second time.  A specially built and configured ntpd will only
   2970 offer smeared time in response to client packets.  These response
   2971 packets will also contain a "refid" of 254.a.b.c, where the 24 bits
   2972 of a, b, and c encode the amount of smear in a 2:22 integer:fraction 
   2973 format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
   2974 information.
   2975 
   2976    *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   2977    *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
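
Decoding the smear refid described above, as an added example that is not part of the NTP distribution. It assumes the two integer bits of the 24-bit 2:22 field are two's-complement signed (the text here states only the 2:22 layout), so the representable range is [-2, 2) seconds; parse_dotted_refid() and smear_check() are constructed helpers for the dotted form ntpq prints.

```c
#include <stdint.h>
#include <stdio.h>

#define SMEAR_REFID_PREFIX 254u
#define SMEAR_FRAC_BITS    22
#define SMEAR_ONE          (1u << SMEAR_FRAC_BITS)     /* 2^22 = 4194304 */

/* Decode a 254.a.b.c refid into seconds of smear.  Returns 0 (and leaves
 * *smear untouched) when the refid is not a smear refid.  Assumption: the
 * two integer bits are two's-complement signed, giving a range of [-2, 2). */
int refid_to_smear(uint32_t refid, double *smear) {
    if ((refid >> 24) != SMEAR_REFID_PREFIX)
        return 0;
    uint32_t field = refid & 0x00FFFFFFu;              /* the 24-bit 2:22 value */
    int ipart = (int)((field >> SMEAR_FRAC_BITS) & 0x3u);
    if (ipart & 0x2)                                   /* sign-extend 2 bits */
        ipart -= 4;
    *smear = (double)ipart + (double)(field & (SMEAR_ONE - 1)) / (double)SMEAR_ONE;
    return 1;
}

/* Inverse: pack a smear in [-2, 2) seconds into a 254.a.b.c refid. */
uint32_t smear_to_refid(double smear) {
    double scaled = smear * (double)SMEAR_ONE;
    int32_t fixed = (int32_t)(scaled + (scaled >= 0 ? 0.5 : -0.5));   /* round */
    return (SMEAR_REFID_PREFIX << 24) | ((uint32_t)fixed & 0x00FFFFFFu);
}

/* Parse the dotted form in which ntpq shows a refid. */
int parse_dotted_refid(const char *s, uint32_t *refid) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *refid = a << 24 | b << 16 | c << 8 | d;
    return 1;
}

/* Convenience: 1 if the dotted refid is a smear refid whose decoded value
 * equals expect exactly, else 0. */
int smear_check(const char *dotted, double expect) {
    uint32_t refid = 0;
    double s = 0.0;
    return parse_dotted_refid(dotted, &refid) && refid_to_smear(refid, &s) && s == expect;
}

int main(void) {
    const char *samples[] = { "254.32.0.0", "254.224.0.0", "127.127.1.0" };   /* constructed */
    for (int i = 0; i < 3; i++) {
        uint32_t refid = 0;
        double s = 0.0;
        if (parse_dotted_refid(samples[i], &refid) && refid_to_smear(refid, &s))
            printf("%-12s smear = %+.6f s\n", samples[i], s);
        else
            printf("%-12s not a smear refid\n", samples[i]);
    }
    return 0;
}
```

A monitoring script that watches the refid column of ntpq output can use the same decoding to flag any upstream that is handing out smeared time, which is the situation the warning above is about.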
   2978 
   2979 We've imported the Unity test framework, and have begun converting
   2980 the existing google-test items to this new framework.  If you want
   2981 to write new tests or change old ones, you'll need to have ruby
   2982 installed.  You don't need ruby to run the test suite.
   2983 
   2984 Bug Fixes and Improvements:
   2985 
   2986 * CID 739725: Fix a rare resource leak in libevent/listener.c.
   2987 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
   2988 * CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
   2989 * CID 1269537: Clean up a line of dead code in getShmTime().
   2990 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
   2991 * [Bug 2590] autogen-5.18.5.
   2992 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
   2993   of 'limited'.
   2994 * [Bug 2650] fix includefile processing.
   2995 * [Bug 2745] ntpd -x steps clock on leap second
   2996    Fixed an initial-value problem that caused misbehaviour in absence of
   2997    any leapsecond information.
    2998    Do leap second stepping only if the step adjustment is beyond the
   2999    proper jump distance limit and step correction is allowed at all.
   3000 * [Bug 2750] build for Win64
    3001   The 32-bit build of the loopback PPSAPI needs a .def file.
   3002 * [Bug 2776] Improve ntpq's 'help keytype'.
   3003 * [Bug 2778] Implement "apeers"  ntpq command to include associd.
   3004 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
   3005 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an
   3006   interface is ignored as long as this flag is not set since the
   3007   interface is not usable (e.g., no link).
   3008 * [Bug 2794] Clean up kernel clock status reports.
   3009 * [Bug 2800] refclock_true.c true_debug() can't open debug log because
   3010   of incompatible open/fdopen parameters.
   3011 * [Bug 2804] install-local-data assumes GNU 'find' semantics.
   3012 * [Bug 2805] ntpd fails to join multicast group.
   3013 * [Bug 2806] refclock_jjy.c supports the Telephone JJY.
   3014 * [Bug 2808] GPSD_JSON driver enhancements, step 1.
   3015   Fix crash during cleanup if GPS device not present and char device.
   3016   Increase internal token buffer to parse all JSON data, even SKY.
   3017   Defer logging of errors during driver init until the first unit is
   3018   started, so the syslog is not cluttered when the driver is not used.
   3019   Various improvements, see http://bugs.ntp.org/2808 for details.
   3020   Changed libjsmn to a more recent version.
   3021 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
   3022 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
   3023 * [Bug 2815] net-snmp before v5.4 has circular library dependencies.
   3024 * [Bug 2821] Add a missing NTP_PRINTF and a missing const.
   3025 * [Bug 2822] New leap column in sntp broke NTP::Util.pm.
   3026 * [Bug 2824] Convert update-leap to perl. (also see 2769)
   3027 * [Bug 2825] Quiet file installation in html/ .
   3028 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   3029    NTPD transfers the current TAI (instead of an announcement) now.
    3030    This might still need improvement.
   3031    Update autokey data ASAP when 'sys_tai' changes.
   3032    Fix unit test that was broken by changes for autokey update.
   3033    Avoid potential signature length issue and use DPRINTF where possible
   3034      in ntp_crypto.c.
   3035 * [Bug 2832] refclock_jjy.c supports the TDC-300.
   3036 * [Bug 2834] Correct a broken html tag in html/refclock.html
   3037 * [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
   3038   robust, and require 2 consecutive timestamps to be consistent.
   3039 * [Bug 2837] Allow a configurable DSCP value.
   3040 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in
   3041 * [Bug 2842] Glitch in ntp.conf.def documentation stanza.
   3042 * [Bug 2842] Bug in mdoc2man.
   3043 * [Bug 2843] make check fails on 4.3.36
   3044    Fixed compiler warnings about numeric range overflow
   3045    (The original topic was fixed in a byplay to bug#2830)
   3046 * [Bug 2845] Harden memory allocation in ntpd.
   3047 * [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
   3048 * [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
   3049 * [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
   3050 * [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
   3051 * [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
   3052 * [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
   3053 * [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
    3054 * [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
   3055 * [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
   3056 * html/drivers/driver22.html: typo fix.  Harlan Stenn.
   3057 * refidsmear test cleanup.  Tomasz Flendrich.
   3058 * refidsmear function support and tests.  Harlan Stenn.
   3059 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
   3060   something that was only in the 4.2.6 sntp.  Harlan Stenn.
   3061 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
   3062   Damir Tomi
    3063 * Modified tests/libntp/Makefile.am so it builds Unity framework tests.
   3064   Damir Tomi
   3065 * Modified sntp/tests/Makefile.am so it builds Unity framework tests.
   3066   Damir Tomi
   3067 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
   3068 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomi
   3069 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
   3070   atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   3071   calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
   3072   numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
   3073   timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
   3074   Damir Tomi
   3075 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
   3076   networking.c, keyFile.c, utilities.cpp, sntptest.h,
   3077   fileHandlingTest.h. Damir Tomi
   3078 * Initial support for experimental leap smear code.  Harlan Stenn.
   3079 * Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
   3080 * Report select() debug messages at debug level 3 now.
   3081 * sntp/scripts/genLocInfo: treat raspbian as debian.
   3082 * Unity test framework fixes.
   3083   ** Requires ruby for changes to tests.
   3084 * Initial support for PACKAGE_VERSION tests.
   3085 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
   3086 * tests/bug-2803/Makefile.am must distribute bug-2803.h.
   3087 * Add an assert to the ntpq ifstats code.
   3088 * Clean up the RLIMIT_STACK code.
   3089 * Improve the ntpq documentation around the controlkey keyid.
   3090 * ntpq.c cleanup.
   3091 * Windows port build cleanup.
   3092 
   3093 ---
   3094 NTP 4.2.8p2 (Harlan Stenn <stenn (a] ntp.org>, 2015/04/07) 
   3095 
   3096 Focus: Security and Bug fixes, enhancements.
   3097 
   3098 Severity: MEDIUM
   3099  
   3100 In addition to bug fixes and enhancements, this release fixes the
   3101 following medium-severity vulnerabilities involving private key
   3102 authentication:
   3103 
   3104 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   3105 
   3106     References: Sec 2779 / CVE-2015-1798 / VU#374268
   3107     Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
   3108 	including ntp-4.2.8p2 where the installation uses symmetric keys
   3109 	to authenticate remote associations.
   3110     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   3111     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   3112     Summary: When ntpd is configured to use a symmetric key to authenticate
   3113 	a remote NTP server/peer, it checks if the NTP message
   3114 	authentication code (MAC) in received packets is valid, but not if
   3115 	there actually is any MAC included. Packets without a MAC are
   3116 	accepted as if they had a valid MAC. This allows a MITM attacker to
   3117 	send false packets that are accepted by the client/peer without
   3118 	having to know the symmetric key. The attacker needs to know the
   3119 	transmit timestamp of the client to match it in the forged reply
   3120 	and the false reply needs to reach the client before the genuine
   3121 	reply from the server. The attacker doesn't necessarily need to be
   3122 	relaying the packets between the client and the server.
   3123 
   3124 	Authentication using autokey doesn't have this problem as there is
   3125 	a check that requires the key ID to be larger than NTP_MAXKEY,
   3126 	which fails for packets without a MAC.
   3127     Mitigation:
   3128         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   3129 	or the NTP Public Services Project Download Page
   3130         Configure ntpd with enough time sources and monitor it properly. 
   3131     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
   3132 
   3133 * [Sec 2781] Authentication doesn't protect symmetric associations against
   3134   DoS attacks.
   3135 
   3136     References: Sec 2781 / CVE-2015-1799 / VU#374268
   3137     Affects: All NTP releases starting with at least xntp3.3wy up to but
   3138 	not including ntp-4.2.8p2 where the installation uses symmetric
   3139 	key authentication.
   3140     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   3141     Note: the CVSS base Score for this issue could be 4.3 or lower, and
   3142 	it could be higher than 5.4.
   3143     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   3144     Summary: An attacker knowing that NTP hosts A and B are peering with
   3145 	each other (symmetric association) can send a packet to host A
   3146 	with source address of B which will set the NTP state variables
   3147 	on A to the values sent by the attacker. Host A will then send
   3148 	on its next poll to B a packet with originate timestamp that
   3149 	doesn't match the transmit timestamp of B and the packet will
   3150 	be dropped. If the attacker does this periodically for both
   3151 	hosts, they won't be able to synchronize to each other. This is
   3152 	a known denial-of-service attack, described at
   3153 	https://www.eecis.udel.edu/~mills/onwire.html .
   3154 
   3155 	According to the document the NTP authentication is supposed to
   3156 	protect symmetric associations against this attack, but that
   3157 	doesn't seem to be the case. The state variables are updated even
   3158 	when authentication fails and the peers are sending packets with
   3159 	originate timestamps that don't match the transmit timestamps on
   3160 	the receiving side.
   3161 
   3162 	This seems to be a very old problem, dating back to at least
   3163 	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
   3164 	specifications, so other NTP implementations with support for
   3165 	symmetric associations and authentication may be vulnerable too.
   3166 	An update to the NTP RFC to correct this error is in-process.
   3167     Mitigation:
   3168         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   3169 	or the NTP Public Services Project Download Page
   3170         Note that for users of autokey, this specific style of MITM attack
   3171 	is simply a long-known potential problem.
   3172         Configure ntpd with appropriate time sources and monitor ntpd.
   3173 	Alert your staff if problems are detected. 
   3174     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
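
Sec 2779 and Sec 2781 above describe two checks in a symmetric-key receive path: that a MAC is actually present when a key is configured, and that no state variable is updated before authentication succeeds. The C below is an added model of both, not ntpd code: the packet sizes follow the NTPv4 wire format, but struct assoc, the FNV-based toy digest standing in for MD5, build_packet() and the scenario() driver are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* NTPv4 wire-format sizes: 48-byte header, optional MAC of a 4-byte key id
 * followed by a digest (16 bytes for MD5). */
#define NTP_HDR_LEN 48
#define DIGEST_LEN  16
#define MAC_LEN     (4 + DIGEST_LEN)
#define XMT_OFFSET  40                 /* 8-byte transmit timestamp */

enum auth_result { AUTH_OK = 0, AUTH_NONE = 1, AUTH_BAD = 2, AUTH_LENGTH = 3 };

/* Constructed association state: only what this model needs. */
struct assoc {
    uint32_t keyid;                    /* 0 = no symmetric key configured */
    const uint8_t *key; size_t keylen; /* key material (constructed) */
    uint64_t org;                      /* originate timestamp state variable */
    unsigned bad_auth;                 /* counter worth alerting on */
};

/* Toy keyed digest (FNV-1a over key || header, widened to 16 bytes).  It
 * stands in for MD5 so the example runs offline; it is NOT a secure MAC. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
static void toy_mac(const struct assoc *a, const uint8_t *hdr, uint8_t out[DIGEST_LEN]) {
    uint64_t h1 = fnv1a(fnv1a(0xcbf29ce484222325ULL, a->key, a->keylen), hdr, NTP_HDR_LEN);
    uint64_t h2 = fnv1a(h1, (const uint8_t *)"2", 1);
    memcpy(out, &h1, 8);
    memcpy(out + 8, &h2, 8);
}
static int mac_valid(const struct assoc *a, const uint8_t *pkt) {
    uint8_t expect[DIGEST_LEN];
    uint32_t kid = 0;
    for (int i = 0; i < 4; i++) kid = kid << 8 | pkt[NTP_HDR_LEN + i];
    if (kid != a->keyid) return 0;
    toy_mac(a, pkt, expect);
    /* A production check would use a constant-time comparison here. */
    return memcmp(expect, pkt + NTP_HDR_LEN + 4, DIGEST_LEN) == 0;
}

/* Sec 2779 as modelled: a MAC is verified when present, but a packet that
 * carries none is never treated as a failure. */
static enum auth_result auth_check_flawed(const struct assoc *a, const uint8_t *pkt, size_t len) {
    if (len == NTP_HDR_LEN) return AUTH_OK;              /* bug: nothing was checked */
    if (len != NTP_HDR_LEN + MAC_LEN) return AUTH_LENGTH;
    return mac_valid(a, pkt) ? AUTH_OK : AUTH_BAD;
}
/* Hardened: with a key configured, a missing MAC is an authentication failure. */
static enum auth_result auth_check_fixed(const struct assoc *a, const uint8_t *pkt, size_t len) {
    if (len == NTP_HDR_LEN) return a->keyid ? AUTH_NONE : AUTH_OK;
    if (len != NTP_HDR_LEN + MAC_LEN) return AUTH_LENGTH;
    return mac_valid(a, pkt) ? AUTH_OK : AUTH_BAD;
}
static uint64_t read_xmt(const uint8_t *pkt) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = v << 8 | pkt[XMT_OFFSET + i];
    return v;
}

/* Sec 2781 as modelled: the state variable is written before the verdict,
 * so an unauthenticated packet still disturbs the association. */
enum auth_result receive_flawed(struct assoc *a, const uint8_t *pkt, size_t len) {
    a->org = read_xmt(pkt);
    enum auth_result r = auth_check_flawed(a, pkt, len);
    if (r != AUTH_OK) a->bad_auth++;
    return r;
}
/* Hardened: nothing in the association changes unless authentication passed. */
enum auth_result receive_fixed(struct assoc *a, const uint8_t *pkt, size_t len) {
    enum auth_result r = auth_check_fixed(a, pkt, len);
    if (r != AUTH_OK) { a->bad_auth++; return r; }
    a->org = read_xmt(pkt);
    return r;
}

/* Constructed packet: header carrying xmt, optional MAC, optionally corrupted. */
size_t build_packet(uint8_t *buf, const struct assoc *a, uint64_t xmt, int with_mac, int corrupt) {
    memset(buf, 0, NTP_HDR_LEN + MAC_LEN);
    buf[0] = 0x21;                                       /* LI 0, VN 4, mode 1 (symmetric active) */
    for (int i = 0; i < 8; i++) buf[XMT_OFFSET + i] = (uint8_t)(xmt >> (56 - 8 * i));
    if (!with_mac) return NTP_HDR_LEN;
    for (int i = 0; i < 4; i++) buf[NTP_HDR_LEN + i] = (uint8_t)(a->keyid >> (24 - 8 * i));
    toy_mac(a, buf, buf + NTP_HDR_LEN + 4);
    if (corrupt) buf[NTP_HDR_LEN + MAC_LEN - 1] ^= 0x01;
    return NTP_HDR_LEN + MAC_LEN;
}

/* Scenario driver: returns verdict * 10 + (1 if org was overwritten). */
int scenario(int fixed, int with_mac, int corrupt) {
    static const uint8_t key[] = "constructed-demo-key";
    struct assoc a = { 7, key, sizeof key - 1, 0, 0 };
    uint8_t pkt[NTP_HDR_LEN + MAC_LEN];
    size_t len = build_packet(pkt, &a, 0xd3c1b4f3a0000000ULL, with_mac, corrupt);
    enum auth_result r = fixed ? receive_fixed(&a, pkt, len) : receive_flawed(&a, pkt, len);
    return (int)r * 10 + (a.org != 0);
}
```

scenario(0, 0, 0) returns 1 (the flawed path accepts a packet with no MAC and overwrites org), while scenario(1, 0, 0) returns 10 (AUTH_NONE, state untouched); with a corrupted MAC the flawed path still overwrites org (21) where the fixed path leaves the association as it was (20). The bad_auth counter is the value worth exporting to whatever monitors the ntpd instance, as the mitigation text recommends.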
   3175 
   3176 * New script: update-leap
   3177 The update-leap script will verify and if necessary, update the
   3178 leap-second definition file.
   3179 It requires the following commands in order to work:
   3180 
   3181 	wget logger tr sed shasum
   3182 
   3183 Some may choose to run this from cron.  It needs more portability testing.
   3184 
   3185 Bug Fixes and Improvements:
   3186 
   3187 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
   3188 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
   3189 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
   3190 * [Bug 2728] See if C99-style structure initialization works.
   3191 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
   3192 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
   3193 * [Bug 2751] jitter.h has stale copies of l_fp macros.
   3194 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
   3195 * [Bug 2757] Quiet compiler warnings.
   3196 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
   3197 * [Bug 2763] Allow different thresholds for forward and backward steps.
   3198 * [Bug 2766] ntp-keygen output files should not be world-readable.
   3199 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
   3200 * [Bug 2771] nonvolatile value is documented in wrong units.
   3201 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
   3202 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
   3203 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
   3204 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
   3205   Removed non-ASCII characters from some copyright comments.
   3206   Removed trailing whitespace.
   3207   Updated definitions for Meinberg clocks from current Meinberg header files.
   3208   Now use C99 fixed-width types and avoid non-ASCII characters in comments.
   3209   Account for updated definitions pulled from Meinberg header files.
   3210   Updated comments on Meinberg GPS receivers which are not only called GPS16x.
   3211   Replaced some constant numbers by defines from ntp_calendar.h
   3212   Modified creation of parse-specific variables for Meinberg devices
   3213   in gps16x_message().
   3214   Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
    3215   Modified mbg_tm_str() which now expects an additional parameter controlling
   3216   if the time status shall be printed.
   3217 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   3218 * [Sec 2781] Authentication doesn't protect symmetric associations against
   3219   DoS attacks.
   3220 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
   3221 * [Bug 2789] Quiet compiler warnings from libevent.
   3222 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
   3223   pause briefly before measuring system clock precision to yield
   3224   correct results.
   3225 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
   3226 * Use predefined function types for parse driver functions
   3227   used to set up function pointers.
   3228   Account for changed prototype of parse_inp_fnc_t functions.
   3229   Cast parse conversion results to appropriate types to avoid
   3230   compiler warnings.
   3231   Let ioctl() for Windows accept a (void *) to avoid compiler warnings
   3232   when called with pointers to different types.
   3233 
   3234 ---
   3235 NTP 4.2.8p1 (Harlan Stenn <stenn (a] ntp.org>, 2015/02/04) 
   3236 
   3237 Focus: Security and Bug fixes, enhancements.
   3238 
   3239 Severity: HIGH
   3240  
   3241 In addition to bug fixes and enhancements, this release fixes the
   3242 following high-severity vulnerabilities:
   3243 
   3244 * vallen is not validated in several places in ntp_crypto.c, leading
   3245   to a potential information leak or possibly a crash
   3246 
   3247     References: Sec 2671 / CVE-2014-9297 / VU#852879
   3248     Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
   3249     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   3250     Date Resolved: Stable (4.2.8p1) 04 Feb 2015
   3251     Summary: The vallen packet value is not validated in several code
   3252              paths in ntp_crypto.c which can lead to information leakage
   3253 	     or perhaps a crash of the ntpd process.
   3254     Mitigation - any of:
   3255 	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   3256 		or the NTP Public Services Project Download Page.
   3257 	Disable Autokey Authentication by removing, or commenting out,
   3258 		all configuration directives beginning with the "crypto"
   3259 		keyword in your ntp.conf file. 
   3260     Credit: This vulnerability was discovered by Stephen Roettger of the
   3261     	Google Security Team, with additional cases found by Sebastian
   3262 	Krahmer of the SUSE Security Team and Harlan Stenn of Network
   3263 	Time Foundation. 
   3264 
   3265 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
   3266   can be bypassed.
   3267 
   3268     References: Sec 2672 / CVE-2014-9298 / VU#852879
   3269     Affects: All NTP4 releases before 4.2.8p1, under at least some
   3270 	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
   3271     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
   3272     Date Resolved: Stable (4.2.8p1) 04 Feb 2015
   3273     Summary: While available kernels will prevent 127.0.0.1 addresses
   3274 	from "appearing" on non-localhost IPv4 interfaces, some kernels
   3275 	do not offer the same protection for ::1 source addresses on
   3276 	IPv6 interfaces. Since NTP's access control is based on source
   3277 	address and localhost addresses generally have no restrictions,
   3278 	an attacker can send malicious control and configuration packets
   3279 	by spoofing ::1 addresses from the outside. Note Well: This is
   3280 	not really a bug in NTP, it's a problem with some OSes. If you
   3281 	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
   3282 	ACL restrictions on any application can be bypassed!
   3283     Mitigation:
   3284         Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   3285 	or the NTP Public Services Project Download Page
   3286         Install firewall rules to block packets claiming to come from
   3287 	::1 from inappropriate network interfaces. 
   3288     Credit: This vulnerability was discovered by Stephen Roettger of
   3289 	the Google Security Team. 
   3290 
   3291 Additionally, over 30 bugfixes and improvements were made to the codebase.
   3292 See the ChangeLog for more information.
   3293 
   3294 ---
   3295 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 
   3296  
   3297 Focus: Security and Bug fixes, enhancements.
   3298  
   3299 Severity: HIGH
   3300  
   3301 In addition to bug fixes and enhancements, this release fixes the
   3302 following high-severity vulnerabilities:
   3303 
   3304 ************************** vv NOTE WELL vv *****************************
   3305 
   3306 The vulnerabilities listed below can be significantly mitigated by
   3307 following the BCP of putting
   3308 
   3309  restrict default ... noquery
   3310 
   3311 in the ntp.conf file.  With the exception of:
   3312 
   3313    receive(): missing return on error
   3314    References: Sec 2670 / CVE-2014-9296 / VU#852879
   3315 
   3316 below (which is a limited-risk vulnerability), none of the recent
   3317 vulnerabilities listed below can be exploited if the source IP is
   3318 restricted from sending a 'query'-class packet by your ntp.conf file.
   3319 
   3320 ************************** ^^ NOTE WELL ^^ *****************************
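
The following is an added example, not part of the NTP distribution: a small audit of the "restrict default ... noquery" BCP recommended in the NOTE WELL block. It embeds two constructed ntp.conf texts (one with no restrict lines, one hardened) and decides whether a mode 6 (ntpq) or mode 7 (ntpdc) query from a given source address would be answered. The matching model is a deliberate simplification of ntpd's restrict list: the most specific matching line decides, and a source matched by no line is unrestricted. It also shows why the ::1 spoofing note in the 4.2.8p1 entry above matters: the hardened file, like most, leaves localhost unrestricted, so a kernel that accepts a forged ::1 source defeats the ACL.

```python
"""Audit an ntp.conf for the 'restrict default ... noquery' BCP.

Added example, not code from the NTP project.  The two configuration texts
are constructed for illustration; the matching logic is a simplified model
of ntpd's restrict list (longest matching prefix wins, no match means no
restriction).
"""
import ipaddress

WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
# No restrict lines at all: any source may send mode 6 (ntpq) or
# mode 7 (ntpdc) queries, which is the exposure the NOTE WELL is about.
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# a management network that may query but not reconfigure (constructed)
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

QUERY_DENYING_FLAGS = {"noquery", "ignore"}


def parse_restricts(conf):
    """Yield (network, flags) for every restrict line, in file order."""
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        words = words[1:]
        family = None
        if words[0] in ("-4", "-6"):
            family = words.pop(0)
        if not words:
            continue
        target = words.pop(0)
        if target == "default":
            both = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
            nets = {None: both, "-4": both[:1], "-6": both[1:]}[family]
        else:
            mask = None
            if len(words) >= 2 and words[0] == "mask":
                mask = words[1]
                words = words[2:]
            spec = f"{target}/{mask}" if mask else target
            nets = [ipaddress.ip_network(spec, strict=False)]
        flags = set(words)
        for net in nets:
            yield net, flags


def query_allowed(conf, source):
    """True if a mode 6/7 query from `source` would be answered."""
    src = ipaddress.ip_address(source)
    best = None
    for net, flags in parse_restricts(conf):
        if net.version == src.version and src in net:
            if best is None or net.prefixlen >= best[0].prefixlen:
                best = (net, flags)
    if best is None:
        return True          # no restrict line matched: unrestricted
    return not (best[1] & QUERY_DENYING_FLAGS)


def exposed_to_remote_queries(conf):
    """Verdict for the BCP: can an arbitrary v4 or v6 source query us?"""
    return query_allowed(conf, "203.0.113.9") or query_allowed(conf, "2001:db8::9")


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "exposed:", exposed_to_remote_queries(conf),
              "::1 allowed:", query_allowed(conf, "::1"))
```

Run against a real file by reading it into `conf`; a True from `exposed_to_remote_queries` means the mode 6/7 attack surface described above is reachable from the network.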
   3321 
   3322 * Weak default key in config_auth().
   3323 
   3324   References: [Sec 2665] / CVE-2014-9293 / VU#852879
   3325   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   3326   Vulnerable Versions: all releases prior to 4.2.7p11
   3327   Date Resolved: 28 Jan 2010
   3328 
   3329   Summary: If no 'auth' key is set in the configuration file, ntpd
   3330 	would generate a random key on the fly.  There were two
   3331 	problems with this: 1) the generated key was 31 bits in size,
   3332 	and 2) it used the (now weak) ntp_random() function, which was
   3333 	seeded with a 32-bit value and could only provide 32 bits of
   3334 	entropy.  This was sufficient back in the late 1990s when the
   3335 	code was written.  Not today.
   3336 
   3337   Mitigation - any of:
   3338 	- Upgrade to 4.2.7p11 or later.
   3339 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3340 
   3341   Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
   3342   	of the Google Security Team.
   3343 
   3344 * Non-cryptographic random number generator with weak seed used by
   3345   ntp-keygen to generate symmetric keys.
   3346 
   3347   References: [Sec 2666] / CVE-2014-9294 / VU#852879
   3348   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   3349   Vulnerable Versions: All NTP4 releases before 4.2.7p230
   3350   Date Resolved: Dev (4.2.7p230) 01 Nov 2011
   3351 
   3352   Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
   3353   	prepare a random number generator that was of good quality back
   3354 	in the late 1990s. The random numbers produced were then used to
   3355 	generate symmetric keys. In ntp-4.2.8 we use a current-technology
   3356 	cryptographic random number generator, either RAND_bytes from
   3357 	OpenSSL, or arc4random(). 
   3358 
   3359   Mitigation - any of:
   3360   	- Upgrade to 4.2.7p230 or later.
   3361 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3362 
   3363   Credit:  This vulnerability was discovered in ntp-4.2.6 by
   3364   	Stephen Roettger of the Google Security Team.
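
The two entries above (the 31-bit default key drawn from a 32-bit-seeded ntp_random(), and ntp-keygen's weakly seeded generator) come down to the same thing: a key space small enough to enumerate. The block below is an added example, not ntpd or ntp-keygen code. weak_default_key() stands in for the old behaviour using Python's Mersenne Twister rather than the real ntp_random(), so only the key-space size is faithful; strong_keys() does in spirit what 4.2.7p230 and later do, drawing key bytes from the OS CSPRNG and writing them in ntp.keys format. The MAC follows NTP's symmetric authentication (digest over key || packet, not HMAC); the packet bytes and the 4-byte encoding of the weak key are constructed for the demonstration.

```python
"""Weak vs. cryptographically random symmetric keys for ntp.keys.

Added example, not code from the NTP project.  Python's random.Random is a
stand-in for ntp_random() (same idea: small seed, non-cryptographic output),
secrets/os.urandom is the stand-in for RAND_bytes()/arc4random().
"""
import hashlib
import random
import secrets


def weak_default_key(seed32, bits=31):
    """A key from a non-cryptographic PRNG seeded with 32 bits and truncated
    to `bits` bits: at most 2**32 seeds and 2**bits distinct keys."""
    return random.Random(seed32 & 0xFFFFFFFF).getrandbits(bits)


def strong_keys(count=10, nbytes=20):
    """(keyno, type, hexkey) triples as ntp-keygen writes them; ntpd reads a
    40-hex-digit key as 20 raw bytes."""
    return [(n, "SHA1", secrets.token_hex(nbytes)) for n in range(1, count + 1)]


def format_keys_file(keys):
    """ntp.keys line format: <keyno> <type> <key>."""
    return "".join(f"{n} {t} {k}\n" for n, t, k in keys)


def ntp_mac(key, packet, algo="sha1"):
    """Digest over key || packet, which is how NTP symmetric-key
    authentication (not HMAC) computes the MAC appended to a packet."""
    return hashlib.new(algo, key + packet).digest()


def recover_key_by_search(packet, mac, key_bits, algo="sha1"):
    """Enumerate every key in a `key_bits`-bit space against one captured
    (packet, mac) pair.  The 4-byte big-endian key encoding is an assumption
    of this demo.  For a real 31-bit key that is 2**31 digests, i.e. minutes
    on one core, which is the whole point of the two advisories."""
    for cand in range(1 << key_bits):
        if ntp_mac(cand.to_bytes(4, "big"), packet, algo) == mac:
            return cand
    return None


if __name__ == "__main__":
    print(format_keys_file(strong_keys(3)), end="")
    pkt = bytes(48)                         # constructed 48-byte NTP packet body
    k = weak_default_key(0xDEADBEEF, bits=12)   # 12-bit toy space for a quick run
    print("recovered", recover_key_by_search(pkt, ntp_mac(k.to_bytes(4, "big"), pkt), 12))
```

The search uses a 12-bit toy key space so it finishes instantly; the cost scales as 2**bits, which is why 31 bits of key (or 32 bits of seed) is not a meaningful barrier while a 160-bit key from the CSPRNG is.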
   3365 
   3366 * Buffer overflow in crypto_recv()
   3367 
   3368   References: Sec 2667 / CVE-2014-9295 / VU#852879
   3369   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   3370   Versions: All releases before 4.2.8
   3371   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3372 
   3373   Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
   3374   	file contains a 'crypto pw ...' directive) a remote attacker
   3375 	can send a carefully crafted packet that can overflow a stack
   3376 	buffer and potentially allow malicious code to be executed
   3377 	with the privilege level of the ntpd process.
   3378 
   3379   Mitigation - any of:
   3380   	- Upgrade to 4.2.8, or later, or
   3381 	- Disable Autokey Authentication by removing, or commenting out,
   3382 	  all configuration directives beginning with the crypto keyword
   3383 	  in your ntp.conf file. 
   3384 
   3385   Credit: This vulnerability was discovered by Stephen Roettger of the
   3386   	Google Security Team. 
   3387 
   3388 * Buffer overflow in ctl_putdata()
   3389 
   3390   References: Sec 2668 / CVE-2014-9295 / VU#852879
   3391   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   3392   Versions: All NTP4 releases before 4.2.8
   3393   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3394 
   3395   Summary: A remote attacker can send a carefully crafted packet that
   3396   	can overflow a stack buffer and potentially allow malicious
   3397 	code to be executed with the privilege level of the ntpd process.
   3398 
   3399   Mitigation - any of:
   3400   	- Upgrade to 4.2.8, or later.
   3401 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3402 
   3403   Credit: This vulnerability was discovered by Stephen Roettger of the
   3404   	Google Security Team. 
   3405 
   3406 * Buffer overflow in configure()
   3407 
   3408   References: Sec 2669 / CVE-2014-9295 / VU#852879
   3409   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   3410   Versions: All NTP4 releases before 4.2.8
   3411   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3412 
   3413   Summary: A remote attacker can send a carefully crafted packet that
   3414 	can overflow a stack buffer and potentially allow malicious
   3415 	code to be executed with the privilege level of the ntpd process.
   3416 
   3417   Mitigation - any of:
   3418   	- Upgrade to 4.2.8, or later.
   3419 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3420 
   3421   Credit: This vulnerability was discovered by Stephen Roettger of the
   3422 	Google Security Team. 
   3423 
   3424 * receive(): missing return on error
   3425 
   3426   References: Sec 2670 / CVE-2014-9296 / VU#852879
   3427   CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
   3428   Versions: All NTP4 releases before 4.2.8
   3429   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3430 
   3431   Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
   3432   	the code path where an error was detected, which meant
   3433 	processing did not stop when a specific rare error occurred.
   3434 	We haven't found a way for this bug to affect system integrity.
   3435 	If there is no way to affect system integrity the base CVSS
   3436 	score for this bug is 0. If there is one avenue through which
   3437 	system integrity can be partially affected, the base score
   3438 	becomes a 5. If system integrity can be partially affected
   3439 	via all three integrity metrics, the CVSS base score becomes 7.5.
   3440 
   3441   Mitigation - any of:
   3442         - Upgrade to 4.2.8, or later,
   3443         - Remove or comment out all configuration directives
   3444 	  beginning with the crypto keyword in your ntp.conf file. 
   3445 
   3446   Credit: This vulnerability was discovered by Stephen Roettger of the
   3447   	Google Security Team. 
   3448 
   3449 See http://support.ntp.org/security for more information.
   3450 
   3451 New features / changes in this release:
   3452 
   3453 Important Changes
   3454 
   3455 * Internal NTP Era counters
   3456 
   3457 The internal counters that track the "era" (range of years) we are in
   3458 roll over every 2^32 seconds, about 136 years.  The current "era" started
   3459 at the stroke of midnight on 1 Jan 1900 and ends on 7 Feb 2036 at
   3460 06:28:16 UTC.
   3461 In the past, we have used the "midpoint" of the range to decide which
   3462 era we were in.  Given the longevity of some products, it became clear
   3463 that it would be more functional to "look back" less, and "look forward"
   3464 more.  We now compile a timestamp into the ntpd executable and when we
   3465 get a timestamp we use the "built-on" time to tell us what era we are in.
   3466 This check "looks back" 10 years, and "looks forward" 126 years.
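
As an added example (not ntpd's code), the block below implements the era rule just described: a 32-bit NTP seconds field is placed in the era that puts it no more than 10 years before a "built-on" pivot, which leaves about 126 years of look-ahead. The old midpoint rule is included for comparison so the difference is visible on a timestamp from 2100. The pivot and the sample timestamps are constructed values.

```python
"""Resolve a 32-bit NTP seconds value to a full date using a build-time pivot.

Added example, not code from the NTP project.  NTP_UNIX_OFFSET is the
seconds from 1900-01-01 to 1970-01-01; one era is 2^32 seconds.
"""
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2_208_988_800
ERA_SECONDS = 1 << 32                        # ~136.1 years
LOOKBACK_SECONDS = int(10 * 365.25 * 86400)  # "look back" 10 years

BUILT_ON = 1_704_067_200   # 2024-01-01 UTC, constructed "built-on" pivot


def unix_to_ntp32(unix_secs):
    """The 32-bit seconds field a packet carries for this Unix time."""
    return (unix_secs + NTP_UNIX_OFFSET) % ERA_SECONDS


def _resolve(ntp32, lower_ntp):
    """Pick the era k so that ntp32 + k*2^32 is the first value >= lower_ntp."""
    k = -((ntp32 - lower_ntp) // ERA_SECONDS)   # ceil((lower - ntp32) / 2^32)
    return ntp32 + k * ERA_SECONDS - NTP_UNIX_OFFSET


def ntp32_to_unix(ntp32, pivot_unix=BUILT_ON):
    """Current rule: window starts 10 years before the pivot."""
    if not 0 <= ntp32 < ERA_SECONDS:
        raise ValueError("not a 32-bit NTP seconds value")
    return _resolve(ntp32, pivot_unix + NTP_UNIX_OFFSET - LOOKBACK_SECONDS)


def midpoint_to_unix(ntp32, pivot_unix=BUILT_ON):
    """Older rule for comparison: pivot at the window's midpoint, so it
    looks back and forward ~68 years each."""
    return _resolve(ntp32, pivot_unix + NTP_UNIX_OFFSET - ERA_SECONDS // 2)


def iso_date(unix_secs):
    return datetime.fromtimestamp(unix_secs, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    for label, unix in (("2010-01-01", 1_262_304_000), ("2040-01-01", 2_208_988_800),
                        ("2100-01-01", 4_102_444_800)):
        field = unix_to_ntp32(unix)
        print(label, "field", field,
              "new rule ->", iso_date(ntp32_to_unix(field)),
              "midpoint rule ->", iso_date(midpoint_to_unix(field)))
```

With a 2024 pivot the 2040 and 2100 timestamps (both past the end of era 0) decode correctly under the new rule, while the midpoint rule lands the 2100 value in 1963. The price of the short look-back is that a genuine 2010 timestamp decodes as 2146, which is the trade-off the entry describes.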
   3467 
   3468 * ntpdc responses disabled by default
   3469 
   3470 Dave Hart writes:
   3471 
   3472 For a long time, ntpq and its mostly text-based mode 6 (control) 
   3473 protocol have been preferred over ntpdc and its mode 7 (private 
   3474 request) protocol for runtime queries and configuration.  There has 
   3475 been a goal of deprecating ntpdc, previously held back by numerous 
   3476 capabilities exposed by ntpdc with no ntpq equivalent.  I have been 
   3477 adding commands to ntpq to cover these cases, and I believe I've 
   3478 covered them all, though I've not compared command-by-command 
   3479 recently. 
   3480 
   3481 As I've said previously, the binary mode 7 protocol involves a lot of 
   3482 hand-rolled structure layout and byte-swapping code in both ntpd and 
   3483 ntpdc which is hard to get right.  As ntpd grows and changes, the 
   3484 changes are difficult to expose via ntpdc while maintaining forward 
   3485 and backward compatibility between ntpdc and ntpd.  In contrast, 
   3486 ntpq's text-based, label=value approach involves more code reuse and 
   3487 allows compatible changes without extra work in most cases. 
   3488 
   3489 Mode 7 has always been defined as vendor/implementation-specific while 
   3490 mode 6 is described in RFC 1305 and intended to be open to interoperate 
   3491 with other implementations.  There is an early draft of an updated 
   3492 mode 6 description that likely will join the other NTPv4 RFCs 
   3493 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
   3494 
   3495 For these reasons, ntpd 4.2.7p230 by default disables processing of 
   3496 ntpdc queries, reducing ntpd's attack surface and functionally 
   3497 deprecating ntpdc.  If you are in the habit of using ntpdc for certain 
   3498 operations, please try the ntpq equivalent.  If there's no equivalent, 
   3499 please open a bug report at http://bugs.ntp.org./
   3500 
   3501 In addition to the above, over 1100 issues have been resolved between
   3502 the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
   3503 lists these.
   3504 
   3505 --- 
   3506 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 
   3507  
   3508 Focus: Bug fixes
   3509  
   3510 Severity: Medium 
   3511  
   3512 This is a recommended upgrade. 
   3513 
   3514 This release updates sys_rootdisp and sys_jitter calculations to match the
   3515 RFC specification, fixes a potential IPv6 address matching error for the
   3516 "nic" and "interface" configuration directives, suppresses the creation of
   3517 extraneous ephemeral associations for certain broadcastclient and
   3518 multicastclient configurations, cleans up some ntpq display issues, and
   3519 includes improvements to orphan mode, minor bugs fixes and code clean-ups.
   3520 
   3521 New features / changes in this release:
   3522 
   3523 ntpd
   3524 
   3525  * Updated "nic" and "interface" IPv6 address handling to prevent 
   3526    mismatches with localhost [::1] and wildcard [::] which resulted from
   3527    using the address/prefix format (e.g. fe80::/64)
   3528  * Fix orphan mode stratum incorrectly counting to infinity
   3529  * Orphan parent selection metric updated to include missing ntohl()
   3530  * Non-printable stratum 16 refid no longer sent to ntp
   3531  * Duplicate ephemeral associations suppressed for broadcastclient and
   3532    multicastclient without broadcastdelay
   3533  * Exclude undetermined sys_refid from use in loopback TEST12
   3534  * Exclude MODE_SERVER responses from KoD rate limiting
   3535  * Include root delay in clock_update() sys_rootdisp calculations
   3536  * get_systime() updated to exclude sys_residual offset (which only
   3537    affected bits "below" sys_tick, the precision threshold)
   3538  * sys.peer jitter weighting corrected in sys_jitter calculation
   3539 
   3540 ntpq
   3541 
   3542  * -n option extended to include the billboard "server" column
   3543  * IPv6 addresses in the local column truncated to prevent overruns
   3544 
   3545 --- 
   3546 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 
   3547  
   3548 Focus: Bug fixes and portability improvements 
   3549  
   3550 Severity: Medium 
   3551  
   3552 This is a recommended upgrade. 
   3553  
   3554 This release includes build infrastructure updates, code 
   3555 clean-ups, minor bug fixes, fixes for a number of minor 
   3556 ref-clock issues, and documentation revisions. 
   3557  
   3558 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 
   3559  
   3560 New features / changes in this release: 
   3561  
   3562 Build system 
   3563  
   3564 * Fix checking for struct rtattr 
   3565 * Update config.guess and config.sub for AIX 
   3566 * Upgrade required version of autogen and libopts for building 
   3567   from our source code repository 
   3568  
   3569 ntpd 
   3570  
   3571 * Back-ported several fixes for Coverity warnings from ntp-dev 
   3572 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 
   3573 * Allow "logconfig =allall" configuration directive 
   3574 * Bind tentative IPv6 addresses on Linux 
   3575 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 
   3576 * Improved tally bit handling to prevent incorrect ntpq peer status reports 
   3577 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 
   3578   candidate list unless they are designated a "prefer peer" 
   3579 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 
   3580   selection during the 'tos orphanwait' period 
   3581 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 
   3582   drivers 
   3583 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 
   3584 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 
   3585 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 
   3586   clock slew on Microsoft Windows 
   3587 * Code cleanup in libntpq 
   3588  
   3589 ntpdc 
   3590  
   3591 * Fix timerstats reporting 
   3592  
   3593 ntpdate 
   3594  
   3595 * Reduce time required to set clock 
   3596 * Allow a timeout greater than 2 seconds 
   3597  
   3598 sntp 
   3599  
   3600 * Backward incompatible command-line option change: 
   3601   -l/--filelog changed -l/--logfile (to be consistent with ntpd) 
   3602  
   3603 Documentation 
   3604  
   3605 * Update html2man. Fix some tags in the .html files 
   3606 * Distribute ntp-wait.html 
   3607 
   3608 ---
   3609 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03)
   3610 
   3611 Focus: Bug fixes and portability improvements
   3612 
   3613 Severity: Medium
   3614 
   3615 This is a recommended upgrade.
   3616 
   3617 This release includes build infrastructure updates, code
   3618 clean-ups, minor bug fixes, fixes for a number of minor
   3619 ref-clock issues, and documentation revisions.
   3620 
   3621 Portability improvements in this release affect AIX, Atari FreeMiNT,
   3622 FreeBSD4, Linux and Microsoft Windows.
   3623 
   3624 New features / changes in this release:
   3625 
   3626 Build system
   3627 * Use lsb_release to get information about Linux distributions.
   3628 * 'test' is in /usr/bin (instead of /bin) on some systems.
   3629 * Basic sanity checks for the ChangeLog file.
   3630 * Source certain build files with ./filename for systems without . in PATH.
   3631 * IRIX portability fix.
   3632 * Use a single copy of the "libopts" code.
   3633 * autogen/libopts upgrade.
   3634 * configure.ac m4 quoting cleanup.
   3635 
   3636 ntpd
   3637 * Do not bind to IN6_IFF_ANYCAST addresses.
   3638 * Log the reason for exiting under Windows.
   3639 * Multicast fixes for Windows.
   3640 * Interpolation fixes for Windows.
   3641 * IPv4 and IPv6 Multicast fixes.
   3642 * Manycast solicitation fixes and general repairs.
   3643 * JJY refclock cleanup.
   3644 * NMEA refclock improvements.
   3645 * Oncore debug message cleanup.
   3646 * Palisade refclock now builds under Linux.
   3647 * Give RAWDCF more baud rates.
   3648 * Support Truetime Satellite clocks under Windows.
   3649 * Support Arbiter 1093C Satellite clocks under Windows.
   3650 * Make sure that the "filegen" configuration command defaults to "enable".
   3651 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
   3652 * Prohibit 'includefile' directive in remote configuration command.
   3653 * Fix 'nic' interface bindings.
   3654 * Fix the way we link with openssl if openssl is installed in the base
   3655   system.
   3656 
   3657 ntp-keygen
   3658 * Fix -V coredump.
   3659 * OpenSSL version display cleanup.
   3660 
   3661 ntpdc
   3662 * Many counters should be treated as unsigned.
   3663 
   3664 ntpdate
   3665 * Do not ignore replies with equal receive and transmit timestamps.
   3666 
   3667 ntpq
   3668 * libntpq warning cleanup.
   3669 
   3670 ntpsnmpd
   3671 * Correct SNMP type for "precision" and "resolution".
   3672 * Update the MIB from the draft version to RFC-5907.
   3673 
   3674 sntp
   3675 * Display timezone offset when showing time for sntp in the local
   3676   timezone.
   3677 * Pay proper attention to RATE KoD packets.
   3678 * Fix a miscalculation of the offset.
   3679 * Properly parse empty lines in the key file.
   3680 * Logging cleanup.
   3681 * Use tv_usec correctly in set_time().
   3682 * Documentation cleanup.
   3683 
   3684 ---
   3685 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08)
   3686 
   3687 Focus: Bug fixes and portability improvements
   3688 
   3689 Severity: Medium
   3690 
   3691 This is a recommended upgrade.
   3692 
   3693 This release includes build infrastructure updates, code
   3694 clean-ups, minor bug fixes, fixes for a number of minor
   3695 ref-clock issues, improved KOD handling, OpenSSL related
   3696 updates and documentation revisions.
   3697 
   3698 Portability improvements in this release affect Irix, Linux,
   3699 Mac OS, Microsoft Windows, OpenBSD and QNX6
   3700 
   3701 New features / changes in this release:
   3702 
   3703 ntpd
   3704 * Range syntax for the trustedkey configuration directive
   3705 * Unified IPv4 and IPv6 restrict lists
   3706 
   3707 ntpdate
   3708 * Rate limiting and KOD handling
   3709 
   3710 ntpsnmpd
   3711 * default connection to net-snmpd via a unix-domain socket
   3712 * command-line 'socket name' option
   3713 
   3714 ntpq / ntpdc
   3715 * support for the "passwd ..." syntax
   3716 * key-type specific password prompts
   3717 
   3718 sntp
   3719 * MD5 authentication of an ntpd
   3720 * Broadcast and crypto
   3721 * OpenSSL support
   3722 
   3723 ---
   3724 NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09)
   3725 
   3726 Focus: Bug fixes, portability fixes, and documentation improvements
   3727 
   3728 Severity: Medium
   3729 
   3730 This is a recommended upgrade.
   3731 
   3732 ---
   3733 NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   3734 
   3735 Focus: enhancements and bug fixes.
   3736 
   3737 ---
   3738 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   3739 
   3740 Focus: Security Fixes
   3741 
   3742 Severity: HIGH
   3743 
   3744 This release fixes the following high-severity vulnerability:
   3745 
   3746 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
   3747 
   3748   See http://support.ntp.org/security for more information.
   3749 
   3750   NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
   3751   In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
   3752   transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
   3753   request or a mode 7 error response from an address which is not listed
   3754   in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
   3755   reply with a mode 7 error response (and log a message).  In this case:
   3756 
   3757 	* If an attacker spoofs the source address of ntpd host A in a
   3758 	  mode 7 response packet sent to ntpd host B, both A and B will
   3759 	  continuously send each other error responses, for as long as
   3760 	  those packets get through.
   3761 
   3762 	* If an attacker spoofs an address of ntpd host A in a mode 7
   3763 	  response packet sent to ntpd host A, A will respond to itself
   3764 	  endlessly, consuming CPU and logging excessively.
   3765 
   3766   Credit for finding this vulnerability goes to Robin Park and Dmitri
   3767   Vinokurov of Alcatel-Lucent.
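
The two scenarios above can be simulated. The block below is an added example, not ntpd's code: two simulated hosts run the same handler over 8-byte mode 7 headers (layout per ntp_request.h: response and more bits, version and mode in byte 0; auth bit and sequence; implementation; request code; err/nitems; mbz/itemsize). The vulnerable handler answers both a bad request and an error response with a new error response, so a single spoofed packet keeps A and B (or A and itself) exchanging errors until something drops them; the fixed handler never answers a packet that already carries the response bit, so a spoofed error response is ignored and a spoofed bad request draws exactly one reply. The version number in byte 0 and the error code value are assumptions for this demo, and the "network" is just a Python loop.

```python
"""Simulate the mode 7 error-response loop and the fix of dropping responses.

Added example, not code from the NTP project.  Packets are constructed;
VERSION and INFO_ERR_REQ are assumed values for illustration.
"""
import struct

RESPONSE_BIT = 0x80
MODE_PRIVATE = 7          # mode 7, the ntpdc protocol
VERSION = 2               # assumed value for the 3-bit version field
IMPL_XNTPD = 3
REQ_UNKNOWN = 0xC8        # constructed request code the server does not know
INFO_ERR_REQ = 2          # assumed "unknown request" error value
MAX_ROUNDS = 100          # the vulnerable exchange only stops when we stop it


def mode7_header(response, request=REQ_UNKNOWN, err=0, seq=0):
    """Build the 8-byte fixed header of a mode 7 packet."""
    b0 = (RESPONSE_BIT if response else 0) | (VERSION << 3) | MODE_PRIVATE
    err_nitems = ((err & 0xF) << 12) | 0          # nitems = 0
    return struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, request, err_nitems, 0)


def parse_mode7(pkt):
    b0, auth_seq, impl, request, err_nitems, _ = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & RESPONSE_BIT),
        "version": (b0 >> 3) & 7,
        "mode": b0 & 7,
        "impl": impl,
        "request": request,
        "err": err_nitems >> 12,
    }


def handle(pkt, fixed):
    """The reply a host emits for an incoming packet, or None if it stays silent."""
    h = parse_mode7(pkt)
    if h["mode"] != MODE_PRIVATE:
        return None
    if fixed and h["response"]:
        return None   # the fix: responses, error responses included, are dropped
    if h["response"] or h["request"] == REQ_UNKNOWN:
        return mode7_header(response=True, request=h["request"], err=INFO_ERR_REQ)
    return None       # a known request would be answered with data here


def run_exchange(first_pkt, fixed, max_rounds=MAX_ROUNDS):
    """A spoofed packet reaches host B claiming to be from A.  Every reply is
    delivered to the other host, which runs the same handler; the count of
    packets sent before silence is returned (the self-spoof case behaves the
    same, the 'other host' just being A itself)."""
    pkt, sent = first_pkt, 0
    for _ in range(max_rounds):
        reply = handle(pkt, fixed)
        if reply is None:
            break
        sent += 1
        pkt = reply
    return sent


if __name__ == "__main__":
    spoofed_error = mode7_header(response=True, err=INFO_ERR_REQ)
    spoofed_bad_request = mode7_header(response=False)
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable",
              "error-response:", run_exchange(spoofed_error, fixed),
              "bad-request:", run_exchange(spoofed_bad_request, fixed))
```

Note that even with the fix a forged bad request still reflects one error response to the victim address, which is why "restrict ... noquery" (or "ignore") for untrusted sources remains the right companion to the upgrade.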
   3768 
   3769 THIS IS A STRONGLY RECOMMENDED UPGRADE.
   3770 
   3771 ---
   3772 ntpd now syncs to refclocks right away.
   3773 
   3774 Backward-Incompatible changes:
   3775 
   3776 ntpd no longer accepts '-v name' or '-V name' to define internal variables.
   3777 Use '--var name' or '--dvar name' instead. (Bug 817)
   3778 
   3779 ---
   3780 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04)
   3781 
   3782 Focus: Security and Bug Fixes
   3783 
   3784 Severity: HIGH
   3785 
   3786 This release fixes the following high-severity vulnerability:
   3787 
   3788 * [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
   3789 
   3790   See http://support.ntp.org/security for more information.
   3791 
   3792   If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
   3793   line) then a carefully crafted packet sent to the machine will cause
   3794   a buffer overflow and possible execution of injected code, running
   3795   with the privileges of the ntpd process (often root).
   3796 
   3797   Credit for finding this vulnerability goes to Chris Ries of CMU.
   3798 
   3799 This release fixes the following low-severity vulnerabilities:
   3800 
   3801 * [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
   3802   Credit for finding this vulnerability goes to Geoff Keating of Apple.
   3803   
   3804 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
   3805   Credit for finding this issue goes to Dave Hart.
   3806 
   3807 This release fixes a number of bugs and adds some improvements:
   3808 
   3809 * Improved logging
   3810 * Fix many compiler warnings
   3811 * Many fixes and improvements for Windows
   3812 * Adds support for AIX 6.1
   3813 * Resolves some issues under MacOS X and Solaris
   3814 
   3815 THIS IS A STRONGLY RECOMMENDED UPGRADE.
   3816 
   3817 ---
   3818 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07)
   3819 
   3820 Focus: Security Fix
   3821 
   3822 Severity: Low
   3823 
   3824 This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
   3825 the OpenSSL library relating to the incorrect checking of the return
   3826 value of EVP_VerifyFinal function.
   3827 
   3828 Credit for finding this issue goes to the Google Security Team for
   3829 finding the original issue with OpenSSL, and to ocert.org for finding
   3830 the problem in NTP and telling us about it.
   3831 
   3832 This is a recommended upgrade.
   3833 ---
   3834 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17)
   3835 
   3836 Focus: Minor Bugfixes 
   3837 
   3838 This release fixes a number of Windows-specific ntpd bugs and 
   3839 platform-independent ntpdate bugs. A logging bugfix has been applied
   3840 to the ONCORE driver.
   3841 
   3842 The "dynamic" keyword is now obsolete, and deferred binding to local
   3843 interfaces is the new default. The minimum time restriction for the
   3844 interface update interval has been dropped.
   3845 
   3846 A number of minor build system and documentation fixes are included. 
   3847 
   3848 This is a recommended upgrade for Windows. 
   3849 
   3850 ---
   3851 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10)
   3852 
   3853 Focus: Minor Bugfixes
   3854 
   3855 This release updates certain copyright information, fixes several display
   3856 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
   3857 shutdown in the parse refclock driver, removes some lint from the code,
   3858 stops accessing certain buffers immediately after they were freed, fixes
   3859 a problem with non-command-line specification of -6, and allows the loopback
   3860 interface to share addresses with other interfaces.
   3861 
   3862 ---
   3863 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29)
   3864 
   3865 Focus: Minor Bugfixes
   3866 
   3867 This release fixes a bug in Windows that made it difficult to
   3868 terminate ntpd under windows.
   3869 This is a recommended upgrade for Windows.
   3870 
   3871 ---
   3872 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19)
   3873 
   3874 Focus: Minor Bugfixes
   3875 
   3876 This release fixes a multicast mode authentication problem, 
   3877 an error in NTP packet handling on Windows that could lead to 
   3878 ntpd crashing, and several other minor bugs. Handling of 
   3879 multicast interfaces and logging configuration were improved. 
   3880 The required versions of autogen and libopts were incremented.
   3881 This is a recommended upgrade for Windows and multicast users.
   3882 
   3883 ---
   3884 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31)
   3885 
   3886 Focus: enhancements and bug fixes.
   3887 
   3888 Dynamic interface rescanning was added to simplify the use of ntpd in 
   3889 conjunction with DHCP. GNU AutoGen is used for its command-line options 
   3890 processing. Separate PPS devices are supported for PARSE refclocks, MD5 
   3891 signatures are now provided for the release files. Drivers have been 
   3892 added for some new ref-clocks and have been removed for some older 
   3893 ref-clocks. This release also includes other improvements, documentation 
   3894 and bug fixes. 
   3895 
   3896 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 
   3897 C support.
   3898 
   3899 ---
   3900 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15)
   3901 
   3902 Focus: enhancements and bug fixes.
   3903 ---
   3904 NTP 4.2.8p17 (Harlan Stenn <stenn (a] ntp.org>, 2023 Jun 06)
   3905 
   3906 Focus: Bug fixes
   3907 
   3908 Severity: HIGH (for people running 4.2.8p16)
   3909 
   3910 This release:
   3911 
   3912 - fixes 3 bugs, including a regression
   3913 - adds new unit tests
   3914 
   3915 Details below:
   3916 
   3917 * [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
   3918              event_sync.  Reported by Edward McGuire.  <hart (a] ntp.org>
   3919 * [Bug 3822] ntpd significantly delays first poll of servers specified by name.
   3920              <hart (a] ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
   3921 * [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
             Miroslav Lichvar and Matt for rapid testing and identifying the
             problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
  symmetric authentication digest output.

---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0

Details below:

* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
             hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
  - solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
             <stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
             <hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
             <hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
             Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
  - openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
  - command line options override config statements where applicable
  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
  - misleading title; essentially a request to ignore the receiver status.
    Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
  - original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
  - implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
  - original patch by matt <ntpbr@mattcorallo.com>
  - increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
  - patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
  - ntp{q,dc} now use the same password processing as ntpd does in the key
    file, so having a binary secret >= 11 bytes is possible for all keys.
    (This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
  - applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
  - idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
  - backport from -dev, plus some more work on warnings for unchecked results
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
             Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
             Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32.  <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs.  <stenn@ntp.org>
* Rename a poorly-named variable.  <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0

---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)

Focus: Security, Bug fixes

Severity: MEDIUM

This release fixes one vulnerability: Associations that use CMAC
authentication between ntpd from versions 4.2.8p11/4.3.97 and
4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
Eventually, ntpd will run out of memory and abort.

It also fixes 13 other bugs.

* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
  - Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
  - rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
  - integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
  ntp_config.h <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
  - thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
  - applied patch by Takao Abe

---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that causes an ntpd
instance explicitly configured to override the default and allow
ntpdc (mode 7) connections to read some uninitialized memory; the case
where an unmonitored ntpd using an unauthenticated association to its
servers may be susceptible to a forged packet DoS attack; and an attack
against a client instance that uses a single unauthenticated time source.
It also fixes 46 other bugs and addresses 4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
             ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
             is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
             mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

---
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
            other TrustedBSD platforms
 - applied patch by Ian Lepore <perlinger@ntp.org>
 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
 - changed interaction with SCM to signal pending startup
 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
 - rework of ntpq 'nextvar()' key/value parsing
 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
 - add #define ENABLE_CMAC support in configure.  HStenn.
 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
 - patch by Stephen Friedl
 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
 - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
 - initial patch by Hal Murray; also fixed refclock_report() trouble
 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
            with modifications
 - New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
 - applied patch by Miroslav Lichvar
 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
 - integrated patch by Reinhard Max
 [Bug 2821] minor build issues <perlinger@ntp.org>
 - applied patches by Christos Zoulas, including real bug fixes
 html/authopt.html: cleanup, from <stenn@ntp.org>
 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>

---
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
        association (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3454 / CVE-2018-7185 / VU#961909
   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
        2.9 and 6.8.
   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
        score between 2.6 and 3.1
   Summary:
        The NTP Protocol allows for both non-authenticated and
        authenticated associations, in client/server, symmetric (peer),
        and several broadcast modes. In addition to the basic NTP
        operational modes, symmetric mode and broadcast servers can
        support an interleaved mode of operation. In ntp-4.2.8p4 a bug
        was inadvertently introduced into the protocol engine that
        allows a non-authenticated zero-origin (reset) packet to reset
        an authenticated interleaved peer association. If an attacker
        can send a packet with a zero-origin timestamp and the source
        IP address of the "other side" of an interleaved association,
        the 'victim' ntpd will reset its association. The attacker must
        continue sending these packets in order to maintain the
        disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
        interleave mode could be entered dynamically. As of ntp-4.2.8p7,
        interleaved mode must be explicitly configured/enabled.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        If you are unable to upgrade to 4.2.8p11 or later and have
            'peer HOST xleave' lines in your ntp.conf file, remove the
            'xleave' option.
        Have enough sources of time.
        Properly monitor your ntpd instances.
        If ntpd stops running, auto-restart it without -g .
   Credit:
        This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
        state (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3453 / CVE-2018-7184 / VU#961909
   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
        Could score between 2.9 and 6.8.
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
        Could score between 2.6 and 6.0.
   Summary:
        The fix for NtpBug2952 was incomplete, and while it fixed one
        problem it created another.  Specifically, it drops bad packets
        before updating the "received" timestamp.  This means a
        third-party can inject a packet with a zero-origin timestamp,
        meaning the sender wants to reset the association, and the
        transmit timestamp in this bogus packet will be saved as the
        most recent "received" timestamp.  The real remote peer does
        not know this value and this will disrupt the association until
        the association resets.
   Mitigation:
        Implement BCP-38.
        Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        Use authentication with 'peer' mode.
        Have enough sources of time.
        Properly monitor your ntpd instances.
        If ntpd stops running, auto-restart it without -g .
   Credit:
        This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
        peering (LOW)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3415 / CVE-2018-7170 / VU#961909
               Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
   Summary:
        ntpd can be vulnerable to Sybil attacks.  If a system is set up to
        use a trustedkey and if one is not using the feature introduced in
        ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
        specify which IPs can serve time, a malicious authenticated peer
        -- i.e. one where the attacker knows the private symmetric key --
        can create arbitrarily-many ephemeral associations in order to win
        the clock selection of ntpd and modify a victim's clock.  Three
        additional protections are offered in ntp-4.2.8p11.  One is the
        new 'noepeer' directive, which disables symmetric passive
        ephemeral peering. Another is the new 'ippeerlimit' directive,
        which limits the number of peers that can be created from an IP.
        The third extends the functionality of the 4th field in the
        ntp.keys file to include specifying a subnet range.
   Mitigation:
        Implement BCP-38.
        Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        Use the 'noepeer' directive to prohibit symmetric passive
            ephemeral associations.
        Use the 'ippeerlimit' directive to limit the number of peers
            that can be created from an IP.
        Use the 4th argument in the ntp.keys file to limit the IPs and
            subnets that can be time servers.
        Have enough sources of time.
        Properly monitor your ntpd instances.
        If ntpd stops running, auto-restart it without -g .
   Credit:
        This weakness was reported as Bug 3012 by Matthew Van Gundy of
        Cisco ASIG, and separately by Stefan Moser as Bug 3415.
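
As an added example (not part of the NTP release notes or of any file
shipped by the project), the fragments below show the three Bug 3415
protections applied together in ntp.conf and ntp.keys, alongside the
authenticated, non-interleaved 'peer' line that the Bug 3453 and Bug 3454
mitigations advise. The addresses, hostnames, key number and key digest are
constructed placeholders. The restrict lines use the 4.2.8p11 form
'restrict address [mask mask] [ippeerlimit int] [flag ...]'.

```conf
# /etc/ntp.conf  (added example; addresses and key IDs are placeholders)

keys /etc/ntp.keys
trustedkey 10

# Pre-4.2.8p11 style default.  'nopeer' only refuses mobilization by
# unauthenticated packets, so a peer that knows trusted key 10 could still
# mobilize as many ephemeral associations as it liked (Bug 3415):
#   restrict default kod nomodify notrap nopeer noquery

# Hardened default: 'ippeerlimit 0' allows no peer associations per source
# address, and 'noepeer' refuses symmetric-passive ephemeral associations
# even when the request authenticates with a trusted key.
restrict default    ippeerlimit 0 kod nomodify notrap nopeer noepeer noquery
restrict -6 default ippeerlimit 0 kod nomodify notrap nopeer noepeer noquery
restrict 127.0.0.1
restrict ::1

# The one partner we actually peer with: bounded to a single association.
restrict 192.0.2.10 ippeerlimit 1 nomodify notrap

# Persistent symmetric association, authenticated with key 10.  Written
# without 'xleave', per the Bug 3453/3454 mitigation for hosts that cannot
# be upgraded to 4.2.8p11.
peer 192.0.2.10 key 10

# Enough independent sources that no single disrupted association decides
# the clock selection.
server 0.pool.example.invalid iburst
server 1.pool.example.invalid iburst
server 2.pool.example.invalid iburst
server 3.pool.example.invalid iburst

# /etc/ntp.keys  (added example; the digest is a constructed placeholder,
# not a real secret)
# keyno  type  key                                       [IP list]
# The optional 4th field lists the addresses, with optional /bits subnet
# ranges (extended in 4.2.8p11), that may use this key to serve time.
10  SHA1  0123456789abcdef0123456789abcdef01234567  192.0.2.10,198.51.100.0/24
```

The 'restrict default' line is what closes the Sybil gap for everyone not
named explicitly; the per-partner 'restrict 192.0.2.10' line then opens just
enough for the configured peer. The IP list in ntp.keys is the last line of
defence: even if key 10 leaks, a source outside 192.0.2.10 or
198.51.100.0/24 cannot use it to serve time to this host.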
   4440 
   4441 * ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
   4442    Date Resolved: 27 Feb 2018
   4443    References: Sec 3414 / CVE-2018-7183 / VU#961909
   4444    Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   4445    CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
   4446    CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
   4447    Summary:
   4448    	ntpq is a monitoring and control program for ntpd.  decodearr()
   4449 	is an internal function of ntpq that is used to -- wait for it --
   4450 	decode an array in a response string when formatted data is being
   4451 	displayed.  This is a problem in affected versions of ntpq if a
   4452 	maliciously-altered ntpd returns an array result that will trip this
   4453 	bug, or if a bad actor is able to read an ntpq request on its way to
   4454 	a remote ntpd server and forge and send a response before the remote
   4455 	ntpd sends its response.  It's potentially possible that the
   4456 	malicious data could become injectable/executable code.
   4457    Mitigation:
   4458 	Implement BCP-38.
   4459 	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
   4460 	    or the NTP Public Services Project Download Page.
   4461    Credit:
   4462 	This weakness was discovered by Michael Macnair of Thales e-Security.
   4463 
   4464 * NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
   4465 	behavior and information leak (Info/Medium)
   4466    Date Resolved: 27 Feb 2018
   4467    References: Sec 3412 / CVE-2018-7182 / VU#961909
   4468    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   4469    CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
   4470    CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   4471 	0.0 if C:N
   4472    Summary:
   4473 	ctl_getitem() is used by ntpd to process incoming mode 6 packets.
   4474 	A malicious mode 6 packet can be sent to an ntpd instance, and
   4475 	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
   4476 	cause ctl_getitem() to read past the end of its buffer.
   4477    Mitigation:
   4478 	Implement BCP-38.
   4479 	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
   4480 	    or the NTP Public Services Project Download Page.
   4481 	Have enough sources of time.
   4482 	Properly monitor your ntpd instances.
   4483 	If ntpd stops running, auto-restart it without -g .
   4484    Credit:
   4485 	This weakness was discovered by Yihan Lian of Qihoo 360.
   4486 
   4487 * NTP Bug 3012: Sybil vulnerability: ephemeral association attack
   4488    Also see Bug 3415, above.
   4489    Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   4490    Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   4491    References: Sec 3012 / CVE-2016-1549 / VU#718152
   4492    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   4493 	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   4494    CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   4495    CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   4496    Summary:
   4497 	ntpd can be vulnerable to Sybil attacks.  If a system is set up
   4498 	to use a trustedkey and if one is not using the feature
   4499 	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
   4500 	ntp.keys file to specify which IPs can serve time, a malicious
   4501 	authenticated peer -- i.e. one where the attacker knows the
   4502 	private symmetric key -- can create arbitrarily-many ephemeral
   4503 	associations in order to win the clock selection of ntpd and
   4504 	modify a victim's clock.  Two additional protections are
   4505 	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
   4506 	disables symmetric passive ephemeral peering. The other extends
   4507 	the functionality of the 4th field in the ntp.keys file to
   4508 	include specifying a subnet range.
   4509    Mitigation:
   4510 	Implement BCP-38.
   4511 	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
   4512 	    the NTP Public Services Project Download Page.
   4513 	Use the 'noepeer' directive to prohibit symmetric passive
   4514 	    ephemeral associations.
   4515 	Use the 'ippeerlimit' directive to limit the number of peer
   4516 	    associations from an IP.
   4517 	Use the 4th argument in the ntp.keys file to limit the IPs
   4518 	    and subnets that can be time servers.
   4519 	Properly monitor your ntpd instances.
   4520    Credit:
   4521 	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
   4522 
   4523 * Bug fixes:
   4524  [Bug 3457] OpenSSL FIPS mode regression <perlinger (a] ntp.org>
   4525  [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger (a] ntp.org>
   4526  - applied patch by Sean Haugh 
   4527  [Bug 3452] PARSE driver prints uninitialized memory. <perlinger (a] ntp.org>
   4528  [Bug 3450] Dubious error messages from plausibility checks in get_systime()
   4529  - removed error log caused by rounding/slew, ensured postcondition <perlinger (a] ntp.org>
   4530  [Bug 3447] AES-128-CMAC (fixes) <perlinger (a] ntp.org>
   4531  - refactoring the MAC code, too
   4532  [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn (a] ntp.org
   4533  [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger (a] ntp.org>
   4534  - applied patch by ggarvey
   4535  [Bug 3438] Negative values and values > 999 days in... <perlinger (a] ntp.org>
   4536  - applied patch by ggarvey (with minor mods)
   4537  [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
   4538  - applied patch (with mods) by Miroslav Lichvar <perlinger (a] ntp.org>
   4539  [Bug 3435] anchor NTP era alignment <perlinger (a] ntp.org>
   4540  [Bug 3433] sntp crashes when run with -a.  <stenn (a] ntp.org>
   4541  [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
   4542  - fixed several issues with hash algos in ntpd, sntp, ntpq,
   4543    ntpdc and the test suites <perlinger (a] ntp.org>
   4544  [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger (a] ntp.org>
   4545  - initial patch by Daniel Pouzzner
   4546  [Bug 3423] QNX adjtime() implementation error checking is
   4547  wrong <perlinger (a] ntp.org>
   4548  [Bug 3417] ntpq ifstats packet counters can be negative
   4549  - made IFSTATS counter quantities unsigned <perlinger (a] ntp.org>
   4550  [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
   4551  - raised receive buffer size to 1200 <perlinger (a] ntp.org>
   4552  [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
   4553  analysis tool. <abe (a] ntp.org>
   4554  [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
   4555  [Bug 3404] Fix openSSL DLL usage under Windows <perlinger (a] ntp.org>
   4556  - fix/drop assumptions on OpenSSL libs directory layout
   4557  [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
   4558  - initial patch by timeflies (a] mail2tor.com  <perlinger (a] ntp.org>
   4559  [Bug 3398] tests fail with core dump <perlinger (a] ntp.org>
   4560  - patch contributed by Alexander Bluhm
   4561  [Bug 3397] ctl_putstr() asserts that data fits in its buffer
   4562  - rework of formatting & data transfer stuff in 'ntp_control.c'
   4563    avoids unnecessary buffers and size limitations. <perlinger (a] ntp.org>
   4564  [Bug 3394] Leap second deletion does not work on ntpd clients
   4565  - fixed handling of dynamic deletion w/o leap file <perlinger (a] ntp.org>
   4566  [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
   4567  - increased minimum stack size to 32kB <perlinger (a] ntp.org>
   4568  [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger (a] ntp.org>
   4569  - reverted handling of PPS kernel consumer to 4.2.6 behavior
   4570  [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe (a] ntp.org>
   4571  [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
   4572  [Bug 3016] wrong error position reported for bad ":config pool"
   4573  - fixed location counter & ntpq output <perlinger (a] ntp.org>
   4574  [Bug 2900] libntp build order problem.  HStenn.
   4575  [Bug 2878] Tests are cluttering up syslog <perlinger (a] ntp.org>
   4576  [Bug 2737] Wrong phone number listed for USNO. ntp-bugs (a] bodosom.net,
   4577  perlinger (a] ntp.org
   4578  [Bug 2557] Fix Thunderbolt init. ntp-bugs (a] bodosom.net, perlinger@ntp.
   4579  [Bug 948] Trustedkey config directive leaks memory. <perlinger (a] ntp.org>
   4580  Use strlcpy() to copy strings, not memcpy().  HStenn.
   4581  Typos.  HStenn.
   4582  test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
   4583  refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
   4584  Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger (a] ntp.org
   4585  Fix trivial warnings from 'make check'. perlinger (a] ntp.org
   4586  Fix bug in the override portion of the compiler hardening macro. HStenn.
   4587  record_raw_stats(): Log entire packet.  Log writes.  HStenn.
   4588  AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
   4589  sntp: tweak key file logging.  HStenn.
   4590  sntp: pkt_output(): Improve debug output.  HStenn.
   4591  update-leap: updates from Paul McMath.
   4592  When using pkg-config, report --modversion.  HStenn.
   4593  Clean up libevent configure checks.  HStenn.
   4594  sntp: show the IP of who sent us a crypto-NAK.  HStenn.
   4595  Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
   4596  authistrustedip() - use it in more places.  HStenn, JPerlinger.
   4597  New sysstats: sys_lamport, sys_tsrounding.  HStenn.
   4598  Update ntp.keys .../N documentation.  HStenn.
   4599  Distribute testconf.yml.  HStenn.
   4600  Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
   4601  Rename the configuration flag fifo variables.  HStenn.
   4602  Improve saveconfig output.  HStenn.
   4603  Decode restrict flags on receive() debug output.  HStenn.
   4604  Decode interface flags on receive() debug output.  HStenn.
   4605  Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
   4606  Update the documentation in ntp.conf.def .  HStenn.
   4607  restrictions() must return restrict flags and ippeerlimit.  HStenn.
   4608  Update ntpq peer documentation to describe the 'p' type.  HStenn.
   4609  Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
   4610  Provide dump_restricts() for debugging.  HStenn.
   4611  Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
   4612 
   4613 * Other items:
   4614 
   4615 * update-leap needs the following perl modules:
   4616 	Net::SSLeay
   4617 	IO::Socket::SSL
   4618 
   4619 * New sysstats variables: sys_lamport, sys_tsrounding
   4620 See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
   4621 sys_lamport counts the number of observed Lamport violations, while
   4622 sys_tsrounding counts observed timestamp rounding events.
   4623 
   4624 * New ntp.conf items:
   4625 
   4626 - restrict ... noepeer
   4627 - restrict ... ippeerlimit N
   4628 
   4629 The 'noepeer' directive will disallow all ephemeral/passive peer
   4630 requests.
   4631 
   4632 The 'ippeerlimit' directive limits the number of time associations
   4633 for each IP in the designated set of addresses.  This limit does not
   4634 apply to explicitly-configured associations.  A value of -1, the current
   4635 default, means an unlimited number of associations may connect from a
   4636 single IP.  0 means "none", etc.  Ordinarily the only way multiple
   4637 associations would come from the same IP would be if the remote side
   4638 was using a proxy.  But a trusted machine might become compromised,
   4639 in which case an attacker might spin up multiple authenticated sessions
   4640 from different ports.  This directive should be helpful in this case.
   4641 
   4642 * New ntp.keys feature: Each IP in the optional list of IPs in the 4th
   4643 field may contain a /subnetbits specification, which identifies the
   4644 scope of IPs that may use this key.  This IP/subnet restriction can be
   4645 used to limit the IPs that may use the key in almost all situations where
   4646 a key is used.
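
The 4th-field check described above (and the "limit the IPs and subnets that can be time servers" mitigation earlier in this file), as an added C example that is not NTP's own code; the project's own version is its authistrustedip() routine. It parses constructed ntp.keys lines, reads the IP[/subnetbits] list, and reports whether a given source address may use that key. Assumptions: the list is comma-separated, a line with no 4th field is usable from any address, IPv4 only, and check_key_ip() is a wrapper invented for this example.

```c
/* Added example, not NTP project code: parse the optional 4th field of an
 * ntp.keys line ("keyno type key [ip[/bits],ip[/bits],...]") and decide
 * whether a source address may use that key.  IPv4 only.  Assumed: the
 * list is comma-separated and a line with no list is usable from any IP. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NETS 16
struct ipnet { uint32_t net, mask; };   /* host order; net is pre-masked */
struct keyline { size_t nnets; struct ipnet nets[MAX_NETS]; };  /* nnets 0: unrestricted */

/* "a.b.c.d" or "a.b.c.d/N" -> network + mask; false if malformed. */
static bool parse_ipnet(const char *spec, struct ipnet *out)
{
    char buf[INET_ADDRSTRLEN], *end;
    struct in_addr in;
    const char *slash = strchr(spec, '/');
    size_t len = slash ? (size_t)(slash - spec) : strlen(spec);
    long bits = 32;
    if (len == 0 || len >= sizeof buf)
        return false;
    memcpy(buf, spec, len);
    buf[len] = '\0';
    if (inet_pton(AF_INET, buf, &in) != 1)
        return false;
    if (slash != NULL) {
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return false;
    }
    out->mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    out->net = ntohl(in.s_addr) & out->mask;
    return true;
}

/* Parse one ntp.keys line.  keyno, type and key material must be present
 * (their values are not needed here); returns false on malformed input. */
bool parse_keyline(const char *line, struct keyline *kl)
{
    char copy[256], *save, *lsave, *tok, *ent;
    memset(kl, 0, sizeof *kl);
    if (strlen(line) >= sizeof copy)
        return false;
    strcpy(copy, line);
    for (int i = 0; i < 3; i++)             /* keyno, type, key */
        if (strtok_r(i == 0 ? copy : NULL, " \t\r\n", &save) == NULL)
            return false;
    tok = strtok_r(NULL, " \t\r\n", &save); /* optional 4th field */
    if (tok == NULL)
        return true;
    for (ent = strtok_r(tok, ",", &lsave); ent != NULL;
         ent = strtok_r(NULL, ",", &lsave)) {
        if (kl->nnets == MAX_NETS || !parse_ipnet(ent, &kl->nets[kl->nnets]))
            return false;
        kl->nnets++;
    }
    return true;
}

/* true if src is inside any listed IP/subnet, or the key has no list. */
bool key_allows_ip(const struct keyline *kl, const char *src)
{
    struct in_addr in;
    size_t i;
    uint32_t a;
    if (kl->nnets == 0)
        return true;
    if (inet_pton(AF_INET, src, &in) != 1)
        return false;
    a = ntohl(in.s_addr);
    for (i = 0; i < kl->nnets; i++)
        if ((a & kl->nets[i].mask) == kl->nets[i].net)
            return true;
    return false;
}

/* Convenience wrapper (invented for this example): -1 malformed line,
 * 1 allowed, 0 denied. */
int check_key_ip(const char *line, const char *src)
{
    struct keyline kl;
    if (!parse_keyline(line, &kl))
        return -1;
    return key_allows_ip(&kl, src) ? 1 : 0;
}

int main(void)
{
    const char *k = "1 MD5 constructedkey 10.0.0.5,192.168.1.0/24";  /* constructed */
    printf("192.168.1.77 -> %d, 192.168.2.1 -> %d, no list -> %d, bad /33 -> %d\n",
           check_key_ip(k, "192.168.1.77"), check_key_ip(k, "192.168.2.1"),
           check_key_ip("2 SHA1 constructedkey2", "203.0.113.9"),
           check_key_ip("3 MD5 constructedkey3 192.168.1.0/33", "10.0.0.5"));
    return 0;
}
```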
   4647 --
   4648 NTP 4.2.8p10 (Harlan Stenn <stenn (a] ntp.org>, 2017/03/21) 
   4649 
   4650 Focus: Security, Bug fixes, enhancements.
   4651 
   4652 Severity: MEDIUM
   4653 
   4654 This release fixes 5 medium-, 6 low-, and 4 informational-severity
   4655 vulnerabilities, and provides 15 other non-security fixes and improvements:
   4656 
   4657 * NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
   4658    Date Resolved: 21 Mar 2017
   4659    References: Sec 3389 / CVE-2017-6464 / VU#325339
   4660    Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
   4661 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4662    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   4663    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   4664    Summary:
   4665 	A vulnerability found in the NTP server makes it possible for an
   4666 	authenticated remote user to crash ntpd via a malformed mode
   4667 	configuration directive.
   4668    Mitigation:
   4669 	Implement BCP-38.
   4670 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
   4671 	    the NTP Public Services Project Download Page
   4672 	Properly monitor your ntpd instances, and auto-restart
   4673 	    ntpd (without -g) if it stops running. 
   4674    Credit:
   4675 	This weakness was discovered by Cure53. 
   4676 
   4677 * NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
   4678     Date Resolved: 21 Mar 2017
   4679     References: Sec 3388 / CVE-2017-6462 / VU#325339
   4680     Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
   4681     CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   4682     CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   4683     Summary:
   4684 	There is a potential for a buffer overflow in the legacy Datum
   4685 	Programmable Time Server refclock driver.  Here the packets are
   4686 	processed from the /dev/datum device and handled in
   4687 	datum_pts_receive().  Since an attacker would be required to
   4688 	somehow control a malicious /dev/datum device, this does not
   4689 	appear to be a practical attack and renders this issue "Low" in
   4690 	terms of severity.
   4691    Mitigation:
   4692 	If you have a Datum reference clock installed and think somebody
   4693 	    may maliciously change the device, upgrade to 4.2.8p10, or
   4694 	    later, from the NTP Project Download Page or the NTP Public
   4695 	    Services Project Download Page
   4696 	Properly monitor your ntpd instances, and auto-restart
   4697 	    ntpd (without -g) if it stops running. 
   4698    Credit:
   4699 	This weakness was discovered by Cure53. 
   4700 
   4701 * NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
   4702    Date Resolved: 21 Mar 2017
   4703    References: Sec 3387 / CVE-2017-6463 / VU#325339
   4704    Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
   4705 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4706    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   4707    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   4708    Summary:
   4709 	A vulnerability found in the NTP server allows an authenticated
   4710 	remote attacker to crash the daemon by sending an invalid setting
   4711 	via the :config directive.  The unpeer option expects a number or
   4712 	an address as an argument.  In case the value is "0", a
   4713 	segmentation fault occurs.
   4714    Mitigation:
   4715 	Implement BCP-38.
   4716 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4717 	    or the NTP Public Services Project Download Page 
   4718 	Properly monitor your ntpd instances, and auto-restart
   4719 	    ntpd (without -g) if it stops running. 
   4720    Credit:
   4721 	This weakness was discovered by Cure53. 
   4722 
   4723 * NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
   4724    Date Resolved: 21 Mar 2017
   4725    References: Sec 3386
   4726    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   4727 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4728    CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
   4729    CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
   4730    Summary:
   4731 	The NTP Mode 6 monitoring and control client, ntpq, uses the
   4732 	function ntpq_stripquotes() to remove quotes and escape characters
   4733 	from a given string.  According to the documentation, the function
   4734 	is supposed to return the number of copied bytes but due to
   4735 	incorrect pointer usage this value is always zero.  Although the
   4736 	return value of this function is never used in the code, this
   4737 	flaw could lead to a vulnerability in the future.  Since relying
   4738 	on wrong return values when performing memory operations is a
   4739 	dangerous practice, it is recommended to return the correct value
   4740 	in accordance with the documentation pertinent to the code.
   4741    Mitigation:
   4742 	Implement BCP-38.
   4743 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4744 	    or the NTP Public Services Project Download Page
   4745 	Properly monitor your ntpd instances, and auto-restart
   4746 	    ntpd (without -g) if it stops running. 
   4747    Credit:
   4748 	This weakness was discovered by Cure53. 
   4749 
   4750 * NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
   4751    Date Resolved: 21 Mar 2017
   4752    References: Sec 3385
   4753    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   4754 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4755    Summary:
   4756 	NTP makes use of several wrappers around the standard heap memory
   4757 	allocation functions that are provided by libc.  This is mainly
   4758 	done to introduce additional safety checks concentrated on
   4759 	several goals.  First, they seek to ensure that memory is not
   4760 	accidentally freed, secondly they verify that a correct amount
   4761 	is always allocated and, thirdly, that allocation failures are
   4762 	correctly handled.  There is an additional implementation for
   4763 	scenarios where memory for a specific amount of items of the
   4764 	same size needs to be allocated.  The handling can be found in
   4765 	the oreallocarray() function for which a further number-of-elements
   4766 	parameter needs to be provided.  Although no considerable threat
   4767 	was identified as tied to a lack of use of this function, it is
   4768 	recommended to correctly apply oreallocarray() as a preferred
   4769 	option across all of the locations where it is possible.
   4770    Mitigation:
   4771 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4772 	    or the NTP Public Services Project Download Page 
   4773    Credit:
   4774 	This weakness was discovered by Cure53. 
   4775 
   4776 * NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
   4777 	PPSAPI ONLY) (Low)
   4778    Date Resolved: 21 Mar 2017
   4779    References: Sec 3384 / CVE-2017-6455 / VU#325339
   4780    Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
   4781 	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
   4782 	including ntp-4.3.94.
   4783    CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   4784    CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   4785    Summary:
   4786 	The Windows NT port has the added capability to preload DLLs
   4787 	defined in the inherited global local environment variable
   4788 	PPSAPI_DLLS.  The code contained within those libraries is then
   4789 	called from the NTPD service, usually running with elevated
   4790 	privileges. Depending on how securely the machine is setup and
   4791 	configured, if ntpd is configured to use the PPSAPI under Windows
   4792 	this can easily lead to a code injection.
   4793    Mitigation:
   4794 	Implement BCP-38.
   4795 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4796 	    or the NTP Public Services Project Download Page 
   4797    Credit:
   4798 	This weakness was discovered by Cure53.
   4799 
   4800 * NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
   4801 	installer ONLY) (Low)
   4802    Date Resolved: 21 Mar 2017
   4803    References: Sec 3383 / CVE-2017-6452 / VU#325339
   4804    Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
   4805 	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
   4806 	to, but not including ntp-4.3.94.
   4807    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   4808    CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   4809    Summary:
   4810 	The Windows installer for NTP calls strcat(), blindly appending
   4811 	the string passed to the stack buffer in the addSourceToRegistry()
   4812 	function.  The stack buffer is 70 bytes smaller than the buffer
   4813 	in the calling main() function.  Together with the initially
   4814 	copied Registry path, the combination causes a stack buffer
   4815 	overflow and effectively overwrites the stack frame.  The
   4816 	passed application path is actually limited to 256 bytes by the
   4817 	operating system, but this is not sufficient to assure that the
   4818 	affected stack buffer is consistently protected against
   4819 	overflowing at all times.
   4820    Mitigation:
   4821 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4822 	or the NTP Public Services Project Download Page 
   4823    Credit:
   4824 	This weakness was discovered by Cure53. 
   4825 
   4826 * NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
   4827 	installer ONLY) (Low)
   4828    Date Resolved: 21 Mar 2017
   4829    References: Sec 3382 / CVE-2017-6459 / VU#325339
   4830    Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
   4831 	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
   4832 	up to, but not including ntp-4.3.94.
   4833    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   4834    CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   4835    Summary:
   4836 	The Windows installer for NTP calls strcpy() with an argument
   4837 	that specifically contains multiple null bytes.  strcpy() only
   4838 	copies a single terminating null character into the target
   4839 	buffer instead of copying the required double null bytes in the
   4840 	addKeysToRegistry() function.  As a consequence, a garbage
   4841 	registry entry can be created.  The additional arsize parameter
   4842 	is erroneously set to contain two null bytes and the following
   4843 	call to RegSetValueEx() claims to be passing in a multi-string
   4844 	value, though this may not be true.
   4845    Mitigation:
   4846 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4847 	    or the NTP Public Services Project Download Page 
   4848    Credit:
   4849 	This weakness was discovered by Cure53. 
   4850 
   4851 * NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
   4852    References: Sec 3381
   4853    Summary:
   4854 	The report says: Statically included external projects
   4855 	potentially introduce several problems and the issue of having
   4856 	extensive amounts of code that is "dead" in the resulting binary
   4857 	must clearly be pointed out.  The unnecessary unused code may or
   4858 	may not contain bugs and, quite possibly, might be leveraged for
   4859 	code-gadget-based branch-flow redirection exploits.  Analogically,
   4860 	having source trees statically included as well means a failure
   4861 	in taking advantage of the free feature for periodical updates.
   4862 	This solution is offered by the system's Package Manager. The
   4863 	three libraries identified are libisc, libevent, and libopts.
   4864    Resolution:
   4865 	For libisc, we already only use a portion of the original library.
   4866 	We've found and fixed bugs in the original implementation (and
   4867 	offered the patches to ISC), and plan to see what has changed
   4868 	since we last upgraded the code.  libisc is generally not
   4869 	installed, and when it is we usually only see the static libisc.a
   4870 	file installed.  Until we know for sure that the bugs we've found
   4871 	and fixed are fixed upstream, we're better off with the copy we
   4872 	are using.
   4873 
   4874 	Version 1 of libevent was the only production version available
   4875 	until recently, and we've been requiring version 2 for a long time.
   4876 	But if the build system has at least version 2 of libevent
   4877 	installed, we'll use the version that is installed on the system.
   4878 	Otherwise, we provide a copy of libevent that we know works.
   4879 
   4880 	libopts is provided by GNU AutoGen, and that library and package
   4881 	undergoes frequent API version updates.  The version of autogen
   4882 	used to generate the tables for the code must match the API
   4883 	version in libopts.  AutoGen can be ... difficult to build and
   4884 	install, and very few developers really need it.  So we have it
   4885 	on our build and development machines, and we provide the
   4886 	specific version of the libopts code in the distribution to make
   4887 	sure that the proper API version of libopts is available.
   4888 
   4889 	As for the point about there being code in these libraries that
   4890 	NTP doesn't use, OK.  But other packages used these libraries as
   4891 	well, and it is reasonable to assume that other people are paying
   4892 	attention to security and code quality issues for the overall
   4893 	libraries.  It takes significant resources to analyze and
   4894 	customize these libraries to only include what we need, and to
   4895 	date we believe the cost of this effort does not justify the benefit. 
   4896    Credit:
   4897 	This issue was discovered by Cure53. 
   4898 
   4899 * NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
   4900    Date Resolved: 21 Mar 2017
   4901    References: Sec 3380
   4902    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   4903 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4904    CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
   4905    CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
   4906    Summary:
   4907 	There is a fencepost error in a "recovery branch" of the code for
   4908 	the Oncore GPS receiver if the communication link to the ONCORE
   4909 	is weak / distorted and the decoding doesn't work.
   4910    Mitigation:
   4911 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
   4912 	    the NTP Public Services Project Download Page
   4913 	Properly monitor your ntpd instances, and auto-restart
   4914 	    ntpd (without -g) if it stops running.
   4915    Credit:
   4916 	This weakness was discovered by Cure53. 
   4917 
   4918 * NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
   4919    Date Resolved: 21 Mar 2017
   4920    References: Sec 3379 / CVE-2017-6458 / VU#325339
   4921    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   4922 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4923    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   4924    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   4925    Summary:
   4926 	ntpd makes use of different wrappers around ctl_putdata() to
   4927 	create name/value ntpq (mode 6) response strings.  For example,
   4928 	ctl_putstr() is usually used to send string data (variable names
   4929 	or string data).  The formatting code was missing a length check
   4930 	for variable names.  If somebody explicitly created any unusually
   4931 	long variable names in ntpd (longer than 200-512 bytes, depending
   4932 	on the type of variable), then if any of these variables are
   4933 	added to the response list it would overflow a buffer.
   4934    Mitigation:
   4935 	Implement BCP-38.
   4936 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4937 	    or the NTP Public Services Project Download Page
   4938 	If you don't want to upgrade, then don't setvar variable names
   4939 	    longer than 200-512 bytes in your ntp.conf file.
   4940 	Properly monitor your ntpd instances, and auto-restart
   4941 	    ntpd (without -g) if it stops running. 
   4942    Credit:
   4943 	This weakness was discovered by Cure53. 
   4944 
   4945 * NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
   4946    Date Resolved: 21 Mar 2017
   4947    References: Sec 3378 / CVE-2017-6451 / VU#325339
   4948    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   4949 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4950    CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
   4951    CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
   4952    Summary:
   4953 	The legacy MX4200 refclock is only built if it is specifically
   4954 	enabled, and furthermore additional code changes are required to
   4955 	compile and use it.  But it uses the libc functions snprintf()
   4956 	and vsnprintf() incorrectly, which can lead to an out-of-bounds
   4957 	memory write due to an improper handling of the return value of
   4958 	snprintf()/vsnprintf().  Since the return value is used as an
   4959 	iterator and it can be larger than the buffer's size, it is
   4960 	possible for the iterator to point somewhere outside of the
   4961 	allocated buffer space.  This results in an out-of-bound memory
   4962 	write.  This behavior can be leveraged to overwrite a saved
   4963 	instruction pointer on the stack and gain control over the
   4964 	execution flow.  During testing it was not possible to identify
   4965 	any malicious usage for this vulnerability.  Specifically, no
   4966 	way for an attacker to exploit this vulnerability was ultimately
   4967 	unveiled.  However, it has the potential to be exploited, so the
   4968 	code should be fixed.
   4969    Mitigation, if you have a Magnavox MX4200 refclock:
   4970 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4971 	    or the NTP Public Services Project Download Page.
   4972 	Properly monitor your ntpd instances, and auto-restart
   4973 	    ntpd (without -g) if it stops running. 
   4974    Credit:
   4975 	This weakness was discovered by Cure53. 
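
The snprintf()/vsnprintf() return-value misuse described in NTP-01-003, as an added C example that is not NTP's refclock code: a vulnerable append helper beside a hardened one, driven over a constructed sentence in a deliberately small buffer. The sentence format, LINE_SIZE, the helper names and the checksum are all constructed for this example.

```c
/* Added example, not NTP project code: the vsnprintf() return-value misuse
 * behind NTP-01-003, as a vulnerable append helper beside a hardened one.
 * vsnprintf() returns the length the output WOULD have had, not what was
 * written, so adding it to a write cursor moves the cursor past the buffer
 * as soon as output is truncated.  Format and LINE_SIZE are constructed. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 16            /* deliberately small: truncation is easy */

/* Vulnerable pattern: append at pos and return pos + the untruncated length.
 * Once that exceeds LINE_SIZE, a further append would start outside the
 * buffer and len - pos would underflow. */
size_t append_unsafe(char *buf, size_t len, size_t pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf + pos, len - pos, fmt, ap);
    va_end(ap);
    return pos + (size_t)n;     /* BUG: n is not bounded by len - pos */
}

/* Hardened pattern: refuse a cursor at or past the end, treat a negative
 * return as an error and n >= space as truncation.  On failure the cursor
 * is pinned to the last byte and -1 is returned, so no caller can use it
 * to write beyond buf[len - 1]. */
int append_safe(char *buf, size_t len, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (len == 0 || *pos >= len)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, len - *pos, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                      /* encoding error */
    if ((size_t)n >= len - *pos) {      /* output was truncated */
        *pos = len - 1;
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* NMEA-style checksum: XOR of every byte after the leading '$'. */
static unsigned nmea_checksum(const char *s)
{
    unsigned ck = 0;
    for (s++; *s != '\0'; s++)
        ck ^= (unsigned char)*s;
    return ck & 0xFFu;
}

/* Cursor the vulnerable helper reports after one oversized append.  Only
 * a single call is made, so nothing is written out of bounds here. */
size_t demo_unsafe_offset(const char *payload)
{
    char line[LINE_SIZE];
    return append_unsafe(line, sizeof line, 0, "$PMVXG,%03d,%s", 1, payload);
}

struct demo_result {
    int rc;         /* 0 if every append fit, -1 if one was refused */
    size_t pos;     /* final cursor */
    size_t len;     /* strlen() of what actually landed in the buffer */
};

/* Build "$PMVXG,001,<payload>*CK" with the hardened helper, stopping at
 * the first append that does not fit. */
struct demo_result demo_safe(const char *payload)
{
    char line[LINE_SIZE] = "";
    struct demo_result r = { -1, 0, 0 };

    if (append_safe(line, sizeof line, &r.pos, "$PMVXG,%03d", 1) == 0 &&
        append_safe(line, sizeof line, &r.pos, ",%s", payload) == 0 &&
        append_safe(line, sizeof line, &r.pos, "*%02X",
                    nmea_checksum(line)) == 0)
        r.rc = 0;
    r.len = strlen(line);
    return r;
}

int main(void)
{
    const char *big = "constructed-long-payload";
    struct demo_result r = demo_safe(big);

    printf("unsafe cursor after truncation: %zu (buffer is %d bytes)\n",
           demo_unsafe_offset(big), LINE_SIZE);
    printf("safe, truncated: rc=%d pos=%zu strlen=%zu\n", r.rc, r.pos, r.len);
    return 0;
}
```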
   4976 
   4977 * NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
   4978 	malicious ntpd (Medium)
   4979    Date Resolved: 21 Mar 2017
   4980    References: Sec 3377 / CVE-2017-6460 / VU#325339
   4981    Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
   4982 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   4983    CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   4984    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   4985    Summary:
   4986 	A stack buffer overflow in ntpq can be triggered by a malicious
   4987 	ntpd server when ntpq requests the restriction list from the server.
   4988 	This is due to a missing length check in the reslist() function.
   4989 	It occurs whenever the function parses the server's response and
   4990 	encounters a flagstr variable of an excessive length.  The string
   4991 	will be copied into a fixed-size buffer, leading to an overflow on
   4992 	the function's stack-frame.  Note well that this problem requires
   4993 	a malicious server, and affects ntpq, not ntpd.
   4994    Mitigation:
   4995 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   4996 	    or the NTP Public Services Project Download Page
   4997 	If you can't upgrade your version of ntpq, be aware that when you
   4998 	    request the reslist of an instance of ntpd that you do not control,
   4999 	    a malicious target ntpd can send back a response that intends
   5000 	    to crash your ntpq process.
   5001    Credit:
   5002 	This weakness was discovered by Cure53. 
   5003 
   5004 * NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
   5005    Date Resolved: 21 Mar 2017
   5006    References: Sec 3376
   5007    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
   5008 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   5009    CVSS2: N/A
   5010    CVSS3: N/A
   5011    Summary:
   5012 	The build process for NTP has not, by default, provided compile
   5013 	or link flags to offer "hardened" security options.  Package
   5014 	maintainers have always been able to provide hardening security
   5015 	flags for their builds.  As of ntp-4.2.8p10, the NTP build
   5016 	system has a way to provide OS-specific hardening flags.  Please
   5017 	note that this is still not a really great solution because it
   5018 	is specific to NTP builds.  It's inefficient to have every
   5019 	package supply, track and maintain this information for every
   5020 	target build.  It would be much better if there was a common way
   5021 	for OSes to provide this information in a way that arbitrary
   5022 	packages could benefit from it.
   5023    Mitigation:
   5024 	Implement BCP-38.
   5025 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   5026 	    or the NTP Public Services Project Download Page
   5027 	Properly monitor your ntpd instances, and auto-restart
   5028 	    ntpd (without -g) if it stops running. 
   5029    Credit:
   5030 	This weakness was reported by Cure53. 
   5031 
   5032 * 0rigin DoS (Medium)
   5033    Date Resolved: 21 Mar 2017
   5034    References: Sec 3361 / CVE-2016-9042 / VU#325339
   5035    Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
   5036    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
   5037    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
   5038    Summary:
   5039 	An exploitable denial of service vulnerability exists in the
   5040 	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
   5041 	crafted unauthenticated network packet can be used to reset the
   5042 	expected origin timestamp for target peers.  Legitimate replies
   5043 	from targeted peers will fail the origin timestamp check (TEST2)
   5044 	causing the reply to be dropped and creating a denial of service
   5045 	condition.  This vulnerability can only be exploited if the
   5046 	attacker can spoof all of the servers.
   5047    Mitigation:
   5048 	Implement BCP-38.
   5049 	Configure enough servers/peers that an attacker cannot target
   5050 	    all of your time sources.
   5051 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   5052 	    or the NTP Public Services Project Download Page
   5053 	Properly monitor your ntpd instances, and auto-restart
   5054 	    ntpd (without -g) if it stops running. 
   5055    Credit:
   5056 	This weakness was discovered by Matthew Van Gundy of Cisco. 
   5057 
   5058 Other fixes:
   5059 
   5060 * [Bug 3393] clang scan-build findings <perlinger (a] ntp.org>
   5061 * [Bug 3363] Support for openssl-1.1.0 without compatibility modes
   5062   - rework of patch set from <ntp.org (a] eroen.eu>. <perlinger (a] ntp.org>
   5063 * [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger (a] ntp.org>
   5064 * [Bug 3216] libntp audio ioctl() args incorrectly cast to int
   5065   on 4.4BSD-Lite derived platforms <perlinger (a] ntp.org>
   5066   - original patch by Majdi S. Abbas
   5067 * [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger (a] ntp.org>
   5068 * [Bug 3173] forking async worker: interrupted pipe I/O <perlinger (a] ntp.org>
   5069   - initial patch by Christos Zoulas
   5070 * [Bug 3139] (...) time_pps_create: Exec format error <perlinger (a] ntp.org>
   5071   - move loader API from 'inline' to proper source
   5072   - augment pathless dlls with absolute path to NTPD
   5073   - use 'msyslog()' instead of 'printf() 'for reporting trouble
   5074 * [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger (a] ntp.org>
   5075   - applied patch by Matthew Van Gundy
   5076 * [Bug 3065] Quiet warnings on NetBSD <perlinger (a] ntp.org>
   5077   - applied some of the patches provided by Havard. Not all of them
   5078     still match the current code base, and I did not touch libopt.
   5079 * [Bug 3062] Change the process name of forked DNS worker <perlinger (a] ntp.org>
   5080   - applied patch by Reinhard Max. See bugzilla for limitations.
   5081 * [Bug 2923] Trap Configuration Fail <perlinger (a] ntp.org>
   5082   - fixed dependency inversion from [Bug 2837]
   5083 * [Bug 2896] Nothing happens if minsane < maxclock < minclock
   5084   - produce ERROR log message about dysfunctional daemon. <perlinger (a] ntp.org>
   5085 * [Bug 2851] allow -4/-6 on restrict line with mask <perlinger (a] ntp.org>
   5086   - applied patch by Miroslav Lichvar for ntp4.2.6 compat
   5087 * [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
   5088   - Fixed these and some more locations of this pattern.
   5089     Probably didn't get them all, though. <perlinger (a] ntp.org>
   5090 * Update copyright year.
   5091 
   5092 --
   5093 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn (a] ntp.org>
   5094 
   5095 * [Bug 3144] NTP does not build without openSSL. <perlinger (a] ntp.org>
   5096   - added missed changeset for automatic openssl lib detection
   5097   - fixed some minor warning issues
   5098 * [Bug 3095]  More compatibility with openssl 1.1. <perlinger (a] ntp.org>
   5099 * configure.ac cleanup.  stenn (a] ntp.org
   5100 * openssl configure cleanup.  stenn (a] ntp.org
   5101 
   5102 --
   5103 NTP 4.2.8p9 (Harlan Stenn <stenn (a] ntp.org>, 2016/11/21) 
   5104 
   5105 Focus: Security, Bug fixes, enhancements.
   5106 
   5107 Severity: HIGH
   5108 
   5109 In addition to bug fixes and enhancements, this release fixes the
   5110 following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
   5111 5 low-severity vulnerabilities, and provides 28 other non-security
   5112 fixes and improvements:
   5113 
   5114 * Trap crash
   5115    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5116    References: Sec 3119 / CVE-2016-9311 / VU#633847
   5117    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
   5118    	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
   5119    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
   5120    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
   5121    Summary: 
   5122 	ntpd does not enable trap service by default. If trap service
   5123 	has been explicitly enabled, an attacker can send a specially
   5124 	crafted packet to cause a null pointer dereference that will
   5125 	crash ntpd, resulting in a denial of service. 
   5126    Mitigation:
   5127         Implement BCP-38.
   5128 	Use "restrict default noquery ..." in your ntp.conf file. Only
   5129 	    allow mode 6 queries from trusted networks and hosts. 
   5130         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5131 	    or the NTP Public Services Project Download Page
   5132         Properly monitor your ntpd instances, and auto-restart ntpd
   5133 	    (without -g) if it stops running. 
   5134    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   5135 
   5136 * Mode 6 information disclosure and DDoS vector
   5137    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5138    References: Sec 3118 / CVE-2016-9310 / VU#633847
   5139    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
   5140 	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
   5141    CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   5142    CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   5143    Summary: 
   5144 	An exploitable configuration modification vulnerability exists
   5145 	in the control mode (mode 6) functionality of ntpd. If, against
   5146 	long-standing BCP recommendations, "restrict default noquery ..."
   5147 	is not specified, a specially crafted control mode packet can set
   5148 	ntpd traps, providing information disclosure and DDoS
   5149 	amplification, and unset ntpd traps, disabling legitimate
   5150 	monitoring. A remote, unauthenticated, network attacker can
   5151 	trigger this vulnerability. 
   5152    Mitigation:
   5153         Implement BCP-38.
   5154 	Use "restrict default noquery ..." in your ntp.conf file.
   5155         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5156 	    or the NTP Public Services Project Download Page
   5157         Properly monitor your ntpd instances, and auto-restart ntpd
   5158 	    (without -g) if it stops running. 
   5159    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
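
The "restrict default noquery ..." mitigation given for this entry and for the trap crash above, as an added ntp.conf fragment that is not taken from the NTP documentation; the management network address is a constructed placeholder.

```conf
# Added example, not from the NTP distribution. 192.0.2.0/24 stands in for a
# management network. Entries are matched most-specific first, so the default
# lines deny and the later lines carve out the exceptions.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Localhost keeps full mode 6 access for local ntpq monitoring.
restrict 127.0.0.1
restrict ::1

# Only the management network may issue mode 6 queries. nomodify and notrap
# still refuse runtime configuration changes and trap registration from it,
# which is what the trap-setting vector above relies on.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
```

With this in place, "ntpq -c rv" from an unlisted host times out instead of answering, which is the expected result and a quick way to confirm the restriction took effect.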
   5160 
   5161 * Broadcast Mode Replay Prevention DoS
   5162    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5163    References: Sec 3114 / CVE-2016-7427 / VU#633847
   5164    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 
   5165 	ntp-4.3.90 up to, but not including ntp-4.3.94.
   5166    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   5167    CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   5168    Summary: 
   5169 	The broadcast mode of NTP is expected to only be used in a
   5170 	trusted network. If the broadcast network is accessible to an
   5171 	attacker, a potentially exploitable denial of service
   5172 	vulnerability in ntpd's broadcast mode replay prevention
   5173 	functionality can be abused. An attacker with access to the NTP
   5174 	broadcast domain can periodically inject specially crafted
   5175 	broadcast mode NTP packets into the broadcast domain which,
   5176 	while being logged by ntpd, can cause ntpd to reject broadcast
   5177 	mode packets from legitimate NTP broadcast servers. 
   5178    Mitigation:
   5179         Implement BCP-38.
   5180         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5181 	    or the NTP Public Services Project Download Page
   5182         Properly monitor your ntpd instances, and auto-restart ntpd
   5183 	    (without -g) if it stops running. 
   5184    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   5185 
   5186 * Broadcast Mode Poll Interval Enforcement DoS
   5187    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5188    References: Sec 3113 / CVE-2016-7428 / VU#633847
   5189    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
   5190 	ntp-4.3.90 up to, but not including ntp-4.3.94
   5191    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   5192    CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   5193    Summary: 
   5194 	The broadcast mode of NTP is expected to only be used in a
   5195 	trusted network. If the broadcast network is accessible to an
   5196 	attacker, a potentially exploitable denial of service
   5197 	vulnerability in ntpd's broadcast mode poll interval enforcement
   5198 	functionality can be abused. To limit abuse, ntpd restricts the
   5199 	rate at which each broadcast association will process incoming
   5200 	packets. ntpd will reject broadcast mode packets that arrive
   5201 	before the poll interval specified in the preceding broadcast
   5202 	packet expires. An attacker with access to the NTP broadcast
   5203 	domain can send specially crafted broadcast mode NTP packets to
   5204 	the broadcast domain which, while being logged by ntpd, will
   5205 	cause ntpd to reject broadcast mode packets from legitimate NTP
   5206 	broadcast servers. 
   5207    Mitigation:
   5208         Implement BCP-38.
   5209         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5210 	    or the NTP Public Services Project Download Page
   5211         Properly monitor your ntpd instances, and auto-restart ntpd
   5212 	    (without -g) if it stops running. 
   5213    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   5214 
   5215 * Windows: ntpd DoS by oversized UDP packet
   5216    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5217    References: Sec 3110 / CVE-2016-9312 / VU#633847
   5218    Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
   5219 	and ntp-4.3.0 up to, but not including ntp-4.3.94. 
   5220    CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   5221    CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   5222    Summary: 
   5223 	If a vulnerable instance of ntpd on Windows receives a crafted
   5224 	malicious packet that is "too big", ntpd will stop working. 
   5225    Mitigation:
   5226         Implement BCP-38.
   5227         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5228 	    or the NTP Public Services Project Download Page
   5229         Properly monitor your ntpd instances, and auto-restart ntpd
   5230 	    (without -g) if it stops running. 
   5231    Credit: This weakness was discovered by Robert Pajak of ABB.
   5232 
   5233 * 0rigin (zero origin) issues
   5234    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5235    References: Sec 3102 / CVE-2016-7431 / VU#633847
   5236    Affects: ntp-4.2.8p8, and ntp-4.3.93.
   5237    CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
   5238    CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
   5239    Summary: 
   5240 	Zero Origin timestamp problems were fixed by Bug 2945 in
   5241 	ntp-4.2.8p6. However, subsequent timestamp validation checks
   5242 	introduced a regression in the handling of some Zero origin
   5243 	timestamp checks.
   5244    Mitigation:
   5245         Implement BCP-38.
   5246         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5247 	    or the NTP Public Services Project Download Page
   5248         Properly monitor your ntpd instances, and auto-restart ntpd
   5249 	    (without -g) if it stops running. 
   5250    Credit: This weakness was discovered by Sharon Goldberg and Aanchal
   5251 	Malhotra of Boston University.
   5252 
   5253 * read_mru_list() does inadequate incoming packet checks
   5254    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5255    References: Sec 3082 / CVE-2016-7434 / VU#633847
   5256    Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
   5257 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   5258    CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   5259    CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   5260    Summary: 
   5261 	If ntpd is configured to allow mrulist query requests from a
   5262 	server that sends a crafted malicious mrulist query packet, ntpd
   5263 	will crash on receipt of that packet.
   5264    Mitigation:
   5265 	Only allow mrulist query packets from trusted hosts.
   5266         Implement BCP-38.
   5267         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5268 	    or the NTP Public Services Project Download Page
   5269         Properly monitor your ntpd instances, and auto-restart ntpd
   5270 	    (without -g) if it stops running. 
   5271    Credit: This weakness was discovered by Magnus Stubman.
   5272 
   5273 * Attack on interface selection
   5274    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5275    References: Sec 3072 / CVE-2016-7429 / VU#633847
   5276    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   5277 	ntp-4.3.0 up to, but not including ntp-4.3.94
   5278    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   5279    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   5280    Summary: 
   5281 	When ntpd receives a server response on a socket that corresponds
   5282 	to a different interface than was used for the request, the peer
   5283 	structure is updated to use the interface for new requests. If
   5284 	ntpd is running on a host with multiple interfaces in separate
   5285 	networks and the operating system doesn't check source address in
   5286 	received packets (e.g. rp_filter on Linux is set to 0), an
   5287 	attacker who knows the address of the source can send a packet
   5288 	with a spoofed source address, which will cause ntpd to select the
   5289 	wrong interface for that source and prevent it from sending new requests
   5290 	until the list of interfaces is refreshed, which happens on
   5291 	routing changes or every 5 minutes by default. If the attack is
   5292 	repeated often enough (once per second), ntpd will not be able to
   5293 	synchronize with the source.
   5294    Mitigation:
   5295         Implement BCP-38.
   5296         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5297 	    or the NTP Public Services Project Download Page
   5298 	If you are going to configure your OS to disable source address
   5299 	    checks, also configure your firewall configuration to control
   5300 	    what interfaces can receive packets from what networks.
   5301         Properly monitor your ntpd instances, and auto-restart ntpd
   5302 	    (without -g) if it stops running. 
   5303    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   5304 
   5305 * Client rate limiting and server responses
   5306    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5307    References: Sec 3071 / CVE-2016-7426 / VU#633847
   5308    Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
   5309 	ntp-4.3.0 up to, but not including ntp-4.3.94
   5310    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   5311    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   5312    Summary: 
   5313 	When ntpd is configured with rate limiting for all associations
   5314 	(restrict default limited in ntp.conf), the limits are applied
   5315 	also to responses received from its configured sources. An
   5316 	attacker who knows the sources (e.g., from an IPv4 refid in
   5317 	server response) and knows the system is (mis)configured in this
   5318 	way can periodically send packets with spoofed source address to
   5319 	keep the rate limiting activated and prevent ntpd from accepting
   5320 	valid responses from its sources. 
   5321 
   5322 	While this blanket rate limiting can be useful to prevent
   5323 	brute-force attacks on the origin timestamp, it allows this DoS
   5324 	attack. Similarly, it allows the attacker to prevent mobilization
   5325 	of ephemeral associations.  
   5326    Mitigation:
   5327         Implement BCP-38.
   5328         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5329 	    or the NTP Public Services Project Download Page
   5330         Properly monitor your ntpd instances, and auto-restart ntpd
   5331 	    (without -g) if it stops running. 
   5332    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
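
The weak setting this summary describes beside a corrected one, as an added ntp.conf fragment (not from the NTP documentation; the client subnet is a constructed placeholder): rate limiting belongs on the networks that send this host unsolicited client requests, not on the default entry that also governs replies from its own configured sources.

```conf
# Added example, not from the NTP distribution. 203.0.113.0/24 is a
# constructed placeholder for a network of NTP clients. The two variants
# below are alternatives; use one or the other.

# Weak: "limited" on the default entry also applies to the replies arriving
# from the servers this host polls, so a stream of packets with a spoofed
# server address can keep the limit tripped and starve the association.
restrict default kod limited nomodify notrap nopeer noquery

# Corrected: leave "limited" off the default entry and apply it only to the
# subnet that sends this host client requests. Replies from configured
# sources then fall under the default entry and are never rate-limited.
restrict default kod nomodify notrap nopeer noquery
restrict 203.0.113.0 mask 255.255.255.0 kod limited nomodify notrap nopeer noquery
```

A host that only serves time to a known set of networks loses nothing by this split; a public server that must limit unknown clients on the default entry still needs the upgrade, since the p9 fix is what stops the limit from being applied to responses from its own sources.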
   5333 
   5334 * Fix for bug 2085 broke initial sync calculations 
   5335    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   5336    References: Sec 3067 / CVE-2016-7433 / VU#633847
   5337    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   5338 	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
   5339 	root-distance calculation in general is incorrect in all versions
   5340 	of ntp-4 until this release. 
   5341    CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
   5342    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
   5343    Summary: 
   5344 	Bug 2085 described a condition where the root delay was included
   5345 	twice, causing the jitter value to be higher than expected. Due
   5346 	to a misinterpretation of a small-print variable in The Book, the
   5347 	fix for this problem was incorrect, resulting in a root distance
   5348 	that did not include the peer dispersion. The calculations and
   5349 	formulae have been reviewed and reconciled, and the code has been
   5350 	updated accordingly. 
   5351    Mitigation:
   5352         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   5353 	    or the NTP Public Services Project Download Page
   5354         Properly monitor your ntpd instances, and auto-restart ntpd
   5355 	    (without -g) if it stops running. 
   5356    Credit: This weakness was discovered independently by Brian Utterback of
   5357 	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University. 
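
The root distance written out term by term, as an added example that is not ntpd's code but follows the root_dist() definition in RFC 5905, Appendix A.5.1.1; the sample peer values and the variant that leaves out the peer dispersion term, mirroring the regression described above, are constructed for the illustration.

```c
#include <stdio.h>

/* Added example built on RFC 5905's root_dist() (Appendix A.5.1.1), not the
 * ntpd source. PHI and MINDISP are the RFC's constants; the peer variable
 * names follow the RFC. */
#define PHI     15e-6   /* frequency tolerance, 15 ppm */
#define MINDISP 0.01    /* minimum dispersion (s) */

struct peer_vars {
	double rootdelay;  /* root delay reported by the source (s) */
	double rootdisp;   /* root dispersion reported by the source (s) */
	double delay;      /* round-trip delay to the source (s) */
	double disp;       /* peer dispersion (s): the term the Bug 2085 fix lost */
	double jitter;     /* peer jitter (s) */
};

/* Root distance per RFC 5905:
 *   lambda = max(MINDISP, rootdelay + delay) / 2 + rootdisp + disp
 *            + PHI * (seconds since the last update) + jitter
 * Every term is an error bound. Leaving one out understates the distance and
 * makes a source look better than it is to the clock selection algorithm. */
double root_distance(const struct peer_vars *p, double secs_since_update)
{
	double d = p->rootdelay + p->delay;

	if (d < MINDISP)
		d = MINDISP;
	return d / 2 + p->rootdisp + p->disp + PHI * secs_since_update + p->jitter;
}

/* The shape of the regression described above: the same calculation with
 * the peer dispersion omitted. Constructed for contrast only. */
double root_distance_missing_disp(const struct peer_vars *p, double secs_since_update)
{
	double d = p->rootdelay + p->delay;

	if (d < MINDISP)
		d = MINDISP;
	return d / 2 + p->rootdisp + PHI * secs_since_update + p->jitter;
}

/* Constructed sample peer: 20 ms root delay, 5 ms root dispersion,
 * 4 ms path delay, 1 ms peer dispersion, 0.5 ms jitter. */
const struct peer_vars demo_peer = { 0.020, 0.005, 0.004, 0.001, 0.0005 };

int main(void)
{
	printf("root distance now:            %.4f s\n", root_distance(&demo_peer, 0));
	printf("root distance after 100 s:    %.4f s\n", root_distance(&demo_peer, 100));
	printf("without peer dispersion term: %.4f s\n",
	       root_distance_missing_disp(&demo_peer, 0));
	return 0;
}
```

The PHI term is why the distance of a source grows while no new sample arrives: 100 s without an update adds 1.5 ms to the bound above, independent of the other terms.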
   5358 
   5359 Other fixes:
   5360 
   5361 * [Bug 3142] bug in netmask prefix length detection <perlinger (a] ntp.org>
   5362 * [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn (a] ntp.org
   5363 * [Bug 3129] Unknown hosts can put resolver thread into a hard loop
   5364   - moved retry decision where it belongs. <perlinger (a] ntp.org>
   5365 * [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
   5366   using the loopback-ppsapi-provider.dll <perlinger (a] ntp.org>
   5367 * [Bug 3116] unit tests for NTP time stamp expansion. <perlinger (a] ntp.org>
   5368 * [Bug 3100] ntpq can't retrieve daemon_version <perlinger (a] ntp.org>
   5369   - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
   5370 * [Bug 3095] Compatibility with openssl 1.1 <perlinger (a] ntp.org>
   5371   - applied patches by Kurt Roeckx <kurt (a] roeckx.be> to source
   5372   - added shim layer for SSL API calls with issues (both directions)
   5373 * [Bug 3089] Serial Parser does not work anymore for hopfser like device
   5374   - simplified / refactored hex-decoding in driver. <perlinger (a] ntp.org>
   5375 * [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
   5376 * [Bug 3068] Linker warnings when building on Solaris. perlinger (a] ntp.org
   5377   - applied patch thanks to Andrew Stormont <andyjstormont (a] gmail.com>
   5378 * [Bug 3067] Root distance calculation needs improvement.  HStenn
   5379 * [Bug 3066] NMEA clock ignores pps. perlinger (a] ntp.org
   5380   - PPS-HACK works again.
   5381 * [Bug 3059] Potential buffer overrun from oversized hash <perlinger (a] ntp.org>
   5382   - applied patch by Brian Utterback <brian.utterback (a] oracle.com>
   5383 * [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
   5384 * [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
   5385   <perlinger (a] ntp.org>
   5386   - patches by Reinhard Max <max (a] suse.com> and Havard Eidnes <he (a] uninett.no>
   5387 * [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe (a] ntp.org
   5388   - Patch provided by Kuramatsu.
   5389 * [Bug 3021] unity_fixture.c needs pragma weak <perlinger (a] ntp.org>
   5390   - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
   5391 * [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
   5392 * [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
   5393 * [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
   5394 * [Bug 2959] refclock_jupiter: gps week correction <perlinger (a] ntp.org>
   5395   - fixed GPS week expansion to work based on build date. Special thanks
   5396     to Craig Leres for initial patch and testing.
   5397 * [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
   5398   - fixed Makefile.am <perlinger (a] ntp.org>
   5399 * [Bug 2689] ATOM driver processes last PPS pulse at startup,
   5400              even if it is very old <perlinger (a] ntp.org>
   5401   - make sure PPS source is alive before processing samples
   5402   - improve stability close to the 500ms phase jump (phase gate)
   5403 * Fix typos in include/ntp.h.
   5404 * Shim X509_get_signature_nid() if needed
   5405 * git author attribution cleanup
   5406 * bk ignore file cleanup
   5407 * remove locks in Windows IO, use rpc-like thread synchronisation instead
   5408 
   5409 ---
   5410 NTP 4.2.8p8 (Harlan Stenn <stenn (a] ntp.org>, 2016/06/02) 
   5411 
   5412 Focus: Security, Bug fixes, enhancements.
   5413 
   5414 Severity: HIGH
   5415 
   5416 In addition to bug fixes and enhancements, this release fixes the
   5417 following 1 high- and 4 low-severity vulnerabilities:
   5418 
   5419 * CRYPTO_NAK crash
   5420    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   5421    References: Sec 3046 / CVE-2016-4957 / VU#321640
   5422    Affects: ntp-4.2.8p7, and ntp-4.3.92.
   5423    CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   5424    CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   5425    Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
   5426 	could cause ntpd to crash.
   5427    Mitigation:
   5428         Implement BCP-38.
   5429         Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   5430 	    or the NTP Public Services Project Download Page
   5431         If you cannot upgrade from 4.2.8p7, the only other alternatives
   5432 	    are to patch your code or filter CRYPTO_NAK packets.
   5433         Properly monitor your ntpd instances, and auto-restart ntpd
   5434 	    (without -g) if it stops running. 
   5435    Credit: This weakness was discovered by Nicolas Edet of Cisco. 
   5436 
   5437 * Bad authentication demobilizes ephemeral associations
   5438    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   5439    References: Sec 3045 / CVE-2016-4953 / VU#321640
   5440    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   5441 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   5442    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   5443    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   5444    Summary: An attacker who knows the origin timestamp and can send a
   5445 	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
   5446 	target before any other response is sent can demobilize that
   5447 	association.
   5448    Mitigation:
   5449 	Implement BCP-38.
   5450 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   5451 	    or the NTP Public Services Project Download Page
   5452 	Properly monitor your ntpd instances. 
   5453    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   5454 
   5455 * Processing spoofed server packets
   5456    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   5457    References: Sec 3044 / CVE-2016-4954 / VU#321640
   5458    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   5459 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   5460    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   5461    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   5462    Summary: An attacker who is able to spoof packets with correct origin
   5463 	timestamps from enough servers before the expected response
   5464 	packets arrive at the target machine can affect some peer
   5465 	variables and, for example, cause a false leap indication to be set.
   5466    Mitigation:
   5467 	Implement BCP-38.
   5468 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   5469 	    or the NTP Public Services Project Download Page
   5470 	Properly monitor your ntpd instances. 
   5471    Credit: This weakness was discovered by Jakub Prokes of Red Hat. 
   5472 
   5473 * Autokey association reset
   5474    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   5475    References: Sec 3043 / CVE-2016-4955 / VU#321640
   5476    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   5477 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   5478    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   5479    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   5480    Summary: An attacker who is able to spoof a packet with a correct
   5481 	origin timestamp before the expected response packet arrives at
   5482 	the target machine can send a CRYPTO_NAK or a bad MAC and cause
   5483 	the association's peer variables to be cleared. If this can be
   5484 	done often enough, it will prevent that association from working.
   5485    Mitigation:
   5486 	Implement BCP-38.
   5487 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   5488 	    or the NTP Public Services Project Download Page
   5489 	Properly monitor your ntpd instances. 
   5490    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   5491  
   5492 * Broadcast interleave
   5493    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   5494    References: Sec 3042 / CVE-2016-4956 / VU#321640
   5495    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   5496    	ntp-4.3.0 up to, but not including ntp-4.3.93.
   5497    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   5498    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   5499    Summary: The fix for NtpBug2978 does not cover broadcast associations,
   5500    	so broadcast clients can be triggered to flip into interleave mode.
   5501    Mitigation:
   5502 	Implement BCP-38.
   5503 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   5504 	    or the NTP Public Services Project Download Page
   5505 	Properly monitor your ntpd instances. 
   5506    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   5507 
   5508 Other fixes:
   5509 * [Bug 3038] NTP fails to build in VS2015. perlinger (a] ntp.org
   5510   - provide build environment
   5511   - 'wint_t' and 'struct timespec' defined by VS2015
   5512   - fixed print()/scanf() format issues
   5513 * [Bug 3052] Add a .gitignore file.  Edmund Wong.
   5514 * [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
   5515 * [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
   5516   JPerlinger, HStenn.
   5517 * Fix typo in ntp-wait and plot_summary.  HStenn.
   5518 * Make sure we have an "author" file for git imports.  HStenn.
   5519 * Update the sntp problem tests for MacOS.  HStenn.
   5520 
   5521 ---
   5522 NTP 4.2.8p7 (Harlan Stenn <stenn (a] ntp.org>, 2016/04/26) 
   5523 
   5524 Focus: Security, Bug fixes, enhancements.
   5525 
   5526 Severity: MEDIUM
   5527 
   5528 When building NTP from source, there is a new configure option
   5529 available, --enable-dynamic-interleave.  More information on this below.
   5530 
   5531 Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
   5532 versions of ntp.  These events have almost certainly happened in the
   5533 past; they were simply counted silently and not logged.  With the
   5534 increasing awareness around security, we feel it's better to clearly
   5535 log these events to help detect abusive behavior.  This increased
   5536 logging can also help detect other problems.
   5537 
   5538 In addition to bug fixes and enhancements, this release fixes the
   5539 following 9 low- and medium-severity vulnerabilities:
   5540 
   5541 * Improve NTP security against buffer comparison timing attacks,
   5542   AKA: authdecrypt-timing
   5543    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5544    References: Sec 2879 / CVE-2016-1550
   5545    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5546 	4.3.0 up to, but not including 4.3.92
   5547    CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
   5548    CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   5549    Summary: Packet authentication tests have been performed using
   5550 	memcmp() or possibly bcmp(), and it is potentially possible
   5551 	for a local or perhaps LAN-based attacker to send a packet with
   5552 	an authentication payload and indirectly observe how much of
   5553 	the digest has matched.
   5554    Mitigation:
   5555 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5556 	    or the NTP Public Services Project Download Page.
   5557 	Properly monitor your ntpd instances.
   5558    Credit: This weakness was discovered independently by Loganaden
   5559    	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
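
What "indirectly observe how much of the digest has matched" means in code, as an added example that is not ntpd's authentication code: an early-exit comparison in the memcmp()/bcmp() style next to a constant-time one. The digest bytes are constructed and the function names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not ntpd's code. The digests are constructed 16-byte
 * values; the function names are the example's own. */

/* Early-exit comparison in the style of memcmp()/bcmp(): it stops at the
 * first mismatching byte. Returns 1 on match and reports in *examined how
 * many bytes were looked at, which is the quantity response timing leaks:
 * a guess that matches one more byte of the digest takes one step longer. */
int early_exit_equal(const unsigned char *a, const unsigned char *b,
                     size_t n, size_t *examined)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (a[i] != b[i]) {
			*examined = i + 1;
			return 0;
		}
	}
	*examined = n;
	return 1;
}

/* Constant-time comparison: every byte is visited and the differences are
 * OR-ed together, so the work done does not depend on where, or whether,
 * the inputs differ. Only the final accumulated result is branched on. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (unsigned char)(a[i] ^ b[i]);
	return diff == 0;
}

/* Constructed digests: the received one matches the expected one in its
 * first three bytes and differs at byte index 3. */
const unsigned char expected_digest[16] = {
	0x3a, 0x7f, 0xc2, 0x19, 0x88, 0x5d, 0x04, 0xe1,
	0x6b, 0x2c, 0xf0, 0x97, 0x45, 0xda, 0x1e, 0x60
};
const unsigned char received_digest[16] = {
	0x3a, 0x7f, 0xc2, 0x00, 0x88, 0x5d, 0x04, 0xe1,
	0x6b, 0x2c, 0xf0, 0x97, 0x45, 0xda, 0x1e, 0x60
};

/* Bytes the early-exit compare examines for the sample pair: 4 here, and
 * one more for every additional leading byte a submitted digest gets right. */
size_t demo_bytes_examined(void)
{
	size_t examined;

	early_exit_equal(expected_digest, received_digest,
	                 sizeof expected_digest, &examined);
	return examined;
}

int main(void)
{
	printf("early-exit compare examined %zu of %zu bytes\n",
	       demo_bytes_examined(), sizeof expected_digest);
	printf("constant-time compare: %s\n",
	       ct_equal(expected_digest, received_digest,
	                sizeof expected_digest) ? "match" : "mismatch");
	return 0;
}
```

The constant-time form is the one to use wherever a secret-derived value (a MAC, a password hash, a session token) is compared with attacker-supplied input; the length of both operands is public, so it does not need to be hidden.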
   5560 
   5561 * Zero origin timestamp bypass: Additional KoD checks.
   5562    References: Sec 2945 / Sec 2901 / CVE-2015-8138
   5563    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   5564    Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.
   5565 
   5566 * peer associations were broken by the fix for NtpBug2899
   5567    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5568    References: Sec 2952 / CVE-2015-7704
   5569    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5570    	4.3.0 up to, but not including 4.3.92
   5571    CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   5572    Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
   5573    	associations did not address all of the issues.
   5574    Mitigation:
   5575         Implement BCP-38.
   5576         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5577 	    or the NTP Public Services Project Download Page
   5578         If you can't upgrade, use "server" associations instead of
   5579 	    "peer" associations.
   5580         Monitor your ntpd instances. 
   5581    Credit: This problem was discovered by Michael Tatarinov.
   5582 
   5583 * Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
   5584    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5585    References: Sec 3007 / CVE-2016-1547 / VU#718152
   5586    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5587 	4.3.0 up to, but not including 4.3.92
   5588    CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   5589    CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   5590    Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
   5591 	off-path attacker can cause a preemptable client association to
   5592 	be demobilized by sending a crypto NAK packet to a victim client
   5593 	with a spoofed source address of an existing associated peer.
   5594 	This is true even if authentication is enabled.
   5595 
   5596 	Furthermore, if the attacker keeps sending crypto NAK packets,
   5597 	for example one every second, the victim never has a chance to
   5598 	reestablish the association and synchronize time with that
   5599 	legitimate server.
   5600 
   5601 	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
   5602 	stringent checks are performed on incoming packets, but there
   5603 	are still ways to exploit this vulnerability in versions before
   5604 	ntp-4.2.8p7.
   5605    Mitigation:
   5606 	Implement BCP-38.
   5607 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5608 	    or the NTP Public Services Project Download Page
   5609 	Properly monitor your ntpd instances
   5610    Credit: This weakness was discovered by Stephen Gray and
   5611    	Matthew Van Gundy of Cisco ASIG.
   5612 
   5613 * ctl_getitem() return value not always checked
   5614    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5615    References: Sec 3008 / CVE-2016-2519
   5616    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5617 	4.3.0 up to, but not including 4.3.92
   5618    CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   5619    CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   5620    Summary: ntpq and ntpdc can be used to store and retrieve information
   5621    	in ntpd. It is possible to store a data value that is larger
   5622 	than the size of the buffer that the ctl_getitem() function of
   5623 	ntpd uses to report the return value. If the length of the
   5624 	requested data value returned by ctl_getitem() is too large,
   5625 	the value NULL is returned instead. There are 2 cases where the
   5626 	return value from ctl_getitem() was not directly checked to make
   5627 	sure it's not NULL, but there are subsequent INSIST() checks
   5628 	that make sure the return value is not NULL. There are no data
   5629 	values ordinarily stored in ntpd that would exceed this buffer
   5630 	length. But if one has permission to store values and one stores
   5631 	a value that is "too large", then ntpd will abort if an attempt
   5632 	is made to read that oversized value.
   5633     Mitigation:
   5634         Implement BCP-38.
   5635         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5636 	    or the NTP Public Services Project Download Page
   5637         Properly monitor your ntpd instances.
   5638     Credit: This weakness was discovered by Yihan Lian of the Cloud
   5639     	Security Team, Qihoo 360. 
   5640 
   5641 * Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC 
   5642    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5643    References: Sec 3009 / CVE-2016-2518 / VU#718152
   5644    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5645 	4.3.0 up to, but not including 4.3.92
   5646    CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
   5647    CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   5648    Summary: Using a crafted packet to create a peer association with
   5649    	hmode > 7 causes the MATCH_ASSOC() lookup to make an
   5650 	out-of-bounds reference.
   5651    Mitigation:
   5652 	Implement BCP-38.
   5653 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5654 	    or the NTP Public Services Project Download Page
   5655 	Properly monitor your ntpd instances
   5656    Credit: This weakness was discovered by Yihan Lian of the Cloud
   5657    	Security Team, Qihoo 360.
   5658 
   5659 * remote configuration trustedkey/requestkey/controlkey values are not
   5660 	properly validated
   5661    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5662    References: Sec 3010 / CVE-2016-2517 / VU#718152
   5663    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5664 	4.3.0 up to, but not including 4.3.92
   5665    CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   5666    CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   5667    Summary: If ntpd was expressly configured to allow for remote
   5668    	configuration, a malicious user who knows the controlkey for
   5669 	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
   5670 	can create a session with ntpd and then send a crafted packet to
   5671 	ntpd that will change the value of the trustedkey, controlkey,
   5672 	or requestkey to a value that will prevent any subsequent
   5673 	authentication with ntpd until ntpd is restarted.
   5674    Mitigation:
   5675 	Implement BCP-38.
   5676 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5677 	    or the NTP Public Services Project Download Page
   5678 	Properly monitor your ntpd instances
   5679    Credit: This weakness was discovered by Yihan Lian of the Cloud
   5680    	Security Team, Qihoo 360.
   5681 
   5682 * Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
   5683    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5684    References: Sec 3011 / CVE-2016-2516 / VU#718152
   5685    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5686    	4.3.0 up to, but not including 4.3.92
   5687    CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
   5688    CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   5689    Summary: If ntpd was expressly configured to allow for remote
   5690    	configuration, a malicious user who knows the controlkey for
   5691 	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
   5692 	can create a session with ntpd and if an existing association is
   5693 	unconfigured using the same IP twice on the unconfig directive
   5694 	line, ntpd will abort.
   5695    Mitigation:
   5696 	Implement BCP-38.
   5697 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5698 	    or the NTP Public Services Project Download Page
   5699 	Properly monitor your ntpd instances
   5700    Credit: This weakness was discovered by Yihan Lian of the Cloud
   5701    	Security Team, Qihoo 360.
   5702 
   5703 * Refclock impersonation vulnerability
   5704    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5705    References: Sec 3020 / CVE-2016-1551
   5706    Affects: On a very limited number of OSes, all NTP releases up to but
   5707 	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
   5708 	By "very limited number of OSes" we mean no general-purpose OSes
   5709 	have yet been identified that have this vulnerability.
   5710    CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
   5711    CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
   5712    Summary: While most OSes implement martian packet filtering in their
   5713    	network stack, at least regarding 127.0.0.0/8, some will allow
   5714 	packets claiming to be from 127.0.0.0/8 that arrive over a
   5715 	physical network. On these OSes, if ntpd is configured to use a
   5716 	reference clock an attacker can inject packets over the network
   5717 	that look like they are coming from that reference clock.
   5718    Mitigation:
   5719         Implement martian packet filtering and BCP-38.
   5720         Configure ntpd to use an adequate number of time sources.
   5721         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5722 	    or the NTP Public Services Project Download Page
   5723         If you are unable to upgrade and if you are running an OS that
   5724 	    has this vulnerability, implement martian packet filters and
   5725 	    lobby your OS vendor to fix this problem, or run your
   5726 	    refclocks on computers that use OSes that are not vulnerable
   5727 	    to these attacks and have your vulnerable machines get their
   5728 	    time from protected resources.
   5729         Properly monitor your ntpd instances.
   5730    Credit: This weakness was discovered by Matt Street and others of
   5731    	Cisco ASIG. 
   5732 
   5733 The following issues were fixed in earlier releases and contain
   5734 improvements in 4.2.8p7:
   5735 
   5736 * Clients that receive a KoD should validate the origin timestamp field.
   5737    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   5738    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   5739    Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
   5740 
   5741 * Skeleton key: passive server with trusted key can serve time.
   5742    References: Sec 2936 / CVE-2015-7974
   5743    Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   5744    Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.
   5745 
   5746 Two other vulnerabilities have been reported, and the mitigations
   5747 for these are as follows:
   5748 
   5749 * Interleave-pivot
   5750    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5751    References: Sec 2978 / CVE-2016-1548
   5752    Affects: All ntp-4 releases.
   5753    CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   5754    CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
   5755    Summary: It is possible to change the time of an ntpd client or deny
   5756    	service to an ntpd client by forcing it to change from basic
   5757 	client/server mode to interleaved symmetric mode. An attacker
   5758 	can spoof a packet from a legitimate ntpd server with an origin
   5759 	timestamp that matches the peer->dst timestamp recorded for that
   5760 	server. After making this switch, the client will reject all
   5761 	future legitimate server responses. It is possible to force the
   5762 	victim client to move time after the mode has been changed.
   5763 	ntpq gives no indication that the mode has been switched.
   5764    Mitigation:
   5765         Implement BCP-38.
   5766         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   5767 	    or the NTP Public Services Project Download Page.  These
   5768 	    versions will not dynamically "flip" into interleave mode
   5769 	    unless configured to do so.
   5770         Properly monitor your ntpd instances.
   5771    Credit: This weakness was discovered by Miroslav Lichvar of RedHat
   5772    	and separately by Jonathan Gardner of Cisco ASIG.
   5773 
   5774 * Sybil vulnerability: ephemeral association attack
   5775    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   5776    References: Sec 3012 / CVE-2016-1549
   5777    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   5778    	4.3.0 up to, but not including 4.3.92
   5779    CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   5780    CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   5781    Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
   5782    	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
   5783 	field in the ntp.keys file to specify which IPs can serve time,
   5784 	a malicious authenticated peer can create arbitrarily-many
   5785 	ephemeral associations in order to win the clock selection of
   5786 	ntpd and modify a victim's clock.
   5787    Mitigation:
   5788         Implement BCP-38.
   5789         Use the 4th field in the ntp.keys file to specify which IPs
   5790 	    can be time servers.
   5791         Properly monitor your ntpd instances.
   5792    Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
   5793 
   5794 Other fixes:
   5795 
   5796 * [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger (a] ntp.org
   5797   - fixed yet another race condition in the threaded resolver code.
   5798 * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
   5799 * [Bug 2879] Improve NTP security against timing attacks. perlinger (a] ntp.org
   5800   - integrated patches by Loganaden Velvindron <logan (a] ntp.org>
   5801     with some modifications & unit tests
   5802 * [Bug 2960] async name resolution fixes for chroot() environments.
   5803   Reinhard Max.
   5804 * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger (a] ntp.org
   5805 * [Bug 2995] Fixes to compile on Windows
   5806 * [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger (a] ntp.org
   5807 * [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger (a] ntp.org
   5808   - Patch provided by Ch. Weisgerber
   5809 * [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
   5810   - A change related to [Bug 2853] forbids trailing white space in
   5811     remote config commands. perlinger (a] ntp.org
   5812 * [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
   5813   - report and patch from Aleksandr Kostikov.
   5814   - Overhaul of Windows IO completion port handling. perlinger (a] ntp.org
   5815 * [Bug 3022] authkeys.c should be refactored. perlinger (a] ntp.org
   5816   - fixed memory leak in access list (auth[read]keys.c)
   5817   - refactored handling of key access lists (auth[read]keys.c)
   5818   - reduced number of error branches (authreadkeys.c)
   5819 * [Bug 3023] ntpdate cannot correct dates in the future. perlinger (a] ntp.org
   5820 * [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
   5821 * [Bug 3031] ntp broadcastclient unable to synchronize to a server
   5822              when the time of server changed. perlinger (a] ntp.org
   5823   - Check the initial delay calculation and reject/unpeer the broadcast
   5824     server if the delay exceeds 50ms. Retry again after the next
   5825     broadcast packet.
   5826 * [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
   5827 * Document ntp.key's optional IP list in authentic.html.  Harlan Stenn.
   5828 * Update html/xleave.html documentation.  Harlan Stenn.
   5829 * Update ntp.conf documentation.  Harlan Stenn.
   5830 * Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
   5831 * Fix typo in html/monopt.html.  Harlan Stenn.
   5832 * Add README.pullrequests.  Harlan Stenn.
   5833 * Cleanup to include/ntp.h.  Harlan Stenn.
   5834 
   5835 New option to 'configure':
   5836 
   5837 While looking into the issues around Bug 2978, the "interleave pivot"
   5838 issue, it became clear that there are some intricate and unresolved
   5839 issues with interleave operations.  We also realized that the interleave
   5840 protocol was never added to the NTPv4 Standard, and it should have been.
   5841 
   5842 Interleave mode was first released in July of 2008, and can be engaged
   5843 in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
   5844 contain the 'xleave' option, which will expressly enable interleave mode
   5845 for that association.  Additionally, if a time packet arrives and is
   5846 found inconsistent with normal protocol behavior but has certain
   5847 characteristics that are compatible with interleave mode, NTP will
   5848 dynamically switch to interleave mode.  With sufficient knowledge, an
   5849 attacker can send a crafted forged packet to an NTP instance that
   5850 triggers only one side to enter interleaved mode.
   5851 
   5852 To prevent this attack until we can thoroughly document, describe,
   5853 fix, and test the dynamic interleave mode, we've added a new
   5854 'configure' option to the build process:
   5855 
   5856  --enable-dynamic-interleave
   5857 
   5858 This option controls whether or not NTP will, if conditions are right,
   5859 engage dynamic interleave mode.  Dynamic interleave mode is disabled by
   5860 default in ntp-4.2.8p7.
   5861 
   5862 ---
   5863 NTP 4.2.8p6 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/20) 
   5864 
   5865 Focus: Security, Bug fixes, enhancements.
   5866 
   5867 Severity: MEDIUM
   5868 
   5869 In addition to bug fixes and enhancements, this release fixes the
   5870 following 1 low- and 8 medium-severity vulnerabilities:
   5871 
   5872 * Potential Infinite Loop in 'ntpq'
   5873    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   5874    References: Sec 2548 / CVE-2015-8158
   5875    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   5876 	4.3.0 up to, but not including 4.3.90
   5877    CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   5878    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   5879    Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
   5880 	The loop's only stopping conditions are receiving a complete and
   5881 	correct response or hitting a small number of error conditions.
   5882 	If the packet contains incorrect values that don't trigger one of
   5883 	the error conditions, the loop continues to receive new packets.
   5884 	Note well, this is an attack against an instance of 'ntpq', not
   5885 	'ntpd', and this attack requires the attacker to do one of the
   5886 	following:
   5887 	* Own a malicious NTP server that the client trusts
   5888 	* Prevent a legitimate NTP server from sending packets to
   5889 	    the 'ntpq' client
   5890 	* MITM the 'ntpq' communications between the 'ntpq' client
   5891 	    and the NTP server
   5892    Mitigation:
   5893 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   5894 	or the NTP Public Services Project Download Page
   5895    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
   5896 
   5897 * 0rigin: Zero Origin Timestamp Bypass
   5898    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   5899    References: Sec 2945 / CVE-2015-8138
   5900    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   5901 	4.3.0 up to, but not including 4.3.90
   5902    CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
   5903    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   5904 	(3.7 - LOW if you score AC:L)
   5905    Summary: To distinguish legitimate peer responses from forgeries, a
   5906 	client attempts to verify a response packet by ensuring that the
   5907 	origin timestamp in the packet matches the origin timestamp it
   5908 	transmitted in its last request.  A logic error exists that
   5909 	allows packets with an origin timestamp of zero to bypass this
   5910 	check whenever there is not an outstanding request to the server.
   5911    Mitigation:
   5912 	Configure 'ntpd' to get time from multiple sources.
   5913 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   5914 	    or the NTP Public Services Project Download Page.
   5915 	Monitor your 'ntpd' instances.
   5916    Credit: This weakness was discovered by Matthew Van Gundy and
   5917 	Jonathan Gardner of Cisco ASIG.
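
   The following is an added illustration in C, with constructed stand-ins
   rather than ntpd's own structures, of the origin-timestamp test that
   this entry and the crypto-NAK entry (Sec 3007 / CVE-2016-1547, in the
   4.2.8p7 section above) both turn on.  The flawed shape compares the
   packet's origin with the stored transmit stamp, which is zero whenever
   no request is outstanding, so a zero origin matches; the hardened
   shape rejects zero origins and unsolicited replies, and a crypto-NAK
   demobilizes the association only after passing that test.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for ntpd's peer and packet state. */
typedef uint64_t l_fp;          /* a 64-bit NTP timestamp as one integer */

typedef struct {
    l_fp aorg;                  /* transmit stamp of our last request; 0 when idle */
    bool outstanding;           /* a request was sent and not yet answered */
    bool mobilized;             /* the association exists */
} peer_t;

typedef struct {
    l_fp org;                   /* origin stamp the packet claims to echo */
    bool crypto_nak;            /* MAC field is a crypto-NAK (key id 0, no digest) */
} pkt_t;

/* Client side: remember the transmit stamp so the reply can be matched. */
void send_request(peer_t *p, l_fp xmt)
{
    p->aorg = xmt;
    p->outstanding = true;
}

/* Flawed shape of the check described above: bare equality.  With no
 * request outstanding aorg is 0, so a forged packet with org == 0 passes. */
bool origin_ok_flawed(const peer_t *p, const pkt_t *k)
{
    return k->org == p->aorg;
}

/* Hardened shape: a zero origin is never valid, a reply is only valid
 * while a request is outstanding, and then it must echo what we sent. */
bool origin_ok(const peer_t *p, const pkt_t *k)
{
    if (k->org == 0 || !p->outstanding)
        return false;
    return k->org == p->aorg;
}

/* Accept a reply: only a reply that passes the origin test clears the
 * outstanding request, and aorg is zeroed so the same reply cannot be
 * replayed against the next idle period. */
bool accept_reply(peer_t *p, const pkt_t *k)
{
    if (!origin_ok(p, k))
        return false;
    p->outstanding = false;
    p->aorg = 0;
    return true;
}

/* Crypto-NAK handling in the spirit of the Sec 3007 fix: a NAK that does
 * not answer our own request is dropped instead of demobilizing the
 * association, so NAKs carrying a spoofed server address but echoing
 * nothing we transmitted have no effect. */
bool handle_crypto_nak(peer_t *p, const pkt_t *k)
{
    if (!k->crypto_nak || !origin_ok(p, k))
        return false;
    p->mobilized = false;
    p->outstanding = false;
    p->aorg = 0;
    return true;
}
```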
   5918 
   5919 * Stack exhaustion in recursive traversal of restriction list
   5920    Date Resolved: Stable (4.2.8p6) 19 Jan 2016
   5921    References: Sec 2940 / CVE-2015-7978
   5922    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   5923 	4.3.0 up to, but not including 4.3.90
   5924    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   5925    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   5926    	segmentation fault in ntpd by exhausting the call stack.
   5927    Mitigation:
   5928 	Implement BCP-38.
   5929 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   5930 	    or the NTP Public Services Project Download Page.
   5931 	If you are unable to upgrade:
   5932             In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   5933 	    If you must enable mode 7:
   5934 		configure the use of a 'requestkey' to control who can
   5935 		    issue mode 7 requests.
   5936 		configure 'restrict noquery' to further limit mode 7
   5937 		    requests to trusted sources.
   5938 		Monitor your ntpd instances.
   5939    Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
   5940 
   5941 * Off-path Denial of Service (DoS) attack on authenticated broadcast mode
   5942    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   5943    References: Sec 2942 / CVE-2015-7979
   5944    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   5945 	4.3.0 up to, but not including 4.3.90
   5946    CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
   5947    Summary: An off-path attacker can send broadcast packets with bad
   5948 	authentication (wrong key, mismatched key, incorrect MAC, etc)
   5949 	to broadcast clients. It is observed that the broadcast client
   5950 	tears down the association with the broadcast server upon
   5951 	receiving just one bad packet.
   5952    Mitigation:
   5953 	Implement BCP-38.
   5954 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   5955 	or the NTP Public Services Project Download Page.
   5956 	Monitor your 'ntpd' instances.
   5957 	If this sort of attack is an active problem for you, you have
   5958 	    deeper problems to investigate.  In this case also consider
   5959 	    having smaller NTP broadcast domains.
   5960    Credit: This weakness was discovered by Aanchal Malhotra of Boston
   5961    	University.
   5962 
   5963 * reslist NULL pointer dereference
   5964    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   5965    References: Sec 2939 / CVE-2015-7977
   5966    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   5967 	4.3.0 up to, but not including 4.3.90
   5968    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   5969    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   5970 	segmentation fault in ntpd by causing a NULL pointer dereference.
   5971    Mitigation:
   5972 	Implement BCP-38.
   5973 	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
   5974 	the NTP Public Services Project Download Page.
   5975 	If you are unable to upgrade:
   5976 	    mode 7 is disabled by default.  Don't enable it.
   5977 	    If you must enable mode 7:
   5978 		configure the use of a 'requestkey' to control who can
   5979 		    issue mode 7 requests.
   5980 		configure 'restrict noquery' to further limit mode 7
   5981 		    requests to trusted sources. 
   5982 	Monitor your ntpd instances.
   5983    Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
   5984 
   5985 * 'ntpq saveconfig' command allows dangerous characters in filenames.
   5986    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   5987    References: Sec 2938 / CVE-2015-7976
   5988    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   5989 	4.3.0 up to, but not including 4.3.90
   5990    CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
   5991    Summary: The ntpq saveconfig command does not do adequate filtering
   5992    	of special characters from the supplied filename.
   5993 	Note well: The ability to use the saveconfig command is controlled
   5994 	by the 'restrict nomodify' directive, and the recommended default
   5995 	configuration is to disable this capability.  If the ability to
   5996 	execute a 'saveconfig' is required, it can easily (and should) be
   5997 	limited and restricted to a known small number of IP addresses.
   5998    Mitigation:
   5999 	Implement BCP-38.
   6000 	use 'restrict default nomodify' in your 'ntp.conf' file.
   6001 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
   6002 	If you are unable to upgrade:
   6003 	    build NTP with 'configure --disable-saveconfig' if you will
   6004 	    	never need this capability, or
   6005 	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
   6006 		careful about what IPs have the ability to send 'modify'
   6007 		requests to 'ntpd'.
   6008 	Monitor your ntpd instances.
   6009 	'saveconfig' requests are logged to syslog - monitor your syslog files.
   6010    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
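
   The following is an added illustration in C of the filtering this entry
   says was inadequate; it is not ntpd's own is_safe_filename() (see
   [Bug 2999] in the 4.2.8p7 fixes above).  It allowlists the characters
   a saveconfig filename may contain and confines the result to the
   configured directory; the directory path and the length cap of 64 are
   placeholders chosen for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Allowlist check for a client-supplied filename: only ASCII letters,
 * digits, '.', '_' and '-'; no leading '.' or '-' (no dotfiles, nothing
 * that parses as an option); no ".." anywhere; at most 64 bytes.
 * Anything else, in particular '/', whitespace, shell metacharacters,
 * control bytes and non-ASCII, is refused rather than escaped. */
bool is_safe_filename(const char *name)
{
    const unsigned char *p;

    if (name == NULL || *name == '\0' || strlen(name) > 64)
        return false;
    if (name[0] == '.' || name[0] == '-')
        return false;
    if (strstr(name, "..") != NULL)
        return false;
    for (p = (const unsigned char *)name; *p != '\0'; p++) {
        if (isalnum(*p) || *p == '.' || *p == '_' || *p == '-')
            continue;
        return false;
    }
    return true;
}

/* Build the path the configuration would be written to.  Returns false
 * when the name is refused or the result would not fit, so the caller
 * never opens anything outside 'dir'. */
bool build_save_path(const char *dir, const char *name,
                     char *out, size_t outlen)
{
    int n;

    if (!is_safe_filename(name))
        return false;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    return n > 0 && (size_t)n < outlen;
}
```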
   6011 
   6012 * nextvar() missing length check in ntpq
   6013    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   6014    References: Sec 2937 / CVE-2015-7975
   6015    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   6016 	4.3.0 up to, but not including 4.3.90
   6017    CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
   6018 	If you score A:C, this becomes 4.0.
   6019    CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
   6020    Summary: ntpq may call nextvar() which executes a memcpy() into the
   6021 	name buffer without a proper length check against its maximum
   6022 	length of 256 bytes. Note well that we're talking about ntpq here.
   6023 	The usual worst-case effect of this vulnerability is that the
   6024 	specific instance of ntpq will crash and the person or process
   6025 	that did this will have stopped themselves.
   6026    Mitigation:
   6027 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   6028 	    or the NTP Public Services Project Download Page.
   6029 	If you are unable to upgrade:
   6030 	    If you have scripts that feed input to ntpq make sure there are
   6031 		some sanity checks on the input received from the "outside".
   6032 	    This is potentially more dangerous if ntpq is run as root. 
   6033    Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
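
   The following is an added illustration in C, not ntpq's nextvar(): it
   splits a "name=value,name=value" response into variables while refusing
   any name that would not fit the 256-byte buffer this entry mentions,
   instead of copying it unchecked.  Quoted values containing commas are
   not handled; the sample response is constructed.

```c
#include <stddef.h>
#include <string.h>

#define MAXVARLEN 256           /* size of the name buffer, per the advisory */

/* Constructed sample input: a plausible ntpq readvar-style response. */
const char SAMPLE_RESPONSE[] = "leap=0,stratum=2,precision=-23,refid=GPS";

/* Pull the next "name[=value]" out of *datap.  Returns 1 and advances
 * *datap on success, 0 when the input is exhausted, and -1 when the name
 * would not fit in name[MAXVARLEN] (the check the advisory says was
 * missing).  'value'/'vlen' point into the input rather than copying. */
int nextvar_bounded(const char **datap, char name[MAXVARLEN],
                    const char **value, size_t *vlen)
{
    const char *cp = *datap, *np;
    size_t len;

    while (*cp == ',' || *cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n')
        cp++;
    if (*cp == '\0')
        return 0;

    np = cp;
    while (*cp != '\0' && *cp != '=' && *cp != ',')
        cp++;
    len = (size_t)(cp - np);
    if (len == 0 || len >= MAXVARLEN)
        return -1;                      /* bounds check before the copy */
    memcpy(name, np, len);
    name[len] = '\0';

    *value = NULL;
    *vlen = 0;
    if (*cp == '=') {
        *value = ++cp;
        while (*cp != '\0' && *cp != ',')
            cp++;
        *vlen = (size_t)(cp - *value);
    }
    *datap = cp;
    return 1;
}

/* Walk a whole response and count its variables; -1 if any name is
 * oversized, so a hostile response is rejected rather than parsed. */
int count_vars(const char *data)
{
    char name[MAXVARLEN];
    const char *v;
    size_t vl;
    int n = 0, rc;

    while ((rc = nextvar_bounded(&data, name, &v, &vl)) == 1)
        n++;
    return rc == 0 ? n : -1;
}

/* Builds a response whose name is 300 bytes long and reports whether
 * the parser refuses it (1) instead of overrunning the buffer. */
int oversized_name_rejected(void)
{
    char big[320];

    memset(big, 'a', 300);
    memcpy(big + 300, "=1", 3);         /* copies the terminating NUL too */
    return count_vars(big) == -1;
}
```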
   6034 
   6035 * Skeleton Key: Any trusted key system can serve time
   6036    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   6037    References: Sec 2936 / CVE-2015-7974
   6038    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   6039 	4.3.0 up to, but not including 4.3.90
   6040    CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
   6041    Summary: Symmetric key encryption uses a shared trusted key. The
   6042 	reported title for this issue was "Missing key check allows
   6043 	impersonation between authenticated peers" and the report claimed
   6044 	"A key specified only for one server should only work to
   6045 	authenticate that server, other trusted keys should be refused."
   6046 	Except there has never been any correlation between this trusted
   6047 	key and server vs. client machines, and there has never been any
   6048 	way to specify a key only for one server. We have treated this as
   6049 	an enhancement request, and ntp-4.2.8p6 includes other checks and
   6050 	tests to strengthen clients against attacks coming from broadcast
   6051 	servers.
   6052    Mitigation:
   6053 	Implement BCP-38.
   6054 	If this scenario represents a real or a potential issue for you,
   6055 	    upgrade to 4.2.8p6, or later, from the NTP Project Download
   6056 	    Page or the NTP Public Services Project Download Page, and
   6057 	    use the new field in the ntp.keys file that specifies the list
   6058 	    of IPs that are allowed to serve time. Note that this alone
   6059 	    will not protect against time packets with forged source IP
   6060 	    addresses, however other changes in ntp-4.2.8p6 provide
   6061 	    significant mitigation against broadcast attacks. MITM attacks
   6062 	    are a different story.
   6063 	If you are unable to upgrade:
   6064 	    Don't use broadcast mode if you cannot monitor your client
   6065 	    	servers.
   6066 	    If you choose to use symmetric keys to authenticate time
   6067 	    	packets in a hostile environment where ephemeral time
   6068 		servers can be created, or if it is expected that malicious
   6069 		time servers will participate in an NTP broadcast domain,
   6070 		limit the number of systems that participate
   6071 		in the shared-key group. 
   6072 	Monitor your ntpd instances. 
   6073    Credit: This weakness was discovered by Matt Street of Cisco ASIG. 
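
   The following is an added illustration in C of the ntp.keys 4th field
   that this entry and the Sybil entry (Sec 3012 / CVE-2016-1549, in the
   4.2.8p7 section above) both rely on: parse one key line and decide
   whether a packet's source address may serve time with that key.  It is
   not ntpd's authreadkeys/authistrustedip() code.  It assumes the list is
   comma-separated IPv4 addresses with an optional /prefix, and treats a
   key without a list as usable from any address, the behaviour before
   4.2.8p6.  Key numbers, secrets and addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ACL 8

typedef struct {
    int keyno;
    char type[16];              /* digest name, e.g. MD5 or SHA1 */
    uint32_t net[MAX_ACL];      /* listed addresses, host byte order */
    int bits[MAX_ACL];          /* prefix lengths; 32 means one host */
    int nacl;                   /* 0: no 4th field present */
} ntpkey_t;

/* Parse one ntp.keys line: "keyno type secret[ ip[/bits][,ip[/bits]...]]".
 * Any malformed field fails the whole line, so a bad line can never turn
 * into a key that silently trusts every address. */
bool parse_key_line(const char *line, ntpkey_t *k)
{
    char buf[256], *tok, *list, *e, *slash, *end;
    struct in_addr a;
    long bits;

    memset(k, 0, sizeof *k);
    if (strlen(line) >= sizeof buf)
        return false;
    strcpy(buf, line);

    if ((tok = strtok(buf, " \t\r\n")) == NULL || (k->keyno = atoi(tok)) <= 0)
        return false;
    if ((tok = strtok(NULL, " \t\r\n")) == NULL)
        return false;
    snprintf(k->type, sizeof k->type, "%s", tok);
    if (strtok(NULL, " \t\r\n") == NULL)        /* the secret; not retained here */
        return false;
    if ((list = strtok(NULL, " \t\r\n")) == NULL)
        return true;                            /* no 4th field */

    /* The 4th field is the last one used, so re-tokenizing it with
     * strtok() is safe here. */
    for (e = strtok(list, ","); e != NULL; e = strtok(NULL, ",")) {
        if (k->nacl >= MAX_ACL)
            return false;
        bits = 32;
        if ((slash = strchr(e, '/')) != NULL) {
            *slash = '\0';
            bits = strtol(slash + 1, &end, 10);
            if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
                return false;
        }
        if (inet_pton(AF_INET, e, &a) != 1)
            return false;
        k->net[k->nacl] = ntohl(a.s_addr);
        k->bits[k->nacl] = (int)bits;
        k->nacl++;
    }
    return true;
}

/* May a packet from 'src' authenticate time with key 'k'?  Without a 4th
 * field every holder of the key is trusted, the exposure the Sybil entry
 * describes; with one, the source must fall inside a listed prefix. */
bool key_trusts_source(const ntpkey_t *k, const char *src)
{
    struct in_addr a;
    uint32_t s, m;
    int i;

    if (k->nacl == 0)
        return true;
    if (inet_pton(AF_INET, src, &a) != 1)
        return false;
    s = ntohl(a.s_addr);
    for (i = 0; i < k->nacl; i++) {
        m = k->bits[i] == 0 ? 0u : 0xFFFFFFFFu << (32 - k->bits[i]);
        if ((s & m) == (k->net[i] & m))
            return true;
    }
    return false;
}

/* One-call form: -1 malformed line, 1 source trusted, 0 source refused. */
int check_key_source(const char *line, const char *src)
{
    ntpkey_t k;

    if (!parse_key_line(line, &k))
        return -1;
    return key_trusts_source(&k, src) ? 1 : 0;
}
```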
   6074 
   6075 * Deja Vu: Replay attack on authenticated broadcast mode
   6076    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   6077    References: Sec 2935 / CVE-2015-7973
   6078    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   6079    	4.3.0 up to, but not including 4.3.90
   6080    CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
   6081    Summary: If an NTP network is configured for broadcast operations then
   6082    	either a man-in-the-middle attacker or a malicious participant
   6083 	that has the same trusted keys as the victim can replay time packets.
   6084    Mitigation:
   6085 	Implement BCP-38.
   6086 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   6087 	    or the NTP Public Services Project Download Page.
   6088 	If you are unable to upgrade:
   6089 	    Don't use broadcast mode if you cannot monitor your client servers.
   6090 	Monitor your ntpd instances.
   6091    Credit: This weakness was discovered by Aanchal Malhotra of Boston
   6092 	University.
   6093 
   6094 Other fixes:
   6095 
   6096 * [Bug 2772] adj_systime overflows tv_usec. perlinger (a] ntp.org
   6097 * [Bug 2814] msyslog deadlock when signaled. perlinger (a] ntp.org
   6098   - applied patch by shenpeng11 (a] huawei.com with minor adjustments
   6099 * [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger (a] ntp.org
   6100 * [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger (a] ntp.org
   6101 * [Bug 2892] Several test cases assume IPv6 capabilities even when
   6102              IPv6 is disabled in the build. perlinger (a] ntp.org
   6103   - Found this already fixed, but validation led to cleanup actions.
   6104 * [Bug 2905] DNS lookups broken. perlinger (a] ntp.org
   6105   - added limits to stack consumption, fixed some return code handling
   6106 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
   6107   - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
   6108   - make CTRL-C work for retrieval and printing of the MRU list. perlinger (a] ntp.org
   6109 * [Bug 2980] reduce number of warnings. perlinger (a] ntp.org
   6110   - integrated several patches from Havard Eidnes (he (a] uninett.no)
   6111 * [Bug 2985] bogus calculation in authkeys.c perlinger (a] ntp.org
   6112   - implement 'auth_log2()' using integer bithack instead of float calculation
   6113 * Make leapsec_query debug messages less verbose.  Harlan Stenn.
   6114 
   6115 ---
   6116 NTP 4.2.8p5 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/07) 
   6117 
   6118 Focus: Security, Bug fixes, enhancements.
   6119 
   6120 Severity: MEDIUM
   6121 
   6122 In addition to bug fixes and enhancements, this release fixes the
   6123 following medium-severity vulnerability:
   6124 
   6125 * Small-step/big-step.  Close the panic gate earlier.
   6126     References: Sec 2956, CVE-2015-5300
   6127     Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
   6128 	4.3.0 up to, but not including 4.3.78
   6129     CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
   6130     Summary: If ntpd is always started with the -g option, which is
   6131 	common and against long-standing recommendation, and if at the
   6132 	moment ntpd is restarted an attacker can immediately respond to
   6133 	enough requests from enough sources trusted by the target, which
   6134 	is difficult and not common, there is a window of opportunity
   6135 	where the attacker can cause ntpd to set the time to an
   6136 	arbitrary value. Similarly, if an attacker is able to respond
   6137 	to enough requests from enough sources trusted by the target,
   6138 	the attacker can cause ntpd to abort and restart, at which
   6139 	point it can tell the target to set the time to an arbitrary
   6140 	value if and only if ntpd was re-started against long-standing
   6141 	recommendation with the -g flag, or if ntpd was not given the
   6142 	-g flag, the attacker can move the target system's time by at
   6143 	most 900 seconds' time per attack.
   6144     Mitigation:
   6145 	Configure ntpd to get time from multiple sources.
   6146 	Upgrade to 4.2.8p5, or later, from the NTP Project Download
   6147 	    Page or the NTP Public Services Project Download Page
   6148 	As we've long documented, only use the -g option to ntpd in
   6149 	    cold-start situations.
   6150 	Monitor your ntpd instances. 
   6151     Credit: This weakness was discovered by Aanchal Malhotra,
   6152 	Isaac E. Cohen, and Sharon Goldberg at Boston University. 
   6153 
   6154     NOTE WELL: The -g flag disables the limit check on the panic_gate
   6155 	in ntpd, which is 900 seconds by default. The bug identified by
   6156 	the researchers at Boston University is that the panic_gate
   6157 	check was only re-enabled after the first change to the system
   6158 	clock that was greater than 128 milliseconds, by default. The
   6159 	correct behavior is that the panic_gate check should be
   6160 	re-enabled after any initial time correction.
   6161 
   6162 	If an attacker is able to inject consistent but erroneous time
   6163 	responses to your systems via the network or "over the air",
   6164 	perhaps by spoofing radio, cellphone, or navigation satellite
   6165 	transmissions, they are in a great position to affect your
   6166 	system's clock. There comes a point where your very best
   6167 	defenses include:
   6168 
   6169 	    Configure ntpd to get time from multiple sources.
   6170 	    Monitor your ntpd instances. 
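
The panic-gate behaviour this note describes, modelled as an added example in C (not ntpd's own ntp_loopfilter.c code): the 900 s gate and 128 ms step threshold are the defaults quoted above, and the offsets fed to the model are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Thresholds quoted in the advisory: panic gate 900 s, step threshold 128 ms. */
#define CLOCK_PANIC 900.0
#define CLOCK_MAX   0.128

/* What the discipline did with one measured offset. */
enum adj_result { ADJ_SLEW, ADJ_STEP, ADJ_PANIC };

typedef struct {
	bool   allow_panic;  /* true when started with -g: the first correction may exceed the gate */
	double clock;        /* constructed model of the local clock offset applied so far (s) */
} gate_state;

typedef enum adj_result (*clock_fn)(gate_state *, double);

static double abs_d(double x) { return x < 0 ? -x : x; }

/* Shared first step: refuse an offset beyond the gate unless the -g exemption is live. */
static bool gate_refuses(const gate_state *s, double offset)
{
	return abs_d(offset) > CLOCK_PANIC && !s->allow_panic;
}

/* Behaviour before 4.2.8p5 (modelled): the -g exemption was withdrawn only when
 * the first correction was a step (> 128 ms). A small first slew left it live. */
enum adj_result local_clock_before_fix(gate_state *s, double offset)
{
	if (gate_refuses(s, offset))
		return ADJ_PANIC;             /* ntpd logs the sanity-limit error and exits */
	if (abs_d(offset) > CLOCK_MAX) {
		s->allow_panic = false;       /* gate closed only on a step */
		s->clock += offset;
		return ADJ_STEP;
	}
	s->clock += offset;               /* slew: exemption survives, which is the bug */
	return ADJ_SLEW;
}

/* Behaviour in 4.2.8p5 (modelled): any initial correction withdraws the exemption. */
enum adj_result local_clock_fixed(gate_state *s, double offset)
{
	if (gate_refuses(s, offset))
		return ADJ_PANIC;
	s->allow_panic = false;           /* closed after the first correction of any size */
	s->clock += offset;
	return abs_d(offset) > CLOCK_MAX ? ADJ_STEP : ADJ_SLEW;
}

/* Advisory scenario: ntpd restarted with -g, a benign 50 ms first correction,
 * then responses that agree on a clock one day off. Returns the verdict on
 * the hostile offset (constructed values). */
enum adj_result scenario_restarted_with_g(clock_fn local_clock)
{
	gate_state s = { true, 0.0 };
	local_clock(&s, 0.050);
	return local_clock(&s, 86400.0);
}

/* Intended use of -g: a cold start whose very first correction is large. */
enum adj_result scenario_cold_start_with_g(clock_fn local_clock)
{
	gate_state s = { true, 0.0 };
	return local_clock(&s, 86400.0);
}

/* Without -g the gate is closed from the start; offsets under 900 s still pass,
 * which is the "at most 900 seconds per attack" bound given above. */
enum adj_result scenario_without_g(clock_fn local_clock, double hostile_offset)
{
	gate_state s = { false, 0.0 };
	return local_clock(&s, hostile_offset);
}

int main(void)
{
	static const char *name[] = { "slew", "step", "panic" };
	printf("-g, 50 ms then 1 day, before fix: %s\n",
	       name[scenario_restarted_with_g(local_clock_before_fix)]);
	printf("-g, 50 ms then 1 day, 4.2.8p5:    %s\n",
	       name[scenario_restarted_with_g(local_clock_fixed)]);
	printf("no -g, 899 s: %s; no -g, 901 s: %s\n",
	       name[scenario_without_g(local_clock_fixed, 899.0)],
	       name[scenario_without_g(local_clock_fixed, 901.0)]);
	return 0;
}
```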
   6171 
   6172 Other fixes:
   6173 
   6174 * Coverity submission process updated from Coverity 5 to Coverity 7.
   6175   The NTP codebase has been undergoing regular Coverity scans on an
   6176   ongoing basis since 2006.  As part of our recent upgrade from
   6177   Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
   6178   the newly-written Unity test programs.  These were fixed.
   6179 * [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger (a] ntp.org
   6180 * [Bug 2887] stratum -1 config results as showing value 99
   6181   - fudge stratum should only accept values [0..16]. perlinger (a] ntp.org
   6182 * [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
   6183 * [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
   6184 * [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
   6185   - applied patch by Christos Zoulas.  perlinger (a] ntp.org
   6186 * [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
   6187 * [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
   6188   - fixed data race conditions in threaded DNS worker. perlinger (a] ntp.org
   6189   - limit threading warm-up to linux; FreeBSD bombs on it. perlinger (a] ntp.org
   6190 * [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger (a] ntp.org
   6191   - accept key file only if there are no parsing errors
   6192   - fixed size_t/u_int format clash
   6193   - fixed wrong use of 'strlcpy'
   6194 * [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
   6195 * [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger (a] ntp.org
   6196   - fixed several other warnings (cast-alignment, missing const, missing prototypes)
   6197   - promote use of 'size_t' for values that express a size
   6198   - use ptr-to-const for read-only arguments
   6199   - make sure SOCKET values are not truncated (win32-specific)
   6200   - format string fixes
   6201 * [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
   6202 * [Bug 2967] ntpdate command suffers an assertion failure
   6203   - fixed ntp_rfc2553.c to return proper address length. perlinger (a] ntp.org
   6204 * [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
   6205               lots of clients. perlinger (a] ntp.org
   6206 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
   6207   - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
   6208 * Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
   6209 * Unity test cleanup.  Harlan Stenn.
   6210 * Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
   6211 * Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
   6212 * Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
   6213 * Quiet a warning from clang.  Harlan Stenn.
   6214 
   6215 ---
   6216 NTP 4.2.8p4 (Harlan Stenn <stenn (a] ntp.org>, 2015/10/21) 
   6217 
   6218 Focus: Security, Bug fixes, enhancements.
   6219 
   6220 Severity: MEDIUM
   6221 
   6222 In addition to bug fixes and enhancements, this release fixes the
   6223 following 13 low- and medium-severity vulnerabilities:
   6224 
   6225 * Incomplete vallen (value length) checks in ntp_crypto.c, leading
   6226   to potential crashes or potential code injection/information leakage.
   6227 
   6228     References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
   6229     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   6230     	and 4.3.0 up to, but not including 4.3.77
   6231     CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
   6232     Summary: The fix for CVE-2014-9750 was incomplete in that there were
   6233     	certain code paths where a packet with particular autokey operations
   6234 	that contained malicious data was not always being completely
   6235 	validated. Receipt of these packets can cause ntpd to crash.
   6236     Mitigation:
   6237         Don't use autokey.
   6238 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6239 	    Page or the NTP Public Services Project Download Page
   6240 	Monitor your ntpd instances. 
   6241 	Credit: This weakness was discovered by Tenable Network Security. 
   6242 
   6243 * Clients that receive a KoD should validate the origin timestamp field.
   6244 
   6245     References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   6246     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   6247 	and 4.3.0 up to, but not including 4.3.77
   6248     CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
   6249     Summary: An ntpd client that honors Kiss-of-Death responses will honor
   6250     	KoD messages that have been forged by an attacker, causing it to
   6251 	delay or stop querying its servers for time updates. Also, an
   6252 	attacker can forge packets that claim to be from the target and
   6253 	send them to servers often enough that a server that implements
   6254 	KoD rate limiting will send the target machine a KoD response to
   6255 	attempt to reduce the rate of incoming packets, or it may also
   6256 	trigger a firewall block at the server for packets from the target
   6257 	machine. For either of these attacks to succeed, the attacker must
   6258 	know what servers the target is communicating with. An attacker
   6259 	can be anywhere on the Internet and can frequently learn the
   6260 	identity of the target's time source by sending the target a
   6261 	time query.
   6262     Mitigation:
   6263         Implement BCP-38.
   6264 	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
   6265 	    or the NTP Public Services Project Download Page
   6266 	If you can't upgrade, restrict who can query ntpd to learn who
   6267 	    its servers are, and what IPs are allowed to ask your system
   6268 	    for the time. This mitigation is heavy-handed.
   6269 	Monitor your ntpd instances. 
   6270     Note:
   6271     	4.2.8p4 protects against the first attack. For the second attack,
   6272     	all we can do is warn when it is happening, which we do in 4.2.8p4.
   6273     Credit: This weakness was discovered by Aanchal Malhotra,
   6274     	Isaac E. Cohen, and Sharon Goldberg of Boston University. 
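
The client-side check described above for the first attack, written as an added example in C (not ntpd's own code): a KoD is a stratum 0 server reply whose refid carries the kiss code, and it is only honoured when its origin timestamp echoes the transmit timestamp of the client's outstanding request. The 48-byte packets, kiss codes and the OUR_XMT value are constructed for the demonstration; the field layout follows RFC 5905.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_PKT_LEN 48

/* Client-side verdict on an incoming packet. */
enum kod_verdict {
	REPLY_NOT_KOD,       /* stratum > 0: an ordinary time reply, processed as usual */
	KOD_DISCARD_MODE,    /* too short or not a mode 4 server reply: dropped */
	KOD_DISCARD_ORIGIN,  /* KoD whose origin timestamp is not our request: forged, dropped */
	KOD_RATE,            /* genuine RATE kiss code: back off polling */
	KOD_DENY,            /* genuine DENY or RSTR kiss code: stop using this server */
	KOD_OTHER            /* genuine KoD with a kiss code we do not act on */
};

/* Big-endian field helpers for the RFC 5905 header layout. */
static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }
static void put64(uint8_t *p, uint64_t v)
{
	for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Classify a reply. our_xmt is the transmit timestamp we put in the request that
 * is still outstanding; any legitimate reply, KoD included, echoes it in the
 * origin timestamp field (bytes 24..31), so a KoD that does not is discarded. */
enum kod_verdict classify_reply(const uint8_t *pkt, size_t len, uint64_t our_xmt)
{
	if (len < NTP_PKT_LEN || (pkt[0] & 0x07) != 4)
		return KOD_DISCARD_MODE;
	if (pkt[1] != 0)                       /* stratum 0 from a server is a kiss-o'-death */
		return REPLY_NOT_KOD;
	if (be64(pkt + 24) != our_xmt)         /* the origin check this advisory adds for KoD */
		return KOD_DISCARD_ORIGIN;

	char code[5];                          /* the kiss code travels in the refid field */
	memcpy(code, pkt + 12, 4);
	code[4] = '\0';
	if (strcmp(code, "RATE") == 0)
		return KOD_RATE;
	if (strcmp(code, "DENY") == 0 || strcmp(code, "RSTR") == 0)
		return KOD_DENY;
	return KOD_OTHER;
}

/* Build a constructed 48-byte mode 4 reply: LI=0, VN=4, given stratum, optional
 * 4-byte kiss code in refid, and the origin timestamp to echo. */
void build_reply(uint8_t out[NTP_PKT_LEN], uint8_t stratum, const char *kiss, uint64_t origin)
{
	memset(out, 0, NTP_PKT_LEN);
	out[0] = (uint8_t)((4 << 3) | 4);
	out[1] = stratum;
	if (kiss)
		memcpy(out + 12, kiss, 4);
	put64(out + 24, origin);
}

/* Constructed transmit timestamp of our outstanding request (not a real capture). */
#define OUR_XMT 0xDC9E7A1B1234ABCDULL

static enum kod_verdict demo(uint8_t stratum, const char *kiss, uint64_t origin)
{
	uint8_t p[NTP_PKT_LEN];
	build_reply(p, stratum, kiss, origin);
	return classify_reply(p, sizeof p, OUR_XMT);
}

enum kod_verdict demo_genuine_rate(void) { return demo(0, "RATE", OUR_XMT); }     /* server really sent RATE */
enum kod_verdict demo_forged_rate(void)  { return demo(0, "RATE", 0); }           /* off-path forger cannot know our xmt */
enum kod_verdict demo_forged_deny(void)  { return demo(0, "DENY", OUR_XMT ^ 1); } /* a near miss is still a miss */
enum kod_verdict demo_normal_reply(void) { return demo(2, NULL, OUR_XMT); }       /* stratum 2: not a KoD */

int main(void)
{
	printf("genuine RATE -> %d, forged RATE -> %d, forged DENY -> %d, normal -> %d\n",
	       demo_genuine_rate(), demo_forged_rate(), demo_forged_deny(), demo_normal_reply());
	return 0;
}
```

This addresses only the first attack in the Note: a KoD the server itself emits in reaction to spoofed traffic echoes the target's real outstanding request and passes this check, which is why 4.2.8p4 can only warn about that case.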
   6275 
   6276 * configuration directives to change "pidfile" and "driftfile" should
   6277   only be allowed locally. 
   6278 
   6279   References: Sec 2902 / CVE-2015-5196
   6280   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   6281 	and 4.3.0 up to, but not including 4.3.77
   6282   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
   6283   Summary: If ntpd is configured to allow for remote configuration,
   6284 	and if the (possibly spoofed) source IP address is allowed to
   6285 	send remote configuration requests, and if the attacker knows
   6286 	the remote configuration password, it's possible for an attacker
   6287 	to use the "pidfile" or "driftfile" directives to potentially
   6288 	overwrite other files.
   6289   Mitigation:
   6290 	Implement BCP-38.
   6291 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6292 	    Page or the NTP Public Services Project Download Page
   6293 	If you cannot upgrade, don't enable remote configuration.
   6294 	If you must enable remote configuration and cannot upgrade,
   6295 	    remote configuration of NTF's ntpd requires:
   6296 	    - an explicitly configured trustedkey, and you should also
   6297 	    	configure a controlkey.
   6298 	    - access from a permitted IP. You choose the IPs.
   6299 	    - authentication. Don't disable it. Practice secure key safety. 
   6300 	Monitor your ntpd instances. 
   6301   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   6302 
   6303 * Slow memory leak in CRYPTO_ASSOC 
   6304 
   6305   References: Sec 2909 / CVE-2015-7701
   6306   Affects: All ntp-4 releases that use autokey up to, but not
   6307     including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   6308   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
   6309   	4.6 otherwise
   6310   Summary: If ntpd is configured to use autokey, then an attacker can
   6311 	send packets to ntpd that will, after several days of ongoing
   6312 	attack, cause it to run out of memory.
   6313   Mitigation:
   6314 	Don't use autokey.
   6315 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6316 	    Page or the NTP Public Services Project Download Page
   6317 	Monitor your ntpd instances. 
   6318   Credit: This weakness was discovered by Tenable Network Security. 
   6319 
   6320 * mode 7 loop counter underrun
   6321 
   6322   References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
   6323   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   6324   	and 4.3.0 up to, but not including 4.3.77
   6325   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
   6326   Summary: If ntpd is configured to enable mode 7 packets, and if the
   6327 	use of mode 7 packets is not properly protected through the use of
   6328 	the available mode 7 authentication and restriction mechanisms,
   6329 	and if the (possibly spoofed) source IP address is allowed to
   6330 	send mode 7 queries, then an attacker can send a crafted packet
   6331 	to ntpd that will cause it to crash.
   6332   Mitigation:
   6333 	Implement BCP-38.
   6334 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6335 	    Page or the NTP Public Services Project Download Page.
   6336 	If you are unable to upgrade:
   6337 		In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   6338 		If you must enable mode 7:
   6339 		    configure the use of a requestkey to control who can issue
   6340 			mode 7 requests.
   6341 		    configure restrict noquery to further limit mode 7 requests
   6342 			to trusted sources. 
   6343 	Monitor your ntpd instances. 
   6344   Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. 
   6345 
   6346 * memory corruption in password store
   6347 
   6348   References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
   6349   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   6350   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
   6351   Summary: If ntpd is configured to allow remote configuration, and if
   6352 	the (possibly spoofed) source IP address is allowed to send
   6353 	remote configuration requests, and if the attacker knows the
   6354 	remote configuration password or if ntpd was configured to
   6355 	disable authentication, then an attacker can send a set of
   6356 	packets to ntpd that may cause a crash or theoretically
   6357 	perform a code injection attack.
   6358   Mitigation:
   6359 	Implement BCP-38.
   6360 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6361 	    Page or the NTP Public Services Project Download Page.
   6362 	If you are unable to upgrade, remote configuration of NTF's
   6363 	    ntpd requires:
   6364 		an explicitly configured "trusted" key. Only configure
   6365 			this if you need it.
   6366 		access from a permitted IP address. You choose the IPs.
   6367 		authentication. Don't disable it. Practice secure key safety. 
   6368 	Monitor your ntpd instances. 
   6369   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   6370 
   6371 * Infinite loop if extended logging enabled and the logfile and
   6372   keyfile are the same.
   6373 
   6374     References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
   6375     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   6376 	and 4.3.0 up to, but not including 4.3.77
   6377     CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   6378     Summary: If ntpd is configured to allow remote configuration, and if
   6379 	the (possibly spoofed) source IP address is allowed to send
   6380 	remote configuration requests, and if the attacker knows the
   6381 	remote configuration password or if ntpd was configured to
   6382 	disable authentication, then an attacker can send a set of
   6383 	packets to ntpd that will cause it to crash and/or create a
   6384 	potentially huge log file. Specifically, the attacker could
   6385 	enable extended logging, point the key file at the log file,
   6386 	and cause what amounts to an infinite loop.
   6387     Mitigation:
   6388 	Implement BCP-38.
   6389 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6390 	    Page or the NTP Public Services Project Download Page.
   6391 	If you are unable to upgrade, remote configuration of NTF's ntpd
   6392 	    requires:
   6393 		an explicitly configured "trusted" key. Only configure this
   6394 			if you need it.
   6395 		access from a permitted IP address. You choose the IPs.
   6396 		authentication. Don't disable it. Practice secure key safety. 
   6397 	Monitor your ntpd instances. 
   6398     Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   6399 
   6400 * Potential path traversal vulnerability in the config file saving of
   6401   ntpd on VMS.
   6402 
   6403   References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
   6404   Affects: All ntp-4 releases running under VMS up to, but not
   6405 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   6406   CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
   6407   Summary: If ntpd is configured to allow remote configuration, and if
   6408 	the (possibly spoofed) IP address is allowed to send remote
   6409 	configuration requests, and if the attacker knows the remote
   6410 	configuration password or if ntpd was configured to disable
   6411 	authentication, then an attacker can send a set of packets to
   6412 	ntpd that may cause ntpd to overwrite files.
   6413   Mitigation:
   6414 	Implement BCP-38.
   6415 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6416 	    Page or the NTP Public Services Project Download Page.
   6417 	If you are unable to upgrade, remote configuration of NTF's ntpd
   6418 	    requires:
   6419 		an explicitly configured "trusted" key. Only configure
   6420 			this if you need it.
   6421 		access from permitted IP addresses. You choose the IPs.
   6422 		authentication. Don't disable it. Practice secure key safety. 
   6423 	Monitor your ntpd instances. 
   6424   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   6425 
   6426 * ntpq atoascii() potential memory corruption
   6427 
   6428   References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
   6429   Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
   6430 	and 4.3.0 up to, but not including 4.3.77
   6431   CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
   6432   Summary: If an attacker can figure out the precise moment that ntpq
   6433 	is listening for data and the port number it is listening on, or
   6434 	if the attacker can provide a malicious ntpd instance that
   6435 	victims will connect to, then the attacker can send a set of
   6436 	crafted mode 6 response packets that, if received by ntpq,
   6437 	can cause ntpq to crash.
   6438   Mitigation:
   6439 	Implement BCP-38.
   6440 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6441 	    Page or the NTP Public Services Project Download Page.
   6442 	If you are unable to upgrade and you run ntpq against a server
   6443 	    and ntpq crashes, try again using raw mode. Build or get a
   6444 	    patched ntpq and see if that fixes the problem. Report new
   6445 	    bugs in ntpq or abusive servers appropriately.
   6446 	If you use ntpq in scripts, make sure ntpq does what you expect
   6447 	    in your scripts. 
   6448   Credit: This weakness was discovered by Yves Younan and
   6449   	Aleksandar Nikolic of Cisco Talos. 
   6450 
   6451 * Invalid length data provided by a custom refclock driver could cause
   6452   a buffer overflow. 
   6453 
   6454   References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
   6455   Affects: Potentially all ntp-4 releases running up to, but not
   6456 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   6457 	that have custom refclocks
   6458   CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
   6459 	5.9 unusual worst case
   6460   Summary: A negative value for the datalen parameter will overflow a
   6461 	data buffer. NTF's ntpd driver implementations always set this
   6462 	value to 0 and are therefore not vulnerable to this weakness.
   6463 	If you are running a custom refclock driver in ntpd and that
   6464 	driver supplies a negative value for datalen (no custom driver
   6465 	of even minimal competence would do this) then ntpd would
   6466 	overflow a data buffer. It is even hypothetically possible
   6467 	in this case that instead of simply crashing ntpd the attacker
   6468 	could effect a code injection attack.
   6469   Mitigation:
   6470 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6471 	    Page or the NTP Public Services Project Download Page.
   6472 	If you are unable to upgrade:
   6473 		If you are running custom refclock drivers, make sure
   6474 			the signed datalen value is either zero or positive. 
   6475 	Monitor your ntpd instances. 
   6476   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   6477 
   6478 * Password Length Memory Corruption Vulnerability
   6479 
   6480   References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
   6481   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   6482   	4.3.0 up to, but not including 4.3.77
   6483   CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
   6484   	1.7 usual case, 6.8, worst case
   6485   Summary: If ntpd is configured to allow remote configuration, and if
   6486 	the (possibly spoofed) source IP address is allowed to send
   6487 	remote configuration requests, and if the attacker knows the
   6488 	remote configuration password or if ntpd was (foolishly)
   6489 	configured to disable authentication, then an attacker can
   6490 	send a set of packets to ntpd that may cause it to crash,
   6491 	with the hypothetical possibility of a small code injection.
   6492   Mitigation:
   6493 	Implement BCP-38.
   6494 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6495 	    Page or the NTP Public Services Project Download Page.
   6496 	If you are unable to upgrade, remote configuration of NTF's
   6497 	    ntpd requires:
   6498 		an explicitly configured "trusted" key. Only configure
   6499 			this if you need it.
   6500 		access from a permitted IP address. You choose the IPs.
   6501 		authentication. Don't disable it. Practice secure key safety. 
   6502 	Monitor your ntpd instances. 
   6503   Credit: This weakness was discovered by Yves Younan and
   6504   	Aleksandar Nikolic of Cisco Talos. 
   6505 
   6506 * decodenetnum() will ASSERT botch instead of returning FAIL on some
   6507   bogus values.
   6508 
   6509   References: Sec 2922 / CVE-2015-7855
   6510   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   6511 	4.3.0 up to, but not including 4.3.77
   6512   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   6513   Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
   6514 	an unusually long data value where a network address is expected,
   6515 	the decodenetnum() function will abort with an assertion failure
   6516 	instead of simply returning a failure condition.
   6517   Mitigation:
   6518 	Implement BCP-38.
   6519 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6520 	    Page or the NTP Public Services Project Download Page.
   6521 	If you are unable to upgrade:
   6522 		mode 7 is disabled by default. Don't enable it.
   6523 		Use restrict noquery to limit who can send mode 6
   6524 			and mode 7 requests.
   6525 		Configure and use the controlkey and requestkey
   6526 			authentication directives to limit who can
   6527 			send mode 6 and mode 7 requests. 
   6528 	Monitor your ntpd instances. 
   6529   Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 
   6530 
   6531 * NAK to the Future: Symmetric association authentication bypass via
   6532   crypto-NAK.
   6533 
   6534   References: Sec 2941 / CVE-2015-7871
   6535   Affects: All ntp-4 releases from 4.2.5p186 up to, but not including,
   6536   	4.2.8p4, and 4.3.0 up to, but not including, 4.3.77
   6537   CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
   6538   Summary: Crypto-NAK packets can be used to cause ntpd to accept time
   6539 	from unauthenticated ephemeral symmetric peers by bypassing the
   6540 	authentication required to mobilize peer associations. This
   6541 	vulnerability appears to have been introduced in ntp-4.2.5p186
   6542 	when the code handling mobilization of new passive symmetric
   6543 	associations (lines 1103-1165) was refactored.
   6544   Mitigation:
   6545 	Implement BCP-38.
   6546 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   6547 	    Page or the NTP Public Services Project Download Page.
   6548 	If you are unable to upgrade:
   6549 		Apply the patch to the bottom of the "authentic" check
   6550 			block around line 1136 of ntp_proto.c. 
   6551 	Monitor your ntpd instances. 
   6552   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
   6553 
   6554 Backward-Incompatible changes:
   6555 * [Bug 2817] Default on Linux is now "rlimit memlock -1".
   6556   While the general default of 32M is still the case, under Linux
   6557   the default value has been changed to -1 (do not lock ntpd into
   6558   memory).  A value of 0 means "lock ntpd into memory with whatever
   6559   memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
   6560   value in it, that value will continue to be used.
   6561 
   6562 * [Bug 2886] Misspelling: "outlyer" should be "outlier".
   6563   If you've written a script that looks for this case in, say, the
   6564   output of ntpq, you probably want to change your regex matches
   6565   from 'outlyer' to 'outl[iy]er'.
   6566 
   6567 New features in this release:
   6568 * 'rlimit memlock' now has finer-grained control.  A value of -1 means
   6569   "don't lock ntpd into memory".  This is the default for Linux boxes.
   6570   A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
   6571   the value is the number of megabytes of memory to lock.  The default
   6572   is 32 megabytes.
   6573 
   6574 * The old Google Test framework has been replaced with a new framework,
   6575   based on http://www.throwtheswitch.org/unity/ .
   6576 
   6577 Bug Fixes and Improvements:
   6578 * [Bug 2332] (reopened) Exercising thread cancellation once before dropping
   6579   privileges and limiting resources in NTPD removes the need to link
   6580   forcefully against 'libgcc_s', which does not always work. J.Perlinger
   6581 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
   6582 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
   6583 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
   6584 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger (a] ntp.org
   6585 * [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
   6586 * [Bug 2849] Systems with more than one default route may never
   6587   synchronize.  Brian Utterback.  Note that this patch might need to
   6588   be reverted once Bug 2043 has been fixed.
   6589 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
   6590 * [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
   6591 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
   6592 * [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
   6593 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
   6594 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
   6595   be configured for the distribution targets.  Harlan Stenn.
   6596 * [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
   6597 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave (a] horsfall.org
   6598 * [Bug 2888] streamline calendar functions.  perlinger (a] ntp.org
   6599 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger (a] ntp.org
   6600 * [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
   6601 * [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
   6602 * [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
   6603 * [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
   6604 * libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
   6605 * Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
   6606 * tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
   6607 * Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
   6608 * On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
   6609 * top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
   6610 * sntp/tests/ function parameter list cleanup.  Damir Tomi.
   6611 * tests/libntp/ function parameter list cleanup.  Damir Tomi.
   6612 * tests/ntpd/ function parameter list cleanup.  Damir Tomi.
   6613 * sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
   6614 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
   6615 * tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomi.
   6616 * tests/libntp/ improvements in code and fixed error printing.  Damir Tomi.
   6617 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   6618   caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
   6619   formatting; first declaration, then code (C90); deleted unnecessary comments;
   6620   changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
   6621 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
   6622   fix formatting, cleanup. Tomasz Flendrich
   6623 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
   6624   Tomasz Flendrich
   6625 * tests/libntp/statestr.c remove empty functions, remove unnecessary include,
   6626   fix formatting. Tomasz Flendrich
   6627 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
   6628 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
   6629 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
   6630   Tomasz Flendrich
   6631 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
   6632 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
   6633 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
   6634 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
   6635 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
   6636 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
   6637 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
   6638   fixed formatting. Tomasz Flendrich
   6639 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
   6640   removed unnecessary comments, cleanup. Tomasz Flendrich
   6641 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
   6642   comments, cleanup. Tomasz Flendrich
   6643 * tests/libntp/sockaddrtest.h: make it follow NTP's formatting conventions.
   6644   Tomasz Flendrich
   6645 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich
   6646 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
   6647 * sntp/tests/crypto.c now uses proper Unity assertions, fixed formatting.
   6648   Tomasz Flendrich
   6649 * sntp/tests/kodDatabase.c added consts, deleted empty function,
   6650   fixed formatting. Tomasz Flendrich
   6651 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
   6652 * sntp/tests/packetHandling.c now uses proper Unity assertions,
   6653   fixed formatting, deleted unused variable. Tomasz Flendrich
   6654 * sntp/tests/keyFile.c now uses proper Unity assertions, fixed formatting.
   6655   Tomasz Flendrich
   6656 * sntp/tests/packetProcessing.c changed from sprintf to snprintf,
   6657   fixed formatting. Tomasz Flendrich
   6658 * sntp/tests/utilities.c now uses proper Unity assertions, changed
   6659   the order of includes, fixed formatting, removed unnecessary comments.
   6660   Tomasz Flendrich
   6661 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
   6662 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
   6663   made one function do its job, deleted unnecessary prints, fixed formatting.
   6664   Tomasz Flendrich
   6665 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
   6666 * sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
   6667 * sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
   6668 * sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
   6669 * sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
   6670 * Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
   6671 * Don't build sntp/libevent/sample/.  Harlan Stenn.
   6672 * tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
   6673 * br-flock: --enable-local-libevent.  Harlan Stenn.
   6674 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
   6675 * scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
   6676 * Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
   6677 * Code cleanup.  Harlan Stenn.
   6678 * libntp/icom.c: Typo fix.  Harlan Stenn.
   6679 * util/ntptime.c: initialization nit.  Harlan Stenn.
   6680 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
   6681 * Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
   6682 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
   6683   Tomasz Flendrich
   6684 * Changed progname to be const in many files - now it's consistent. Tomasz
   6685   Flendrich
   6686 * Typo fix for GCC warning suppression.  Harlan Stenn.
   6687 * Added tests/ntpd/ntp_scanner.c test. Damir Tomic.
   6688 * Added declarations to all Unity tests, and did minor fixes to them.
   6689   Reduced the number of warnings by half. Damir Tomic.
   6690 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory
   6691   with the latest Unity updates from Mark. Damir Tomic.
   6692 * Retire google test - phase I.  Harlan Stenn.
   6693 * Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
   6694 * Update the NEWS file.  Harlan Stenn.
   6695 * Autoconf cleanup.  Harlan Stenn.
   6696 * Unit test dist cleanup. Harlan Stenn.
   6697 * Cleanup various test Makefile.am files.  Harlan Stenn.
   6698 * Pthread autoconf macro cleanup.  Harlan Stenn.
   6699 * Fix progname definition in unity runner scripts.  Harlan Stenn.
   6700 * Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
   6701 * Update the patch for bug 2817.  Harlan Stenn.
   6702 * More updates for bug 2817.  Harlan Stenn.
   6703 * Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
   6704 * gcc on older HPUX may need +allowdups.  Harlan Stenn.
   6705 * Adding missing MCAST protection.  Harlan Stenn.
   6706 * Disable certain test programs on certain platforms.  Harlan Stenn.
   6707 * Implement --enable-problem-tests (on by default).  Harlan Stenn.
   6708 * build system tweaks.  Harlan Stenn.
   6709 
   6710 ---
   6711 NTP 4.2.8p3 (Harlan Stenn <stenn (a] ntp.org>, 2015/06/29) 
   6712 
   6713 Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
   6714 
   6715 Severity: MEDIUM
   6716 
   6717 Security Fix:
   6718 
   6719 * [Sec 2853] Crafted remote config packet can crash some versions of
   6720   ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
   6721 
   6722 Under specific circumstances an attacker can send a crafted packet to
   6723 cause a vulnerable ntpd instance to crash. This requires each of the
   6724 following to be true:
   6725 
   6726 1) ntpd set up to allow remote configuration (not allowed by default), and
   6727 2) knowledge of the configuration password, and
   6728 3) access to a computer entrusted to perform remote configuration. 
   6729 
   6730 This vulnerability is considered low-risk.
   6731 
   6732 New features in this release:
   6733 
   6734 Optional (disabled by default) support to have ntpd provide smeared
   6735 leap second time.  A specially built and configured ntpd will only
   6736 offer smeared time in response to client packets.  These response
   6737 packets will also contain a "refid" of 254.a.b.c, where the 24 bits
   6738 of a, b, and c encode the amount of smear in a 2:22 integer:fraction 
   6739 format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
   6740 information.
   6741 
   6742    *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   6743    *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
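
The REFID encoding described above, as an added example that is not ntpd's own code: it packs a smear amount into the 254.a.b.c form using 2 integer and 22 fraction bits, and decodes it again so a monitor can tell a smeared upstream apart from a normal one. The sign convention (two's complement over the 24 bits) is an assumption not stated on this page.

```python
SMEAR_REFID_PREFIX = 254          # first octet marks a leap-smear REFID
FRAC_BITS = 22                    # 2:22 integer:fraction fixed point
FIELD_BITS = 24                   # octets a, b and c
FIELD_MASK = (1 << FIELD_BITS) - 1
SIGN_BIT = 1 << (FIELD_BITS - 1)  # assumption: two's-complement sign bit


def smear_to_refid(smear_seconds: float) -> str:
    """Encode a smear offset (seconds) as the dotted REFID a server would send."""
    fixed = round(smear_seconds * (1 << FRAC_BITS))
    if not -SIGN_BIT <= fixed < SIGN_BIT:
        raise ValueError("smear outside the representable range of about +/-2 s")
    field = fixed & FIELD_MASK
    return "%d.%d.%d.%d" % (SMEAR_REFID_PREFIX, field >> 16,
                            (field >> 8) & 0xFF, field & 0xFF)


def refid_to_smear(refid: str):
    """Return the smear offset in seconds, or None if the REFID is not a smear REFID.

    A monitor can use the None/non-None result to flag a server that is
    handing out smeared time, which the note above says must never reach
    public time servers.
    """
    try:
        parts = [int(p) for p in refid.split(".")]
    except ValueError:
        return None                       # e.g. a textual REFID such as LOCL or GPS
    if len(parts) != 4 or parts[0] != SMEAR_REFID_PREFIX:
        return None
    if any(not 0 <= p <= 255 for p in parts):
        return None
    field = (parts[1] << 16) | (parts[2] << 8) | parts[3]
    if field & SIGN_BIT:                  # assumption: sign-extend the 24-bit value
        field -= 1 << FIELD_BITS
    return field / (1 << FRAC_BITS)


if __name__ == "__main__":
    for smear in (0.0, 0.5, 1.0, -0.25):
        refid = smear_to_refid(smear)
        print("%+.3f s -> %-14s -> %+.3f s" % (smear, refid, refid_to_smear(refid)))
    for refid in ("LOCL", "192.0.2.1", "254.64.0.0"):   # constructed sample REFIDs
        print(refid, "smeared" if refid_to_smear(refid) is not None else "not smeared")
```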
   6744 
   6745 We've imported the Unity test framework, and have begun converting
   6746 the existing google-test items to this new framework.  If you want
   6747 to write new tests or change old ones, you'll need to have ruby
   6748 installed.  You don't need ruby to run the test suite.
   6749 
   6750 Bug Fixes and Improvements:
   6751 
   6752 * CID 739725: Fix a rare resource leak in libevent/listener.c.
   6753 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
   6754 * CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html.
   6755 * CID 1269537: Clean up a line of dead code in getShmTime().
   6756 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
   6757 * [Bug 2590] autogen-5.18.5.
   6758 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
   6759   of 'limited'.
   6760 * [Bug 2650] fix includefile processing.
   6761 * [Bug 2745] ntpd -x steps clock on leap second
   6762    Fixed an initial-value problem that caused misbehaviour in absence of
   6763    any leapsecond information.
   6764    Do leap second stepping only if the step adjustment is beyond the
   6765    proper jump distance limit and step correction is allowed at all.
   6766 * [Bug 2750] build for Win64
   6767   Building the 32-bit loopback ppsapi needs a def file.
   6768 * [Bug 2776] Improve ntpq's 'help keytype'.
   6769 * [Bug 2778] Implement "apeers"  ntpq command to include associd.
   6770 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
   6771 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an
   6772   interface is ignored as long as this flag is not set since the
   6773   interface is not usable (e.g., no link).
   6774 * [Bug 2794] Clean up kernel clock status reports.
   6775 * [Bug 2800] refclock_true.c true_debug() can't open debug log because
   6776   of incompatible open/fdopen parameters.
   6777 * [Bug 2804] install-local-data assumes GNU 'find' semantics.
   6778 * [Bug 2805] ntpd fails to join multicast group.
   6779 * [Bug 2806] refclock_jjy.c supports the Telephone JJY.
   6780 * [Bug 2808] GPSD_JSON driver enhancements, step 1.
   6781   Fix crash during cleanup if GPS device not present and char device.
   6782   Increase internal token buffer to parse all JSON data, even SKY.
   6783   Defer logging of errors during driver init until the first unit is
   6784   started, so the syslog is not cluttered when the driver is not used.
   6785   Various improvements, see http://bugs.ntp.org/2808 for details.
   6786   Changed libjsmn to a more recent version.
   6787 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
   6788 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
   6789 * [Bug 2815] net-snmp before v5.4 has circular library dependencies.
   6790 * [Bug 2821] Add a missing NTP_PRINTF and a missing const.
   6791 * [Bug 2822] New leap column in sntp broke NTP::Util.pm.
   6792 * [Bug 2824] Convert update-leap to perl. (also see 2769)
   6793 * [Bug 2825] Quiet file installation in html/ .
   6794 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   6795    NTPD transfers the current TAI (instead of an announcement) now.
   6796    This might still need improvement.
   6797    Update autokey data ASAP when 'sys_tai' changes.
   6798    Fix unit test that was broken by changes for autokey update.
   6799    Avoid potential signature length issue and use DPRINTF where possible
   6800      in ntp_crypto.c.
   6801 * [Bug 2832] refclock_jjy.c supports the TDC-300.
   6802 * [Bug 2834] Correct a broken html tag in html/refclock.html
   6803 * [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
   6804   robust, and require 2 consecutive timestamps to be consistent.
   6805 * [Bug 2837] Allow a configurable DSCP value.
   6806 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in
   6807 * [Bug 2842] Glitch in ntp.conf.def documentation stanza.
   6808 * [Bug 2842] Bug in mdoc2man.
   6809 * [Bug 2843] make check fails on 4.3.36
   6810    Fixed compiler warnings about numeric range overflow
   6811    (The original topic was fixed in a byplay to bug#2830)
   6812 * [Bug 2845] Harden memory allocation in ntpd.
   6813 * [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
   6814 * [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
   6815 * [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
   6816 * [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
   6817 * [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
   6818 * [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
   6819 * [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
   6820 * [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
   6821 * [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
   6822 * html/drivers/driver22.html: typo fix.  Harlan Stenn.
   6823 * refidsmear test cleanup.  Tomasz Flendrich.
   6824 * refidsmear function support and tests.  Harlan Stenn.
   6825 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
   6826   something that was only in the 4.2.6 sntp.  Harlan Stenn.
   6827 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
   6828   Damir Tomic
   6829 * Modified tests/libntp/Makefile.am so it builds Unity framework tests.
   6830   Damir Tomic
   6831 * Modified sntp/tests/Makefile.am so it builds Unity framework tests.
   6832   Damir Tomic
   6833 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
   6834 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomic
   6835 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
   6836   atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   6837   calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
   6838   numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
   6839   timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
   6840   Damir Tomic
   6841 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
   6842   networking.c, keyFile.c, utilities.cpp, sntptest.h,
   6843   fileHandlingTest.h. Damir Tomic
   6844 * Initial support for experimental leap smear code.  Harlan Stenn.
   6845 * Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
   6846 * Report select() debug messages at debug level 3 now.
   6847 * sntp/scripts/genLocInfo: treat raspbian as debian.
   6848 * Unity test framework fixes.
   6849   ** Requires ruby for changes to tests.
   6850 * Initial support for PACKAGE_VERSION tests.
   6851 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
   6852 * tests/bug-2803/Makefile.am must distribute bug-2803.h.
   6853 * Add an assert to the ntpq ifstats code.
   6854 * Clean up the RLIMIT_STACK code.
   6855 * Improve the ntpq documentation around the controlkey keyid.
   6856 * ntpq.c cleanup.
   6857 * Windows port build cleanup.
   6858 
   6859 ---
   6860 NTP 4.2.8p2 (Harlan Stenn <stenn (a] ntp.org>, 2015/04/07) 
   6861 
   6862 Focus: Security and Bug fixes, enhancements.
   6863 
   6864 Severity: MEDIUM
   6865  
   6866 In addition to bug fixes and enhancements, this release fixes the
   6867 following medium-severity vulnerabilities involving private key
   6868 authentication:
   6869 
   6870 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   6871 
   6872     References: Sec 2779 / CVE-2015-1798 / VU#374268
   6873     Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
   6874 	including ntp-4.2.8p2 where the installation uses symmetric keys
   6875 	to authenticate remote associations.
   6876     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   6877     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   6878     Summary: When ntpd is configured to use a symmetric key to authenticate
   6879 	a remote NTP server/peer, it checks if the NTP message
   6880 	authentication code (MAC) in received packets is valid, but not if
   6881 	there actually is any MAC included. Packets without a MAC are
   6882 	accepted as if they had a valid MAC. This allows a MITM attacker to
   6883 	send false packets that are accepted by the client/peer without
   6884 	having to know the symmetric key. The attacker needs to know the
   6885 	transmit timestamp of the client to match it in the forged reply
   6886 	and the false reply needs to reach the client before the genuine
   6887 	reply from the server. The attacker doesn't necessarily need to be
   6888 	relaying the packets between the client and the server.
   6889 
   6890 	Authentication using autokey doesn't have this problem as there is
   6891 	a check that requires the key ID to be larger than NTP_MAXKEY,
   6892 	which fails for packets without a MAC.
   6893     Mitigation:
   6894         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   6895 	or the NTP Public Services Project Download Page
   6896         Configure ntpd with enough time sources and monitor it properly. 
   6897     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
   6898 
   6899 * [Sec 2781] Authentication doesn't protect symmetric associations against
   6900   DoS attacks.
   6901 
   6902     References: Sec 2781 / CVE-2015-1799 / VU#374268
   6903     Affects: All NTP releases starting with at least xntp3.3wy up to but
   6904 	not including ntp-4.2.8p2 where the installation uses symmetric
   6905 	key authentication.
   6906     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   6907     Note: the CVSS base Score for this issue could be 4.3 or lower, and
   6908 	it could be higher than 5.4.
   6909     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   6910     Summary: An attacker knowing that NTP hosts A and B are peering with
   6911 	each other (symmetric association) can send a packet to host A
   6912 	with source address of B which will set the NTP state variables
   6913 	on A to the values sent by the attacker. Host A will then send
   6914 	on its next poll to B a packet with originate timestamp that
   6915 	doesn't match the transmit timestamp of B and the packet will
   6916 	be dropped. If the attacker does this periodically for both
   6917 	hosts, they won't be able to synchronize to each other. This is
   6918 	a known denial-of-service attack, described at
   6919 	https://www.eecis.udel.edu/~mills/onwire.html .
   6920 
   6921 	According to the document the NTP authentication is supposed to
   6922 	protect symmetric associations against this attack, but that
   6923 	doesn't seem to be the case. The state variables are updated even
   6924 	when authentication fails and the peers are sending packets with
   6925 	originate timestamps that don't match the transmit timestamps on
   6926 	the receiving side.
   6927 
   6928 	This seems to be a very old problem, dating back to at least
   6929 	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
   6930 	specifications, so other NTP implementations with support for
   6931 	symmetric associations and authentication may be vulnerable too.
   6932 	An update to the NTP RFC to correct this error is in-process.
   6933     Mitigation:
   6934         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   6935 	or the NTP Public Services Project Download Page
   6936         Note that for users of autokey, this specific style of MITM attack
   6937 	is simply a long-known potential problem.
   6938         Configure ntpd with appropriate time sources and monitor ntpd.
   6939 	Alert your staff if problems are detected. 
   6940     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
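
Modelling both advisories above (Sec 2779 and Sec 2781) as an added example that is not ntpd's own code: it builds a constructed NTPv4 packet carrying the RFC 5905 symmetric-key MAC (4-byte key ID plus MD5 over key and header), contrasts a check that only verifies a MAC when one is present with the hardened check that requires one, and shows why peer state must not be touched by a packet that failed authentication. The key, key ID and the small PeerState model are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Packet layout from RFC 5905: a 48-byte header, optionally followed by a MAC
# made of a 4-byte key ID and a 16-byte MD5 digest (legacy symmetric-key auth).
LEN_PKT_NOMAC = 48
KEYID_LEN = 4
MD5_DIGEST_LEN = 16
LEN_PKT_MAC = LEN_PKT_NOMAC + KEYID_LEN + MD5_DIGEST_LEN

SAMPLE_KEY = b"constructed-sample-key"   # constructed; a real ntp.keys entry differs
SAMPLE_KEYID = 1


def build_header(transmit_ts: int) -> bytes:
    """Constructed minimal NTPv4 server packet (LI=0, VN=4, mode=4), 48 bytes."""
    ref_ts = org_ts = rx_ts = 0
    return (struct.pack("!BBbb", 0x24, 2, 6, -20)   # LI/VN/mode, stratum, poll, precision
            + struct.pack("!II", 0, 0)               # root delay, root dispersion
            + b"LOCL"                                # reference ID
            + struct.pack("!QQQQ", ref_ts, org_ts, rx_ts, transmit_ts))


def symmetric_mac(key: bytes, header: bytes) -> bytes:
    """Legacy NTP symmetric-key MAC: plain MD5 over key || header (not HMAC)."""
    return hashlib.md5(key + header).digest()


def append_mac(header: bytes, key: bytes, keyid: int) -> bytes:
    return header + struct.pack("!I", keyid) + symmetric_mac(key, header)


def transmit_timestamp(pkt: bytes) -> int:
    return struct.unpack("!Q", pkt[40:48])[0]


def mac_is_valid(pkt: bytes, key: bytes, keyid: int) -> bool:
    """True only if a MAC is present, names our key ID and verifies."""
    if len(pkt) != LEN_PKT_MAC:
        return False
    header, trailer = pkt[:LEN_PKT_NOMAC], pkt[LEN_PKT_NOMAC:]
    pkt_keyid = struct.unpack("!I", trailer[:KEYID_LEN])[0]
    digest = trailer[KEYID_LEN:]
    return pkt_keyid == keyid and hmac.compare_digest(symmetric_mac(key, header), digest)


def authenticate_vulnerable(pkt: bytes, key: bytes, keyid: int) -> bool:
    """Sec 2779 behaviour: the MAC is checked when present, but a packet
    without any MAC is accepted as if it carried a valid one."""
    if len(pkt) == LEN_PKT_NOMAC:
        return True
    return mac_is_valid(pkt, key, keyid)


def authenticate_fixed(pkt: bytes, key: bytes, keyid: int) -> bool:
    """Hardened: once a key is configured, a MAC must be present and valid."""
    return mac_is_valid(pkt, key, keyid)


@dataclass
class PeerState:
    """The slice of symmetric-peer state the advisories talk about."""
    org: int = 0   # transmit timestamp last accepted from the peer


def receive(state: PeerState, pkt: bytes, key: bytes, keyid: int, hardened: bool) -> bool:
    """Process one inbound packet on a symmetric association; True if accepted."""
    if hardened:
        if not authenticate_fixed(pkt, key, keyid):
            return False          # Sec 2781 fix: drop before touching any state
        state.org = transmit_timestamp(pkt)
        return True
    authentic = authenticate_vulnerable(pkt, key, keyid)
    # Sec 2781 behaviour: state variables were updated even when authentication
    # failed, so an unauthenticated forgery could break the originate/transmit
    # timestamp exchange and keep the two peers from synchronising.
    state.org = transmit_timestamp(pkt)
    return authentic
```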
   6941 
   6942 * New script: update-leap
   6943 The update-leap script will verify and if necessary, update the
   6944 leap-second definition file.
   6945 It requires the following commands in order to work:
   6946 
   6947 	wget logger tr sed shasum
   6948 
   6949 Some may choose to run this from cron.  It needs more portability testing.
   6950 
   6951 Bug Fixes and Improvements:
   6952 
   6953 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
   6954 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
   6955 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
   6956 * [Bug 2728] See if C99-style structure initialization works.
   6957 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
   6958 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
   6959 * [Bug 2751] jitter.h has stale copies of l_fp macros.
   6960 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
   6961 * [Bug 2757] Quiet compiler warnings.
   6962 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
   6963 * [Bug 2763] Allow different thresholds for forward and backward steps.
   6964 * [Bug 2766] ntp-keygen output files should not be world-readable.
   6965 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
   6966 * [Bug 2771] nonvolatile value is documented in wrong units.
   6967 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
   6968 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
   6969 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
   6970 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
   6971   Removed non-ASCII characters from some copyright comments.
   6972   Removed trailing whitespace.
   6973   Updated definitions for Meinberg clocks from current Meinberg header files.
   6974   Now use C99 fixed-width types and avoid non-ASCII characters in comments.
   6975   Account for updated definitions pulled from Meinberg header files.
   6976   Updated comments on Meinberg GPS receivers which are not only called GPS16x.
   6977   Replaced some constant numbers by defines from ntp_calendar.h
   6978   Modified creation of parse-specific variables for Meinberg devices
   6979   in gps16x_message().
   6980   Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
   6981   Modified mbg_tm_str(), which now expects an additional parameter controlling
   6982   whether the time status is printed.
   6983 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   6984 * [Sec 2781] Authentication doesn't protect symmetric associations against
   6985   DoS attacks.
   6986 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
   6987 * [Bug 2789] Quiet compiler warnings from libevent.
   6988 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
   6989   pause briefly before measuring system clock precision to yield
   6990   correct results.
   6991 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
   6992 * Use predefined function types for parse driver functions
   6993   used to set up function pointers.
   6994   Account for changed prototype of parse_inp_fnc_t functions.
   6995   Cast parse conversion results to appropriate types to avoid
   6996   compiler warnings.
   6997   Let ioctl() for Windows accept a (void *) to avoid compiler warnings
   6998   when called with pointers to different types.
   6999 
   7000 ---
   7001 NTP 4.2.8p1 (Harlan Stenn <stenn (a] ntp.org>, 2015/02/04) 
   7002 
   7003 Focus: Security and Bug fixes, enhancements.
   7004 
   7005 Severity: HIGH
   7006  
   7007 In addition to bug fixes and enhancements, this release fixes the
   7008 following high-severity vulnerabilities:
   7009 
   7010 * vallen is not validated in several places in ntp_crypto.c, leading
   7011   to a potential information leak or possibly a crash
   7012 
   7013     References: Sec 2671 / CVE-2014-9297 / VU#852879
   7014     Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
   7015     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   7016     Date Resolved: Stable (4.2.8p1) 04 Feb 2015
   7017     Summary: The vallen packet value is not validated in several code
   7018              paths in ntp_crypto.c which can lead to information leakage
   7019 	     or perhaps a crash of the ntpd process.
   7020     Mitigation - any of:
   7021 	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   7022 		or the NTP Public Services Project Download Page.
   7023 	Disable Autokey Authentication by removing, or commenting out,
   7024 		all configuration directives beginning with the "crypto"
   7025 		keyword in your ntp.conf file. 
   7026     Credit: This vulnerability was discovered by Stephen Roettger of the
   7027     	Google Security Team, with additional cases found by Sebastian
   7028 	Krahmer of the SUSE Security Team and Harlan Stenn of Network
   7029 	Time Foundation. 
   7030 
   7031 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
   7032   can be bypassed.
   7033 
   7034     References: Sec 2672 / CVE-2014-9298 / VU#852879
   7035     Affects: All NTP4 releases before 4.2.8p1, under at least some
   7036 	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
   7037     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
   7038     Date Resolved: Stable (4.2.8p1) 04 Feb 2014
   7039     Summary: While available kernels will prevent 127.0.0.1 addresses
   7040 	from "appearing" on non-localhost IPv4 interfaces, some kernels
   7041 	do not offer the same protection for ::1 source addresses on
   7042 	IPv6 interfaces. Since NTP's access control is based on source
   7043 	address and localhost addresses generally have no restrictions,
   7044 	an attacker can send malicious control and configuration packets
   7045 	by spoofing ::1 addresses from the outside. Note Well: This is
   7046 	not really a bug in NTP, it's a problem with some OSes. If you
   7047 	have one of these OSes where ::1 can be spoofed, ALL ::1-based
   7048 	ACL restrictions on any application can be bypassed!
   7049     Mitigation:
   7050         Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   7051 	or the NTP Public Services Project Download Page
   7052         Install firewall rules to block packets claiming to come from
   7053 	::1 from inappropriate network interfaces. 
   7054     Credit: This vulnerability was discovered by Stephen Roettger of
   7055 	the Google Security Team. 
   7056 
   7057 Additionally, over 30 bugfixes and improvements were made to the codebase.
   7058 See the ChangeLog for more information.
   7059 
   7060 ---
   7061 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 
   7062  
   7063 Focus: Security and Bug fixes, enhancements.
   7064  
   7065 Severity: HIGH
   7066  
   7067 In addition to bug fixes and enhancements, this release fixes the
   7068 following high-severity vulnerabilities:
   7069 
   7070 ************************** vv NOTE WELL vv *****************************
   7071 
   7072 The vulnerabilities listed below can be significantly mitigated by
   7073 following the BCP of putting
   7074 
   7075  restrict default ... noquery
   7076 
   7077 in the ntp.conf file.  With the exception of:
   7078 
   7079    receive(): missing return on error
   7080    References: Sec 2670 / CVE-2014-9296 / VU#852879
   7081 
   7082 below (which is a limited-risk vulnerability), none of the recent
   7083 vulnerabilities listed below can be exploited if the source IP is
   7084 restricted from sending a 'query'-class packet by your ntp.conf file.
   7085 
   7086 ************************** ^^ NOTE WELL ^^ *****************************
   7087 
   7088 * Weak default key in config_auth().
   7089 
   7090   References: [Sec 2665] / CVE-2014-9293 / VU#852879
   7091   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   7092   Vulnerable Versions: all releases prior to 4.2.7p11
   7093   Date Resolved: 28 Jan 2010
   7094 
   7095   Summary: If no 'auth' key is set in the configuration file, ntpd
   7096 	would generate a random key on the fly.  There were two
   7097 	problems with this: 1) the generated key was 31 bits in size,
   7098 	and 2) it used the (now weak) ntp_random() function, which was
   7099 	seeded with a 32-bit value and could only provide 32 bits of
   7100 	entropy.  This was sufficient back in the late 1990s when the
   7101 	code was written.  Not today.
   7102 
   7103   Mitigation - any of:
   7104 	- Upgrade to 4.2.7p11 or later.
   7105 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   7106 
   7107   Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
   7108   	of the Google Security Team.
   7109 
   7110 * Non-cryptographic random number generator with weak seed used by
   7111   ntp-keygen to generate symmetric keys.
   7112 
   7113   References: [Sec 2666] / CVE-2014-9294 / VU#852879
   7114   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   7115   Vulnerable Versions: All NTP4 releases before 4.2.7p230
   7116   Date Resolved: Dev (4.2.7p230) 01 Nov 2011
   7117 
   7118   Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
   7119   	prepare a random number generator that was of good quality back
   7120 	in the late 1990s. The random numbers produced were then used to
   7121 	generate symmetric keys. In ntp-4.2.8 we use a current-technology
   7122 	cryptographic random number generator, either RAND_bytes from
   7123 	OpenSSL, or arc4random(). 
   7124 
   7125   Mitigation - any of:
   7126   	- Upgrade to 4.2.7p230 or later.
   7127 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   7128 
   7129   Credit:  This vulnerability was discovered in ntp-4.2.6 by
   7130   	Stephen Roettger of the Google Security Team.
   7131 
   7132 * Buffer overflow in crypto_recv()
   7133 
   7134   References: Sec 2667 / CVE-2014-9295 / VU#852879
   7135   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   7136   Versions: All releases before 4.2.8
   7137   Date Resolved: Stable (4.2.8) 18 Dec 2014
   7138 
   7139   Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
   7140   	file contains a 'crypto pw ...' directive) a remote attacker
   7141 	can send a carefully crafted packet that can overflow a stack
   7142 	buffer and potentially allow malicious code to be executed
   7143 	with the privilege level of the ntpd process.
   7144 
   7145   Mitigation - any of:
   7146   	- Upgrade to 4.2.8, or later, or
   7147 	- Disable Autokey Authentication by removing, or commenting out,
   7148 	  all configuration directives beginning with the crypto keyword
   7149 	  in your ntp.conf file. 
   7150 
   7151   Credit: This vulnerability was discovered by Stephen Roettger of the
   7152   	Google Security Team. 
   7153 
   7154 * Buffer overflow in ctl_putdata()
   7155 
   7156   References: Sec 2668 / CVE-2014-9295 / VU#852879
   7157   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   7158   Versions: All NTP4 releases before 4.2.8
   7159   Date Resolved: Stable (4.2.8) 18 Dec 2014
   7160 
   7161   Summary: A remote attacker can send a carefully crafted packet that
   7162   	can overflow a stack buffer and potentially allow malicious
   7163 	code to be executed with the privilege level of the ntpd process.
   7164 
   7165   Mitigation - any of:
   7166   	- Upgrade to 4.2.8, or later.
   7167 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   7168 
   7169   Credit: This vulnerability was discovered by Stephen Roettger of the
   7170   	Google Security Team. 
   7171 
   7172 * Buffer overflow in configure()
   7173 
   7174   References: Sec 2669 / CVE-2014-9295 / VU#852879
   7175   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   7176   Versions: All NTP4 releases before 4.2.8
   7177   Date Resolved: Stable (4.2.8) 18 Dec 2014
   7178 
   7179   Summary: A remote attacker can send a carefully crafted packet that
   7180 	can overflow a stack buffer and potentially allow malicious
   7181 	code to be executed with the privilege level of the ntpd process.
   7182 
   7183   Mitigation - any of:
   7184   	- Upgrade to 4.2.8, or later.
   7185 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   7186 
   7187   Credit: This vulnerability was discovered by Stephen Roettger of the
   7188 	Google Security Team. 
   7189 
   7190 * receive(): missing return on error
   7191 
   7192   References: Sec 2670 / CVE-2014-9296 / VU#852879
   7193   CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
   7194   Versions: All NTP4 releases before 4.2.8
   7195   Date Resolved: Stable (4.2.8) 18 Dec 2014
   7196 
   7197   Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
   7198   	the code path where an error was detected, which meant
   7199 	processing did not stop when a specific rare error occurred.
   7200 	We haven't found a way for this bug to affect system integrity.
   7201 	If there is no way to affect system integrity the base CVSS
   7202 	score for this bug is 0. If there is one avenue through which
   7203 	system integrity can be partially affected, the base score
   7204 	becomes a 5. If system integrity can be partially affected
   7205 	via all three integrity metrics, the CVSS base score becomes 7.5.
   7206 
   7207   Mitigation - any of:
   7208         - Upgrade to 4.2.8, or later,
   7209         - Remove or comment out all configuration directives
   7210 	  beginning with the crypto keyword in your ntp.conf file. 
   7211 
   7212   Credit: This vulnerability was discovered by Stephen Roettger of the
   7213   	Google Security Team. 
   7214 
   7215 See http://support.ntp.org/security for more information.
   7216 
   7217 New features / changes in this release:
   7218 
   7219 Important Changes
   7220 
   7221 * Internal NTP Era counters
   7222 
   7223 The internal counters that track the "era" (range of years) we are in
   7224 roll over every 136 years.  The current "era" started at the stroke of
   7225 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
   7226 1 Jan 2036.
   7227 In the past, we used the "midpoint" of the range to decide which
   7228 era we were in.  Given the longevity of some products, it became clear
   7229 that it would be more functional to "look back" less and "look forward"
   7230 more.  We now compile a timestamp into the ntpd executable, and when we
   7231 get a timestamp we use that "built-on" time to tell us what era we are in.
   7232 This check "looks back" 10 years and "looks forward" 126 years.
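
The era rule above worked through as an added example, not ntpd's own code: a 32-bit NTP seconds field is placed into the 2^32-second window that starts 10 years before the compiled-in build time, which leaves about 126 years of look-forward. The build date and the sample timestamps are constructed, and sizing the 10-year look-back with a Julian year is an assumption.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # start of era 0
ERA_SPAN = 1 << 32                                      # 2^32 s, just over 136 years
SECONDS_PER_YEAR = 365 * 86400 + 21600                  # assumption: Julian year


def ntp_seconds(year: int, month: int, day: int) -> int:
    """Full, era-qualified NTP seconds for a UTC calendar date."""
    when = datetime(year, month, day, tzinfo=timezone.utc)
    return int((when - NTP_EPOCH).total_seconds())


def year_of(ntp_secs: int) -> int:
    """Calendar year of an era-qualified NTP seconds value."""
    return (NTP_EPOCH + timedelta(seconds=ntp_secs)).year


def resolve_era(ts32: int, built_on: int, look_back_years: int = 10) -> int:
    """Expand a 32-bit NTP seconds field to full seconds using the built-on pivot.

    The accepted window starts look_back_years before the build time and spans
    exactly one era, so a 10-year look-back gives about 126 years of look-forward.
    Values that would fall before the window land one era later instead.
    """
    if not 0 <= ts32 < ERA_SPAN:
        raise ValueError("ts32 must fit in 32 bits")
    window_start = built_on - look_back_years * SECONDS_PER_YEAR
    return window_start + ((ts32 - window_start) % ERA_SPAN)


if __name__ == "__main__":
    built_on = ntp_seconds(2014, 12, 18)            # constructed build date
    for y, m, d in ((2008, 1, 1), (2040, 6, 1), (2000, 1, 1)):
        full = ntp_seconds(y, m, d)
        ts32 = full % ERA_SPAN                      # what the wire format carries
        resolved = resolve_era(ts32, built_on)
        print("%04d-%02d-%02d on the wire as %10d -> resolved to year %d"
              % (y, m, d, ts32, year_of(resolved)))
```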
   7233 
   7234 * ntpdc responses disabled by default
   7235 
   7236 Dave Hart writes:
   7237 
   7238 For a long time, ntpq and its mostly text-based mode 6 (control) 
   7239 protocol have been preferred over ntpdc and its mode 7 (private 
   7240 request) protocol for runtime queries and configuration.  There has 
   7241 been a goal of deprecating ntpdc, previously held back by numerous 
   7242 capabilities exposed by ntpdc with no ntpq equivalent.  I have been 
   7243 adding commands to ntpq to cover these cases, and I believe I've 
   7244 covered them all, though I've not compared command-by-command 
   7245 recently. 
   7246 
   7247 As I've said previously, the binary mode 7 protocol involves a lot of 
   7248 hand-rolled structure layout and byte-swapping code in both ntpd and 
   7249 ntpdc which is hard to get right.  As ntpd grows and changes, the 
   7250 changes are difficult to expose via ntpdc while maintaining forward 
   7251 and backward compatibility between ntpdc and ntpd.  In contrast, 
   7252 ntpq's text-based, label=value approach involves more code reuse and 
   7253 allows compatible changes without extra work in most cases. 
   7254 
   7255 Mode 7 has always been defined as vendor/implementation-specific while 
   7256 mode 6 is described in RFC 1305 and intended to be open to interoperate 
   7257 with other implementations.  There is an early draft of an updated 
   7258 mode 6 description that likely will join the other NTPv4 RFCs 
   7259 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
   7260 
   7261 For these reasons, ntpd 4.2.7p230 by default disables processing of 
   7262 ntpdc queries, reducing ntpd's attack surface and functionally 
   7263 deprecating ntpdc.  If you are in the habit of using ntpdc for certain 
   7264 operations, please try the ntpq equivalent.  If there's no equivalent, 
   7265 please open a bug report at http://bugs.ntp.org/.
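
An offline ntp.conf audit, added here as an example (not part of the NTP distribution), that checks the two configuration points raised in these notes: leftover Autokey "crypto" directives, which the advisory mitigation above says to remove, and query access left open so that mode 6/7 packets are answered from any address. It assumes that "restrict default" without -4/-6 covers both address families, that "noquery" or "ignore" on it refuses queries, and that "enable mode7" is the keyword that re-enables ntpdc handling. Both configurations below are constructed samples.

```python
"""ntp.conf audit for Autokey leftovers and open query access (added example)."""

QUERY_DENY_FLAGS = {"noquery", "ignore"}   # either one refuses mode 6/7 queries


def parse_ntp_conf(text):
    """Yield (line_no, keyword, args) per directive; '#' starts a comment."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = line.split()
            yield line_no, tokens[0].lower(), tokens[1:]


def audit_ntp_conf(text):
    """Return [(line_no, finding), ...]; line 0 marks a directive that is missing."""
    findings = []
    families_refusing_queries = set()
    for line_no, keyword, args in parse_ntp_conf(text):
        if keyword == "crypto":
            findings.append((line_no, "Autokey 'crypto' directive present; "
                             "remove it unless Autokey is deliberately in use"))
        elif keyword == "enable" and "mode7" in {a.lower() for a in args}:
            findings.append((line_no, "'enable mode7' re-opens the ntpdc (mode 7) "
                             "interface that is off by default"))
        elif keyword == "restrict":
            families = {"ipv4", "ipv6"}          # bare 'default' covers both
            rest = list(args)
            if rest and rest[0] in ("-4", "-6"):
                families = {"ipv4"} if rest.pop(0) == "-4" else {"ipv6"}
            if rest and rest[0].lower() == "default":
                if QUERY_DENY_FLAGS & {f.lower() for f in rest[1:]}:
                    families_refusing_queries |= families
    for family in ("ipv4", "ipv6"):
        if family not in families_refusing_queries:
            findings.append((0, f"no 'restrict default' with noquery/ignore for "
                             f"{family}: mode 6/7 queries answered from any address"))
    return findings


# Constructed sample: Autokey still configured, queries open, ntpdc re-enabled.
WEAK_CONF = """\
# constructed sample, not taken from any real host
driftfile /var/lib/ntp/ntp.drift
server ntp.example.net iburst
crypto pw example-password
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
enable mode7
"""

# Constructed sample: no Autokey, mode 7 left disabled, queries refused by default.
HARDENED_CONF = """\
# constructed sample: queries refused except from localhost
driftfile /var/lib/ntp/ntp.drift
server ntp.example.net iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for line_no, finding in audit_ntp_conf(conf) or [(0, "no findings")]:
            print(f"  line {line_no}: {finding}")
```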
   7266 
   7267 In addition to the above, over 1100 issues have been resolved between
   7268 the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
   7269 lists these.
   7270 
   7271 --- 
   7272 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 
   7273  
   7274 Focus: Bug fixes
   7275  
   7276 Severity: Medium 
   7277  
   7278 This is a recommended upgrade. 
   7279 
   7280 This release updates sys_rootdisp and sys_jitter calculations to match the
   7281 RFC specification, fixes a potential IPv6 address matching error for the
   7282 "nic" and "interface" configuration directives, suppresses the creation of
   7283 extraneous ephemeral associations for certain broadcastclient and
   7284 multicastclient configurations, cleans up some ntpq display issues, and
   7285 includes improvements to orphan mode, minor bugs fixes and code clean-ups.
   7286 
   7287 New features / changes in this release:
   7288 
   7289 ntpd
   7290 
   7291  * Updated "nic" and "interface" IPv6 address handling to prevent 
   7292    mismatches with localhost [::1] and wildcard [::] which resulted from
   7293    using the address/prefix format (e.g. fe80::/64)
   7294  * Fix orphan mode stratum incorrectly counting to infinity
   7295  * Orphan parent selection metric updated to include the missing ntohl()
   7296  * Non-printable stratum 16 refid no longer sent to ntp
   7297  * Duplicate ephemeral associations suppressed for broadcastclient and
   7298    multicastclient without broadcastdelay
   7299  * Exclude undetermined sys_refid from use in loopback TEST12
   7300  * Exclude MODE_SERVER responses from KoD rate limiting
   7301  * Include root delay in clock_update() sys_rootdisp calculations
   7302  * get_systime() updated to exclude sys_residual offset (which only
   7303    affected bits "below" sys_tick, the precision threshold)
   7304  * sys.peer jitter weighting corrected in sys_jitter calculation
   7305 
   7306 ntpq
   7307 
   7308  * -n option extended to include the billboard "server" column
   7309  * IPv6 addresses in the local column truncated to prevent overruns
   7310 
   7311 --- 
   7312 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 
   7313  
   7314 Focus: Bug fixes and portability improvements 
   7315  
   7316 Severity: Medium 
   7317  
   7318 This is a recommended upgrade. 
   7319  
   7320 This release includes build infrastructure updates, code 
   7321 clean-ups, minor bug fixes, fixes for a number of minor 
   7322 ref-clock issues, and documentation revisions. 
   7323  
   7324 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 
   7325  
   7326 New features / changes in this release: 
   7327  
   7328 Build system 
   7329  
   7330 * Fix checking for struct rtattr 
   7331 * Update config.guess and config.sub for AIX 
   7332 * Upgrade required version of autogen and libopts for building 
   7333   from our source code repository 
   7334  
   7335 ntpd 
   7336  
   7337 * Back-ported several fixes for Coverity warnings from ntp-dev 
   7338 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 
   7339 * Allow "logconfig =allall" configuration directive 
   7340 * Bind tentative IPv6 addresses on Linux 
   7341 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 
   7342 * Improved tally bit handling to prevent incorrect ntpq peer status reports 
   7343 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 
   7344   candidate list unless they are designated a "prefer peer" 
   7345 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 
   7346   selection during the 'tos orphanwait' period 
   7347 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 
   7348   drivers 
   7349 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 
   7350 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 
   7351 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 
   7352   clock slew on Microsoft Windows 
   7353 * Code cleanup in libntpq 
   7354  
   7355 ntpdc 
   7356  
   7357 * Fix timerstats reporting 
   7358  
   7359 ntpdate 
   7360  
   7361 * Reduce time required to set clock 
   7362 * Allow a timeout greater than 2 seconds 
   7363  
   7364 sntp 
   7365  
   7366 * Backward incompatible command-line option change: 
   7367   -l/--filelog changed to -l/--logfile (to be consistent with ntpd) 
   7368  
   7369 Documentation 
   7370  
   7371 * Update html2man. Fix some tags in the .html files 
   7372 * Distribute ntp-wait.html 
   7373 
   7374 ---
   7375 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03)
   7376 
   7377 Focus: Bug fixes and portability improvements
   7378 
   7379 Severity: Medium
   7380 
   7381 This is a recommended upgrade.
   7382 
   7383 This release includes build infrastructure updates, code
   7384 clean-ups, minor bug fixes, fixes for a number of minor
   7385 ref-clock issues, and documentation revisions.
   7386 
   7387 Portability improvements in this release affect AIX, Atari FreeMiNT,
   7388 FreeBSD4, Linux and Microsoft Windows.
   7389 
   7390 New features / changes in this release:
   7391 
   7392 Build system
   7393 * Use lsb_release to get information about Linux distributions.
   7394 * 'test' is in /usr/bin (instead of /bin) on some systems.
   7395 * Basic sanity checks for the ChangeLog file.
   7396 * Source certain build files with ./filename for systems without . in PATH.
   7397 * IRIX portability fix.
   7398 * Use a single copy of the "libopts" code.
   7399 * autogen/libopts upgrade.
   7400 * configure.ac m4 quoting cleanup.
   7401 
   7402 ntpd
   7403 * Do not bind to IN6_IFF_ANYCAST addresses.
   7404 * Log the reason for exiting under Windows.
   7405 * Multicast fixes for Windows.
   7406 * Interpolation fixes for Windows.
   7407 * IPv4 and IPv6 Multicast fixes.
   7408 * Manycast solicitation fixes and general repairs.
   7409 * JJY refclock cleanup.
   7410 * NMEA refclock improvements.
   7411 * Oncore debug message cleanup.
   7412 * Palisade refclock now builds under Linux.
   7413 * Give RAWDCF more baud rates.
   7414 * Support Truetime Satellite clocks under Windows.
   7415 * Support Arbiter 1093C Satellite clocks under Windows.
   7416 * Make sure that the "filegen" configuration command defaults to "enable".
   7417 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
   7418 * Prohibit 'includefile' directive in remote configuration command.
   7419 * Fix 'nic' interface bindings.
   7420 * Fix the way we link with openssl if openssl is installed in the base
   7421   system.
   7422 
   7423 ntp-keygen
   7424 * Fix -V coredump.
   7425 * OpenSSL version display cleanup.
   7426 
   7427 ntpdc
   7428 * Many counters should be treated as unsigned.
   7429 
   7430 ntpdate
   7431 * Do not ignore replies with equal receive and transmit timestamps.
   7432 
   7433 ntpq
   7434 * libntpq warning cleanup.
   7435 
   7436 ntpsnmpd
   7437 * Correct SNMP type for "precision" and "resolution".
   7438 * Update the MIB from the draft version to RFC-5907.
   7439 
   7440 sntp
   7441 * Display timezone offset when showing time for sntp in the local
   7442   timezone.
   7443 * Pay proper attention to RATE KoD packets.
   7444 * Fix a miscalculation of the offset.
   7445 * Properly parse empty lines in the key file.
   7446 * Logging cleanup.
   7447 * Use tv_usec correctly in set_time().
   7448 * Documentation cleanup.
   7449 
   7450 ---
   7451 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08)
   7452 
   7453 Focus: Bug fixes and portability improvements
   7454 
   7455 Severity: Medium
   7456 
   7457 This is a recommended upgrade.
   7458 
   7459 This release includes build infrastructure updates, code
   7460 clean-ups, minor bug fixes, fixes for a number of minor
   7461 ref-clock issues, improved KOD handling, OpenSSL related
   7462 updates and documentation revisions.
   7463 
   7464 Portability improvements in this release affect Irix, Linux,
   7465 Mac OS, Microsoft Windows, OpenBSD and QNX6
   7466 
   7467 New features / changes in this release:
   7468 
   7469 ntpd
   7470 * Range syntax for the trustedkey configuration directive
   7471 * Unified IPv4 and IPv6 restrict lists
   7472 
   7473 ntpdate
   7474 * Rate limiting and KOD handling
   7475 
   7476 ntpsnmpd
   7477 * default connection to net-snmpd via a unix-domain socket
   7478 * command-line 'socket name' option
   7479 
   7480 ntpq / ntpdc
   7481 * support for the "passwd ..." syntax
   7482 * key-type specific password prompts
   7483 
   7484 sntp
   7485 * MD5 authentication of an ntpd
   7486 * Broadcast and crypto
   7487 * OpenSSL support
   7488 
   7489 ---
   7490 NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09)
   7491 
   7492 Focus: Bug fixes, portability fixes, and documentation improvements
   7493 
   7494 Severity: Medium
   7495 
   7496 This is a recommended upgrade.
   7497 
   7498 ---
   7499 NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   7500 
   7501 Focus: enhancements and bug fixes.
   7502 
   7503 ---
   7504 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   7505 
   7506 Focus: Security Fixes
   7507 
   7508 Severity: HIGH
   7509 
   7510 This release fixes the following high-severity vulnerability:
   7511 
   7512 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
   7513 
   7514   See http://support.ntp.org/security for more information.
   7515 
   7516   NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
   7517   In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
   7518   transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
   7519   request or a mode 7 error response from an address which is not listed
   7520   in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
   7521   reply with a mode 7 error response (and log a message).  In this case:
   7522 
   7523 	* If an attacker spoofs the source address of ntpd host A in a
   7524 	  mode 7 response packet sent to ntpd host B, both A and B will
   7525 	  continuously send each other error responses, for as long as
   7526 	  those packets get through.
   7527 
   7528 	* If an attacker spoofs an address of ntpd host A in a mode 7
   7529 	  response packet sent to ntpd host A, A will respond to itself
   7530 	  endlessly, consuming CPU and logging excessively.
   7531 
   7532   Credit for finding this vulnerability goes to Robin Park and Dmitri
   7533   Vinokurov of Alcatel-Lucent.
   7534 
   7535 THIS IS A STRONGLY RECOMMENDED UPGRADE.
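
The two loops described above, as an added example (not ntpd's code): a mode 7 header is packed and parsed, and a reply function decides whether an incoming packet earns an error response. The header layout follows ntp_request.h (rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize); the decision logic, the subset of request codes, and the error code used on the pre-fix path are constructed for illustration. With answer_responses=True the function reproduces the pre-4.2.4p8 behaviour, so a single spoofed error response keeps two hosts (or one host and itself) exchanging error responses; with the default it drops responses silently, which is the fix.

```python
"""Mode 7 (MODE_PRIVATE) error-response handling, before and after the fix."""
import struct

MODE_PRIVATE = 7
RESP_BIT, MORE_BIT = 0x80, 0x40                  # bits in rm_vn_mode
HDR = struct.Struct("!BBBBHH")                   # 8-byte mode 7 header
INFO_ERR_IMPL, INFO_ERR_REQ, INFO_ERR_FMT = 1, 2, 3
IMPL_XNTPD = 3                                   # implementation code ntpd answers
KNOWN_REQUESTS = {0: "REQ_PEER_LIST", 4: "REQ_SYS_INFO"}   # constructed subset


def build_mode7(impl, request, *, response=False, err=0, version=2, seq=0,
                nitems=0, itemsize=0, data=b""):
    """Pack a mode 7 packet; 'response' sets the R bit."""
    rm_vn_mode = (RESP_BIT if response else 0) | ((version & 7) << 3) | MODE_PRIVATE
    err_nitems = ((err & 0xF) << 12) | (nitems & 0xFFF)
    return HDR.pack(rm_vn_mode, seq & 0x7F, impl, request, err_nitems,
                    itemsize & 0xFFF) + data


def parse_mode7(pkt):
    """Split the header into fields; raise ValueError if it is not mode 7."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    rm, aseq, impl, req, err_nitems, mbz_itemsize = HDR.unpack_from(pkt)
    if rm & 7 != MODE_PRIVATE:
        raise ValueError("not mode 7")
    return {"response": bool(rm & RESP_BIT), "more": bool(rm & MORE_BIT),
            "version": (rm >> 3) & 7, "auth": bool(aseq & 0x80),
            "seq": aseq & 0x7F, "impl": impl, "request": req,
            "err": err_nitems >> 12, "nitems": err_nitems & 0xFFF,
            "itemsize": mbz_itemsize & 0xFFF}


def _error_reply(h, err):
    return build_mode7(h["impl"], h["request"], response=True, err=err,
                       version=h["version"], seq=h["seq"])


def mode7_reply(pkt, *, src_noquery=False, answer_responses=False):
    """Return the bytes sent back to the source, or None to drop silently.

    answer_responses=True models the pre-4.2.4p8 code (CVE-2009-3563): an
    incoming *response* carrying an error is treated as an incorrect packet
    and itself earns an error response.  The default never replies to a
    response, so a spoofed packet cannot start a loop.
    """
    if src_noquery:                       # restrict ... noquery / ignore
        return None
    try:
        h = parse_mode7(pkt)
    except ValueError:
        return None
    if h["response"]:
        if not answer_responses or h["err"] == 0:
            return None
        return _error_reply(h, INFO_ERR_FMT)   # vulnerable path (error code constructed)
    if h["impl"] != IMPL_XNTPD:
        return _error_reply(h, INFO_ERR_IMPL)
    if h["request"] not in KNOWN_REQUESTS:
        return _error_reply(h, INFO_ERR_REQ)
    return None                                # valid request: real data not modelled


def exchange_rounds(first_pkt, max_rounds, *, answer_responses):
    """Feed each host's reply to the other; count packets emitted before the exchange dies."""
    pkt, sent = first_pkt, 0
    while pkt is not None and sent < max_rounds:
        pkt = mode7_reply(pkt, answer_responses=answer_responses)
        if pkt is not None:
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed: an error response "from host A" spoofed at host B.
    spoofed = build_mode7(IMPL_XNTPD, 0, response=True, err=INFO_ERR_REQ)
    print("pre-fix  rounds:", exchange_rounds(spoofed, 5, answer_responses=True))
    print("post-fix rounds:", exchange_rounds(spoofed, 5, answer_responses=False))
```

A genuine malformed request still gets its error response after the fix (an unknown request code is answered with INFO_ERR_REQ); only packets with the R bit set are dropped, so ntpdc keeps working while the reflection loop is closed.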
   7536 
   7537 ---
   7538 ntpd now syncs to refclocks right away.
   7539 
   7540 Backward-Incompatible changes:
   7541 
   7542 ntpd no longer accepts '-v name' or '-V name' to define internal variables.
   7543 Use '--var name' or '--dvar name' instead. (Bug 817)
   7544 
   7545 ---
   7546 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04)
   7547 
   7548 Focus: Security and Bug Fixes
   7549 
   7550 Severity: HIGH
   7551 
   7552 This release fixes the following high-severity vulnerability:
   7553 
   7554 * [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
   7555 
   7556   See http://support.ntp.org/security for more information.
   7557 
   7558   If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
   7559   line) then a carefully crafted packet sent to the machine will cause
   7560   a buffer overflow and possible execution of injected code, running
   7561   with the privileges of the ntpd process (often root).
   7562 
   7563   Credit for finding this vulnerability goes to Chris Ries of CMU.
   7564 
   7565 This release fixes the following low-severity vulnerabilities:
   7566 
   7567 * [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
   7568   Credit for finding this vulnerability goes to Geoff Keating of Apple.
   7569   
   7570 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
   7571   Credit for finding this issue goes to Dave Hart.
   7572 
   7573 This release fixes a number of bugs and adds some improvements:
   7574 
   7575 * Improved logging
   7576 * Fix many compiler warnings
   7577 * Many fixes and improvements for Windows
   7578 * Adds support for AIX 6.1
   7579 * Resolves some issues under MacOS X and Solaris
   7580 
   7581 THIS IS A STRONGLY RECOMMENDED UPGRADE.
   7582 
   7583 ---
   7584 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07)
   7585 
   7586 Focus: Security Fix
   7587 
   7588 Severity: Low
   7589 
   7590 This release fixes oCERT.org's CVE-2009-0021, a vulnerability in NTP's
   7591 use of the OpenSSL library: the return value of the EVP_VerifyFinal()
   7592 function was checked incorrectly.  EVP_VerifyFinal() returns 1 on success,
   7593 0 on a bad signature and -1 on error, so treating any non-zero value as
   7594 success accepts malformed signatures.
   7593 
   7594 Credit for finding this issue goes to the Google Security Team for
   7595 finding the original issue with OpenSSL, and to ocert.org for finding
   7596 the problem in NTP and telling us about it.
   7597 
   7598 This is a recommended upgrade.
   7599 ---
   7600 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17)
   7601 
   7602 Focus: Minor Bugfixes 
   7603 
   7604 This release fixes a number of Windows-specific ntpd bugs and 
   7605 platform-independent ntpdate bugs. A logging bugfix has been applied
   7606 to the ONCORE driver.
   7607 
   7608 The "dynamic" keyword is now obsolete, and deferred binding to local 
   7609 interfaces is the new default. The minimum time restriction for the 
   7610 interface update interval has been dropped. 
   7611 
   7612 A number of minor build system and documentation fixes are included. 
   7613 
   7614 This is a recommended upgrade for Windows. 
   7615 
   7616 ---
   7617 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10)
   7618 
   7619 Focus: Minor Bugfixes
   7620 
   7621 This release updates certain copyright information, fixes several display
   7622 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
   7623 shutdown in the parse refclock driver, removes some lint from the code,
   7624 stops accessing certain buffers immediately after they were freed, fixes
   7625 a problem with non-command-line specification of -6, and allows the loopback
   7626 interface to share addresses with other interfaces.
   7627 
   7628 ---
   7629 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29)
   7630 
   7631 Focus: Minor Bugfixes
   7632 
   7633 This release fixes a bug that made it difficult to terminate ntpd
   7634 under Windows.
   7635 This is a recommended upgrade for Windows.
   7636 
   7637 ---
   7638 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19)
   7639 
   7640 Focus: Minor Bugfixes
   7641 
   7642 This release fixes a multicast mode authentication problem, 
   7643 an error in NTP packet handling on Windows that could lead to 
   7644 ntpd crashing, and several other minor bugs. Handling of 
   7645 multicast interfaces and logging configuration were improved. 
   7646 The required versions of autogen and libopts were incremented.
   7647 This is a recommended upgrade for Windows and multicast users.
   7648 
   7649 ---
   7650 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31)
   7651 
   7652 Focus: enhancements and bug fixes.
   7653 
   7654 Dynamic interface rescanning was added to simplify the use of ntpd in 
   7655 conjunction with DHCP. GNU AutoGen is used for its command-line options 
   7656 processing. Separate PPS devices are supported for PARSE refclocks, MD5 
   7657 signatures are now provided for the release files. Drivers have been 
   7658 added for some new ref-clocks and have been removed for some older 
   7659 ref-clocks. This release also includes other improvements, documentation 
   7660 and bug fixes. 
   7661 
   7662 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 
   7663 C support.
   7664 
   7665 ---
   7666 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15)
   7667 
   7668 Focus: enhancements and bug fixes.
   7669