NEWS revision 1.1.1.14
--
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

NOTE: this NEWS file will be undergoing more revisions.

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
            other TrustedBSD platforms
 - applied patch by Ian Lepore <perlinger@ntp.org>
 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
 - changed interaction with SCM to signal pending startup
 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
 - rework of ntpq 'nextvar()' key/value parsing
 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
 - add #define ENABLE_CMAC support in configure.  HStenn.
 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
 - patch by Stephen Friedl
 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
 - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
 - initial patch by Hal Murray; also fixed refclock_report() trouble
 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
 with modifications
 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
 - applied patch by Miroslav Lichvar
 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
 - integrated patch by Reinhard Max
 [Bug 2821] minor build issues <perlinger@ntp.org>
 - applied patches by Christos Zoulas, including real bug fixes
 html/authopt.html: cleanup, from <stenn@ntp.org>
 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
 Symmetric key range is 1-65535.  Update docs.  <stenn@ntp.org>

--
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
	association (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3454 / CVE-2018-7185 / VU#961909
   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
	2.9 and 6.8.
   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
	score between 2.6 and 3.1
   Summary:
	The NTP Protocol allows for both non-authenticated and
	authenticated associations, in client/server, symmetric (peer),
	and several broadcast modes. In addition to the basic NTP
	operational modes, symmetric mode and broadcast servers can
	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
	was inadvertently introduced into the protocol engine that
	allows a non-authenticated zero-origin (reset) packet to reset
	an authenticated interleaved peer association. If an attacker
	can send a packet with a zero-origin timestamp and the source
	IP address of the "other side" of an interleaved association,
	the 'victim' ntpd will reset its association. The attacker must
	continue sending these packets in order to maintain the
	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
	interleaved mode must be explicitly configured/enabled.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade to 4.2.8p11 or later and have
	    'peer HOST xleave' lines in your ntp.conf file, remove the
	    'xleave' option.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
	state (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3453 / CVE-2018-7184 / VU#961909
   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
	Could score between 2.9 and 6.8.
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
	Could score between 2.6 and 6.0.
   Summary:
	The fix for NtpBug2952 was incomplete, and while it fixed one
	problem it created another.  Specifically, it drops bad packets
	before updating the "received" timestamp.  This means a
	third-party can inject a packet with a zero-origin timestamp,
	meaning the sender wants to reset the association, and the
	transmit timestamp in this bogus packet will be saved as the
	most recent "received" timestamp.  The real remote peer does
	not know this value and this will disrupt the association until
	the association resets.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Use authentication with 'peer' mode.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
	peering (LOW)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3415 / CVE-2018-7170 / VU#961909
               Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
   Summary:
	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
	use a trustedkey and if one is not using the feature introduced in
	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
	specify which IPs can serve time, a malicious authenticated peer
	-- i.e. one where the attacker knows the private symmetric key --
	can create arbitrarily-many ephemeral associations in order to win
	the clock selection of ntpd and modify a victim's clock.  Three
	additional protections are offered in ntp-4.2.8p11.  One is the
	new 'noepeer' directive, which disables symmetric passive
	ephemeral peering. Another is the new 'ippeerlimit' directive,
	which limits the number of peers that can be created from an IP.
	The third extends the functionality of the 4th field in the
	ntp.keys file to include specifying a subnet range.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Use the 'noepeer' directive to prohibit symmetric passive
	    ephemeral associations.
	Use the 'ippeerlimit' directive to limit the number of peers
	    that can be created from an IP.
	Use the 4th argument in the ntp.keys file to limit the IPs and
	    subnets that can be time servers.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was reported as Bug 3012 by Matthew Van Gundy of
	Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3414 / CVE-2018-7183 / VU#961909
   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
   Summary:
	ntpq is a monitoring and control program for ntpd.  decodearr()
	is an internal function of ntpq that is used to -- wait for it --
	decode an array in a response string when formatted data is being
	displayed.  This is a problem in affected versions of ntpq if a
	maliciously-altered ntpd returns an array result that will trip this
	bug, or if a bad actor is able to read an ntpq request on its way to
	a remote ntpd server and forge and send a response before the remote
	ntpd sends its response.  It's potentially possible that the
	malicious data could become injectable/executable code.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
   Credit:
	This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
	behavior and information leak (Info/Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3412 / CVE-2018-7182 / VU#961909
   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
	0.0 if C:N
   Summary:
	ctl_getitem() is used by ntpd to process incoming mode 6 packets.
	A malicious mode 6 packet can be sent to an ntpd instance, and
	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
	cause ctl_getitem() to read past the end of its buffer.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
   Also see Bug 3415, above.
   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   Summary:
	ntpd can be vulnerable to Sybil attacks.  If a system is set up
	to use a trustedkey and if one is not using the feature
	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
	ntp.keys file to specify which IPs can serve time, a malicious
	authenticated peer -- i.e. one where the attacker knows the
	private symmetric key -- can create arbitrarily-many ephemeral
	associations in order to win the clock selection of ntpd and
	modify a victim's clock.  Two additional protections are
	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
	disables symmetric passive ephemeral peering. The other extends
	the functionality of the 4th field in the ntp.keys file to
	include specifying a subnet range.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
	    the NTP Public Services Project Download Page.
	Use the 'noepeer' directive to prohibit symmetric passive
	    ephemeral associations.
	Use the 'ippeerlimit' directive to limit the number of peer
	    associations from an IP.
	Use the 4th argument in the ntp.keys file to limit the IPs
	    and subnets that can be time servers.
	Properly monitor your ntpd instances.
   Credit:
	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* Bug fixes:
 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
 - applied patch by Sean Haugh
 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
 - refactoring the MAC code, too
 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
 - applied patch by ggarvey
 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
 - applied patch by ggarvey (with minor mods)
 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
 - fixed several issues with hash algos in ntpd, sntp, ntpq,
   ntpdc and the test suites <perlinger@ntp.org>
 [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
 - initial patch by Daniel Pouzzner
 [Bug 3423] QNX adjtime() implementation error checking is
 wrong <perlinger@ntp.org>
 [Bug 3417] ntpq ifstats packet counters can be negative
 - made IFSTATS counter quantities unsigned <perlinger@ntp.org>
 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
 - raised receive buffer size to 1200 <perlinger@ntp.org>
 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
 analysis tool. <abe@ntp.org>
 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
 - fix/drop assumptions on OpenSSL libs directory layout
 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
 - patch contributed by Alexander Bluhm
 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
 - rework of formatting & data transfer stuff in 'ntp_control.c'
   avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
 [Bug 3394] Leap second deletion does not work on ntpd clients
 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
 - increased minimum stack size to 32kB <perlinger@ntp.org>
 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
 - reverted handling of PPS kernel consumer to 4.2.6 behavior
 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
 [Bug 3016] wrong error position reported for bad ":config pool"
 - fixed location counter & ntpq output <perlinger@ntp.org>
 [Bug 2900] libntp build order problem.  HStenn.
 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
 perlinger@ntp.org
 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
 Use strlcpy() to copy strings, not memcpy().  HStenn.
 Typos.  HStenn.
 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
 Fix trivial warnings from 'make check'. perlinger@ntp.org
 Fix bug in the override portion of the compiler hardening macro. HStenn.
 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
 sntp: tweak key file logging.  HStenn.
 sntp: pkt_output(): Improve debug output.  HStenn.
 update-leap: updates from Paul McMath.
 When using pkg-config, report --modversion.  HStenn.
 Clean up libevent configure checks.  HStenn.
 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
 authistrustedip() - use it in more places.  HStenn, JPerlinger.
 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
 Update ntp.keys .../N documentation.  HStenn.
 Distribute testconf.yml.  HStenn.
 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
 Rename the configuration flag fifo variables.  HStenn.
 Improve saveconfig output.  HStenn.
 Decode restrict flags on receive() debug output.  HStenn.
 Decode interface flags on receive() debug output.  HStenn.
 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
 Update the documentation in ntp.conf.def .  HStenn.
 restrictions() must return restrict flags and ippeerlimit.  HStenn.
 Update ntpq peer documentation to describe the 'p' type.  HStenn.
 Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
 Provide dump_restricts() for debugging.  HStenn.
 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.

* Other items:

* update-leap needs the following perl modules:
	Net::SSLeay
	IO::Socket::SSL

* New sysstats variables: sys_lamport, sys_tsrounding
See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
sys_lamport counts the number of observed Lamport violations, while
sys_tsrounding counts observed timestamp rounding events.

* New ntp.conf items:

- restrict ... noepeer
- restrict ... ippeerlimit N

The 'noepeer' directive will disallow all ephemeral/passive peer
requests.

The 'ippeerlimit' directive limits the number of time associations
for each IP in the designated set of addresses.  This limit does not
apply to explicitly-configured associations.  A value of -1, the current
default, means an unlimited number of associations may connect from a
single IP.  0 means "none", etc.  Ordinarily the only way multiple
associations would come from the same IP would be if the remote side
was using a proxy.  But a trusted machine might become compromised,
in which case an attacker might spin up multiple authenticated sessions
from different ports.  This directive should be helpful in this case.

* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key.  This IP/subnet restriction can be
used to limit the IPs that may use the key in almost all situations where
a key is used.
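An ntp.conf and ntp.keys fragment that applies the three 4.2.8p11 protections against the Sybil/ephemeral-association attack described above (restrict ... noepeer, restrict ... ippeerlimit N, and the /subnetbits form of the ntp.keys 4th field). This is an added example, not configuration from the NTP Project's own documentation; the key id, key string, 192.0.2.0/24 addresses and example.net hostnames are constructed placeholders. Because 4.2.8p12 (Sec 3012, above) closed a hole in p11's noepeer processing, this configuration assumes p12 or later.

```conf
# ---- /etc/ntp.conf (added example; addresses and key id are constructed) ----
keys /etc/ntp.keys
trustedkey 10

# Default policy for everyone: no mode 6/7 queries, no remote reconfiguration,
# and (new in 4.2.8p11) no ephemeral/passive peer associations at all.
restrict default kod limited nomodify notrap nopeer noquery noepeer
restrict -6 default kod limited nomodify notrap nopeer noquery noepeer
restrict 127.0.0.1
restrict ::1

# The one subnet allowed to form symmetric associations with this host.
# Without ippeerlimit the default is -1 (unlimited): a single compromised
# host holding key 10 could open many authenticated associations from
# different source ports and outvote the other sources.  ippeerlimit 1
# caps it at one association per IP.  Explicitly configured associations
# (the 'peer' line below) are not counted against the limit.  ippeerlimit
# is given directly after the address/mask, before the flag list.
restrict 192.0.2.0 mask 255.255.255.0 ippeerlimit 1 kod limited nomodify notrap noquery

# Explicitly configured, authenticated peer; not subject to noepeer/ippeerlimit.
peer 192.0.2.10 key 10 iburst

# Enough independent sources that no single peer can win the clock selection.
server ntp1.example.net iburst
server ntp2.example.net iburst
server ntp3.example.net iburst

# ---- /etc/ntp.keys (added example; the key string is a placeholder) ----
# keyno  type  key                    4th field: IPs/subnets that may use this key
# Before 4.2.8p11 the 4th field took single IPs only; the /24 form restricts
# key 10 to the whole 192.0.2.0/24 subnet in one entry.
10       MD5   CHANGE_ME_example_key  192.0.2.0/24
```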

--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3389 / CVE-2017-6464 / VU#325339
   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	A vulnerability found in the NTP server makes it possible for an
	authenticated remote user to crash ntpd via a malformed mode
	configuration directive.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
	    the NTP Public Services Project Download Page.
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3388 / CVE-2017-6462 / VU#325339
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	There is a potential for a buffer overflow in the legacy Datum
	Programmable Time Server refclock driver.  Here the packets are
	processed from the /dev/datum device and handled in
	datum_pts_receive().  Since an attacker would be required to
	somehow control a malicious /dev/datum device, this does not
	appear to be a practical attack and renders this issue "Low" in
	terms of severity.
   Mitigation:
	If you have a Datum reference clock installed and think somebody
	    may maliciously change the device, upgrade to 4.2.8p10, or
	    later, from the NTP Project Download Page or the NTP Public
	    Services Project Download Page.
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3387 / CVE-2017-6463 / VU#325339
   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	A vulnerability found in the NTP server allows an authenticated
	remote attacker to crash the daemon by sending an invalid setting
	via the :config directive.  The unpeer option expects a number or
	an address as an argument.  In case the value is "0", a
	segmentation fault occurs.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
   Date Resolved: 21 Mar 2017
   References: Sec 3386
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
   Summary:
	The NTP Mode 6 monitoring and control client, ntpq, uses the
	function ntpq_stripquotes() to remove quotes and escape characters
	from a given string.  According to the documentation, the function
	is supposed to return the number of copied bytes but due to
	incorrect pointer usage this value is always zero.  Although the
	return value of this function is never used in the code, this
	flaw could lead to a vulnerability in the future.  Since relying
	on wrong return values when performing memory operations is a
	dangerous practice, it is recommended to return the correct value
	in accordance with the documentation pertinent to the code.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
   Date Resolved: 21 Mar 2017
   References: Sec 3385
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   Summary:
	NTP makes use of several wrappers around the standard heap memory
	allocation functions that are provided by libc.  This is mainly
	done to introduce additional safety checks concentrated on
	several goals.  First, they seek to ensure that memory is not
	accidentally freed, secondly they verify that a correct amount
	is always allocated and, thirdly, that allocation failures are
	correctly handled.  There is an additional implementation for
	scenarios where memory for a specific amount of items of the
	same size needs to be allocated.  The handling can be found in
	the oreallocarray() function for which a further number-of-elements
	parameter needs to be provided.  Although no considerable threat
	was identified as tied to a lack of use of this function, it is
	recommended to correctly apply oreallocarray() as a preferred
	option across all of the locations where it is possible.
   Mitigation:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
	PPSAPI ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3384 / CVE-2017-6455 / VU#325339
   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
	including ntp-4.3.94.
   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	The Windows NT port has the added capability to preload DLLs
	defined in the inherited global local environment variable
	PPSAPI_DLLS.  The code contained within those libraries is then
	called from the NTPD service, usually running with elevated
	privileges. Depending on how securely the machine is set up and
	configured, if ntpd is configured to use the PPSAPI under Windows
	this can easily lead to a code injection.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
	installer ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3383 / CVE-2017-6452 / VU#325339
   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
	to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	The Windows installer for NTP calls strcat(), blindly appending
	the string passed to the stack buffer in the addSourceToRegistry()
	function.  The stack buffer is 70 bytes smaller than the buffer
	in the calling main() function.  Together with the initially
	copied Registry path, the combination causes a stack buffer
	overflow and effectively overwrites the stack frame.  The
	passed application path is actually limited to 256 bytes by the
	operating system, but this is not sufficient to assure that the
	affected stack buffer is consistently protected against
	overflowing at all times.
   Mitigation:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
	installer ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3382 / CVE-2017-6459 / VU#325339
   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
	up to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	The Windows installer for NTP calls strcpy() with an argument
	that specifically contains multiple null bytes.  strcpy() only
    590 	copies a single terminating null character into the target
    591 	buffer instead of copying the required double null bytes in the
    592 	addKeysToRegistry() function.  As a consequence, a garbage
    593 	registry entry can be created.  The additional arsize parameter
    594 	is erroneously set to contain two null bytes and the following
    595 	call to RegSetValueEx() claims to be passing in a multi-string
    596 	value, though this may not be true.
    597    Mitigation:
    598 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    599 	    or the NTP Public Services Project Download Page 
    600    Credit:
    601 	This weakness was discovered by Cure53. 
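
As an added illustration of the NTP-01-007 defect (example code written for these notes, not the installer's own addKeysToRegistry() code), the block below contrasts a strcpy() copy of a double-NUL-terminated multi-string with a size-aware memcpy(). SAMPLE_MS and every function name are constructed for the demonstration, and the registry call itself is left out so the code runs anywhere.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample multi-string: two elements, each NUL-terminated, plus
 * the extra terminating NUL the string literal supplies. 17 bytes total. */
static const char SAMPLE_MS[] = "Application\0NTP\0";

/* Byte size of a double-NUL-terminated multi-string (REG_MULTI_SZ layout):
 * every element including its NUL, plus the final extra NUL. */
size_t multi_sz_size(const char *ms)
{
    size_t total = 0;
    while (ms[total] != '\0')               /* an empty element marks the end */
        total += strlen(ms + total) + 1;
    return total + 1;
}

/* True if the last two bytes of an n-byte blob are both NUL, the minimum
 * needed for the registry to treat the value as a well-formed multi-string. */
int multi_sz_well_formed(const char *buf, size_t n)
{
    return n >= 2 && buf[n - 1] == '\0' && buf[n - 2] == '\0';
}

/* The pattern the advisory describes: strcpy() stops at the FIRST NUL, so
 * only the first element and one terminator reach dst. The rest of dst is
 * poisoned with 0xAA here to make visible that no second NUL was written.
 * Returns the number of bytes actually copied. */
size_t copy_multi_sz_strcpy(char *dst, size_t cap, const char *ms)
{
    size_t first = strlen(ms) + 1;
    if (first > cap)
        return 0;
    memset(dst, 0xAA, cap);
    strcpy(dst, ms);
    return first;                           /* 12 for SAMPLE_MS, not 17 */
}

/* Correct copy: measure the whole multi-string and move it with memcpy(),
 * which does not care about embedded NULs. Returns the byte count that must
 * also be reported as the value size, or 0 if the data does not fit. */
size_t copy_multi_sz(char *dst, size_t cap, const char *ms)
{
    size_t n = multi_sz_size(ms);
    if (n > cap)
        return 0;
    memcpy(dst, ms, n);
    return n;
}
```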
    602 
    603 * NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
    604    References: Sec 3381
    605    Summary:
    606 	The report says: Statically included external projects
    607 	potentially introduce several problems and the issue of having
    608 	extensive amounts of code that is "dead" in the resulting binary
    609 	must clearly be pointed out.  The unnecessary unused code may or
    610 	may not contain bugs and, quite possibly, might be leveraged for
    611 	code-gadget-based branch-flow redirection exploits.  Analogically,
    612 	having source trees statically included as well means a failure
    613 	in taking advantage of the free feature for periodical updates.
    614 	This solution is offered by the system's Package Manager. The
    615 	three libraries identified are libisc, libevent, and libopts.
    616    Resolution:
    617 	For libisc, we already only use a portion of the original library.
    618 	We've found and fixed bugs in the original implementation (and
    619 	offered the patches to ISC), and plan to see what has changed
    620 	since we last upgraded the code.  libisc is generally not
    621 	installed, and when it is we usually only see the static libisc.a
    622 	file installed.  Until we know for sure that the bugs we've found
    623 	and fixed are fixed upstream, we're better off with the copy we
    624 	are using.
    625 
    626         Version 1 of libevent was the only production version available
    627 	until recently, and we've been requiring version 2 for a long time.
    628 	But if the build system has at least version 2 of libevent
    629 	installed, we'll use the version that is installed on the system.
    630 	Otherwise, we provide a copy of libevent that we know works.
    631 
    632         libopts is provided by GNU AutoGen, and that library and package
    633 	undergoes frequent API version updates.  The version of autogen
    634 	used to generate the tables for the code must match the API
    635 	version in libopts.  AutoGen can be ... difficult to build and
    636 	install, and very few developers really need it.  So we have it
    637 	on our build and development machines, and we provide the
    638 	specific version of the libopts code in the distribution to make
    639 	sure that the proper API version of libopts is available.
    640 
    641         As for the point about there being code in these libraries that
    642 	NTP doesn't use, OK.  But other packages used these libraries as
    643 	well, and it is reasonable to assume that other people are paying
    644 	attention to security and code quality issues for the overall
    645 	libraries.  It takes significant resources to analyze and
    646 	customize these libraries to only include what we need, and to
    647 	date we believe the cost of this effort does not justify the benefit. 
    648    Credit:
    649 	This issue was discovered by Cure53. 
    650 
    651 * NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
    652    Date Resolved: 21 Mar 2017
    653    References: Sec 3380
    654    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    655 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    656    CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
    657    CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
    658    Summary:
    659 	There is a fencepost error in a "recovery branch" of the code for
    660 	the Oncore GPS receiver if the communication link to the ONCORE
    661 	is weak / distorted and the decoding doesn't work.
    662    Mitigation:
    663         Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    664 	    the NTP Public Services Project Download Page
    665         Properly monitor your ntpd instances, and auto-restart
    666 	    ntpd (without -g) if it stops running. 
    667    Credit:
    668 	This weakness was discovered by Cure53. 
    669 
    670 * NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
    671    Date Resolved: 21 Mar 2017
    672    References: Sec 3379 / CVE-2017-6458 / VU#325339
    673    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    674 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    675    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
    676    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    677    Summary:
    678 	ntpd makes use of different wrappers around ctl_putdata() to
    679 	create name/value ntpq (mode 6) response strings.  For example,
    680 	ctl_putstr() is usually used to send string data (variable names
    681 	or string data).  The formatting code was missing a length check
    682 	for variable names.  If somebody explicitly created any unusually
    683 	long variable names in ntpd (longer than 200-512 bytes, depending
    684 	on the type of variable), then if any of these variables are
    685 	added to the response list it would overflow a buffer.
    686    Mitigation:
    687 	Implement BCP-38.
    688 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    689 	    or the NTP Public Services Project Download Page
    690 	If you don't want to upgrade, then don't setvar variable names
    691 	    longer than 200-512 bytes in your ntp.conf file.
    692 	Properly monitor your ntpd instances, and auto-restart
    693 	    ntpd (without -g) if it stops running. 
    694    Credit:
    695 	This weakness was discovered by Cure53. 
    696 
    697 * NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
    698    Date Resolved: 21 Mar 2017
    699    References: Sec 3378 / CVE-2017-6451 / VU#325339
    700    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    701 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    702    CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
    703    CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
    704    Summary:
    705 	The legacy MX4200 refclock is only built if it is specifically
    706 	enabled, and furthermore additional code changes are required to
    707 	compile and use it.  But it uses the libc functions snprintf()
    708 	and vsnprintf() incorrectly, which can lead to an out-of-bounds
    709 	memory write due to an improper handling of the return value of
    710 	snprintf()/vsnprintf().  Since the return value is used as an
    711 	iterator and it can be larger than the buffer's size, it is
    712 	possible for the iterator to point somewhere outside of the
    713 	allocated buffer space.  This results in an out-of-bound memory
    714 	write.  This behavior can be leveraged to overwrite a saved
    715 	instruction pointer on the stack and gain control over the
    716 	execution flow.  During testing it was not possible to identify
    717 	any malicious usage for this vulnerability.  Specifically, no
    718 	way for an attacker to exploit this vulnerability was ultimately
    719 	unveiled.  However, it has the potential to be exploited, so the
    720 	code should be fixed.
    721    Mitigation, if you have a Magnavox MX4200 refclock:
    722 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    723 	    or the NTP Public Services Project Download Page.
    724 	Properly monitor your ntpd instances, and auto-restart
    725 	    ntpd (without -g) if it stops running. 
    726    Credit:
    727 	This weakness was discovered by Cure53. 
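
The bounded-append helper below is an added example, not code from the MX4200 driver or from the ctl_put*() functions; it serves both NTP-01-004 (missing length check on variable names) and NTP-01-003 (snprintf() return value used as a cursor). OUT_CAP, naive_cursor_after(), naive_remaining_underflows(), bounded_append() and build_line() are constructed names, and the line format is invented rather than the MX4200 wire protocol.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 16   /* deliberately small constructed buffer size */

/* The unsafe pattern the advisory describes: snprintf() returns the length
 * the full output WOULD have had, so after truncation a cursor advanced by
 * that value points past the end of the buffer. This helper only returns
 * what such a cursor would be; it never writes through it. */
size_t naive_cursor_after(const char *s)
{
    char buf[OUT_CAP];
    int n = snprintf(buf, sizeof buf, "%s", s);
    return n < 0 ? 0 : (size_t)n;    /* can exceed OUT_CAP */
}

/* A naive "cap - cursor" for the next call underflows in size_t once the
 * cursor passed cap, so the following snprintf() receives a length that no
 * longer protects the buffer. */
int naive_remaining_underflows(size_t cursor)
{
    return cursor > OUT_CAP;         /* OUT_CAP - cursor would wrap */
}

/* Bounded append: the cursor never passes cap - 1, truncation is reported,
 * and the output is always NUL-terminated. Returns 0 on success, -1 if the
 * text did not fit (the buffer then holds as much as fit). */
int bounded_append(char *buf, size_t cap, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t room;

    if (cap == 0 || *pos >= cap)
        return -1;
    room = cap - *pos;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, room, fmt, ap);
    va_end(ap);
    if (n < 0) {                     /* encoding error: keep buffer terminated */
        buf[*pos] = '\0';
        return -1;
    }
    if ((size_t)n >= room) {         /* truncated: clamp cursor at the NUL */
        *pos = cap - 1;
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Assemble a two-part line (constructed format): a keyword and a numeric
 * field. Both parts go through the bounded append, so an oversized keyword
 * yields -1 instead of a write beyond the caller's buffer. */
int build_line(char *out, size_t cap, const char *keyword, int value)
{
    size_t pos = 0;
    if (bounded_append(out, cap, &pos, "%s,", keyword) != 0)
        return -1;
    return bounded_append(out, cap, &pos, "%d\r\n", value);
}
```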
    728 
    729 * NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
    730 	malicious ntpd (Medium)
    731    Date Resolved: 21 Mar 2017
    732    References: Sec 3377 / CVE-2017-6460 / VU#325339
    733    Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
    734 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    735    CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
    736    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    737    Summary:
    738 	A stack buffer overflow in ntpq can be triggered by a malicious
    739 	ntpd server when ntpq requests the restriction list from the server.
    740 	This is due to a missing length check in the reslist() function.
    741 	It occurs whenever the function parses the server's response and
    742 	encounters a flagstr variable of an excessive length.  The string
    743 	will be copied into a fixed-size buffer, leading to an overflow on
    744 	the function's stack-frame.  Note well that this problem requires
    745 	a malicious server, and affects ntpq, not ntpd.
    746    Mitigation:
    747 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    748 	    or the NTP Public Services Project Download Page
    749 	If you can't upgrade your version of ntpq and you want to know
    750 	    the reslist of an ntpd instance that you do not control, be
    751 	    aware that a malicious ntpd can send back a response intended
    752 	    to crash your ntpq process.
    753    Credit:
    754 	This weakness was discovered by Cure53. 
    755 
    756 * NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
    757    Date Resolved: 21 Mar 2017
    758    References: Sec 3376
    759    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    760 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    761    CVSS2: N/A
    762    CVSS3: N/A
    763    Summary:
    764 	The build process for NTP has not, by default, provided compile
    765 	or link flags to offer "hardened" security options.  Package
    766 	maintainers have always been able to provide hardening security
    767 	flags for their builds.  As of ntp-4.2.8p10, the NTP build
    768 	system has a way to provide OS-specific hardening flags.  Please
    769 	note that this is still not a really great solution because it
    770 	is specific to NTP builds.  It's inefficient to have every
    771 	package supply, track and maintain this information for every
    772 	target build.  It would be much better if there was a common way
    773 	for OSes to provide this information in a way that arbitrary
    774 	packages could benefit from it.
    775    Mitigation:
    776 	Implement BCP-38.
    777 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    778 	    or the NTP Public Services Project Download Page
    779 	Properly monitor your ntpd instances, and auto-restart
    780 	    ntpd (without -g) if it stops running. 
    781    Credit:
    782 	This weakness was reported by Cure53. 
    783 
    784 * 0rigin DoS (Medium)
    785    Date Resolved: 21 Mar 2017
    786    References: Sec 3361 / CVE-2016-9042 / VU#325339
    787    Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
    788    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
    789    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
    790    Summary:
    791 	An exploitable denial of service vulnerability exists in the
    792 	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
    793 	crafted unauthenticated network packet can be used to reset the
    794 	expected origin timestamp for target peers.  Legitimate replies
    795 	from targeted peers will fail the origin timestamp check (TEST2)
    796 	causing the reply to be dropped and creating a denial of service
    797 	condition.  This vulnerability can only be exploited if the
    798 	attacker can spoof all of the servers.
    799    Mitigation:
    800 	Implement BCP-38.
    801 	Configure enough servers/peers that an attacker cannot target
    802 	    all of your time sources.
    803 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    804 	    or the NTP Public Services Project Download Page
    805 	Properly monitor your ntpd instances, and auto-restart
    806 	    ntpd (without -g) if it stops running. 
    807    Credit:
    808 	This weakness was discovered by Matthew Van Gundy of Cisco. 
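
To make the TEST2 mechanism concrete, here is a simplified client-side origin check written for these notes, not ntpd's own code. It assumes the standard 48-byte NTPv4 header layout (origin timestamp at offset 24, transmit timestamp at offset 40) and constructs its own sample packets; the struct and function names are invented. It demonstrates the invariant the advisory is about: a reply that fails TEST2 is dropped without touching the expected origin, so it cannot cause the genuine reply to be rejected.

```c
#include <stdint.h>
#include <string.h>

#define NTP_PKT_LEN 48          /* NTPv4 header without extension fields */
#define OFF_ORG 24              /* origin timestamp offset in the header */
#define OFF_XMT 40              /* transmit timestamp offset */

/* Simplified client-side association state (constructed for this note). */
struct assoc {
    uint64_t org;               /* xmt of our outstanding request, 0 = none */
    uint64_t last_server_xmt;   /* transmit timestamp of the last accepted reply */
    unsigned test2_drops;       /* TEST2 failures; a burst is worth an alert */
};

static uint64_t get_ts(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void put_ts(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) {
        p[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
}

/* Build a mode 3 (client) request; its transmit timestamp becomes the
 * origin we expect the server to echo back. */
void build_request(struct assoc *a, uint8_t pkt[NTP_PKT_LEN], uint64_t xmt)
{
    memset(pkt, 0, NTP_PKT_LEN);
    pkt[0] = (0u << 6) | (4u << 3) | 3u;   /* LI=0, VN=4, mode=3 */
    put_ts(pkt + OFF_XMT, xmt);
    a->org = xmt;
}

/* Build a mode 4 (server) reply carrying the given origin timestamp. Used
 * only to construct sample input for the check below. */
void build_reply(uint8_t pkt[NTP_PKT_LEN], uint64_t org, uint64_t xmt)
{
    memset(pkt, 0, NTP_PKT_LEN);
    pkt[0] = (0u << 6) | (4u << 3) | 4u;   /* LI=0, VN=4, mode=4 */
    put_ts(pkt + OFF_ORG, org);
    put_ts(pkt + OFF_XMT, xmt);
}

/* TEST2: accept a reply only if its origin equals the xmt of our own
 * outstanding request. Returns 1 if accepted, 0 if dropped. A failing
 * packet only bumps the drop counter and never replaces the expected
 * origin. An accepted reply consumes the origin, so a replay of the same
 * reply fails as well. */
int process_reply(struct assoc *a, const uint8_t pkt[NTP_PKT_LEN])
{
    uint64_t org;

    if ((pkt[0] & 7u) != 4u)               /* not a server reply */
        return 0;
    org = get_ts(pkt + OFF_ORG);
    if (a->org == 0 || org != a->org) {    /* zero or mismatched origin */
        a->test2_drops++;
        return 0;
    }
    a->last_server_xmt = get_ts(pkt + OFF_XMT);
    a->org = 0;                            /* consumed; await next request */
    return 1;
}
```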
    809 
    810 Other fixes:
    811 
    812 * [Bug 3393] clang scan-build findings <perlinger (a] ntp.org>
    813 * [Bug 3363] Support for openssl-1.1.0 without compatibility modes
    814   - rework of patch set from <ntp.org (a] eroen.eu>. <perlinger (a] ntp.org>
    815 * [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger (a] ntp.org>
    816 * [Bug 3216] libntp audio ioctl() args incorrectly cast to int
    817   on 4.4BSD-Lite derived platforms <perlinger (a] ntp.org>
    818   - original patch by Majdi S. Abbas
    819 * [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger (a] ntp.org>
    820 * [Bug 3173] forking async worker: interrupted pipe I/O <perlinger (a] ntp.org>
    821   - initial patch by Christos Zoulas
    822 * [Bug 3139] (...) time_pps_create: Exec format error <perlinger (a] ntp.org>
    823   - move loader API from 'inline' to proper source
    824   - augment pathless dlls with absolute path to NTPD
    825   - use 'msyslog()' instead of 'printf()' for reporting trouble
    826 * [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger (a] ntp.org>
    827   - applied patch by Matthew Van Gundy
    828 * [Bug 3065] Quiet warnings on NetBSD <perlinger (a] ntp.org>
    829   - applied some of the patches provided by Havard. Not all of them
    830     still match the current code base, and I did not touch libopt.
    831 * [Bug 3062] Change the process name of forked DNS worker <perlinger (a] ntp.org>
    832   - applied patch by Reinhard Max. See bugzilla for limitations.
    833 * [Bug 2923] Trap Configuration Fail <perlinger (a] ntp.org>
    834   - fixed dependency inversion from [Bug 2837]
    835 * [Bug 2896] Nothing happens if minsane < maxclock < minclock
    836   - produce ERROR log message about dysfunctional daemon. <perlinger (a] ntp.org>
    837 * [Bug 2851] allow -4/-6 on restrict line with mask <perlinger (a] ntp.org>
    838   - applied patch by Miroslav Lichvar for ntp4.2.6 compat
    839 * [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
    840   - Fixed these and some more locations of this pattern.
    841     Probably didn't get them all, though. <perlinger (a] ntp.org>
    842 * Update copyright year.
    843 
    844 --
    845 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn (a] ntp.org>
    846 
    847 * [Bug 3144] NTP does not build without openSSL. <perlinger (a] ntp.org>
    848   - added missed changeset for automatic openssl lib detection
    849   - fixed some minor warning issues
    850 * [Bug 3095]  More compatibility with openssl 1.1. <perlinger (a] ntp.org>
    851 * configure.ac cleanup.  stenn (a] ntp.org
    852 * openssl configure cleanup.  stenn (a] ntp.org
    853 
    854 --
    855 NTP 4.2.8p9 (Harlan Stenn <stenn (a] ntp.org>, 2016/11/21) 
    856 
    857 Focus: Security, Bug fixes, enhancements.
    858 
    859 Severity: HIGH
    860 
    861 In addition to bug fixes and enhancements, this release fixes the
    862 following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
    863 5 low-severity vulnerabilities, and provides 28 other non-security
    864 fixes and improvements:
    865 
    866 * Trap crash
    867    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    868    References: Sec 3119 / CVE-2016-9311 / VU#633847
    869    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    870 	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
    871    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
    872    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
    873    Summary: 
    874 	ntpd does not enable trap service by default. If trap service
    875 	has been explicitly enabled, an attacker can send a specially
    876 	crafted packet to cause a null pointer dereference that will
    877 	crash ntpd, resulting in a denial of service. 
    878    Mitigation:
    879         Implement BCP-38.
    880 	Use "restrict default noquery ..." in your ntp.conf file. Only
    881 	    allow mode 6 queries from trusted networks and hosts. 
    882         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    883 	    or the NTP Public Services Project Download Page
    884         Properly monitor your ntpd instances, and auto-restart ntpd
    885 	    (without -g) if it stops running. 
    886    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
    887 
    888 * Mode 6 information disclosure and DDoS vector
    889    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    890    References: Sec 3118 / CVE-2016-9310 / VU#633847
    891    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    892 	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
    893    CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
    894    CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    895    Summary: 
    896 	An exploitable configuration modification vulnerability exists
    897 	in the control mode (mode 6) functionality of ntpd. If, against
    898 	long-standing BCP recommendations, "restrict default noquery ..."
    899 	is not specified, a specially crafted control mode packet can set
    900 	ntpd traps, providing information disclosure and DDoS
    901 	amplification, and unset ntpd traps, disabling legitimate
    902 	monitoring. A remote, unauthenticated, network attacker can
    903 	trigger this vulnerability. 
    904    Mitigation:
    905         Implement BCP-38.
    906 	Use "restrict default noquery ..." in your ntp.conf file.
    907         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    908 	    or the NTP Public Services Project Download Page
    909         Properly monitor your ntpd instances, and auto-restart ntpd
    910 	    (without -g) if it stops running. 
    911    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
    912 
    913 * Broadcast Mode Replay Prevention DoS
    914    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    915    References: Sec 3114 / CVE-2016-7427 / VU#633847
    916    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 
    917 	ntp-4.3.90 up to, but not including ntp-4.3.94.
    918    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
    919    CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    920    Summary: 
    921 	The broadcast mode of NTP is expected to only be used in a
    922 	trusted network. If the broadcast network is accessible to an
    923 	attacker, a potentially exploitable denial of service
    924 	vulnerability in ntpd's broadcast mode replay prevention
    925 	functionality can be abused. An attacker with access to the NTP
    926 	broadcast domain can periodically inject specially crafted
    927 	broadcast mode NTP packets into the broadcast domain which,
    928 	while being logged by ntpd, can cause ntpd to reject broadcast
    929 	mode packets from legitimate NTP broadcast servers. 
    930    Mitigation:
    931         Implement BCP-38.
    932         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    933 	    or the NTP Public Services Project Download Page
    934         Properly monitor your ntpd instances, and auto-restart ntpd
    935 	    (without -g) if it stops running. 
    936    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
    937 
    938 * Broadcast Mode Poll Interval Enforcement DoS
    939    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    940    References: Sec 3113 / CVE-2016-7428 / VU#633847
    941    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    942 	ntp-4.3.90 up to, but not including ntp-4.3.94
    943    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
    944    CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    945    Summary: 
    946 	The broadcast mode of NTP is expected to only be used in a
    947 	trusted network. If the broadcast network is accessible to an
    948 	attacker, a potentially exploitable denial of service
    949 	vulnerability in ntpd's broadcast mode poll interval enforcement
    950 	functionality can be abused. To limit abuse, ntpd restricts the
    951 	rate at which each broadcast association will process incoming
    952 	packets. ntpd will reject broadcast mode packets that arrive
    953 	before the poll interval specified in the preceding broadcast
    954 	packet expires. An attacker with access to the NTP broadcast
    955 	domain can send specially crafted broadcast mode NTP packets to
    956 	the broadcast domain which, while being logged by ntpd, will
    957 	cause ntpd to reject broadcast mode packets from legitimate NTP
    958 	broadcast servers. 
    959    Mitigation:
    960         Implement BCP-38.
    961         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    962 	    or the NTP Public Services Project Download Page
    963         Properly monitor your ntpd instances, and auto-restart ntpd
    964 	    (without -g) if it stops running. 
    965    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
    966 
    967 * Windows: ntpd DoS by oversized UDP packet
    968    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    969    References: Sec 3110 / CVE-2016-9312 / VU#633847
    970    Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    971 	and ntp-4.3.0 up to, but not including ntp-4.3.94. 
    972    CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
    973    CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    974    Summary: 
    975 	If a vulnerable instance of ntpd on Windows receives a crafted
    976 	malicious packet that is "too big", ntpd will stop working. 
    977    Mitigation:
    978         Implement BCP-38.
    979         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    980 	    or the NTP Public Services Project Download Page
    981         Properly monitor your ntpd instances, and auto-restart ntpd
    982 	    (without -g) if it stops running. 
    983    Credit: This weakness was discovered by Robert Pajak of ABB.
    984 
    985 * 0rigin (zero origin) issues
    986    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    987    References: Sec 3102 / CVE-2016-7431 / VU#633847
    988    Affects: ntp-4.2.8p8, and ntp-4.3.93.
    989    CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
    990    CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    991    Summary: 
    992 	Zero Origin timestamp problems were fixed by Bug 2945 in
    993 	ntp-4.2.8p6. However, subsequent timestamp validation checks
    994 	introduced a regression in the handling of some Zero origin
    995 	timestamp checks.
    996    Mitigation:
    997         Implement BCP-38.
    998         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    999 	    or the NTP Public Services Project Download Page
   1000         Properly monitor your ntpd instances, and auto-restart ntpd
   1001 	    (without -g) if it stops running. 
   1002    Credit: This weakness was discovered by Sharon Goldberg and Aanchal
   1003 	Malhotra of Boston University.
   1004 
   1005 * read_mru_list() does inadequate incoming packet checks
   1006    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1007    References: Sec 3082 / CVE-2016-7434 / VU#633847
   1008    Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
   1009 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1010    CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   1011    CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1012    Summary: 
   1013 	If ntpd is configured to allow mrulist query requests from a
   1014 	server that sends a crafted malicious packet, ntpd will crash
   1015 	on receipt of that crafted malicious mrulist query packet.
   1016    Mitigation:
   1017 	Only allow mrulist query packets from trusted hosts.
   1018         Implement BCP-38.
   1019         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1020 	    or the NTP Public Services Project Download Page
   1021         Properly monitor your ntpd instances, and auto-restart ntpd
   1022 	    (without -g) if it stops running. 
   1023    Credit: This weakness was discovered by Magnus Stubman.
   1024 
   1025 * Attack on interface selection
   1026    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1027    References: Sec 3072 / CVE-2016-7429 / VU#633847
   1028    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   1029 	ntp-4.3.0 up to, but not including ntp-4.3.94
   1030    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1031    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1032    Summary: 
   1033 	When ntpd receives a server response on a socket that corresponds
   1034 	to a different interface than was used for the request, the peer
   1035 	structure is updated to use the interface for new requests. If
   1036 	ntpd is running on a host with multiple interfaces in separate
   1037 	networks and the operating system doesn't check source address in
   1038 	received packets (e.g. rp_filter on Linux is set to 0), an
   1039 	attacker that knows the address of the source can send a packet
   1040 	with a spoofed source address which will cause ntpd to select the wrong
   1041 	interface for the source and prevent it from sending new requests
   1042 	until the list of interfaces is refreshed, which happens on
   1043 	routing changes or every 5 minutes by default. If the attack is
   1044 	repeated often enough (once per second), ntpd will not be able to
   1045 	synchronize with the source.
   1046    Mitigation:
   1047         Implement BCP-38.
   1048         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1049 	    or the NTP Public Services Project Download Page
   1050 	If you are going to configure your OS to disable source address
   1051 	    checks, also configure your firewall configuration to control
   1052 	    what interfaces can receive packets from what networks.
   1053         Properly monitor your ntpd instances, and auto-restart ntpd
   1054 	    (without -g) if it stops running. 
   1055    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   1056 
   1057 * Client rate limiting and server responses
   1058    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1059    References: Sec 3071 / CVE-2016-7426 / VU#633847
   1060    Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
   1061 	ntp-4.3.0 up to, but not including ntp-4.3.94
   1062    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1063    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1064    Summary: 
   1065 	When ntpd is configured with rate limiting for all associations
   1066 	(restrict default limited in ntp.conf), the limits are applied
   1067 	also to responses received from its configured sources. An
   1068 	attacker who knows the sources (e.g., from an IPv4 refid in
   1069 	server response) and knows the system is (mis)configured in this
   1070 	way can periodically send packets with spoofed source address to
   1071 	keep the rate limiting activated and prevent ntpd from accepting
   1072 	valid responses from its sources. 
   1073 
   1074 	While this blanket rate limiting can be useful to prevent
   1075 	brute-force attacks on the origin timestamp, it allows this DoS
   1076 	attack. Similarly, it allows the attacker to prevent mobilization
   1077 	of ephemeral associations.  
   1078    Mitigation:
   1079         Implement BCP-38.
   1080         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1081 	    or the NTP Public Services Project Download Page
   1082         Properly monitor your ntpd instances, and auto-restart ntpd
   1083 	    (without -g) if it stops running. 
   1084    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   1085 
   1086 * Fix for bug 2085 broke initial sync calculations 
   1087    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1088    References: Sec 3067 / CVE-2016-7433 / VU#633847
   1089    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   1090 	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
   1091 	root-distance calculation in general is incorrect in all versions
   1092 	of ntp-4 until this release. 
   1093    CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
   1094    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
   1095    Summary: 
   1096 	Bug 2085 described a condition where the root delay was included
   1097 	twice, causing the jitter value to be higher than expected. Due
   1098 	to a misinterpretation of a small-print variable in The Book, the
   1099 	fix for this problem was incorrect, resulting in a root distance
   1100 	that did not include the peer dispersion. The calculations and
   1101 	formulae have been reviewed and reconciled, and the code has been
   1102 	updated accordingly. 
   1103    Mitigation:
   1104         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1105 	    or the NTP Public Services Project Download Page
   1106         Properly monitor your ntpd instances, and auto-restart ntpd
   1107 	    (without -g) if it stops running. 
   1108    Credit: This weakness was discovered independently by Brian Utterback of
   1109 	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University. 
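
As an added illustration (not ntpd's code), here is the root-distance sum of RFC 5905 written out term by term, next to the same sum with the peer-dispersion term missing, which is the omission this entry describes. Root distance feeds both the selection ranking and the distance threshold, so an undercounted value lets a source with stale or noisy samples outrank a better one. The names, constants and the two sample peers below are this example's own constructions.

```c
#include <stdio.h>

#define MINDISP 0.005   /* RFC 5905 minimum dispersion, seconds */
#define MAXDIST 1.0     /* RFC 5905 distance threshold, seconds */
#define PHI     15e-6   /* RFC 5905 frequency tolerance, s/s */

/* The per-peer quantities the formula reads, all in seconds. */
struct peer_dist {
    double rootdelay;   /* root delay the server reports */
    double rootdisp;    /* root dispersion the server reports */
    double delay;       /* round-trip delay we measured to the server */
    double disp;        /* peer dispersion accumulated by the clock filter */
    double jitter;      /* peer jitter */
    double age;         /* seconds since the last filter update */
};

/* RFC 5905 root distance: half the total round-trip delay plus every
 * dispersion term that bounds the error of the offset estimate. */
double root_dist(const struct peer_dist *p)
{
    double d = p->rootdelay + p->delay;
    if (d < MINDISP)
        d = MINDISP;
    return d / 2 + p->rootdisp + p->disp + PHI * p->age + p->jitter;
}

/* The same sum with the peer-dispersion term left out, the defect the
 * NEWS entry describes. This is a reconstruction for comparison only,
 * not ntpd's code at any version. */
double root_dist_without_disp(const struct peer_dist *p)
{
    double d = p->rootdelay + p->delay;
    if (d < MINDISP)
        d = MINDISP;
    return d / 2 + p->rootdisp + PHI * p->age + p->jitter;
}

/* 1 if the source passes the distance threshold, 0 if it is too far. */
int within_maxdist(double dist)
{
    return dist < MAXDIST;
}

/* 1 if a ranks ahead of b (smaller distance) under the given formula. */
int ranks_ahead(const struct peer_dist *a, const struct peer_dist *b,
                double (*dist)(const struct peer_dist *))
{
    return dist(a) < dist(b);
}

/* Constructed inputs. SAMPLE_B has a small delay but a large peer
 * dispersion, which is what a source with stale or noisy samples looks like. */
const struct peer_dist SAMPLE_A = { 0.020, 0.010, 0.010, 0.002, 0.001, 0.0 };
const struct peer_dist SAMPLE_B = { 0.010, 0.005, 0.008, 0.050, 0.001, 0.0 };

int main(void)
{
    printf("A: correct %.3f  without disp %.3f\n",
           root_dist(&SAMPLE_A), root_dist_without_disp(&SAMPLE_A));
    printf("B: correct %.3f  without disp %.3f\n",
           root_dist(&SAMPLE_B), root_dist_without_disp(&SAMPLE_B));
    printf("A ranks ahead of B: correct=%d  without disp=%d\n",
           ranks_ahead(&SAMPLE_A, &SAMPLE_B, root_dist),
           ranks_ahead(&SAMPLE_A, &SAMPLE_B, root_dist_without_disp));
    return 0;
}
```

With the full formula SAMPLE_A (0.028 s) ranks ahead of SAMPLE_B (0.065 s); with the peer dispersion dropped the order flips, because SAMPLE_B's 50 ms of dispersion simply vanishes from its score.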
   1110 
   1111 Other fixes:
   1112 
   1113 * [Bug 3142] bug in netmask prefix length detection <perlinger (a] ntp.org>
   1114 * [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn (a] ntp.org
   1115 * [Bug 3129] Unknown hosts can put resolver thread into a hard loop
   1116   - moved retry decision where it belongs. <perlinger (a] ntp.org>
   1117 * [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
   1118   using the loopback-ppsapi-provider.dll <perlinger (a] ntp.org>
   1119 * [Bug 3116] unit tests for NTP time stamp expansion. <perlinger (a] ntp.org>
   1120 * [Bug 3100] ntpq can't retrieve daemon_version <perlinger (a] ntp.org>
   1121   - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
   1122 * [Bug 3095] Compatibility with openssl 1.1 <perlinger (a] ntp.org>
   1123   - applied patches by Kurt Roeckx <kurt (a] roeckx.be> to source
   1124   - added shim layer for SSL API calls with issues (both directions)
   1125 * [Bug 3089] Serial Parser does not work anymore for hopfser like device
   1126   - simplified / refactored hex-decoding in driver. <perlinger (a] ntp.org>
   1127 * [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
   1128 * [Bug 3068] Linker warnings when building on Solaris. perlinger (a] ntp.org
   1129   - applied patch thanks to Andrew Stormont <andyjstormont (a] gmail.com>
   1130 * [Bug 3067] Root distance calculation needs improvement.  HStenn
   1131 * [Bug 3066] NMEA clock ignores pps. perlinger (a] ntp.org
   1132   - PPS-HACK works again.
   1133 * [Bug 3059] Potential buffer overrun from oversized hash <perlinger (a] ntp.org>
   1134   - applied patch by Brian Utterback <brian.utterback (a] oracle.com>
   1135 * [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
   1136 * [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
   1137   <perlinger (a] ntp.org>
   1138   - patches by Reinhard Max <max (a] suse.com> and Havard Eidnes <he (a] uninett.no>
   1139 * [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe (a] ntp.org
   1140   - Patch provided by Kuramatsu.
   1141 * [Bug 3021] unity_fixture.c needs pragma weak <perlinger (a] ntp.org>
   1142   - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
   1143 * [Bug 3019] Windows: ERROR_HOST_UNREACHABLE blocks packet processing. DMayer
   1144 * [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
   1145 * [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
   1146 * [Bug 2959] refclock_jupiter: gps week correction <perlinger (a] ntp.org>
   1147   - fixed GPS week expansion to work based on build date. Special thanks
   1148     to Craig Leres for initial patch and testing.
   1149 * [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
   1150   - fixed Makefile.am <perlinger (a] ntp.org>
   1151 * [Bug 2689] ATOM driver processes last PPS pulse at startup,
   1152              even if it is very old <perlinger (a] ntp.org>
   1153   - make sure PPS source is alive before processing samples
   1154   - improve stability close to the 500ms phase jump (phase gate)
   1155 * Fix typos in include/ntp.h.
   1156 * Shim X509_get_signature_nid() if needed
   1157 * git author attribution cleanup
   1158 * bk ignore file cleanup
   1159 * remove locks in Windows IO, use rpc-like thread synchronisation instead
   1160 
   1161 ---
   1162 NTP 4.2.8p8 (Harlan Stenn <stenn (a] ntp.org>, 2016/06/02) 
   1163 
   1164 Focus: Security, Bug fixes, enhancements.
   1165 
   1166 Severity: HIGH
   1167 
   1168 In addition to bug fixes and enhancements, this release fixes the
   1169 following 1 high- and 4 low-severity vulnerabilities:
   1170 
   1171 * CRYPTO_NAK crash
   1172    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1173    References: Sec 3046 / CVE-2016-4957 / VU#321640
   1174    Affects: ntp-4.2.8p7, and ntp-4.3.92.
   1175    CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   1176    CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   1177    Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
   1178 	could cause ntpd to crash.
   1179    Mitigation:
   1180         Implement BCP-38.
   1181         Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1182 	    or the NTP Public Services Project Download Page
   1183         If you cannot upgrade from 4.2.8p7, the only other alternatives
   1184 	    are to patch your code or filter CRYPTO_NAK packets.
   1185         Properly monitor your ntpd instances, and auto-restart ntpd
   1186 	    (without -g) if it stops running. 
   1187    Credit: This weakness was discovered by Nicolas Edet of Cisco. 
   1188 
   1189 * Bad authentication demobilizes ephemeral associations
   1190    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1191    References: Sec 3045 / CVE-2016-4953 / VU#321640
   1192    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1193 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1194    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1195    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1196    Summary: An attacker who knows the origin timestamp and can send a
   1197 	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
   1198 	target before any other response is sent can demobilize that
   1199 	association.
   1200    Mitigation:
   1201 	Implement BCP-38.
   1202 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1203 	    or the NTP Public Services Project Download Page
   1204 	Properly monitor your ntpd instances. 
   1205    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   1206 
   1207 * Processing spoofed server packets
   1208    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1209    References: Sec 3044 / CVE-2016-4954 / VU#321640
   1210    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1211 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1212    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1213    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1214    Summary: An attacker who is able to spoof packets with correct origin
   1215 	timestamps from enough servers before the expected response
   1216 	packets arrive at the target machine can affect some peer
   1217 	variables and, for example, cause a false leap indication to be set.
   1218    Mitigation:
   1219 	Implement BCP-38.
   1220 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1221 	    or the NTP Public Services Project Download Page
   1222 	Properly monitor your ntpd instances. 
   1223    Credit: This weakness was discovered by Jakub Prokes of Red Hat. 
   1224 
   1225 * Autokey association reset
   1226    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1227    References: Sec 3043 / CVE-2016-4955 / VU#321640
   1228    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1229 	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1230    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1231    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1232    Summary: An attacker who is able to spoof a packet with a correct
   1233 	origin timestamp before the expected response packet arrives at
   1234 	the target machine can send a CRYPTO_NAK or a bad MAC and cause
   1235 	the association's peer variables to be cleared. If this can be
   1236 	done often enough, it will prevent that association from working.
   1237    Mitigation:
   1238 	Implement BCP-38.
   1239 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1240 	    or the NTP Public Services Project Download Page
   1241 	Properly monitor your ntpd instances. 
   1242    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   1243  
   1244 * Broadcast interleave
   1245    Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   1246    References: Sec 3042 / CVE-2016-4956 / VU#321640
   1247    Affects: ntp-4, up to but not including ntp-4.2.8p8, and
   1248    	ntp-4.3.0 up to, but not including ntp-4.3.93.
   1249    CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   1250    CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1251    Summary: The fix for NtpBug2978 does not cover broadcast associations,
   1252    	so broadcast clients can be triggered to flip into interleave mode.
   1253    Mitigation:
   1254 	Implement BCP-38.
   1255 	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
   1256 	    or the NTP Public Services Project Download Page
   1257 	Properly monitor your ntpd instances. 
   1258    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   1259 
   1260 Other fixes:
   1261 * [Bug 3038] NTP fails to build in VS2015. perlinger (a] ntp.org
   1262   - provide build environment
   1263   - 'wint_t' and 'struct timespec' defined by VS2015
   1264   - fixed print()/scanf() format issues
   1265 * [Bug 3052] Add a .gitignore file.  Edmund Wong.
   1266 * [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
   1267 * [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
   1268   JPerlinger, HStenn.
   1269 * Fix typo in ntp-wait and plot_summary.  HStenn.
   1270 * Make sure we have an "author" file for git imports.  HStenn.
   1271 * Update the sntp problem tests for MacOS.  HStenn.
   1272 
   1273 ---
   1274 NTP 4.2.8p7 (Harlan Stenn <stenn (a] ntp.org>, 2016/04/26) 
   1275 
   1276 Focus: Security, Bug fixes, enhancements.
   1277 
   1278 Severity: MEDIUM
   1279 
   1280 When building NTP from source, there is a new configure option
   1281 available, --enable-dynamic-interleave.  More information on this below.
   1282 
   1283 Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
   1284 versions of ntp.  These events have almost certainly happened in the
   1285 past, it's just that they were silently counted and not logged.  With
   1286 the increasing awareness around security, we feel it's better to clearly
   1287 log these events to help detect abusive behavior.  This increased
   1288 logging can also help detect other problems, too.
   1289 
   1290 In addition to bug fixes and enhancements, this release fixes the
   1291 following 9 low- and medium-severity vulnerabilities:
   1292 
   1293 * Improve NTP security against buffer comparison timing attacks,
   1294   AKA: authdecrypt-timing
   1295    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1296    References: Sec 2879 / CVE-2016-1550
   1297    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1298 	4.3.0 up to, but not including 4.3.92
   1299    CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
   1300    CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   1301    Summary: Packet authentication tests have been performed using
   1302 	memcmp() or possibly bcmp(), and it is potentially possible
   1303 	for a local or perhaps LAN-based attacker to send a packet with
   1304 	an authentication payload and indirectly observe how much of
   1305 	the digest has matched.
   1306    Mitigation:
   1307 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1308 	    or the NTP Public Services Project Download Page.
   1309 	Properly monitor your ntpd instances.
   1310    Credit: This weakness was discovered independently by Loganaden
   1311    	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
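
The comparison problem this entry describes, as an added example that is not ntpd's code: an early-exit byte compare of the kind memcmp() typically performs, next to a constant-time compare that reads every byte and derives its result without a data-dependent branch. The examined counter stands in for the timing signal an attacker would measure; the 16-byte digests are constructed. In production code the library form of the second function is what to reach for (OpenSSL's CRYPTO_memcmp(), for instance).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAC_LEN 16   /* MD5 digest length, the MAC size these releases usually carry */

/* Early-exit comparison, the behaviour memcmp() is commonly implemented
 * with: it stops at the first differing byte, so the time it takes grows
 * with the length of the matching prefix. *examined reports how many
 * bytes were read, standing in for the timing an attacker would measure. */
int mac_equal_leaky(const uint8_t *expected, const uint8_t *received,
                    size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (expected[i] != received[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: XOR every byte pair and OR the results
 * together, so all n bytes are read and no branch depends on the data.
 * The final 0/1 is derived arithmetically rather than with a compare. */
int mac_equal_ct(const uint8_t *expected, const uint8_t *received,
                 size_t n, size_t *examined)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint32_t)(expected[i] ^ received[i]);
    *examined = n;
    /* acc == 0 : acc - 1 wraps to 0xFFFFFFFF, top bit set -> 1
     * acc != 0 : acc - 1 is at most 0xFE, top bit clear -> 0 */
    return (int)((acc - 1u) >> 31);
}

/* Constructed digests: the forgery shares a 3-byte prefix with the real MAC. */
const uint8_t SAMPLE_MAC[MAC_LEN] = {
    0x9e, 0x10, 0x7d, 0x9d, 0x37, 0x2b, 0xb6, 0x82,
    0x6b, 0xd8, 0x1d, 0x35, 0x42, 0xa4, 0x19, 0xd6 };
const uint8_t SAMPLE_FORGERY[MAC_LEN] = {
    0x9e, 0x10, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    size_t seen = 0;
    int eq;

    eq = mac_equal_leaky(SAMPLE_MAC, SAMPLE_FORGERY, MAC_LEN, &seen);
    printf("leaky:         equal=%d bytes examined=%zu\n", eq, seen);
    eq = mac_equal_ct(SAMPLE_MAC, SAMPLE_FORGERY, MAC_LEN, &seen);
    printf("constant-time: equal=%d bytes examined=%zu\n", eq, seen);
    return 0;
}
```

Against the forgery the leaky compare reads 4 bytes and stops, so an attacker who can time the check learns that the first three guessed bytes were right; the constant-time compare reads all 16 whatever the input.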
   1312 
   1313 * Zero origin timestamp bypass: Additional KoD checks.
   1314    References: Sec 2945 / Sec 2901 / CVE-2015-8138
   1315    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   1316    Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.
   1317 
   1318 * peer associations were broken by the fix for NtpBug2899
   1319    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1320    References: Sec 2952 / CVE-2015-7704
   1321    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1322    	4.3.0 up to, but not including 4.3.92
   1323    CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   1324    Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
   1325    	associations did not address all of the issues.
   1326    Mitigation:
   1327         Implement BCP-38.
   1328         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1329 	    or the NTP Public Services Project Download Page
   1330         If you can't upgrade, use "server" associations instead of
   1331 	    "peer" associations.
   1332         Monitor your ntpd instances. 
   1333    Credit: This problem was discovered by Michael Tatarinov.
   1334 
   1335 * Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
   1336    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1337    References: Sec 3007 / CVE-2016-1547 / VU#718152
   1338    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1339 	4.3.0 up to, but not including 4.3.92
   1340    CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   1341    CVSS3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   1342    Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
   1343 	off-path attacker can cause a preemptable client association to
   1344 	be demobilized by sending a crypto NAK packet to a victim client
   1345 	with a spoofed source address of an existing associated peer.
   1346 	This is true even if authentication is enabled.
   1347 
   1348 	Furthermore, if the attacker keeps sending crypto NAK packets,
   1349 	for example one every second, the victim never has a chance to
   1350 	reestablish the association and synchronize time with that
   1351 	legitimate server.
   1352 
   1353 	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
   1354 	stringent checks are performed on incoming packets, but there
   1355 	are still ways to exploit this vulnerability in versions before
   1356 	ntp-4.2.8p7.
   1357    Mitigation:
   1358 	Implement BCP-38.
   1359 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1360 	    or the NTP Public Services Project Download Page
   1361 	Properly monitor your ntpd instances
   1362    Credit: This weakness was discovered by Stephen Gray and
   1363    	Matthew Van Gundy of Cisco ASIG.
   1364 
   1365 * ctl_getitem() return value not always checked
   1366    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1367    References: Sec 3008 / CVE-2016-2519
   1368    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1369 	4.3.0 up to, but not including 4.3.92
   1370    CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   1371    CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1372    Summary: ntpq and ntpdc can be used to store and retrieve information
   1373    	in ntpd. It is possible to store a data value that is larger
   1374 	than the size of the buffer that the ctl_getitem() function of
   1375 	ntpd uses to report the return value. If the length of the
   1376 	requested data value returned by ctl_getitem() is too large,
   1377 	the value NULL is returned instead. There are 2 cases where the
   1378 	return value from ctl_getitem() was not directly checked to make
   1379 	sure it's not NULL, but there are subsequent INSIST() checks
   1380 	that make sure the return value is not NULL. There are no data
   1381 	values ordinarily stored in ntpd that would exceed this buffer
   1382 	length. But if one has permission to store values and one stores
   1383 	a value that is "too large", then ntpd will abort if an attempt
   1384 	is made to read that oversized value.
   1385    Mitigation:
   1386         Implement BCP-38.
   1387         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1388 	    or the NTP Public Services Project Download Page
   1389         Properly monitor your ntpd instances.
   1390    Credit: This weakness was discovered by Yihan Lian of the Cloud
   1391    	Security Team, Qihoo 360.
   1392 
   1393 * Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC 
   1394    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1395    References: Sec 3009 / CVE-2016-2518 / VU#718152
   1396    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1397 	4.3.0 up to, but not including 4.3.92
   1398    CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
   1399    CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1400    Summary: Using a crafted packet to create a peer association with
   1401    	hmode > 7 causes the MATCH_ASSOC() lookup to make an
   1402 	out-of-bounds reference.
   1403    Mitigation:
   1404 	Implement BCP-38.
   1405 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1406 	    or the NTP Public Services Project Download Page
   1407 	Properly monitor your ntpd instances
   1408    Credit: This weakness was discovered by Yihan Lian of the Cloud
   1409    	Security Team, Qihoo 360.
   1410 
   1411 * remote configuration trustedkey/requestkey/controlkey values are not
   1412 	properly validated
   1413    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1414    References: Sec 3010 / CVE-2016-2517 / VU#718152
   1415    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1416 	4.3.0 up to, but not including 4.3.92
   1417    CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   1418    CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1419    Summary: If ntpd was expressly configured to allow for remote
   1420    	configuration, a malicious user who knows the controlkey for
   1421 	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
   1422 	can create a session with ntpd and then send a crafted packet to
   1423 	ntpd that will change the value of the trustedkey, controlkey,
   1424 	or requestkey to a value that will prevent any subsequent
   1425 	authentication with ntpd until ntpd is restarted.
   1426    Mitigation:
   1427 	Implement BCP-38.
   1428 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1429 	    or the NTP Public Services Project Download Page
   1430 	Properly monitor your ntpd instances
   1431    Credit: This weakness was discovered by Yihan Lian of the Cloud
   1432    	Security Team, Qihoo 360.
   1433 
   1434 * Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
   1435    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1436    References: Sec 3011 / CVE-2016-2516 / VU#718152
   1437    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1438    	4.3.0 up to, but not including 4.3.92
   1439    CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
   1440    CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1441    Summary: If ntpd was expressly configured to allow for remote
   1442    	configuration, a malicious user who knows the controlkey for
   1443 	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
   1444 	can create a session with ntpd and if an existing association is
   1445 	unconfigured using the same IP twice on the unconfig directive
   1446 	line, ntpd will abort.
   1447    Mitigation:
   1448 	Implement BCP-38.
   1449 	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1450 	    or the NTP Public Services Project Download Page
   1451 	Properly monitor your ntpd instances
   1452    Credit: This weakness was discovered by Yihan Lian of the Cloud
   1453    	Security Team, Qihoo 360.
   1454 
   1455 * Refclock impersonation vulnerability
   1456    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1457    References: Sec 3020 / CVE-2016-1551
   1458    Affects: On a very limited number of OSes, all NTP releases up to but
   1459 	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
   1460 	By "very limited number of OSes" we mean no general-purpose OSes
   1461 	have yet been identified that have this vulnerability.
   1462    CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
   1463    CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
   1464    Summary: While most OSes implement martian packet filtering in their
   1465    	network stack, at least regarding 127.0.0.0/8, some will allow
   1466 	packets claiming to be from 127.0.0.0/8 that arrive over a
   1467 	physical network. On these OSes, if ntpd is configured to use a
   1468 	reference clock an attacker can inject packets over the network
   1469 	that look like they are coming from that reference clock.
   1470    Mitigation:
   1471         Implement martian packet filtering and BCP-38.
   1472         Configure ntpd to use an adequate number of time sources.
   1473         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1474 	    or the NTP Public Services Project Download Page
   1475         If you are unable to upgrade and if you are running an OS that
   1476 	    has this vulnerability, implement martian packet filters and
   1477 	    lobby your OS vendor to fix this problem, or run your
   1478 	    refclocks on computers that use OSes that are not vulnerable
   1479 	    to these attacks and have your vulnerable machines get their
   1480 	    time from protected resources.
   1481         Properly monitor your ntpd instances.
   1482    Credit: This weakness was discovered by Matt Street and others of
   1483    	Cisco ASIG. 
   1484 
   1485 The following issues were fixed in earlier releases and contain
   1486 improvements in 4.2.8p7:
   1487 
   1488 * Clients that receive a KoD should validate the origin timestamp field.
   1489    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   1490    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   1491    Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
   1492 
   1493 * Skeleton key: passive server with trusted key can serve time.
   1494    References: Sec 2936 / CVE-2015-7974
   1495    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   1496    Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.90.
   1497 
   1498 Two other vulnerabilities have been reported, and the mitigations
   1499 for these are as follows:
   1500 
   1501 * Interleave-pivot
   1502    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1503    References: Sec 2978 / CVE-2016-1548
   1504    Affects: All ntp-4 releases.
   1505    CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   1506    CVSSv3: HIGH 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
   1507    Summary: It is possible to change the time of an ntpd client or deny
   1508    	service to an ntpd client by forcing it to change from basic
   1509 	client/server mode to interleaved symmetric mode. An attacker
   1510 	can spoof a packet from a legitimate ntpd server with an origin
   1511 	timestamp that matches the peer->dst timestamp recorded for that
   1512 	server. After making this switch, the client will reject all
   1513 	future legitimate server responses. It is possible to force the
   1514 	victim client to move time after the mode has been changed.
   1515 	ntpq gives no indication that the mode has been switched.
   1516    Mitigation:
   1517         Implement BCP-38.
   1518         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1519 	    or the NTP Public Services Project Download Page.  These
   1520 	    versions will not dynamically "flip" into interleave mode
   1521 	    unless configured to do so.
   1522         Properly monitor your ntpd instances.
   1523    Credit: This weakness was discovered by Miroslav Lichvar of RedHat
   1524    	and separately by Jonathan Gardner of Cisco ASIG.
   1525 
   1526 * Sybil vulnerability: ephemeral association attack
   1527    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1528    References: Sec 3012 / CVE-2016-1549
   1529    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1530    	4.3.0 up to, but not including 4.3.92
   1531    CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   1532    CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   1533    Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
   1534    	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
   1535 	field in the ntp.keys file to specify which IPs can serve time,
   1536 	a malicious authenticated peer can create arbitrarily-many
   1537 	ephemeral associations in order to win the clock selection of
   1538 	ntpd and modify a victim's clock.
   1539    Mitigation:
   1540         Implement BCP-38.
   1541         Use the 4th field in the ntp.keys file to specify which IPs
   1542 	    can be time servers.
   1543         Properly monitor your ntpd instances.
   1544    Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
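
The keys-file mitigation, as a constructed ntp.keys fragment added here rather than taken from the distribution: a key line without the fourth field beside one that restricts the key to named servers. The comma-separated address list with an optional /prefix is the form documented in authentic.html for 4.2.8p6 and later; confirm it against the documentation shipped with your release. Key numbers, secrets and the 192.0.2.0/24 addresses are placeholders.

```text
# Before: any host that knows key 10 can serve authenticated time,
# so a malicious holder can mobilize as many ephemeral peers as it likes.
10 MD5 ExampleSecretKey

# After: key 10 is honoured only on packets from the listed servers;
# key 11 is honoured only from the 192.0.2.0/24 subnet.
10 MD5 ExampleSecretKey 192.0.2.10,192.0.2.11
11 MD5 AnotherSecretKey 192.0.2.0/24
```

A key with an address list still authenticates packets from those addresses as before; packets carrying that key from anywhere else fail authentication, which is what removes the Sybil peers from the selection.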
   1545 
   1546 Other fixes:
   1547 
   1548 * [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger (a] ntp.org
   1549   - fixed yet another race condition in the threaded resolver code.
   1550 * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
   1551 * [Bug 2879] Improve NTP security against timing attacks. perlinger (a] ntp.org
   1552   - integrated patches by Loganaden Velvindron <logan (a] ntp.org>
   1553     with some modifications & unit tests
   1554 * [Bug 2960] async name resolution fixes for chroot() environments.
   1555   Reinhard Max.
   1556 * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger (a] ntp.org
   1557 * [Bug 2995] Fixes to compile on Windows
   1558 * [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger (a] ntp.org
   1559 * [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger (a] ntp.org
   1560   - Patch provided by Ch. Weisgerber
   1561 * [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
   1562   - A change related to [Bug 2853] forbids trailing white space in
   1563     remote config commands. perlinger (a] ntp.org
   1564 * [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
   1565   - report and patch from Aleksandr Kostikov.
   1566   - Overhaul of Windows IO completion port handling. perlinger (a] ntp.org
   1567 * [Bug 3022] authkeys.c should be refactored. perlinger (a] ntp.org
   1568   - fixed memory leak in access list (auth[read]keys.c)
   1569   - refactored handling of key access lists (auth[read]keys.c)
   1570   - reduced number of error branches (authreadkeys.c)
   1571 * [Bug 3023] ntpdate cannot correct dates in the future. perlinger (a] ntp.org
   1572 * [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
   1573 * [Bug 3031] ntp broadcastclient unable to synchronize to a server
   1574              when the server's time changed. perlinger (a] ntp.org
   1575   - Check the initial delay calculation and reject/unpeer the broadcast
   1576     server if the delay exceeds 50ms. Retry again after the next
   1577     broadcast packet.
   1578 * [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
   1579 * Document ntp.key's optional IP list in authentic.html.  Harlan Stenn.
   1580 * Update html/xleave.html documentation.  Harlan Stenn.
   1581 * Update ntp.conf documentation.  Harlan Stenn.
   1582 * Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
   1583 * Fix typo in html/monopt.html.  Harlan Stenn.
   1584 * Add README.pullrequests.  Harlan Stenn.
   1585 * Cleanup to include/ntp.h.  Harlan Stenn.
   1586 
   1587 New option to 'configure':
   1588 
   1589 While looking in to the issues around Bug 2978, the "interleave pivot"
   1590 issue, it became clear that there are some intricate and unresolved
   1591 issues with interleave operations.  We also realized that the interleave
   1592 protocol was never added to the NTPv4 Standard, and it should have been.
   1593 
   1594 Interleave mode was first released in July of 2008, and can be engaged
   1595 in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
   1596 	contain the 'xleave' option, which will expressly enable interleave mode
   1597 for that association.  Additionally, if a time packet arrives and is
   1598 found inconsistent with normal protocol behavior but has certain
   1599 characteristics that are compatible with interleave mode, NTP will
   1600 dynamically switch to interleave mode.  With sufficient knowledge, an
   1601 attacker can send a crafted forged packet to an NTP instance that
   1602 triggers only one side to enter interleaved mode.
   1603 
   1604 To prevent this attack until we can thoroughly document, describe,
   1605 fix, and test the dynamic interleave mode, we've added a new
   1606 'configure' option to the build process:
   1607 
   1608  --enable-dynamic-interleave
   1609 
   1610 This option controls whether or not NTP will, if conditions are right,
   1611 engage dynamic interleave mode.  Dynamic interleave mode is disabled by
   1612 default in ntp-4.2.8p7.
   1613 
   1614 ---
   1615 NTP 4.2.8p6 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/20) 
   1616 
   1617 Focus: Security, Bug fixes, enhancements.
   1618 
   1619 Severity: MEDIUM
   1620 
   1621 In addition to bug fixes and enhancements, this release fixes the
   1622 following 1 low- and 8 medium-severity vulnerabilities:
   1623 
   1624 * Potential Infinite Loop in 'ntpq'
   1625    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1626    References: Sec 2548 / CVE-2015-8158
   1627    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1628 	4.3.0 up to, but not including 4.3.90
   1629    CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1630    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   1631    Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
   1632 	The loop's only stopping conditions are receiving a complete and
   1633 	correct response or hitting a small number of error conditions.
   1634 	If the packet contains incorrect values that don't trigger one of
   1635 	the error conditions, the loop continues to receive new packets.
   1636 	Note well, this is an attack against an instance of 'ntpq', not
   1637 	'ntpd', and this attack requires the attacker to do one of the
   1638 	following:
   1639 	* Own a malicious NTP server that the client trusts
   1640 	* Prevent a legitimate NTP server from sending packets to
   1641 	    the 'ntpq' client
   1642 	* MITM the 'ntpq' communications between the 'ntpq' client
   1643 	    and the NTP server
   1644    Mitigation:
   1645 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1646 	or the NTP Public Services Project Download Page
   1647    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
   1648 
   1649 * 0rigin: Zero Origin Timestamp Bypass
   1650    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1651    References: Sec 2945 / CVE-2015-8138
   1652    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1653 	4.3.0 up to, but not including 4.3.90
   1654    CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
   1655    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   1656 	(3.7 - LOW if you score AC:H)
   1657    Summary: To distinguish legitimate peer responses from forgeries, a
   1658 	client attempts to verify a response packet by ensuring that the
   1659 	origin timestamp in the packet matches the origin timestamp it
   1660 	transmitted in its last request.  A logic error exists that
   1661 	allows packets with an origin timestamp of zero to bypass this
   1662 	check whenever there is not an outstanding request to the server.
   1663    Mitigation:
   1664 	Configure 'ntpd' to get time from multiple sources.
   1665 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1666 	    or the NTP Public Services Project Download Page.
   1667 	Monitor your 'ntpd' instances.
   1668    Credit: This weakness was discovered by Matthew Van Gundy and
   1669 	Jonathan Gardner of Cisco ASIG.
   1670 
   1671 * Stack exhaustion in recursive traversal of restriction list
   1672    Date Resolved: Stable (4.2.8p6) 19 Jan 2016
   1673    References: Sec 2940 / CVE-2015-7978
   1674    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1675 	4.3.0 up to, but not including 4.3.90
   1676    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1677    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   1678    	segmentation fault in ntpd by exhausting the call stack.
   1679    Mitigation:
   1680 	Implement BCP-38.
   1681 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1682 	    or the NTP Public Services Project Download Page.
   1683 	If you are unable to upgrade:
   1684             In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   1685 	    If you must enable mode 7:
   1686 		configure the use of a 'requestkey' to control who can
   1687 		    issue mode 7 requests.
   1688 		configure 'restrict noquery' to further limit mode 7
   1689 		    requests to trusted sources.
   1690 		Monitor your ntpd instances.
   1691    Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
   1692 
   1693 * Off-path Denial of Service (DoS) attack on authenticated broadcast mode
   1694    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1695    References: Sec 2942 / CVE-2015-7979
   1696    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1697 	4.3.0 up to, but not including 4.3.90
   1698    CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
   1699    Summary: An off-path attacker can send broadcast packets with bad
   1700 	authentication (wrong key, mismatched key, incorrect MAC, etc)
   1701 	to broadcast clients. It is observed that the broadcast client
   1702 	tears down the association with the broadcast server upon
   1703 	receiving just one bad packet.
   1704    Mitigation:
   1705 	Implement BCP-38.
   1706 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1707 	or the NTP Public Services Project Download Page.
   1708 	Monitor your 'ntpd' instances.
   1709 	If this sort of attack is an active problem for you, you have
   1710 	    deeper problems to investigate.  In this case also consider
   1711 	    having smaller NTP broadcast domains.
   1712    Credit: This weakness was discovered by Aanchal Malhotra of Boston
   1713    	University.
   1714 
   1715 * reslist NULL pointer dereference
   1716    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1717    References: Sec 2939 / CVE-2015-7977
   1718    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1719 	4.3.0 up to, but not including 4.3.90
   1720    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1721    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   1722 	segmentation fault in ntpd by causing a NULL pointer dereference.
   1723    Mitigation:
   1724 	Implement BCP-38.
   1725 	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
   1726 	the NTP Public Services Project Download Page.
   1727 	If you are unable to upgrade:
   1728 	    mode 7 is disabled by default.  Don't enable it.
   1729 	    If you must enable mode 7:
   1730 		configure the use of a 'requestkey' to control who can
   1731 		    issue mode 7 requests.
   1732 		configure 'restrict noquery' to further limit mode 7
   1733 		    requests to trusted sources. 
   1734 	Monitor your ntpd instances.
   1735    Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
   1736 
   1737 * 'ntpq saveconfig' command allows dangerous characters in filenames.
   1738    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1739    References: Sec 2938 / CVE-2015-7976
   1740    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1741 	4.3.0 up to, but not including 4.3.90
   1742    CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
   1743    Summary: The ntpq saveconfig command does not do adequate filtering
   1744    	of special characters from the supplied filename.
   1745 	Note well: The ability to use the saveconfig command is controlled
   1746 	by the 'restrict nomodify' directive, and the recommended default
   1747 	configuration is to disable this capability.  If the ability to
   1748 	execute a 'saveconfig' is required, it can easily (and should) be
   1749 	limited and restricted to a known small number of IP addresses.
   1750    Mitigation:
   1751 	Implement BCP-38.
   1752 	use 'restrict default nomodify' in your 'ntp.conf' file.
   1753 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
   1754 	If you are unable to upgrade:
   1755 	    build NTP with 'configure --disable-saveconfig' if you will
   1756 	    	never need this capability, or
   1757 	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
   1758 		careful about what IPs have the ability to send 'modify'
   1759 		requests to 'ntpd'.
   1760 	Monitor your ntpd instances.
   1761 	'saveconfig' requests are logged to syslog - monitor your syslog files.
   1762    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
   1763 
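   	The following is an added illustration, not code from ntpd or ntpq,
   	of the kind of filename check the 'saveconfig' item above calls for:
   	a name received in a mode 6 request is accepted only if it is a plain
   	basename built from a conservative allow-list, and the output path is
   	assembled only from a validated name. The character set, the 64-byte
   	length limit, the '/var/lib/ntp' directory and the function names are
   	choices made for this example and are not ntpd's.

```c
/*
 * Added example (not ntpd's code): allow-list validation of a filename
 * supplied by a remote 'saveconfig' request before it is used to build a
 * path. Policy constants and names are placeholders for this illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAVECONFIG_NAME_MAX 64   /* placeholder limit for this example */

/* Characters a saved-config filename may contain (placeholder policy). */
static int allowed_char(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
}

/*
 * Return 1 if `name` is acceptable: non-empty, short enough, no directory
 * separators or other non-allow-listed bytes, not "." or "..", and not a
 * hidden (dot-prefixed) file.
 */
int saveconfig_name_ok(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > SAVECONFIG_NAME_MAX)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (name[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!allowed_char((unsigned char)name[i]))
            return 0;
    return 1;
}

/*
 * Build "<dir>/<name>" only from a validated name. Returns 0 on success and
 * -1 if the name was rejected or the result would not fit in `out`.
 */
int saveconfig_path(const char *dir, const char *name, char *out, size_t outlen) {
    if (!saveconfig_name_ok(name))
        return -1;
    int w = snprintf(out, outlen, "%s/%s", dir, name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Builds a path for a well-formed name and confirms a bad name is refused. */
int saveconfig_path_demo(void) {
    char buf[128];
    if (saveconfig_path("/var/lib/ntp", "saved.conf", buf, sizeof buf) != 0)
        return 0;
    if (strcmp(buf, "/var/lib/ntp/saved.conf") != 0)
        return 0;
    return saveconfig_path("/var/lib/ntp", "evil;rm", buf, sizeof buf) == -1;
}
```

   	An allow-list is preferred over stripping "dangerous" characters
   	because the set of safe bytes is small and stable, while the set of
   	bytes that are dangerous to some shell, filesystem or log viewer is
   	not; the 'restrict default nomodify' advice above still applies, since
   	the best filter is one that untrusted hosts never reach.
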
   1764 * nextvar() missing length check in ntpq
   1765    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1766    References: Sec 2937 / CVE-2015-7975
   1767    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1768 	4.3.0 up to, but not including 4.3.90
   1769    CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
   1770 	If you score A:C, this becomes 4.0.
   1771    CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
   1772    Summary: ntpq may call nextvar() which executes a memcpy() into the
   1773 	name buffer without a proper length check against its maximum
   1774 	length of 256 bytes. Note well that we're talking about ntpq here.
   1775 	The usual worst-case effect of this vulnerability is that the
   1776 	specific instance of ntpq will crash and the person or process
   1777 	that did this will have stopped themselves.
   1778    Mitigation:
   1779 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1780 	    or the NTP Public Services Project Download Page.
   1781 	If you are unable to upgrade:
   1782 	    If you have scripts that feed input to ntpq make sure there are
   1783 		some sanity checks on the input received from the "outside".
   1784 	    This is potentially more dangerous if ntpq is run as root. 
   1785    Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
   1786 
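   	As an added example (not ntpq's code), here is a bounded version of
   	the name/value splitting that the nextvar() item above describes. Mode
   	6 response data is a comma-separated list of "name=value" items, with
   	values optionally double-quoted; the name is copied into a fixed
   	256-byte buffer, the limit the text gives. The checked version below
   	refuses a name that would not fit instead of copying past the buffer.
   	The function and type names, the simplified quoting rules and the
   	sample response are constructed for this illustration.

```c
/*
 * Added example (not ntpq's code): length-checked extraction of one
 * "name=value" item from mode 6 response data. Names are placeholders.
 */
#include <stddef.h>
#include <string.h>

#define VARNAME_MAX 256          /* name buffer size given in the NEWS text */

typedef struct {
    char        name[VARNAME_MAX];
    const char *value;           /* points into the input, not copied */
    size_t      value_len;
} var_item;

/*
 * Advance over one item starting at *p (bounded by `end`). Fills *out and
 * returns 1 on success, 0 when the input is exhausted, and -1 when the
 * name is too long for the buffer (the case the unchecked memcpy missed).
 */
int nextvar_checked(const char **p, const char *end, var_item *out) {
    const char *s = *p;
    while (s < end && (*s == ',' || *s == ' ' || *s == '\t' || *s == '\r' || *s == '\n'))
        s++;
    if (s >= end)
        return 0;

    /* The name runs to '=', ',' or end of data. */
    const char *ne = s;
    while (ne < end && *ne != '=' && *ne != ',')
        ne++;
    size_t nlen = (size_t)(ne - s);
    if (nlen >= VARNAME_MAX)        /* reject instead of overflowing */
        return -1;
    memcpy(out->name, s, nlen);
    out->name[nlen] = '\0';

    if (ne < end && *ne == '=') {
        const char *vs = ne + 1, *ve;
        if (vs < end && *vs == '"') {           /* quoted value may hold commas */
            ve = ++vs;
            while (ve < end && *ve != '"') ve++;
            out->value = vs; out->value_len = (size_t)(ve - vs);
            if (ve < end) ve++;                 /* skip closing quote */
        } else {
            ve = vs;
            while (ve < end && *ve != ',') ve++;
            out->value = vs; out->value_len = (size_t)(ve - vs);
        }
        *p = ve;
    } else {
        out->value = NULL; out->value_len = 0;
        *p = ne;
    }
    return 1;
}

/* Count the items in a buffer; -1 if any name is over-long. */
int count_vars(const char *data, size_t len) {
    const char *p = data, *end = data + len;
    var_item it;
    int n = 0, rc;
    while ((rc = nextvar_checked(&p, end, &it)) == 1)
        n++;
    return rc < 0 ? -1 : n;
}

/* Constructed sample resembling the data of an ntpq 'rv' response. */
static const char sample[] =
    "version=\"ntpd 4.2.8p6\", processor=\"x86_64\", stratum=2, refid=10.0.0.1";

int sample_var_count(void) { return count_vars(sample, sizeof sample - 1); }

/* The third item of the sample should come back as stratum=2. */
int sample_third_item_ok(void) {
    const char *p = sample, *end = sample + sizeof sample - 1;
    var_item it;
    for (int i = 0; i < 3; i++)
        if (nextvar_checked(&p, end, &it) != 1) return 0;
    return strcmp(it.name, "stratum") == 0 && it.value_len == 1 && it.value[0] == '2';
}

/* Constructed over-long name: 300 'a' bytes followed by "=1". */
int overlong_name_rejected(void) {
    char buf[400];
    memset(buf, 'a', 300);
    memcpy(buf + 300, "=1", 2);
    return count_vars(buf, 302) == -1;
}
```

   	The point for scripts that drive ntpq is the same one the mitigation
   	makes: a parser that is handed data from the network must bound every
   	copy by the destination size, not by the length it found in the input.
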
   1787 * Skeleton Key: Any trusted key system can serve time
   1788    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1789    References: Sec 2936 / CVE-2015-7974
   1790    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1791 	4.3.0 up to, but not including 4.3.90
   1792    CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
   1793    Summary: Symmetric key encryption uses a shared trusted key. The
   1794 	reported title for this issue was "Missing key check allows
   1795 	impersonation between authenticated peers" and the report claimed
   1796 	"A key specified only for one server should only work to
   1797 	authenticate that server, other trusted keys should be refused."
   1798 	Except there has never been any correlation between this trusted
   1799 	key and server v. clients machines and there has never been any
   1800 	way to specify a key only for one server. We have treated this as
   1801 	an enhancement request, and ntp-4.2.8p6 includes other checks and
   1802 	tests to strengthen clients against attacks coming from broadcast
   1803 	servers.
   1804    Mitigation:
   1805 	Implement BCP-38.
   1806 	If this scenario represents a real or a potential issue for you,
   1807 	    upgrade to 4.2.8p6, or later, from the NTP Project Download
   1808 	    Page or the NTP Public Services Project Download Page, and
   1809 	    use the new field in the ntp.keys file that specifies the list
   1810 	    of IPs that are allowed to serve time. Note that this alone
   1811 	    will not protect against time packets with forged source IP
   1812 	    addresses, however other changes in ntp-4.2.8p6 provide
   1813 	    significant mitigation against broadcast attacks. MITM attacks
   1814 	    are a different story.
   1815 	If you are unable to upgrade:
   1816 	    Don't use broadcast mode if you cannot monitor your client
   1817 	    	servers.
   1818 	    If you choose to use symmetric keys to authenticate time
   1819 	    	packets in a hostile environment where ephemeral time
   1820 		servers can be created, or if it is expected that malicious
   1821 		time servers will participate in an NTP broadcast domain,
   1822 		limit the number of participating systems that participate
   1823 		in the shared-key group. 
   1824 	Monitor your ntpd instances. 
   1825    Credit: This weakness was discovered by Matt Street of Cisco ASIG. 
   1826 
   1827 * Deja Vu: Replay attack on authenticated broadcast mode
   1828    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1829    References: Sec 2935 / CVE-2015-7973
   1830    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1831    	4.3.0 up to, but not including 4.3.90
   1832    CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
   1833    Summary: If an NTP network is configured for broadcast operations then
   1834    	either a man-in-the-middle attacker or a malicious participant
   1835 	that has the same trusted keys as the victim can replay time packets.
   1836    Mitigation:
   1837 	Implement BCP-38.
   1838 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1839 	    or the NTP Public Services Project Download Page.
   1840 	If you are unable to upgrade:
   1841 	    Don't use broadcast mode if you cannot monitor your client servers.
   1842 	Monitor your ntpd instances.
   1843    Credit: This weakness was discovered by Aanchal Malhotra of Boston
   1844 	University.
   1845 
   1846 Other fixes:
   1847 
   1848 * [Bug 2772] adj_systime overflows tv_usec. perlinger (a] ntp.org
   1849 * [Bug 2814] msyslog deadlock when signaled. perlinger (a] ntp.org
   1850   - applied patch by shenpeng11 (a] huawei.com with minor adjustments
   1851 * [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger (a] ntp.org
   1852 * [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger (a] ntp.org
   1853 * [Bug 2892] Several test cases assume IPv6 capabilities even when
   1854              IPv6 is disabled in the build. perlinger (a] ntp.org
   1855   - Found this already fixed, but validation led to cleanup actions.
   1856 * [Bug 2905] DNS lookups broken. perlinger (a] ntp.org
   1857   - added limits to stack consumption, fixed some return code handling
   1858 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
   1859   - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
   1860   - make CTRL-C work for retrieval and printing of MRU list. perlinger (a] ntp.org
   1861 * [Bug 2980] reduce number of warnings. perlinger (a] ntp.org
   1862   - integrated several patches from Havard Eidnes (he (a] uninett.no)
   1863 * [Bug 2985] bogus calculation in authkeys.c perlinger (a] ntp.org
   1864   - implement 'auth_log2()' using integer bithack instead of float calculation
   1865 * Make leapsec_query debug messages less verbose.  Harlan Stenn.
   1866 
   1867 ---
   1868 NTP 4.2.8p5 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/07) 
   1869 
   1870 Focus: Security, Bug fixes, enhancements.
   1871 
   1872 Severity: MEDIUM
   1873 
   1874 In addition to bug fixes and enhancements, this release fixes the
   1875 following medium-severity vulnerability:
   1876 
   1877 * Small-step/big-step.  Close the panic gate earlier.
   1878     References: Sec 2956, CVE-2015-5300
   1879     Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
   1880 	4.3.0 up to, but not including 4.3.78
   1881     CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
   1882     Summary: If ntpd is always started with the -g option, which is
   1883 	common and against long-standing recommendation, and if at the
   1884 	moment ntpd is restarted an attacker can immediately respond to
   1885 	enough requests from enough sources trusted by the target, which
   1886 	is difficult and not common, there is a window of opportunity
   1887 	where the attacker can cause ntpd to set the time to an
   1888 	arbitrary value. Similarly, if an attacker is able to respond
   1889 	to enough requests from enough sources trusted by the target,
   1890 	the attacker can cause ntpd to abort and restart, at which
   1891 	point it can tell the target to set the time to an arbitrary
   1892 	value if and only if ntpd was re-started against long-standing
   1893 	recommendation with the -g flag, or if ntpd was not given the
   1894 	-g flag, the attacker can move the target system's time by at
   1895 	most 900 seconds' time per attack.
   1896     Mitigation:
   1897 	Configure ntpd to get time from multiple sources.
   1898 	Upgrade to 4.2.8p5, or later, from the NTP Project Download
   1899 	    Page or the NTP Public Services Project Download Page
   1900 	As we've long documented, only use the -g option to ntpd in
   1901 	    cold-start situations.
   1902 	Monitor your ntpd instances. 
   1903     Credit: This weakness was discovered by Aanchal Malhotra,
   1904 	Isaac E. Cohen, and Sharon Goldberg at Boston University. 
   1905 
   1906     NOTE WELL: The -g flag disables the limit check on the panic_gate
   1907 	in ntpd, which is 900 seconds by default. The bug identified by
   1908 	the researchers at Boston University is that the panic_gate
   1909 	check was only re-enabled after the first change to the system
   1910 	clock that was greater than 128 milliseconds, by default. The
   1911 	correct behavior is that the panic_gate check should be
   1912 	re-enabled after any initial time correction.
   1913 
   1914 	If an attacker is able to inject consistent but erroneous time
   1915 	responses to your systems via the network or "over the air",
   1916 	perhaps by spoofing radio, cellphone, or navigation satellite
   1917 	transmissions, they are in a great position to affect your
   1918 	system's clock. There comes a point where your very best
   1919 	defenses include:
   1920 
   1921 	    Configure ntpd to get time from multiple sources.
   1922 	    Monitor your ntpd instances. 
   1923 
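   	The following is an added model, not ntpd's code, of the panic_gate
   	behaviour the NOTE WELL describes. It uses the two constants the text
   	gives (a 900 second panic threshold and a 128 millisecond step
   	threshold) and lets the caller choose between the old re-arming rule
   	(gate re-enabled only after a correction larger than the step
   	threshold) and the fixed rule (gate re-enabled after any initial
   	correction). The type, field and function names are placeholders for
   	this illustration.

```c
/*
 * Added example (not ntpd's code) modelling the -g / panic_gate logic from
 * Sec 2956 / CVE-2015-5300. Constants come from the NEWS text; names are
 * placeholders for this illustration.
 */
#include <stdbool.h>

#define PANIC_GATE_SEC   900.0   /* limit that -g suppresses once at startup */
#define STEP_THRESHOLD   0.128   /* offsets above this are stepped, not slewed */

typedef enum { CORR_SLEW, CORR_STEP, CORR_PANIC } corr_result;

typedef struct {
    bool   allow_panic;   /* true while the -g exemption is still in force */
    double clock;         /* modelled system time, seconds */
} clock_state;

/* Start the daemon; with -g the first correction may exceed the gate. */
void clock_init(clock_state *c, bool started_with_g) {
    c->allow_panic = started_with_g;
    c->clock = 0.0;
}

/*
 * Apply one measured offset. `rearm_after_any` selects the behaviour:
 *   false: the old logic, which re-enabled the gate only after a correction
 *          larger than the step threshold, so a tiny first offset left the
 *          -g exemption standing;
 *   true:  the fixed logic, which re-enables the gate after any initial
 *          correction.
 */
corr_result clock_correct(clock_state *c, double offset, bool rearm_after_any) {
    double mag = offset < 0 ? -offset : offset;

    if (mag > PANIC_GATE_SEC && !c->allow_panic)
        return CORR_PANIC;             /* ntpd logs the offset and exits */

    if (mag > STEP_THRESHOLD) {
        c->clock += offset;            /* step */
        c->allow_panic = false;        /* both versions re-arm here */
        return CORR_STEP;
    }

    c->clock += offset;                /* slew, modelled as instantaneous */
    if (rearm_after_any)
        c->allow_panic = false;        /* the fix: first correction of any size */
    return CORR_SLEW;
}

/* Result of a single first correction of `offset` seconds on a fresh daemon. */
corr_result first_correction(bool started_with_g, double offset) {
    clock_state c;
    clock_init(&c, started_with_g);
    return clock_correct(&c, offset, true);
}

/*
 * The sequence the report describes: a daemon started with -g receives a
 * small first correction, then an offset far beyond the gate. Returns the
 * result of the second correction under the selected re-arming rule.
 */
corr_result small_then_big(bool rearm_after_any) {
    clock_state c;
    clock_init(&c, true);                               /* started with -g */
    clock_correct(&c, 0.050, rearm_after_any);          /* 50 ms, below step threshold */
    return clock_correct(&c, 3600.0, rearm_after_any);  /* one hour */
}
```

   	With the old rule the 50 ms slew leaves the exemption standing and the
   	one-hour step is accepted; with the fixed rule the same sequence ends
   	in a panic exit, which is the behaviour 4.2.8p5 restores. Without -g
   	the gate is in force from the start and a first offset over 900
   	seconds is refused, matching the "at most 900 seconds per attack"
   	statement above.
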
   1924 Other fixes:
   1925 
   1926 * Coverity submission process updated from Coverity 5 to Coverity 7.
   1927   The NTP codebase has been undergoing regular Coverity scans on an
   1928   ongoing basis since 2006.  As part of our recent upgrade from
   1929   Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
   1930   the newly-written Unity test programs.  These were fixed.
   1931 * [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger (a] ntp.org
   1932 * [Bug 2887] stratum -1 config results as showing value 99
   1933   - fudge stratum should only accept values [0..16]. perlinger (a] ntp.org
   1934 * [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
   1935 * [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
   1936 * [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
   1937   - applied patch by Christos Zoulas.  perlinger (a] ntp.org
   1938 * [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
   1939 * [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
   1940   - fixed data race conditions in threaded DNS worker. perlinger (a] ntp.org
   1941   - limit threading warm-up to linux; FreeBSD bombs on it. perlinger (a] ntp.org
   1942 * [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger (a] ntp.org
   1943   - accept key file only if there are no parsing errors
   1944   - fixed size_t/u_int format clash
   1945   - fixed wrong use of 'strlcpy'
   1946 * [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
   1947 * [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger (a] ntp.org
   1948   - fixed several other warnings (cast-alignment, missing const, missing prototypes)
   1949   - promote use of 'size_t' for values that express a size
   1950   - use ptr-to-const for read-only arguments
   1951   - make sure SOCKET values are not truncated (win32-specific)
   1952   - format string fixes
   1953 * [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
   1954 * [Bug 2967] ntpdate command suffers an assertion failure
   1955   - fixed ntp_rfc2553.c to return proper address length. perlinger (a] ntp.org
   1956 * [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
   1957               lots of clients. perlinger (a] ntp.org
   1958 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
   1959   - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
   1960 * Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
   1961 * Unity test cleanup.  Harlan Stenn.
   1962 * Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
   1963 * Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
   1964 * Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
   1965 * Quiet a warning from clang.  Harlan Stenn.
   1966 
   1967 ---
   1968 NTP 4.2.8p4 (Harlan Stenn <stenn (a] ntp.org>, 2015/10/21) 
   1969 
   1970 Focus: Security, Bug fixes, enhancements.
   1971 
   1972 Severity: MEDIUM
   1973 
   1974 In addition to bug fixes and enhancements, this release fixes the
   1975 following 13 low- and medium-severity vulnerabilities:
   1976 
   1977 * Incomplete vallen (value length) checks in ntp_crypto.c, leading
   1978   to potential crashes or potential code injection/information leakage.
   1979 
   1980     References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
   1981     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   1982     	and 4.3.0 up to, but not including 4.3.77
   1983     CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
   1984     Summary: The fix for CVE-2014-9750 was incomplete in that there were
   1985     	certain code paths where a packet with particular autokey operations
   1986 	that contained malicious data was not always being completely
   1987 	validated. Receipt of these packets can cause ntpd to crash.
   1988     Mitigation:
   1989         Don't use autokey.
   1990 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1991 	    Page or the NTP Public Services Project Download Page
   1992 	Monitor your ntpd instances. 
   1993 	Credit: This weakness was discovered by Tenable Network Security. 
   1994 
   1995 * Clients that receive a KoD should validate the origin timestamp field.
   1996 
   1997     References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   1998     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   1999 	and 4.3.0 up to, but not including 4.3.77
   2000     CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
   2001     Summary: An ntpd client that honors Kiss-of-Death responses will honor
   2002     	KoD messages that have been forged by an attacker, causing it to
   2003 	delay or stop querying its servers for time updates. Also, an
   2004 	attacker can forge packets that claim to be from the target and
   2005 	send them to servers often enough that a server that implements
   2006 	KoD rate limiting will send the target machine a KoD response to
   2007 	attempt to reduce the rate of incoming packets, or it may also
   2008 	trigger a firewall block at the server for packets from the target
   2009 	machine. For either of these attacks to succeed, the attacker must
   2010 	know what servers the target is communicating with. An attacker
   2011 	can be anywhere on the Internet and can frequently learn the
   2012 	identity of the target's time source by sending the target a
   2013 	time query.
   2014     Mitigation:
   2015         Implement BCP-38.
   2016 	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
   2017 	    or the NTP Public Services Project Download Page
   2018 	If you can't upgrade, restrict who can query ntpd to learn who
   2019 	    its servers are, and what IPs are allowed to ask your system
   2020 	    for the time. This mitigation is heavy-handed.
   2021 	Monitor your ntpd instances. 
   2022     Note:
   2023     	4.2.8p4 protects against the first attack. For the second attack,
   2024     	all we can do is warn when it is happening, which we do in 4.2.8p4.
   2025     Credit: This weakness was discovered by Aanchal Malhotra,
   2026     	Isaac E. Cohen, and Sharon Goldberg of Boston University. 
   2027 
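   	The following is an added illustration, not ntpd's code, of the
   	origin-timestamp check that two entries in this file turn on: the
   	4.2.8p6 "0rigin" item (Sec 2945 / CVE-2015-8138), where a reply with
   	an all-zero origin passed the check whenever no request was
   	outstanding, and the KoD item above (Sec 2901 / CVE-2015-7704), where
   	a Kiss-o'-Death reply must pass the same check before the client
   	honours it. The KoD is identified here by stratum 0 and the "RATE"
   	reference ID as in NTPv4. The struct, field and function names are
   	placeholders for this example; the "vulnerable" variant is a
   	simplified model of the behaviour the text describes, not the actual
   	pre-4.2.8p6 source.

```c
/*
 * Added example (not ntpd's code): origin-timestamp validation of a client
 * response, before and after the fixes described for Sec 2945 (zero origin)
 * and Sec 2901 (KoD must pass the origin check). Names are placeholders.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction. */
typedef struct { uint32_t sec; uint32_t frac; } ntp_ts;

/* Client-side state for one association. */
typedef struct {
    ntp_ts xmt;          /* transmit timestamp of our last request; all-zero
                            when nothing is outstanding */
    bool   request_out;  /* true while a request is unanswered */
    int    poll_backoff; /* times a KoD has told us to slow down */
} peer_state;

/* Only the reply fields that matter here. */
typedef struct {
    uint8_t stratum;     /* 0 marks a KoD in NTPv4 */
    char    refid[4];    /* "RATE", "DENY", ... on a KoD */
    ntp_ts  org;         /* origin timestamp echoed from our request */
} pkt;

typedef enum { ACCEPT, REJECT_BOGUS, REJECT_ZERO_ORG } verdict;

static bool ts_is_zero(const ntp_ts *t) { return t->sec == 0 && t->frac == 0; }
static bool ts_eq(const ntp_ts *a, const ntp_ts *b) {
    return a->sec == b->sec && a->frac == b->frac;
}

/*
 * Model of the pre-4.2.8p6 behaviour: the origin is only compared with the
 * stored transmit timestamp. With nothing outstanding that value is zero,
 * so a forged reply carrying org == 0 compares equal and is accepted.
 */
verdict check_origin_old(const peer_state *p, const pkt *r) {
    return ts_eq(&r->org, &p->xmt) ? ACCEPT : REJECT_BOGUS;
}

/*
 * Hardened check: a zero origin is never a valid echo of anything we sent,
 * and with no request outstanding there is nothing a reply could match.
 */
verdict check_origin_new(const peer_state *p, const pkt *r) {
    if (ts_is_zero(&r->org))
        return REJECT_ZERO_ORG;
    if (!p->request_out || !ts_eq(&r->org, &p->xmt))
        return REJECT_BOGUS;
    return ACCEPT;
}

/*
 * KoD handling: honour a RATE request only if the reply passed the origin
 * check. Returns true if the client backed off.
 */
bool handle_kod(peer_state *p, const pkt *r,
                verdict (*check)(const peer_state *, const pkt *)) {
    if (r->stratum != 0 || memcmp(r->refid, "RATE", 4) != 0)
        return false;                       /* not a RATE KoD */
    if (check(p, r) != ACCEPT)
        return false;                       /* forged or stale: ignore */
    p->poll_backoff++;
    return true;
}

/* Scenario from the text: idle client, forged normal reply with org = 0. */
int forged_zero_origin_accepted(verdict (*check)(const peer_state *, const pkt *)) {
    peer_state idle = { {0, 0}, false, 0 };
    pkt forged = { 2, {'L', 'O', 'C', 'L'}, {0, 0} };
    return check(&idle, &forged) == ACCEPT;
}

/* Genuine RATE KoD echoing our outstanding origin: should be honoured. */
int genuine_kod_honoured(void) {
    peer_state p = { {0xDEADBEEF, 1}, true, 0 };
    pkt kod = { 0, {'R', 'A', 'T', 'E'}, {0xDEADBEEF, 1} };
    return handle_kod(&p, &kod, check_origin_new) && p.poll_backoff == 1;
}

/* Forged RATE KoD with zero origin against an idle client: must be ignored. */
int forged_kod_ignored(void) {
    peer_state p = { {0, 0}, false, 0 };
    pkt kod = { 0, {'R', 'A', 'T', 'E'}, {0, 0} };
    return !handle_kod(&p, &kod, check_origin_new) && p.poll_backoff == 0;
}
```

   	The same check serves both entries: once a reply must echo a non-zero
   	origin that matches an outstanding request, an off-path forger who
   	does not see the client's transmit timestamp can neither slip in time
   	nor make the client back off with a fake KoD. The second KoD attack in
   	the Note above (tricking a server into sending a real KoD) is not
   	addressed by this check, which is why the text says 4.2.8p4 can only
   	warn about it.
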
   2028 * configuration directives to change "pidfile" and "driftfile" should
   2029   only be allowed locally. 
   2030 
   2031   References: Sec 2902 / CVE-2015-5196
   2032   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2033 	and 4.3.0 up to, but not including 4.3.77
   2034    CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
   2035    Summary: If ntpd is configured to allow for remote configuration,
   2036 	and if the (possibly spoofed) source IP address is allowed to
   2037 	send remote configuration requests, and if the attacker knows
   2038 	the remote configuration password, it's possible for an attacker
   2039 	to use the "pidfile" or "driftfile" directives to potentially
   2040 	overwrite other files.
   2041    Mitigation:
   2042 	Implement BCP-38.
   2043 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2044 	    Page or the NTP Public Services Project Download Page
   2045 	If you cannot upgrade, don't enable remote configuration.
   2046 	If you must enable remote configuration and cannot upgrade,
   2047 	    remote configuration of NTF's ntpd requires:
   2048 	    - an explicitly configured trustedkey, and you should also
   2049 	    	configure a controlkey.
   2050 	    - access from a permitted IP. You choose the IPs.
   2051 	    - authentication. Don't disable it. Practice secure key safety. 
   2052 	Monitor your ntpd instances. 
   2053    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   2054 
   2055 * Slow memory leak in CRYPTO_ASSOC 
   2056 
   2057   References: Sec 2909 / CVE-2015-7701
   2058   Affects: All ntp-4 releases that use autokey up to, but not
   2059     including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2060   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
   2061   	4.6 otherwise
   2062   Summary: If ntpd is configured to use autokey, then an attacker can
   2063 	send packets to ntpd that will, after several days of ongoing
   2064 	attack, cause it to run out of memory.
   2065   Mitigation:
   2066 	Don't use autokey.
   2067 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2068 	    Page or the NTP Public Services Project Download Page
   2069 	Monitor your ntpd instances. 
   2070   Credit: This weakness was discovered by Tenable Network Security. 
   2071 
   2072 * mode 7 loop counter underrun
   2073 
   2074   References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
   2075   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2076   	and 4.3.0 up to, but not including 4.3.77
   2077   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
   2078   Summary: If ntpd is configured to enable mode 7 packets, and if the
   2079 	use of mode 7 packets is not properly protected through the use of
   2080 	the available mode 7 authentication and restriction mechanisms,
   2081 	and if the (possibly spoofed) source IP address is allowed to
   2082 	send mode 7 queries, then an attacker can send a crafted packet
   2083 	to ntpd that will cause it to crash.
   2084   Mitigation:
   2085 	Implement BCP-38.
   2086 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2087 	    Page or the NTP Public Services Project Download Page.
   2088 	If you are unable to upgrade:
   2089 	    In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   2090 	    If you must enable mode 7:
   2091 		configure the use of a requestkey to control who can issue
   2092 		    mode 7 requests.
   2093 		configure restrict noquery to further limit mode 7 requests
   2094 		    to trusted sources.
   2095 	Monitor your ntpd instances.
   2096   Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
   2097 
   2098 * memory corruption in password store
   2099 
   2100   References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
   2101   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2102   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
   2103   Summary: If ntpd is configured to allow remote configuration, and if
   2104 	the (possibly spoofed) source IP address is allowed to send
   2105 	remote configuration requests, and if the attacker knows the
   2106 	remote configuration password or if ntpd was configured to
   2107 	disable authentication, then an attacker can send a set of
   2108 	packets to ntpd that may cause a crash or theoretically
   2109 	perform a code injection attack.
   2110   Mitigation:
   2111 	Implement BCP-38.
   2112 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2113 	    Page or the NTP Public Services Project Download Page.
   2114 	If you are unable to upgrade, remote configuration of NTF's
   2115 	    ntpd requires:
   2116 		an explicitly configured "trusted" key. Only configure
   2117 			this if you need it.
   2118 		access from a permitted IP address. You choose the IPs.
   2119 		authentication. Don't disable it. Practice secure key safety. 
   2120 	Monitor your ntpd instances. 
   2121   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2122 
   2123 * Infinite loop if extended logging enabled and the logfile and
   2124   keyfile are the same.
   2125 
   2126     References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
   2127     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2128 	and 4.3.0 up to, but not including 4.3.77
   2129     CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   2130     Summary: If ntpd is configured to allow remote configuration, and if
   2131 	the (possibly spoofed) source IP address is allowed to send
   2132 	remote configuration requests, and if the attacker knows the
   2133 	remote configuration password or if ntpd was configured to
   2134 	disable authentication, then an attacker can send a set of
   2135 	packets to ntpd that will cause it to crash and/or create a
   2136 	potentially huge log file. Specifically, the attacker could
   2137 	enable extended logging, point the key file at the log file,
   2138 	and cause what amounts to an infinite loop.
   2139     Mitigation:
   2140 	Implement BCP-38.
   2141 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2142 	    Page or the NTP Public Services Project Download Page.
   2143 	If you are unable to upgrade, remote configuration of NTF's ntpd
   2144 	  requires:
   2145             an explicitly configured "trusted" key. Only configure this
   2146 	    	if you need it.
   2147             access from a permitted IP address. You choose the IPs.
   2148             authentication. Don't disable it. Practice secure key safety. 
   2149         Monitor your ntpd instances. 
   2150     Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2151 
   2152 * Potential path traversal vulnerability in the config file saving of
   2153   ntpd on VMS.
   2154 
   2155   References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
   2156   Affects: All ntp-4 releases running under VMS up to, but not
   2157 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2158   CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
   2159   Summary: If ntpd is configured to allow remote configuration, and if
   2160 	the (possibly spoofed) IP address is allowed to send remote
   2161 	configuration requests, and if the attacker knows the remote
   2162 	configuration password or if ntpd was configured to disable
   2163 	authentication, then an attacker can send a set of packets to
   2164 	ntpd that may cause ntpd to overwrite files.
   2165   Mitigation:
   2166 	Implement BCP-38.
   2167 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2168 	    Page or the NTP Public Services Project Download Page.
   2169 	If you are unable to upgrade, remote configuration of NTF's ntpd
   2170 	    requires:
   2171 		an explicitly configured "trusted" key. Only configure
   2172 			this if you need it.
   2173 		access from permitted IP addresses. You choose the IPs.
   2174 		authentication. Don't disable it. Practice secure key safety. 
   2175         Monitor your ntpd instances. 
   2176     Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2177 
   2178 * ntpq atoascii() potential memory corruption
   2179 
   2180   References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
   2181   Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
   2182 	and 4.3.0 up to, but not including 4.3.77
   2183   CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
   2184   Summary: If an attacker can figure out the precise moment that ntpq
   2185 	is listening for data and the port number it is listening on or
   2186 	if the attacker can provide a malicious instance ntpd that
   2187 	victims will connect to then an attacker can send a set of
   2188 	crafted mode 6 response packets that, if received by ntpq,
   2189 	can cause ntpq to crash.
   2190   Mitigation:
   2191 	Implement BCP-38.
   2192 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2193 	    Page or the NTP Public Services Project Download Page.
   2194 	If you are unable to upgrade and you run ntpq against a server
   2195 	    and ntpq crashes, try again using raw mode. Build or get a
   2196 	    patched ntpq and see if that fixes the problem. Report new
   2197 	    bugs in ntpq or abusive servers appropriately.
   2198 	If you use ntpq in scripts, make sure ntpq does what you expect
   2199 	    in your scripts. 
   2200   Credit: This weakness was discovered by Yves Younan and
   2201   	Aleksandar Nikolic of Cisco Talos. 
   2202 
   2203 * Invalid length data provided by a custom refclock driver could cause
   2204   a buffer overflow. 
   2205 
   2206   References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
   2207   Affects: Potentially all ntp-4 releases running up to, but not
   2208 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2209 	that have custom refclocks
   2210   CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
   2211 	5.9 unusual worst case
   2212   Summary: A negative value for the datalen parameter will overflow a
   2213 	data buffer. NTF's ntpd driver implementations always set this
   2214 	value to 0 and are therefore not vulnerable to this weakness.
   2215 	If you are running a custom refclock driver in ntpd and that
   2216 	driver supplies a negative value for datalen (no custom driver
   2217 	of even minimal competence would do this) then ntpd would
   2218 	overflow a data buffer. It is even hypothetically possible
   2219 	in this case that instead of simply crashing ntpd the attacker
   2220 	could effect a code injection attack.
   2221   Mitigation:
   2222 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2223 	    Page or the NTP Public Services Project Download Page.
   2224 	If you are unable to upgrade:
   2225 		If you are running custom refclock drivers, make sure
   2226 			the signed datalen value is either zero or positive. 
   2227 	Monitor your ntpd instances. 
   2228   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2229 
   2230 * Password Length Memory Corruption Vulnerability
   2231 
   2232   References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
   2233   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   2234   	4.3.0 up to, but not including 4.3.77
   2235   CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    2236   	1.7 usual case, 6.8 worst case
   2237   Summary: If ntpd is configured to allow remote configuration, and if
   2238 	the (possibly spoofed) source IP address is allowed to send
   2239 	remote configuration requests, and if the attacker knows the
   2240 	remote configuration password or if ntpd was (foolishly)
   2241 	configured to disable authentication, then an attacker can
   2242 	send a set of packets to ntpd that may cause it to crash,
   2243 	with the hypothetical possibility of a small code injection.
   2244   Mitigation:
   2245 	Implement BCP-38.
   2246 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2247 	    Page or the NTP Public Services Project Download Page.
   2248 	If you are unable to upgrade, remote configuration of NTF's
   2249 	    ntpd requires:
   2250 		an explicitly configured "trusted" key. Only configure
   2251 			this if you need it.
   2252 		access from a permitted IP address. You choose the IPs.
    2253 		authentication. Don't disable it. Practice safe key handling.
   2254 	Monitor your ntpd instances. 
   2255   Credit: This weakness was discovered by Yves Younan and
   2256   	Aleksander Nikolich of Cisco Talos. 
   2257 
   2258 * decodenetnum() will ASSERT botch instead of returning FAIL on some
   2259   bogus values.
   2260 
   2261   References: Sec 2922 / CVE-2015-7855
   2262   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   2263 	4.3.0 up to, but not including 4.3.77
   2264   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   2265   Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
   2266 	an unusually long data value where a network address is expected,
   2267 	the decodenetnum() function will abort with an assertion failure
   2268 	instead of simply returning a failure condition.
   2269   Mitigation:
   2270 	Implement BCP-38.
   2271 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2272 	    Page or the NTP Public Services Project Download Page.
   2273 	If you are unable to upgrade:
   2274 		mode 7 is disabled by default. Don't enable it.
   2275 		Use restrict noquery to limit who can send mode 6
   2276 			and mode 7 requests.
   2277 		Configure and use the controlkey and requestkey
   2278 			authentication directives to limit who can
   2279 			send mode 6 and mode 7 requests. 
   2280 	Monitor your ntpd instances. 
   2281   Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 
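The mitigations for the three preceding advisories (configure a trusted key only if you need it, restrict which addresses may send mode 6/7 requests with "noquery", protect them with controlkey/requestkey, leave mode 7 off, never "disable auth") are all ntp.conf settings that can be checked mechanically. The following audit script is an added example, not NTP project code; the two sample configurations are constructed, the directive and flag names are the real ntp.conf ones, and the "(lo ... hi)" range syntax of trustedkey is deliberately not parsed.

```python
from typing import List, Set

# Constructed sample: an ntp.conf that exposes mode 6/7 and disables auth.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap
restrict 127.0.0.1
enable mode7
disable auth
server 0.pool.ntp.org iburst
"""

# Constructed sample: the same host with the advisories' mitigations applied.
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
keys /etc/ntp.keys
trustedkey 1
controlkey 1
requestkey 1
server 0.pool.ntp.org iburst
"""


def parse_directives(text: str) -> List[List[str]]:
    """Tokenise ntp.conf lines, dropping comments and blank lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def default_restrict_flags(directives: List[List[str]]) -> List[Set[str]]:
    """Flag sets of each 'restrict [-4|-6] default ...' line, i.e. the policy
    applied to any address not matched by a more specific restrict."""
    flag_sets = []
    for d in directives:
        if d[0] != "restrict":
            continue
        args = [a for a in d[1:] if a not in ("-4", "-6")]
        if args and args[0] == "default":
            flag_sets.append(set(args[1:]))
    return flag_sets


def audit_ntp_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    directives = parse_directives(text)
    findings = []

    defaults = default_restrict_flags(directives)
    if not defaults:
        findings.append("no 'restrict default' line: unmatched addresses get full access")
    for flags in defaults:
        if "noquery" not in flags:
            findings.append("'restrict default' lacks noquery: mode 6/7 queries are "
                            "answered for any source address")
        if "nomodify" not in flags:
            findings.append("'restrict default' lacks nomodify: runtime "
                            "configuration is accepted from any source address")

    trusted = set()
    for d in directives:
        if d[0] == "enable" and "mode7" in d[1:]:
            findings.append("mode 7 is explicitly enabled (it is off by default)")
        if d[0] == "disable" and "auth" in d[1:]:
            findings.append("authentication is disabled ('disable auth')")
        if d[0] == "trustedkey":
            # plain key ids only; the '(lo ... hi)' range syntax is not handled here
            trusted.update(a for a in d[1:] if a.isdigit())

    for d in directives:
        if d[0] in ("controlkey", "requestkey") and len(d) > 1 and d[1] not in trusted:
            findings.append(f"{d[0]} {d[1]} is not listed in trustedkey")

    uses_keys = any(d[0] in ("trustedkey", "controlkey", "requestkey") for d in directives)
    if uses_keys and not any(d[0] == "keys" for d in directives):
        findings.append("key directives present but no 'keys' file is configured")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["no findings"])
```

Run it against your own ntp.conf by reading the file into audit_ntp_conf(); the weak sample yields three findings (noquery missing, mode 7 enabled, auth disabled) and the hardened sample none.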
   2282 
   2283 * NAK to the Future: Symmetric association authentication bypass via
   2284   crypto-NAK.
   2285 
   2286   References: Sec 2941 / CVE-2015-7871
   2287   Affects: All ntp-4 releases between 4.2.5p186 up to but not including
   2288   	4.2.8p4, and 4.3.0 up to but not including 4.3.77
   2289   CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
   2290   Summary: Crypto-NAK packets can be used to cause ntpd to accept time
   2291 	from unauthenticated ephemeral symmetric peers by bypassing the
   2292 	authentication required to mobilize peer associations. This
   2293 	vulnerability appears to have been introduced in ntp-4.2.5p186
   2294 	when the code handling mobilization of new passive symmetric
   2295 	associations (lines 1103-1165) was refactored.
   2296   Mitigation:
   2297 	Implement BCP-38.
   2298 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2299 	    Page or the NTP Public Services Project Download Page.
   2300 	If you are unable to upgrade:
   2301 		Apply the patch to the bottom of the "authentic" check
   2302 			block around line 1136 of ntp_proto.c. 
   2303 	Monitor your ntpd instances. 
   2304   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
   2305 
   2306 Backward-Incompatible changes:
   2307 * [Bug 2817] Default on Linux is now "rlimit memlock -1".
   2308   While the general default of 32M is still the case, under Linux
   2309   the default value has been changed to -1 (do not lock ntpd into
   2310   memory).  A value of 0 means "lock ntpd into memory with whatever
   2311   memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
   2312   value in it, that value will continue to be used.
   2313 
   2314 * [Bug 2886] Misspelling: "outlyer" should be "outlier".
   2315   If you've written a script that looks for this case in, say, the
   2316   output of ntpq, you probably want to change your regex matches
   2317   from 'outlyer' to 'outl[iy]er'.
   2318 
   2319 New features in this release:
   2320 * 'rlimit memlock' now has finer-grained control.  A value of -1 means
    2321   "don't lock ntpd into memory".  This is the default for Linux boxes.
   2322   A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
   2323   the value is the number of megabytes of memory to lock.  The default
   2324   is 32 megabytes.
   2325 
   2326 * The old Google Test framework has been replaced with a new framework,
   2327   based on http://www.throwtheswitch.org/unity/ .
   2328 
   2329 Bug Fixes and Improvements:
   2330 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping
   2331   privileges and limiting resources in NTPD removes the need to link
   2332   forcefully against 'libgcc_s' which does not always work. J.Perlinger
   2333 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
   2334 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
   2335 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
   2336 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger (a] ntp.org
   2337 * [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
   2338 * [Bug 2849] Systems with more than one default route may never
   2339   synchronize.  Brian Utterback.  Note that this patch might need to
   2340   be reverted once Bug 2043 has been fixed.
   2341 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
   2342 * [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
   2343 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
   2344 * [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
   2345 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
   2346 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
   2347   be configured for the distribution targets.  Harlan Stenn.
   2348 * [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
   2349 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave (a] horsfall.org
   2350 * [Bug 2888] streamline calendar functions.  perlinger (a] ntp.org
   2351 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger (a] ntp.org
   2352 * [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
   2353 * [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
   2354 * [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
   2355 * [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
   2356 * libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
   2357 * Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
   2358 * tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
   2359 * Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
   2360 * On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
   2361 * top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
   2362 * sntp/tests/ function parameter list cleanup.  Damir Tomi.
   2363 * tests/libntp/ function parameter list cleanup.  Damir Tomi.
   2364 * tests/ntpd/ function parameter list cleanup.  Damir Tomi.
   2365 * sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
   2366 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
   2367 * tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomi.
   2368 * tests/libntp/ improvements in code and fixed error printing.  Damir Tomi.
   2369 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   2370   caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
   2371   formatting; first declaration, then code (C90); deleted unnecessary comments;
   2372   changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
   2373 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
   2374   fix formatting, cleanup. Tomasz Flendrich
   2375 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
   2376   Tomasz Flendrich
   2377 * tests/libntp/statestr.c remove empty functions, remove unnecessary include,
   2378   fix formatting. Tomasz Flendrich
   2379 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
   2380 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
   2381 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
   2382   Tomasz Flendrich
   2383 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
   2384 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
   2385 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
   2386 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
   2387 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
   2388 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
   2389 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
    2390   fixed formatting. Tomasz Flendrich
   2391 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
   2392   removed unnecessary comments, cleanup. Tomasz Flendrich
   2393 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
   2394   comments, cleanup. Tomasz Flendrich
   2395 * tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
   2396   Tomasz Flendrich
   2397 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich
   2398 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
   2399 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
   2400   Tomasz Flendrich
   2401 * sntp/tests/kodDatabase.c added consts, deleted empty function,
   2402   fixed formatting. Tomasz Flendrich
   2403 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
   2404 * sntp/tests/packetHandling.c is now using proper Unity's assertions,
   2405   fixed formatting, deleted unused variable. Tomasz Flendrich
   2406 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
   2407   Tomasz Flendrich
   2408 * sntp/tests/packetProcessing.c changed from sprintf to snprintf,
   2409   fixed formatting. Tomasz Flendrich
   2410 * sntp/tests/utilities.c is now using proper Unity's assertions, changed
   2411   the order of includes, fixed formatting, removed unnecessary comments.
   2412   Tomasz Flendrich
   2413 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
   2414 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
   2415   made one function do its job, deleted unnecessary prints, fixed formatting.
   2416   Tomasz Flendrich
   2417 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
   2418 * sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
    2419 * sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
   2420 * sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
   2421 * sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
   2422 * Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
   2423 * Don't build sntp/libevent/sample/.  Harlan Stenn.
   2424 * tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
   2425 * br-flock: --enable-local-libevent.  Harlan Stenn.
   2426 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
   2427 * scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
   2428 * Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
   2429 * Code cleanup.  Harlan Stenn.
   2430 * libntp/icom.c: Typo fix.  Harlan Stenn.
   2431 * util/ntptime.c: initialization nit.  Harlan Stenn.
   2432 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
   2433 * Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
   2434 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
   2435   Tomasz Flendrich
   2436 * Changed progname to be const in many files - now it's consistent. Tomasz
   2437   Flendrich
   2438 * Typo fix for GCC warning suppression.  Harlan Stenn.
   2439 * Added tests/ntpd/ntp_scanner.c test. Damir Tomi.
   2440 * Added declarations to all Unity tests, and did minor fixes to them.
   2441   Reduced the number of warnings by half. Damir Tomi.
   2442 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory
   2443   with the latest Unity updates from Mark. Damir Tomi.
   2444 * Retire google test - phase I.  Harlan Stenn.
   2445 * Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
   2446 * Update the NEWS file.  Harlan Stenn.
   2447 * Autoconf cleanup.  Harlan Stenn.
   2448 * Unit test dist cleanup. Harlan Stenn.
   2449 * Cleanup various test Makefile.am files.  Harlan Stenn.
   2450 * Pthread autoconf macro cleanup.  Harlan Stenn.
   2451 * Fix progname definition in unity runner scripts.  Harlan Stenn.
   2452 * Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
   2453 * Update the patch for bug 2817.  Harlan Stenn.
   2454 * More updates for bug 2817.  Harlan Stenn.
   2455 * Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
   2456 * gcc on older HPUX may need +allowdups.  Harlan Stenn.
   2457 * Adding missing MCAST protection.  Harlan Stenn.
   2458 * Disable certain test programs on certain platforms.  Harlan Stenn.
   2459 * Implement --enable-problem-tests (on by default).  Harlan Stenn.
   2460 * build system tweaks.  Harlan Stenn.
   2461 
   2462 ---
   2463 NTP 4.2.8p3 (Harlan Stenn <stenn (a] ntp.org>, 2015/06/29) 
   2464 
   2465 Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
   2466 
   2467 Severity: MEDIUM
   2468 
   2469 Security Fix:
   2470 
   2471 * [Sec 2853] Crafted remote config packet can crash some versions of
   2472   ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
   2473 
   2474 Under specific circumstances an attacker can send a crafted packet to
   2475 cause a vulnerable ntpd instance to crash. This requires each of the
   2476 following to be true:
   2477 
   2478 1) ntpd set up to allow remote configuration (not allowed by default), and
   2479 2) knowledge of the configuration password, and
   2480 3) access to a computer entrusted to perform remote configuration. 
   2481 
   2482 This vulnerability is considered low-risk.
   2483 
   2484 New features in this release:
   2485 
   2486 Optional (disabled by default) support to have ntpd provide smeared
   2487 leap second time.  A specially built and configured ntpd will only
   2488 offer smeared time in response to client packets.  These response
   2489 packets will also contain a "refid" of 254.a.b.c, where the 24 bits
   2490 of a, b, and c encode the amount of smear in a 2:22 integer:fraction 
   2491 format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
   2492 information.
   2493 
   2494    *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   2495    *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
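The refid layout described above (254.a.b.c, with the low 24 bits holding the smear as a 2:22 integer:fraction value) is easy to decode, which is also the basis for a monitoring check that tells you whether an upstream you sync to is handing out smeared time. The code below is an added example, not the project's refidsmear code; it assumes the 24-bit field is two's complement so that negative smear can be represented (the NEWS text only states the 2:22 layout), and the ntpq -p sample it scans is constructed.

```python
from typing import List, Optional, Tuple

SMEAR_PREFIX = 254
FRAC_BITS = 22            # 2:22 fixed point in the low 24 bits of the refid


def smear_to_refid(seconds: float) -> str:
    """Encode a smear offset as a 254.a.b.c refid.  Negative offsets are
    stored in 24-bit two's complement (assumption; the NEWS text only
    states the 2:22 integer:fraction layout)."""
    raw = round(seconds * (1 << FRAC_BITS))
    if not -(1 << 23) <= raw < (1 << 23):
        raise ValueError("smear offset does not fit 2:22 fixed point")
    raw &= 0xFFFFFF
    return f"{SMEAR_PREFIX}.{raw >> 16}.{(raw >> 8) & 0xFF}.{raw & 0xFF}"


def refid_to_smear(refid: str) -> Optional[float]:
    """Return the smear in seconds, or None if refid is not a 254.a.b.c smear refid."""
    parts = refid.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    a0, a, b, c = (int(p) for p in parts)
    if a0 != SMEAR_PREFIX or max(a, b, c) > 255:
        return None
    raw = (a << 16) | (b << 8) | c
    if raw & 0x800000:                 # top bit set: negative in two's complement
        raw -= 1 << 24
    return raw / (1 << FRAC_BITS)


def smeared_peers(ntpq_output: str) -> List[Tuple[str, float]]:
    """Scan 'ntpq -p' style output and report peers whose refid advertises smear."""
    found = []
    for line in ntpq_output.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0].startswith(("remote", "=")):
            continue                            # header and separator lines
        remote = fields[0].lstrip("*+-x.#o")    # drop the tally code
        smear = refid_to_smear(fields[1])
        if smear is not None:
            found.append((remote, smear))
    return found


# Constructed sample of 'ntpq -p' output: time1 is serving smeared time.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.net 254.32.0.0       2 u   12   64  377    0.512   -0.071   0.033
+time2.example.net 10.0.0.1         2 u   30   64  377    1.020    0.110   0.045
"""

if __name__ == "__main__":
    print(smear_to_refid(0.5), refid_to_smear("254.224.0.0"))
    print(smeared_peers(SAMPLE_NTPQ))
```

A value of 0.5 s encodes as 254.32.0.0 (0x200000 in the 24-bit field) and 254.224.0.0 decodes to -0.5 s under the signed interpretation; anything outside the 254.x.x.x prefix, such as a normal 10.0.0.1 refid or the "LOCL" string, is reported as not smeared.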
   2496 
   2497 We've imported the Unity test framework, and have begun converting
   2498 the existing google-test items to this new framework.  If you want
   2499 to write new tests or change old ones, you'll need to have ruby
   2500 installed.  You don't need ruby to run the test suite.
   2501 
   2502 Bug Fixes and Improvements:
   2503 
   2504 * CID 739725: Fix a rare resource leak in libevent/listener.c.
   2505 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
   2506 * CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
   2507 * CID 1269537: Clean up a line of dead code in getShmTime().
   2508 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
   2509 * [Bug 2590] autogen-5.18.5.
   2510 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
   2511   of 'limited'.
   2512 * [Bug 2650] fix includefile processing.
   2513 * [Bug 2745] ntpd -x steps clock on leap second
   2514    Fixed an initial-value problem that caused misbehaviour in absence of
   2515    any leapsecond information.
    2516    Do leap second stepping only if the step adjustment is beyond the
   2517    proper jump distance limit and step correction is allowed at all.
   2518 * [Bug 2750] build for Win64
   2519   Building for 32bit of loopback ppsapi needs def file
   2520 * [Bug 2776] Improve ntpq's 'help keytype'.
   2521 * [Bug 2778] Implement "apeers"  ntpq command to include associd.
   2522 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
   2523 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an
   2524   interface is ignored as long as this flag is not set since the
   2525   interface is not usable (e.g., no link).
   2526 * [Bug 2794] Clean up kernel clock status reports.
   2527 * [Bug 2800] refclock_true.c true_debug() can't open debug log because
   2528   of incompatible open/fdopen parameters.
   2529 * [Bug 2804] install-local-data assumes GNU 'find' semantics.
   2530 * [Bug 2805] ntpd fails to join multicast group.
   2531 * [Bug 2806] refclock_jjy.c supports the Telephone JJY.
   2532 * [Bug 2808] GPSD_JSON driver enhancements, step 1.
   2533   Fix crash during cleanup if GPS device not present and char device.
   2534   Increase internal token buffer to parse all JSON data, even SKY.
   2535   Defer logging of errors during driver init until the first unit is
   2536   started, so the syslog is not cluttered when the driver is not used.
   2537   Various improvements, see http://bugs.ntp.org/2808 for details.
   2538   Changed libjsmn to a more recent version.
   2539 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
   2540 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
   2541 * [Bug 2815] net-snmp before v5.4 has circular library dependencies.
   2542 * [Bug 2821] Add a missing NTP_PRINTF and a missing const.
   2543 * [Bug 2822] New leap column in sntp broke NTP::Util.pm.
   2544 * [Bug 2824] Convert update-leap to perl. (also see 2769)
   2545 * [Bug 2825] Quiet file installation in html/ .
   2546 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   2547    NTPD transfers the current TAI (instead of an announcement) now.
    2548    This might still need improvement.
   2549    Update autokey data ASAP when 'sys_tai' changes.
   2550    Fix unit test that was broken by changes for autokey update.
   2551    Avoid potential signature length issue and use DPRINTF where possible
   2552      in ntp_crypto.c.
   2553 * [Bug 2832] refclock_jjy.c supports the TDC-300.
   2554 * [Bug 2834] Correct a broken html tag in html/refclock.html
   2555 * [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
   2556   robust, and require 2 consecutive timestamps to be consistent.
   2557 * [Bug 2837] Allow a configurable DSCP value.
   2558 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in
   2559 * [Bug 2842] Glitch in ntp.conf.def documentation stanza.
   2560 * [Bug 2842] Bug in mdoc2man.
   2561 * [Bug 2843] make check fails on 4.3.36
   2562    Fixed compiler warnings about numeric range overflow
   2563    (The original topic was fixed in a byplay to bug#2830)
   2564 * [Bug 2845] Harden memory allocation in ntpd.
   2565 * [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
   2566 * [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
   2567 * [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
   2568 * [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
   2569 * [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
   2570 * [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
   2571 * [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
    2572 * [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
   2573 * [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
   2574 * html/drivers/driver22.html: typo fix.  Harlan Stenn.
   2575 * refidsmear test cleanup.  Tomasz Flendrich.
   2576 * refidsmear function support and tests.  Harlan Stenn.
   2577 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
   2578   something that was only in the 4.2.6 sntp.  Harlan Stenn.
   2579 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
   2580   Damir Tomi
   2581 * Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
   2582   Damir Tomi
   2583 * Modified sntp/tests/Makefile.am so it builds Unity framework tests.
   2584   Damir Tomi
   2585 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
   2586 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomi
   2587 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
   2588   atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   2589   calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
   2590   numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
   2591   timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
   2592   Damir Tomi
   2593 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
   2594   networking.c, keyFile.c, utilities.cpp, sntptest.h,
   2595   fileHandlingTest.h. Damir Tomi
   2596 * Initial support for experimental leap smear code.  Harlan Stenn.
   2597 * Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
   2598 * Report select() debug messages at debug level 3 now.
   2599 * sntp/scripts/genLocInfo: treat raspbian as debian.
   2600 * Unity test framework fixes.
   2601   ** Requires ruby for changes to tests.
   2602 * Initial support for PACKAGE_VERSION tests.
   2603 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
   2604 * tests/bug-2803/Makefile.am must distribute bug-2803.h.
   2605 * Add an assert to the ntpq ifstats code.
   2606 * Clean up the RLIMIT_STACK code.
   2607 * Improve the ntpq documentation around the controlkey keyid.
   2608 * ntpq.c cleanup.
   2609 * Windows port build cleanup.
   2610 
   2611 ---
   2612 NTP 4.2.8p2 (Harlan Stenn <stenn (a] ntp.org>, 2015/04/07) 
   2613 
   2614 Focus: Security and Bug fixes, enhancements.
   2615 
   2616 Severity: MEDIUM
   2617  
   2618 In addition to bug fixes and enhancements, this release fixes the
   2619 following medium-severity vulnerabilities involving private key
   2620 authentication:
   2621 
   2622 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   2623 
   2624     References: Sec 2779 / CVE-2015-1798 / VU#374268
   2625     Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
   2626 	including ntp-4.2.8p2 where the installation uses symmetric keys
   2627 	to authenticate remote associations.
   2628     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   2629     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   2630     Summary: When ntpd is configured to use a symmetric key to authenticate
   2631 	a remote NTP server/peer, it checks if the NTP message
   2632 	authentication code (MAC) in received packets is valid, but not if
   2633 	there actually is any MAC included. Packets without a MAC are
   2634 	accepted as if they had a valid MAC. This allows a MITM attacker to
   2635 	send false packets that are accepted by the client/peer without
   2636 	having to know the symmetric key. The attacker needs to know the
   2637 	transmit timestamp of the client to match it in the forged reply
   2638 	and the false reply needs to reach the client before the genuine
   2639 	reply from the server. The attacker doesn't necessarily need to be
   2640 	relaying the packets between the client and the server.
   2641 
   2642 	Authentication using autokey doesn't have this problem as there is
   2643 	a check that requires the key ID to be larger than NTP_MAXKEY,
   2644 	which fails for packets without a MAC.
   2645     Mitigation:
   2646         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   2647 	or the NTP Public Services Project Download Page
   2648         Configure ntpd with enough time sources and monitor it properly. 
   2649     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
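The defect described in this advisory is a check that verifies a MAC when one is present but never asks whether one is present at all. The model below is an added example, not ntpd's code: it builds a minimal 48-byte NTPv4 server header, appends a symmetric-key MAC in the form ntpd's MD5 scheme uses (a 4-byte key id followed by MD5 over the key bytes and the packet), and places the accept-if-present logic next to the corrected accept-only-if-present-and-valid logic. The key table and packets are constructed; extension fields, the key-id range check the text mentions for autokey, and the origin-timestamp check are outside this example.

```python
import hashlib
import hmac
import struct

LEN_PKT_NOMAC = 48                     # NTPv4 header without extensions or MAC
MAC_LEN = 4 + 16                       # key id + MD5 digest
KEYS = {1: b"constructed-sample-key"}  # constructed: stands in for ntp.keys


def ntp_server_header(transmit_ts: int) -> bytes:
    """Minimal 48-byte NTPv4 mode-4 (server) header; only the transmit
    timestamp is meaningful here, every other field is a placeholder."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                    # LI 0, version 4, mode 4
    head = struct.pack("!BBBb", li_vn_mode, 2, 6, -20)       # stratum, poll, precision
    # root delay, root dispersion, refid "LOCL", reference/origin/receive/transmit
    head += struct.pack("!IIIQQQQ", 0, 0, 0x4C4F434C, 0, 0, 0, transmit_ts)
    return head


def append_mac(pkt: bytes, key_id: int) -> bytes:
    """Symmetric-key MAC: key id, then MD5(key || packet)."""
    digest = hashlib.md5(KEYS[key_id] + pkt).digest()
    return pkt + struct.pack("!I", key_id) + digest


def mac_is_valid(pkt: bytes) -> bool:
    """Verify a trailing MAC against the configured key table."""
    body, trailer = pkt[:LEN_PKT_NOMAC], pkt[LEN_PKT_NOMAC:]
    if len(trailer) != MAC_LEN:
        return False
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = KEYS.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, trailer[4:])


def accept_vulnerable(pkt: bytes) -> bool:
    """The pre-4.2.8p2 logic as the advisory describes it: a MAC is verified
    when present, but a packet carrying no MAC at all is accepted."""
    if len(pkt) > LEN_PKT_NOMAC:
        return mac_is_valid(pkt)
    return True


def accept_fixed(pkt: bytes) -> bool:
    """Corrected logic for a keyed association: a MAC must be present and
    must verify; nothing else is accepted."""
    return len(pkt) > LEN_PKT_NOMAC and mac_is_valid(pkt)


def demo():
    """Run both checks over a genuine, a MAC-less and a bit-flipped packet."""
    genuine = append_mac(ntp_server_header(0x12345678), 1)
    no_mac = ntp_server_header(0x12345678)       # same header, MAC omitted
    tampered = bytearray(genuine)
    tampered[40] ^= 0x01                          # flip a bit in the transmit timestamp
    samples = (genuine, no_mac, bytes(tampered))
    return {
        "vulnerable": [accept_vulnerable(p) for p in samples],
        "fixed": [accept_fixed(p) for p in samples],
    }


if __name__ == "__main__":
    print(demo())   # vulnerable: [True, True, False]; fixed: [True, False, False]
```

Both versions reject the packet whose body was altered after the MAC was computed; only the corrected check also rejects the packet that simply omits the MAC, which is the case the advisory is about.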
   2650 
   2651 * [Sec 2781] Authentication doesn't protect symmetric associations against
   2652   DoS attacks.
   2653 
   2654     References: Sec 2781 / CVE-2015-1799 / VU#374268
   2655     Affects: All NTP releases starting with at least xntp3.3wy up to but
   2656 	not including ntp-4.2.8p2 where the installation uses symmetric
   2657 	key authentication.
   2658     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   2659     Note: the CVSS base Score for this issue could be 4.3 or lower, and
   2660 	it could be higher than 5.4.
   2661     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   2662     Summary: An attacker knowing that NTP hosts A and B are peering with
   2663 	each other (symmetric association) can send a packet to host A
   2664 	with source address of B which will set the NTP state variables
   2665 	on A to the values sent by the attacker. Host A will then send
   2666 	on its next poll to B a packet with originate timestamp that
   2667 	doesn't match the transmit timestamp of B and the packet will
   2668 	be dropped. If the attacker does this periodically for both
   2669 	hosts, they won't be able to synchronize to each other. This is
   2670 	a known denial-of-service attack, described at
   2671 	https://www.eecis.udel.edu/~mills/onwire.html .
   2672 
   2673 	According to the document the NTP authentication is supposed to
   2674 	protect symmetric associations against this attack, but that
   2675 	doesn't seem to be the case. The state variables are updated even
   2676 	when authentication fails and the peers are sending packets with
   2677 	originate timestamps that don't match the transmit timestamps on
   2678 	the receiving side.
   2679 
   2680 	This seems to be a very old problem, dating back to at least
   2681 	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
   2682 	specifications, so other NTP implementations with support for
   2683 	symmetric associations and authentication may be vulnerable too.
   2684 	An update to the NTP RFC to correct this error is in-process.
   2685     Mitigation:
   2686         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   2687 	or the NTP Public Services Project Download Page
   2688         Note that for users of autokey, this specific style of MITM attack
   2689 	is simply a long-known potential problem.
   2690         Configure ntpd with appropriate time sources and monitor ntpd.
   2691 	Alert your staff if problems are detected. 
   2692     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
   2693 
   2694 * New script: update-leap
   2695 The update-leap script will verify and if necessary, update the
   2696 leap-second definition file.
   2697 It requires the following commands in order to work:
   2698 
   2699 	wget logger tr sed shasum
   2700 
   2701 Some may choose to run this from cron.  It needs more portability testing.
   2702 
   2703 Bug Fixes and Improvements:
   2704 
   2705 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
   2706 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
   2707 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
   2708 * [Bug 2728] See if C99-style structure initialization works.
   2709 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
   2710 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
   2711 * [Bug 2751] jitter.h has stale copies of l_fp macros.
   2712 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
   2713 * [Bug 2757] Quiet compiler warnings.
   2714 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
   2715 * [Bug 2763] Allow different thresholds for forward and backward steps.
   2716 * [Bug 2766] ntp-keygen output files should not be world-readable.
   2717 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
   2718 * [Bug 2771] nonvolatile value is documented in wrong units.
   2719 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
   2720 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
   2721 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
   2722 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
   2723   Removed non-ASCII characters from some copyright comments.
   2724   Removed trailing whitespace.
   2725   Updated definitions for Meinberg clocks from current Meinberg header files.
   2726   Now use C99 fixed-width types and avoid non-ASCII characters in comments.
   2727   Account for updated definitions pulled from Meinberg header files.
   2728   Updated comments on Meinberg GPS receivers which are not only called GPS16x.
   2729   Replaced some constant numbers by defines from ntp_calendar.h
   2730   Modified creation of parse-specific variables for Meinberg devices
   2731   in gps16x_message().
   2732   Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
    2733   Modified mbg_tm_str() which now expects an additional parameter controlling
   2734   if the time status shall be printed.
   2735 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   2736 * [Sec 2781] Authentication doesn't protect symmetric associations against
   2737   DoS attacks.
   2738 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
   2739 * [Bug 2789] Quiet compiler warnings from libevent.
   2740 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
   2741   pause briefly before measuring system clock precision to yield
   2742   correct results.
   2743 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
   2744 * Use predefined function types for parse driver functions
   2745   used to set up function pointers.
   2746   Account for changed prototype of parse_inp_fnc_t functions.
   2747   Cast parse conversion results to appropriate types to avoid
   2748   compiler warnings.
   2749   Let ioctl() for Windows accept a (void *) to avoid compiler warnings
   2750   when called with pointers to different types.
   2751 
   2752 ---
   2753 NTP 4.2.8p1 (Harlan Stenn <stenn (a] ntp.org>, 2015/02/04) 
   2754 
   2755 Focus: Security and Bug fixes, enhancements.
   2756 
   2757 Severity: HIGH
   2758  
   2759 In addition to bug fixes and enhancements, this release fixes the
   2760 following high-severity vulnerabilities:
   2761 
   2762 * vallen is not validated in several places in ntp_crypto.c, leading
   2763   to a potential information leak or possibly a crash
   2764 
   2765     References: Sec 2671 / CVE-2014-9297 / VU#852879
   2766     Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
   2767     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2768     Date Resolved: Stable (4.2.8p1) 04 Feb 2015
   2769     Summary: The vallen packet value is not validated in several code
   2770              paths in ntp_crypto.c which can lead to information leakage
   2771 	     or perhaps a crash of the ntpd process.
   2772     Mitigation - any of:
   2773 	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   2774 		or the NTP Public Services Project Download Page.
   2775 	Disable Autokey Authentication by removing, or commenting out,
   2776 		all configuration directives beginning with the "crypto"
   2777 		keyword in your ntp.conf file. 
   2778     Credit: This vulnerability was discovered by Stephen Roettger of the
   2779     	Google Security Team, with additional cases found by Sebastian
   2780 	Krahmer of the SUSE Security Team and Harlan Stenn of Network
   2781 	Time Foundation. 
   2782 
   2783 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
   2784   can be bypassed.
   2785 
   2786     References: Sec 2672 / CVE-2014-9298 / VU#852879
   2787     Affects: All NTP4 releases before 4.2.8p1, under at least some
   2788 	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
   2789     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
   2790     Date Resolved: Stable (4.2.8p1) 04 Feb 2014
   2791     Summary: While available kernels will prevent 127.0.0.1 addresses
   2792 	from "appearing" on non-localhost IPv4 interfaces, some kernels
   2793 	do not offer the same protection for ::1 source addresses on
   2794 	IPv6 interfaces. Since NTP's access control is based on source
   2795 	address and localhost addresses generally have no restrictions,
   2796 	an attacker can send malicious control and configuration packets
   2797 	by spoofing ::1 addresses from the outside. Note Well: This is
   2798 	not really a bug in NTP, it's a problem with some OSes. If you
   2799 	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
   2800 	ACL restrictions on any application can be bypassed!
   2801     Mitigation:
   2802         Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   2803 	or the NTP Public Services Project Download Page
   2804         Install firewall rules to block packets claiming to come from
   2805 	::1 from inappropriate network interfaces. 
   2806     Credit: This vulnerability was discovered by Stephen Roettger of
   2807 	the Google Security Team. 
   2808 
   2809 Additionally, over 30 bugfixes and improvements were made to the codebase.
   2810 See the ChangeLog for more information.
   2811 
   2812 ---
   2813 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 
   2814  
   2815 Focus: Security and Bug fixes, enhancements.
   2816  
   2817 Severity: HIGH
   2818  
   2819 In addition to bug fixes and enhancements, this release fixes the
   2820 following high-severity vulnerabilities:
   2821 
   2822 ************************** vv NOTE WELL vv *****************************
   2823 
   2824 The vulnerabilities listed below can be significantly mitigated by
   2825 following the BCP of putting
   2826 
   2827  restrict default ... noquery
   2828 
   2829 in the ntp.conf file.  With the exception of:
   2830 
   2831    receive(): missing return on error
   2832    References: Sec 2670 / CVE-2014-9296 / VU#852879
   2833 
   2834 below (which is a limited-risk vulnerability), none of the recent
   2835 vulnerabilities listed below can be exploited if the source IP is
   2836 restricted from sending a 'query'-class packet by your ntp.conf file.
   2837 
   2838 ************************** ^^ NOTE WELL ^^ *****************************
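
As an added illustration of the BCP in the box above (example code written for this page, not part of the NTP distribution), the following script audits an ntp.conf for a 'restrict default ... noquery' (or 'ignore') line per address family and for any Autokey 'crypto' directive, which the Autokey entries below say to remove if you cannot upgrade. The sample configurations are constructed, and the assumption that a bare 'restrict default' covers both IPv4 and IPv6 while '-4'/'-6' select one family is mine.

```python
"""Audit an ntp.conf against the mitigations recommended in this NEWS file.

Added example, not code from the NTP distribution.  It checks the two
directive families the advisories on this page rely on:

  * 'restrict default ... noquery' (the BCP in the NOTE WELL box), which
    refuses mode 6/7 query packets from unlisted sources;
  * any 'crypto ...' directive, which enables Autokey and is what the
    Autokey advisories say to remove when you cannot upgrade.

Assumption (mine): a bare 'restrict default' covers IPv4 and IPv6, while
'restrict -4 default' / 'restrict -6 default' cover one family each.
"""
from dataclasses import dataclass, field


@dataclass
class NtpConfAudit:
    query_restricted: bool = False   # every family has a noquery/ignore default
    autokey_enabled: bool = False    # at least one 'crypto' directive is active
    findings: list = field(default_factory=list)


def audit_ntp_conf(text: str) -> NtpConfAudit:
    """Scan ntp.conf text and report what the BCP checks found."""
    result = NtpConfAudit()
    covered = {"ipv4": False, "ipv6": False}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        words = line.split()
        keyword = words[0].lower()
        if keyword == "restrict":
            args = words[1:]
            families = ["ipv4", "ipv6"]
            if args and args[0] in ("-4", "-6"):
                families = ["ipv4"] if args[0] == "-4" else ["ipv6"]
                args = args[1:]
            if not args or args[0].lower() != "default":
                continue                          # per-host rule, not the default
            flags = {a.lower() for a in args[1:]}
            # 'ignore' drops every packet, so it satisfies the BCP as well.
            if "noquery" in flags or "ignore" in flags:
                for fam in families:
                    covered[fam] = True
            else:
                result.findings.append(
                    f"line {lineno}: 'restrict default' for {'/'.join(families)} "
                    "lacks 'noquery'")
        elif keyword == "crypto":
            result.autokey_enabled = True
            result.findings.append(
                f"line {lineno}: Autokey enabled by 'crypto' directive; "
                "remove it unless ntpd is patched for the Autokey advisories")
    for fam, ok in covered.items():
        if not ok:
            result.findings.append(
                f"no 'restrict default ... noquery' (or 'ignore') covers {fam}")
    result.query_restricted = all(covered.values())
    return result


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com iburst
crypto pw example-password      # Autokey on; no default restriction at all
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        audit = audit_ntp_conf(conf)
        print(f"{name}: query_restricted={audit.query_restricted} "
              f"autokey_enabled={audit.autokey_enabled}")
        for finding in audit.findings:
            print("  -", finding)
```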
   2839 
   2840 * Weak default key in config_auth().
   2841 
   2842   References: [Sec 2665] / CVE-2014-9293 / VU#852879
   2843   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   2844   Vulnerable Versions: all releases prior to 4.2.7p11
   2845   Date Resolved: 28 Jan 2010
   2846 
   2847   Summary: If no 'auth' key is set in the configuration file, ntpd
   2848 	would generate a random key on the fly.  There were two
   2849 	problems with this: 1) the generated key was 31 bits in size,
   2850 	and 2) it used the (now weak) ntp_random() function, which was
   2851 	seeded with a 32-bit value and could only provide 32 bits of
   2852 	entropy.  This was sufficient back in the late 1990s when the
   2853 	code was written.  Not today.
   2854 
   2855   Mitigation - any of:
   2856 	- Upgrade to 4.2.7p11 or later.
   2857 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2858 
   2859   Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
   2860   	of the Google Security Team.
   2861 
   2862 * Non-cryptographic random number generator with weak seed used by
   2863   ntp-keygen to generate symmetric keys.
   2864 
   2865   References: [Sec 2666] / CVE-2014-9294 / VU#852879
   2866   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   2867   Vulnerable Versions: All NTP4 releases before 4.2.7p230
   2868   Date Resolved: Dev (4.2.7p230) 01 Nov 2011
   2869 
   2870   Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
   2871   	prepare a random number generator that was of good quality back
   2872 	in the late 1990s. The random numbers produced were then used to
   2873 	generate symmetric keys. In ntp-4.2.8 we use a current-technology
   2874 	cryptographic random number generator, either RAND_bytes from
   2875 	OpenSSL, or arc4random(). 
   2876 
   2877   Mitigation - any of:
   2878   	- Upgrade to 4.2.7p230 or later.
   2879 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2880 
   2881   Credit:  This vulnerability was discovered in ntp-4.2.6 by
   2882   	Stephen Roettger of the Google Security Team.
   2883 
   2884 * Buffer overflow in crypto_recv()
   2885 
   2886   References: Sec 2667 / CVE-2014-9295 / VU#852879
   2887   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2888   Versions: All releases before 4.2.8
   2889   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2890 
   2891   Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
   2892   	file contains a 'crypto pw ...' directive) a remote attacker
   2893 	can send a carefully crafted packet that can overflow a stack
   2894 	buffer and potentially allow malicious code to be executed
   2895 	with the privilege level of the ntpd process.
   2896 
   2897   Mitigation - any of:
   2898   	- Upgrade to 4.2.8, or later, or
   2899 	- Disable Autokey Authentication by removing, or commenting out,
   2900 	  all configuration directives beginning with the crypto keyword
   2901 	  in your ntp.conf file. 
   2902 
   2903   Credit: This vulnerability was discovered by Stephen Roettger of the
   2904   	Google Security Team. 
   2905 
   2906 * Buffer overflow in ctl_putdata()
   2907 
   2908   References: Sec 2668 / CVE-2014-9295 / VU#852879
   2909   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2910   Versions: All NTP4 releases before 4.2.8
   2911   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2912 
   2913   Summary: A remote attacker can send a carefully crafted packet that
   2914   	can overflow a stack buffer and potentially allow malicious
   2915 	code to be executed with the privilege level of the ntpd process.
   2916 
   2917   Mitigation - any of:
   2918   	- Upgrade to 4.2.8, or later.
   2919 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2920 
   2921   Credit: This vulnerability was discovered by Stephen Roettger of the
   2922   	Google Security Team. 
   2923 
   2924 * Buffer overflow in configure()
   2925 
   2926   References: Sec 2669 / CVE-2014-9295 / VU#852879
   2927   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2928   Versions: All NTP4 releases before 4.2.8
   2929   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2930 
   2931   Summary: A remote attacker can send a carefully crafted packet that
   2932 	can overflow a stack buffer and potentially allow malicious
   2933 	code to be executed with the privilege level of the ntpd process.
   2934 
   2935   Mitigation - any of:
   2936   	- Upgrade to 4.2.8, or later.
   2937 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2938 
   2939   Credit: This vulnerability was discovered by Stephen Roettger of the
   2940 	Google Security Team. 
   2941 
   2942 * receive(): missing return on error
   2943 
   2944   References: Sec 2670 / CVE-2014-9296 / VU#852879
   2945   CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
   2946   Versions: All NTP4 releases before 4.2.8
   2947   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2948 
   2949   Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
   2950   	the code path where an error was detected, which meant
   2951 	processing did not stop when a specific rare error occurred.
   2952 	We haven't found a way for this bug to affect system integrity.
   2953 	If there is no way to affect system integrity the base CVSS
   2954 	score for this bug is 0. If there is one avenue through which
   2955 	system integrity can be partially affected, the base score
   2956 	becomes a 5. If system integrity can be partially affected
   2957 	via all three integrity metrics, the CVSS base score becomes 7.5.
   2958 
   2959   Mitigation - any of:
   2960         - Upgrade to 4.2.8, or later,
   2961         - Remove or comment out all configuration directives
   2962 	  beginning with the crypto keyword in your ntp.conf file. 
   2963 
   2964   Credit: This vulnerability was discovered by Stephen Roettger of the
   2965   	Google Security Team. 
   2966 
   2967 See http://support.ntp.org/security for more information.
   2968 
   2969 New features / changes in this release:
   2970 
   2971 Important Changes
   2972 
   2973 * Internal NTP Era counters
   2974 
   2975 The internal counters that track the "era" (range of years) we are in
   2976 roll over every 136 years.  The current "era" started at the stroke of
   2977 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
   2978 1 Jan 2036.
   2979 In the past, we have used the "midpoint" of the range to decide which
   2980 era we were in.  Given the longevity of some products, it became clear
   2981 that it would be more functional to "look back" less, and "look forward"
   2982 more.  We now compile a timestamp into the ntpd executable and when we
   2983 get a timestamp we use the "built-on" time to tell us what era we are in.
   2984 This check "looks back" 10 years, and "looks forward" 126 years.
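
Worked example of the era resolution described above (added here; not ntpd's own code, which lives in ntp_calendar.c): the old midpoint rule and the new 10-year look-back rule, each applied to a 32-bit NTP seconds field with the build date as pivot. The 10-year window is approximated as 10 Julian years, and using the 4.2.8 release date as the build date is an assumption made for the demonstration.

```python
"""Resolve a 32-bit NTP seconds field to an absolute time using a pivot.

Added example, not ntpd's code.  It reproduces the behaviour the NEWS
entry describes: the old rule centred the 136-year window on the pivot,
the 4.2.8 rule looks back 10 years and forward about 126 years.
"""
import calendar
from datetime import datetime

NTP_ERA_SECONDS = 2 ** 32                      # one era: 2^32 seconds
JAN_1970 = 2208988800                          # NTP seconds at the Unix epoch
LOOKBACK_SECONDS = int(10 * 365.25 * 86400)    # assumed: 10 Julian years


def to_unix(date: str) -> int:
    """'YYYY-MM-DD' (UTC) -> Unix seconds; helper for the examples below."""
    return calendar.timegm(datetime.strptime(date, "%Y-%m-%d").timetuple())


def ntp32_of(date: str) -> int:
    """The 32-bit NTP seconds field a packet would carry for this date."""
    return (to_unix(date) + JAN_1970) % NTP_ERA_SECONDS


def _resolve(ts32: int, window_start_ntp: int) -> int:
    """Place ts32 in the era-length window starting at window_start_ntp.

    Returns unbounded NTP seconds (era number folded in)."""
    return window_start_ntp + ((ts32 - window_start_ntp) % NTP_ERA_SECONDS)


def resolve_midpoint(ts32: int, pivot_unix: int) -> int:
    """Old rule: the pivot is the window midpoint (about +/- 68 years).

    Returns Unix seconds."""
    pivot_ntp = pivot_unix + JAN_1970
    return _resolve(ts32, pivot_ntp - NTP_ERA_SECONDS // 2) - JAN_1970


def resolve_lookback(ts32: int, pivot_unix: int) -> int:
    """4.2.8 rule: look back 10 years, forward ~126 years from the pivot.

    Returns Unix seconds."""
    pivot_ntp = pivot_unix + JAN_1970
    return _resolve(ts32, pivot_ntp - LOOKBACK_SECONDS) - JAN_1970


if __name__ == "__main__":
    # Assumed build date: the 4.2.8 release date.
    build = to_unix("2014-12-18")
    for date in ("2000-01-01", "2014-12-18", "2040-01-01", "2100-01-01"):
        ts = ntp32_of(date)
        print(f"{date}: field={ts:>10}  midpoint->{resolve_midpoint(ts, build):>11}"
              f"  lookback->{resolve_lookback(ts, build):>11}  true={to_unix(date)}")
```

Dates more than 10 years before the build date now resolve one era later, while dates up to 126 years after it (past the 2036 era boundary) resolve correctly; the midpoint rule does the reverse.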
   2985 
   2986 * ntpdc responses disabled by default
   2987 
   2988 Dave Hart writes:
   2989 
   2990 For a long time, ntpq and its mostly text-based mode 6 (control) 
   2991 protocol have been preferred over ntpdc and its mode 7 (private 
   2992 request) protocol for runtime queries and configuration.  There has 
   2993 been a goal of deprecating ntpdc, previously held back by numerous 
   2994 capabilities exposed by ntpdc with no ntpq equivalent.  I have been 
   2995 adding commands to ntpq to cover these cases, and I believe I've 
   2996 covered them all, though I've not compared command-by-command 
   2997 recently. 
   2998 
   2999 As I've said previously, the binary mode 7 protocol involves a lot of 
   3000 hand-rolled structure layout and byte-swapping code in both ntpd and 
   3001 ntpdc which is hard to get right.  As ntpd grows and changes, the 
   3002 changes are difficult to expose via ntpdc while maintaining forward 
   3003 and backward compatibility between ntpdc and ntpd.  In contrast, 
   3004 ntpq's text-based, label=value approach involves more code reuse and 
   3005 allows compatible changes without extra work in most cases. 
   3006 
   3007 Mode 7 has always been defined as vendor/implementation-specific while 
   3008 mode 6 is described in RFC 1305 and intended to be open to interoperate 
   3009 with other implementations.  There is an early draft of an updated 
   3010 mode 6 description that likely will join the other NTPv4 RFCs 
   3011 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
   3012 
   3013 For these reasons, ntpd 4.2.7p230 by default disables processing of 
   3014 ntpdc queries, reducing ntpd's attack surface and functionally 
   3015 deprecating ntpdc.  If you are in the habit of using ntpdc for certain 
   3016 operations, please try the ntpq equivalent.  If there's no equivalent, 
   3017 please open a bug report at http://bugs.ntp.org/.
   3018 
   3019 In addition to the above, over 1100 issues have been resolved between
   3020 the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
   3021 lists these.
   3022 
   3023 --- 
   3024 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 
   3025  
   3026 Focus: Bug fixes
   3027  
   3028 Severity: Medium 
   3029  
   3030 This is a recommended upgrade. 
   3031 
   3032 This release updates sys_rootdisp and sys_jitter calculations to match the
   3033 RFC specification, fixes a potential IPv6 address matching error for the
   3034 "nic" and "interface" configuration directives, suppresses the creation of
   3035 extraneous ephemeral associations for certain broadcastclient and
   3036 multicastclient configurations, cleans up some ntpq display issues, and
   3037 includes improvements to orphan mode, minor bugs fixes and code clean-ups.
   3038 
   3039 New features / changes in this release:
   3040 
   3041 ntpd
   3042 
   3043  * Updated "nic" and "interface" IPv6 address handling to prevent 
   3044    mismatches with localhost [::1] and wildcard [::] which resulted from
   3045    using the address/prefix format (e.g. fe80::/64)
   3046  * Fix orphan mode stratum incorrectly counting to infinity
   3047  * Orphan parent selection metric updated to include missing ntohl()
   3048  * Non-printable stratum 16 refid no longer sent to ntp
   3049  * Duplicate ephemeral associations suppressed for broadcastclient and
   3050    multicastclient without broadcastdelay
   3051  * Exclude undetermined sys_refid from use in loopback TEST12
   3052  * Exclude MODE_SERVER responses from KoD rate limiting
   3053  * Include root delay in clock_update() sys_rootdisp calculations
   3054  * get_systime() updated to exclude sys_residual offset (which only
   3055    affected bits "below" sys_tick, the precision threshold)
   3056  * sys.peer jitter weighting corrected in sys_jitter calculation
   3057 
   3058 ntpq
   3059 
   3060  * -n option extended to include the billboard "server" column
   3061  * IPv6 addresses in the local column truncated to prevent overruns
   3062 
   3063 --- 
   3064 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 
   3065  
   3066 Focus: Bug fixes and portability improvements 
   3067  
   3068 Severity: Medium 
   3069  
   3070 This is a recommended upgrade. 
   3071  
   3072 This release includes build infrastructure updates, code 
   3073 clean-ups, minor bug fixes, fixes for a number of minor 
   3074 ref-clock issues, and documentation revisions. 
   3075  
   3076 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 
   3077  
   3078 New features / changes in this release: 
   3079  
   3080 Build system 
   3081  
   3082 * Fix checking for struct rtattr 
   3083 * Update config.guess and config.sub for AIX 
   3084 * Upgrade required version of autogen and libopts for building 
   3085   from our source code repository 
   3086  
   3087 ntpd 
   3088  
   3089 * Back-ported several fixes for Coverity warnings from ntp-dev 
   3090 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 
   3091 * Allow "logconfig =allall" configuration directive 
   3092 * Bind tentative IPv6 addresses on Linux 
   3093 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 
   3094 * Improved tally bit handling to prevent incorrect ntpq peer status reports 
   3095 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 
   3096   candidate list unless they are designated a "prefer peer" 
   3097 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 
   3098   selection during the 'tos orphanwait' period 
   3099 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 
   3100   drivers 
   3101 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 
   3102 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 
   3103 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 
   3104   clock slew on Microsoft Windows 
   3105 * Code cleanup in libntpq 
   3106  
   3107 ntpdc 
   3108  
   3109 * Fix timerstats reporting 
   3110  
   3111 ntpdate 
   3112  
   3113 * Reduce time required to set clock 
   3114 * Allow a timeout greater than 2 seconds 
   3115  
   3116 sntp 
   3117  
   3118 * Backward incompatible command-line option change: 
   3119   -l/--filelog changed to -l/--logfile (to be consistent with ntpd) 
   3120  
   3121 Documentation 
   3122  
   3123 * Update html2man. Fix some tags in the .html files 
   3124 * Distribute ntp-wait.html 
   3125 
   3126 ---
   3127 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03)
   3128 
   3129 Focus: Bug fixes and portability improvements
   3130 
   3131 Severity: Medium
   3132 
   3133 This is a recommended upgrade.
   3134 
   3135 This release includes build infrastructure updates, code
   3136 clean-ups, minor bug fixes, fixes for a number of minor
   3137 ref-clock issues, and documentation revisions.
   3138 
   3139 Portability improvements in this release affect AIX, Atari FreeMiNT,
   3140 FreeBSD4, Linux and Microsoft Windows.
   3141 
   3142 New features / changes in this release:
   3143 
   3144 Build system
   3145 * Use lsb_release to get information about Linux distributions.
   3146 * 'test' is in /usr/bin (instead of /bin) on some systems.
   3147 * Basic sanity checks for the ChangeLog file.
   3148 * Source certain build files with ./filename for systems without . in PATH.
   3149 * IRIX portability fix.
   3150 * Use a single copy of the "libopts" code.
   3151 * autogen/libopts upgrade.
   3152 * configure.ac m4 quoting cleanup.
   3153 
   3154 ntpd
   3155 * Do not bind to IN6_IFF_ANYCAST addresses.
   3156 * Log the reason for exiting under Windows.
   3157 * Multicast fixes for Windows.
   3158 * Interpolation fixes for Windows.
   3159 * IPv4 and IPv6 Multicast fixes.
   3160 * Manycast solicitation fixes and general repairs.
   3161 * JJY refclock cleanup.
   3162 * NMEA refclock improvements.
   3163 * Oncore debug message cleanup.
   3164 * Palisade refclock now builds under Linux.
   3165 * Give RAWDCF more baud rates.
   3166 * Support Truetime Satellite clocks under Windows.
   3167 * Support Arbiter 1093C Satellite clocks under Windows.
   3168 * Make sure that the "filegen" configuration command defaults to "enable".
   3169 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
   3170 * Prohibit 'includefile' directive in remote configuration command.
   3171 * Fix 'nic' interface bindings.
   3172 * Fix the way we link with openssl if openssl is installed in the base
   3173   system.
   3174 
   3175 ntp-keygen
   3176 * Fix -V coredump.
   3177 * OpenSSL version display cleanup.
   3178 
   3179 ntpdc
   3180 * Many counters should be treated as unsigned.
   3181 
   3182 ntpdate
   3183 * Do not ignore replies with equal receive and transmit timestamps.
   3184 
   3185 ntpq
   3186 * libntpq warning cleanup.
   3187 
   3188 ntpsnmpd
   3189 * Correct SNMP type for "precision" and "resolution".
   3190 * Update the MIB from the draft version to RFC-5907.
   3191 
   3192 sntp
   3193 * Display timezone offset when showing time for sntp in the local
   3194   timezone.
   3195 * Pay proper attention to RATE KoD packets.
   3196 * Fix a miscalculation of the offset.
   3197 * Properly parse empty lines in the key file.
   3198 * Logging cleanup.
   3199 * Use tv_usec correctly in set_time().
   3200 * Documentation cleanup.
   3201 
   3202 ---
   3203 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08)
   3204 
   3205 Focus: Bug fixes and portability improvements
   3206 
   3207 Severity: Medium
   3208 
   3209 This is a recommended upgrade.
   3210 
   3211 This release includes build infrastructure updates, code
   3212 clean-ups, minor bug fixes, fixes for a number of minor
   3213 ref-clock issues, improved KOD handling, OpenSSL related
   3214 updates and documentation revisions.
   3215 
   3216 Portability improvements in this release affect Irix, Linux,
   3217 Mac OS, Microsoft Windows, OpenBSD and QNX6
   3218 
   3219 New features / changes in this release:
   3220 
   3221 ntpd
   3222 * Range syntax for the trustedkey configuration directive
   3223 * Unified IPv4 and IPv6 restrict lists
   3224 
   3225 ntpdate
   3226 * Rate limiting and KOD handling
   3227 
   3228 ntpsnmpd
   3229 * default connection to net-snmpd via a unix-domain socket
   3230 * command-line 'socket name' option
   3231 
   3232 ntpq / ntpdc
   3233 * support for the "passwd ..." syntax
   3234 * key-type specific password prompts
   3235 
   3236 sntp
   3237 * MD5 authentication of an ntpd
   3238 * Broadcast and crypto
   3239 * OpenSSL support
   3240 
   3241 ---
   3242 NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09)
   3243 
   3244 Focus: Bug fixes, portability fixes, and documentation improvements
   3245 
   3246 Severity: Medium
   3247 
   3248 This is a recommended upgrade.
   3249 
   3250 ---
   3251 NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   3252 
   3253 Focus: enhancements and bug fixes.
   3254 
   3255 ---
   3256 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   3257 
   3258 Focus: Security Fixes
   3259 
   3260 Severity: HIGH
   3261 
   3262 This release fixes the following high-severity vulnerability:
   3263 
   3264 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
   3265 
   3266   See http://support.ntp.org/security for more information.
   3267 
   3268   NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
   3269   In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
   3270   transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
   3271   request or a mode 7 error response from an address which is not listed
   3272   in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
   3273   reply with a mode 7 error response (and log a message).  In this case:
   3274 
   3275 	* If an attacker spoofs the source address of ntpd host A in a
   3276 	  mode 7 response packet sent to ntpd host B, both A and B will
   3277 	  continuously send each other error responses, for as long as
   3278 	  those packets get through.
   3279 
   3280 	* If an attacker spoofs an address of ntpd host A in a mode 7
   3281 	  response packet sent to ntpd host A, A will respond to itself
   3282 	  endlessly, consuming CPU and logging excessively.
   3283 
   3284   Credit for finding this vulnerability goes to Robin Park and Dmitri
   3285   Vinokurov of Alcatel-Lucent.
   3286 
   3287 THIS IS A STRONGLY RECOMMENDED UPGRADE.
   3288 
   3289 ---
   3290 ntpd now syncs to refclocks right away.
   3291 
   3292 Backward-Incompatible changes:
   3293 
   3294 ntpd no longer accepts '-v name' or '-V name' to define internal variables.
   3295 Use '--var name' or '--dvar name' instead. (Bug 817)
   3296 
   3297 ---
   3298 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04)
   3299 
   3300 Focus: Security and Bug Fixes
   3301 
   3302 Severity: HIGH
   3303 
   3304 This release fixes the following high-severity vulnerability:
   3305 
   3306 * [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
   3307 
   3308   See http://support.ntp.org/security for more information.
   3309 
   3310   If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
   3311   line) then a carefully crafted packet sent to the machine will cause
   3312   a buffer overflow and possible execution of injected code, running
   3313   with the privileges of the ntpd process (often root).
   3314 
   3315   Credit for finding this vulnerability goes to Chris Ries of CMU.
   3316 
   3317 This release fixes the following low-severity vulnerabilities:
   3318 
   3319 * [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
   3320   Credit for finding this vulnerability goes to Geoff Keating of Apple.
   3321   
   3322 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
   3323   Credit for finding this issue goes to Dave Hart.
   3324 
   3325 This release fixes a number of bugs and adds some improvements:
   3326 
   3327 * Improved logging
   3328 * Fix many compiler warnings
   3329 * Many fixes and improvements for Windows
   3330 * Adds support for AIX 6.1
   3331 * Resolves some issues under MacOS X and Solaris
   3332 
   3333 THIS IS A STRONGLY RECOMMENDED UPGRADE.
   3334 
   3335 ---
   3336 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07)
   3337 
   3338 Focus: Security Fix
   3339 
   3340 Severity: Low
   3341 
   3342 This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
   3343 the OpenSSL library relating to the incorrect checking of the return
   3344 value of EVP_VerifyFinal function.
   3345 
   3346 Credit for finding this issue goes to the Google Security Team for
   3347 finding the original issue with OpenSSL, and to ocert.org for finding
   3348 the problem in NTP and telling us about it.
   3349 
   3350 This is a recommended upgrade.
   3351 ---
   3352 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17)
   3353 
   3354 Focus: Minor Bugfixes 
   3355 
   3356 This release fixes a number of Windows-specific ntpd bugs and 
   3357 platform-independent ntpdate bugs. A logging bugfix has been applied
   3358 to the ONCORE driver.
   3359 
   3360 The "dynamic" keyword is now obsolete and deferred binding to local 
   3361 interfaces is the new default. The minimum time restriction for the 
   3362 interface update interval has been dropped. 
   3363 
   3364 A number of minor build system and documentation fixes are included. 
   3365 
   3366 This is a recommended upgrade for Windows. 
   3367 
   3368 ---
   3369 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10)
   3370 
   3371 Focus: Minor Bugfixes
   3372 
   3373 This release updates certain copyright information, fixes several display
   3374 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
   3375 shutdown in the parse refclock driver, removes some lint from the code,
   3376 stops accessing certain buffers immediately after they were freed, fixes
   3377 a problem with non-command-line specification of -6, and allows the loopback
   3378 interface to share addresses with other interfaces.
   3379 
   3380 ---
   3381 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29)
   3382 
   3383 Focus: Minor Bugfixes
   3384 
   3385 This release fixes a bug that made it difficult to
   3386 terminate ntpd under Windows.
   3387 This is a recommended upgrade for Windows.
   3388 
   3389 ---
   3390 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19)
   3391 
   3392 Focus: Minor Bugfixes
   3393 
   3394 This release fixes a multicast mode authentication problem, 
   3395 an error in NTP packet handling on Windows that could lead to 
   3396 ntpd crashing, and several other minor bugs. Handling of 
   3397 multicast interfaces and logging configuration were improved. 
   3398 The required versions of autogen and libopts were incremented.
   3399 This is a recommended upgrade for Windows and multicast users.
   3400 
   3401 ---
   3402 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31)
   3403 
   3404 Focus: enhancements and bug fixes.
   3405 
   3406 Dynamic interface rescanning was added to simplify the use of ntpd in 
   3407 conjunction with DHCP. GNU AutoGen is used for its command-line options 
   3408 processing. Separate PPS devices are supported for PARSE refclocks, MD5 
   3409 signatures are now provided for the release files. Drivers have been 
   3410 added for some new ref-clocks and have been removed for some older 
   3411 ref-clocks. This release also includes other improvements, documentation 
   3412 and bug fixes. 
   3413 
   3414 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 
   3415 C support.
   3416 
   3417 ---
   3418 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15)
   3419 
   3420 Focus: enhancements and bug fixes.
   3421