NEWS revision 1.1.1.16
---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)

Focus: Security, Bug fixes

Severity: MEDIUM

This release fixes one vulnerability: Associations that use CMAC
authentication between ntpd from versions 4.2.8p11/4.3.97 and
4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
Eventually, ntpd will run out of memory and abort.

It also fixes 13 other bugs.

* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
  - Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
  - rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
  - integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
  ntp_config.h <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
  - thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
  - applied patch by Takao Abe

---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that causes an ntpd
instance that is explicitly configured to override the default and allow
ntpdc (mode 7) connections to be made to a server to read some uninitialized
memory; fixes the case where an unmonitored ntpd using an unauthenticated
association to its servers may be susceptible to a forged packet DoS attack;
and fixes an attack against a client instance that uses a single
unauthenticated time source.  It also fixes 46 other bugs and addresses
4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
	ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
             is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
	     mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

---
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
            other TrustedBSD platforms
 - applied patch by Ian Lepore <perlinger@ntp.org>
 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
 - changed interaction with SCM to signal pending startup
 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
 - rework of ntpq 'nextvar()' key/value parsing
 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
 - add #define ENABLE_CMAC support in configure.  HStenn.
 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
 - patch by Stephen Friedl
 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
 - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
 - initial patch by Hal Murray; also fixed refclock_report() trouble
 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
 with modifications
 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
 - applied patch by Miroslav Lichvar
 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
 - integrated patch by Reinhard Max
 [Bug 2821] minor build issues <perlinger@ntp.org>
 - applied patches by Christos Zoulas, including real bug fixes
 html/authopt.html: cleanup, from <stenn@ntp.org>
 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>

---
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
	association (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3454 / CVE-2018-7185 / VU#961909
   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
	2.9 and 6.8.
   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
	score between 2.6 and 3.1
   Summary:
	The NTP Protocol allows for both non-authenticated and
	authenticated associations, in client/server, symmetric (peer),
	and several broadcast modes. In addition to the basic NTP
	operational modes, symmetric mode and broadcast servers can
	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
	was inadvertently introduced into the protocol engine that
	allows a non-authenticated zero-origin (reset) packet to reset
	an authenticated interleaved peer association. If an attacker
	can send a packet with a zero-origin timestamp and the source
	IP address of the "other side" of an interleaved association,
	the 'victim' ntpd will reset its association. The attacker must
	continue sending these packets in order to maintain the
	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
	interleaved mode must be explicitly configured/enabled.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade to 4.2.8p11 or later and have
	    'peer HOST xleave' lines in your ntp.conf file, remove the
	    'xleave' option.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
   	This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
	state (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3453 / CVE-2018-7184 / VU#961909
   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
	Could score between 2.9 and 6.8.
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
	Could score between 2.6 and 6.0.
   Summary:
   	The fix for NtpBug2952 was incomplete, and while it fixed one
	problem it created another.  Specifically, it drops bad packets
	before updating the "received" timestamp.  This means a
	third-party can inject a packet with a zero-origin timestamp,
	meaning the sender wants to reset the association, and the
	transmit timestamp in this bogus packet will be saved as the
	most recent "received" timestamp.  The real remote peer does
	not know this value and this will disrupt the association until
	the association resets.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Use authentication with 'peer' mode.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
   	This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
	peering (LOW)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3415 / CVE-2018-7170 / VU#961909
   	       Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
   Summary:
	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
	use a trustedkey and if one is not using the feature introduced in
	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
	specify which IPs can serve time, a malicious authenticated peer
	-- i.e. one where the attacker knows the private symmetric key --
	can create arbitrarily-many ephemeral associations in order to win
	the clock selection of ntpd and modify a victim's clock.  Three
	additional protections are offered in ntp-4.2.8p11.  One is the
	new 'noepeer' directive, which disables symmetric passive
	ephemeral peering. Another is the new 'ippeerlimit' directive,
	which limits the number of peers that can be created from an IP.
	The third extends the functionality of the 4th field in the
	ntp.keys file to include specifying a subnet range.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Use the 'noepeer' directive to prohibit symmetric passive
	    ephemeral associations.
	Use the 'ippeerlimit' directive to limit the number of peers
	    that can be created from an IP.
	Use the 4th argument in the ntp.keys file to limit the IPs and
	    subnets that can be time servers.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was reported as Bug 3012 by Matthew Van Gundy of
	Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3414 / CVE-2018-7183 / VU#961909
   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
   Summary:
   	ntpq is a monitoring and control program for ntpd.  decodearr()
	is an internal function of ntpq that is used to -- wait for it --
	decode an array in a response string when formatted data is being
	displayed.  This is a problem in affected versions of ntpq if a
	maliciously-altered ntpd returns an array result that will trip this
	bug, or if a bad actor is able to read an ntpq request on its way to
	a remote ntpd server and forge and send a response before the remote
	ntpd sends its response.  It's potentially possible that the
	malicious data could become injectable/executable code.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
   Credit:
	This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
	behavior and information leak (Info/Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3412 / CVE-2018-7182 / VU#961909
   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
	0.0 if C:N
   Summary:
	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
	A malicious mode 6 packet can be sent to an ntpd instance, and
	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
	cause ctl_getitem() to read past the end of its buffer.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
   	This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
   Also see Bug 3415, above.
   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   Summary:
	ntpd can be vulnerable to Sybil attacks.  If a system is set up
	to use a trustedkey and if one is not using the feature
	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
	ntp.keys file to specify which IPs can serve time, a malicious
	authenticated peer -- i.e. one where the attacker knows the
	private symmetric key -- can create arbitrarily-many ephemeral
	associations in order to win the clock selection of ntpd and
	modify a victim's clock.  Two additional protections are
	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
	disables symmetric passive ephemeral peering. The other extends
	the functionality of the 4th field in the ntp.keys file to
	include specifying a subnet range.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
	    the NTP Public Services Project Download Page.
	Use the 'noepeer' directive to prohibit symmetric passive
	    ephemeral associations.
	Use the 'ippeerlimit' directive to limit the number of peer
	    associations from an IP.
	Use the 4th argument in the ntp.keys file to limit the IPs
	    and subnets that can be time servers.
	Properly monitor your ntpd instances.
   Credit:
   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

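The following ntp.conf / ntp.keys pair is an added, constructed example of the mitigations listed for Bugs 3415 and 3012 above (and the "use authentication with 'peer' mode" and "remove 'xleave'" advice for Bugs 3453 and 3454); it is not part of the NTP distribution or this NEWS file. It shows the weak setup (a trusted key with no IP restriction and unlimited ephemeral peering) next to the hardened one using noepeer, ippeerlimit and the ntp.keys 4th field with a .../N subnet. Placing noepeer and ippeerlimit on a restrict line follows the 4.2.8p11 ntp.conf documentation as I recall it and should be checked against the docs shipped with the installed version; the host names, addresses and key material are made up.

```conf
# --- ntp.conf (constructed example; hosts, addresses and key ids are made up) ---

# Weak (the condition described in Bug 3012 / Bug 3415): a trusted key with
# no IP restriction in ntp.keys, and a default restrict line that lets any
# holder of key 1 mobilize as many ephemeral symmetric-passive associations
# as it likes, plus an interleaved peer (Bug 3454 / Bug 3453).
#
#   keys /etc/ntp.keys
#   trustedkey 1
#   restrict default kod nomodify notrap nopeer noquery
#   peer peer-a.example.net key 1 xleave

# Hardened:
keys /etc/ntp.keys
trustedkey 1

# nopeer refuses unauthenticated mobilization requests; noepeer additionally
# refuses ephemeral (symmetric-passive) peering even from an authenticated
# source; ippeerlimit caps the associations one source IP may create.
# The value 1 is an example: pick what your deployment needs.
# Explicitly configured peer/server lines below are not affected.
restrict default kod nomodify notrap nopeer noepeer noquery ippeerlimit 1
restrict 127.0.0.1
restrict ::1

# Authenticated symmetric peer; 'xleave' is deliberately omitted, since
# before 4.2.8p11 an unauthenticated zero-origin packet could reset an
# interleaved association.
peer peer-a.example.net key 1

# "Have enough sources of time": several independent, authenticated
# servers instead of a single unauthenticated source.
server time1.example.net key 1 iburst
server time2.example.net key 1 iburst
server time3.example.net key 1 iburst

# --- /etc/ntp.keys (constructed; the key value is a placeholder) ---
# keyno  type  key                                        4th field: IPs/subnets
#                                                         allowed to serve time
# 1      SHA1  0123456789abcdef0123456789abcdef01234567   192.0.2.0/24
```

The 4th field is what turns "anyone who knows key 1" into "hosts in 192.0.2.0/24 that know key 1": a captured or leaked symmetric key used from outside that subnet can no longer win the clock selection. Keep the ntp.keys file readable only by the ntpd user, and have the supervisor that restarts ntpd do so without -g, as the Mitigation sections above advise.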
* Bug fixes:
 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
 - applied patch by Sean Haugh
 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
 - refactoring the MAC code, too
 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
 - applied patch by ggarvey
 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
 - applied patch by ggarvey (with minor mods)
 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
 - fixed several issues with hash algos in ntpd, sntp, ntpq,
   ntpdc and the test suites <perlinger@ntp.org>
 [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
 - initial patch by Daniel Pouzzner
 [Bug 3423] QNX adjtime() implementation error checking is
 wrong <perlinger@ntp.org>
 [Bug 3417] ntpq ifstats packet counters can be negative
 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
 - raised receive buffer size to 1200 <perlinger@ntp.org>
 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
 analysis tool. <abe@ntp.org>
 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
 - fix/drop assumptions on OpenSSL libs directory layout
 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
 - patch contributed by Alexander Bluhm
 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
 rework of formatting & data transfer stuff in 'ntp_control.c'
 avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
 [Bug 3394] Leap second deletion does not work on ntpd clients
 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
 - increased minimum stack size to 32kB <perlinger@ntp.org>
 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
 - reverted handling of PPS kernel consumer to 4.2.6 behavior
 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
 [Bug 3016] wrong error position reported for bad ":config pool"
 - fixed location counter & ntpq output <perlinger@ntp.org>
 [Bug 2900] libntp build order problem.  HStenn.
 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
 perlinger@ntp.org
 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
 Use strlcpy() to copy strings, not memcpy().  HStenn.
 Typos.  HStenn.
 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
 Fix trivial warnings from 'make check'. perlinger@ntp.org
 Fix bug in the override portion of the compiler hardening macro. HStenn.
 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
 sntp: tweak key file logging.  HStenn.
 sntp: pkt_output(): Improve debug output.  HStenn.
 update-leap: updates from Paul McMath.
 When using pkg-config, report --modversion.  HStenn.
 Clean up libevent configure checks.  HStenn.
 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
 authistrustedip() - use it in more places.  HStenn, JPerlinger.
 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
 Update ntp.keys .../N documentation.  HStenn.
 Distribute testconf.yml.  HStenn.
 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
 Rename the configuration flag fifo variables.  HStenn.
    552  Improve saveconfig output.  HStenn.
    553  Decode restrict flags on receive() debug output.  HStenn.
    554  Decode interface flags on receive() debug output.  HStenn.
    555  Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
    556  Update the documentation in ntp.conf.def .  HStenn.
    557  restrictions() must return restrict flags and ippeerlimit.  HStenn.
    558  Update ntpq peer documentation to describe the 'p' type.  HStenn.
    559  Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
    560  Provide dump_restricts() for debugging.  HStenn.
    561  Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
    562 
    563 * Other items:
    564 
    565 * update-leap needs the following perl modules:
    566 	Net::SSLeay
    567 	IO::Socket::SSL
    568 
    569 * New sysstats variables: sys_lamport, sys_tsrounding
    570 See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
    571 sys_lamport counts the number of observed Lamport violations, while
    572 sys_tsrounding counts observed timestamp rounding events.
    573 
    574 * New ntp.conf items:
    575 
    576 - restrict ... noepeer
    577 - restrict ... ippeerlimit N
    578 
    579 The 'noepeer' directive will disallow all ephemeral/passive peer
    580 requests.
    581 
    582 The 'ippeerlimit' directive limits the number of time associations
    583 for each IP in the designated set of addresses.  This limit does not
    584 apply to explicitly-configured associations.  A value of -1, the current
    585 default, means an unlimited number of associations may connect from a
    586 single IP.  0 means "none", etc.  Ordinarily the only way multiple
    587 associations would come from the same IP would be if the remote side
    588 was using a proxy.  But a trusted machine might become compromised,
    589 in which case an attacker might spin up multiple authenticated sessions
    590 from different ports.  This directive should be helpful in this case.
    591 
    592 * New ntp.keys feature: Each IP in the optional list of IPs in the 4th
    593 field may contain a /subnetbits specification, which identifies the
    594 scope of IPs that may use this key.  This IP/subnet restriction can be
    595 used to limit the IPs that may use the key in almost all situations where
    596 a key is used.
    597 --
    598 NTP 4.2.8p10 (Harlan Stenn <stenn (a] ntp.org>, 2017/03/21) 
    599 
    600 Focus: Security, Bug fixes, enhancements.
    601 
    602 Severity: MEDIUM
    603 
    604 This release fixes 5 medium-, 6 low-, and 4 informational-severity
    605 vulnerabilities, and provides 15 other non-security fixes and improvements:
    606 
    607 * NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
    608    Date Resolved: 21 Mar 2017
    609    References: Sec 3389 / CVE-2017-6464 / VU#325339
    610    Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
    611 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    612    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
    613    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    614    Summary:
    615 	A vulnerability found in the NTP server makes it possible for an
    616 	authenticated remote user to crash ntpd via a malformed mode
    617 	configuration directive.
    618    Mitigation:
    619 	Implement BCP-38.
    620 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    621 	    the NTP Public Services Project Download Page
    622 	Properly monitor your ntpd instances, and auto-restart
    623 	    ntpd (without -g) if it stops running. 
    624    Credit:
    625 	This weakness was discovered by Cure53. 
    626 
    627 * NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
    628    Date Resolved: 21 Mar 2017
    629    References: Sec 3388 / CVE-2017-6462 / VU#325339
    630    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
    631    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
    632    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
    633     Summary:
    634 	There is a potential for a buffer overflow in the legacy Datum
    635 	Programmable Time Server refclock driver.  Here the packets are
    636 	processed from the /dev/datum device and handled in
    637 	datum_pts_receive().  Since an attacker would be required to
    638 	somehow control a malicious /dev/datum device, this does not
    639 	appear to be a practical attack and renders this issue "Low" in
    640 	terms of severity.
    641    Mitigation:
    642 	If you have a Datum reference clock installed and think somebody
    643 	    may maliciously change the device, upgrade to 4.2.8p10, or
    644 	    later, from the NTP Project Download Page or the NTP Public
    645 	    Services Project Download Page
    646 	Properly monitor your ntpd instances, and auto-restart
    647 	    ntpd (without -g) if it stops running. 
    648    Credit:
    649 	This weakness was discovered by Cure53. 
    650 
    651 * NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
    652    Date Resolved: 21 Mar 2017
    653    References: Sec 3387 / CVE-2017-6463 / VU#325339
    654    Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
    655 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    656    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
    657    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    658    Summary:
    659 	A vulnerability found in the NTP server allows an authenticated
    660 	remote attacker to crash the daemon by sending an invalid setting
    661 	via the :config directive.  The unpeer option expects a number or
    662 	an address as an argument.  In case the value is "0", a
    663 	segmentation fault occurs.
    664    Mitigation:
    665 	Implement BCP-38.
    666 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    667 	    or the NTP Public Services Project Download Page 
    668 	Properly monitor your ntpd instances, and auto-restart
    669 	    ntpd (without -g) if it stops running. 
    670    Credit:
    671 	This weakness was discovered by Cure53. 
    672 
    673 * NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
    674    Date Resolved: 21 Mar 2017
    675    References: Sec 3386
    676    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    677 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    678    CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
    679    CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
    680    Summary:
    681 	The NTP Mode 6 monitoring and control client, ntpq, uses the
    682 	function ntpq_stripquotes() to remove quotes and escape characters
    683 	from a given string.  According to the documentation, the function
    684 	is supposed to return the number of copied bytes but due to
    685 	incorrect pointer usage this value is always zero.  Although the
    686 	return value of this function is never used in the code, this
    687 	flaw could lead to a vulnerability in the future.  Since relying
    688 	on wrong return values when performing memory operations is a
    689 	dangerous practice, it is recommended to return the correct value
    690 	in accordance with the documentation pertinent to the code.
    691    Mitigation:
    692 	Implement BCP-38.
    693 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    694 	    or the NTP Public Services Project Download Page
    695 	Properly monitor your ntpd instances, and auto-restart
    696 	    ntpd (without -g) if it stops running. 
    697    Credit:
    698 	This weakness was discovered by Cure53. 
    699 
    700 * NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
    701    Date Resolved: 21 Mar 2017
    702    References: Sec 3385
    703    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    704 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    705    Summary:
    706 	NTP makes use of several wrappers around the standard heap memory
    707 	allocation functions that are provided by libc.  This is mainly
    708 	done to introduce additional safety checks concentrated on
    709 	several goals.  First, they seek to ensure that memory is not
    710 	accidentally freed, secondly they verify that a correct amount
    711 	is always allocated and, thirdly, that allocation failures are
    712 	correctly handled.  There is an additional implementation for
    713 	scenarios where memory for a specific amount of items of the
    714 	same size needs to be allocated.  The handling can be found in
    715 	the oreallocarray() function for which a further number-of-elements
    716 	parameter needs to be provided.  Although no considerable threat
    717 	was identified as tied to a lack of use of this function, it is
    718 	recommended to correctly apply oreallocarray() as a preferred
    719 	option across all of the locations where it is possible.
    720    Mitigation:
    721 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    722 	    or the NTP Public Services Project Download Page 
    723    Credit:
    724 	This weakness was discovered by Cure53. 
    725 
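The following is an added example, not the project's own oreallocarray()/ereallocarray() code (the helper names are invented), showing the element-count overflow check such wrappers exist to provide and why a bare realloc(p, nmemb * size) is unsafe:

```c
/* Added illustration of the element-count allocation wrapper discussed in
 * NTP-01-010. This is NOT the project's oreallocarray(); the helper names
 * are invented for this example. The overflow test is the standard
 * nmemb * size check used by reallocarray() implementations. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Does nmemb * size wrap around in size_t? */
int request_overflows(size_t nmemb, size_t size)
{
    /* Fast path: if both factors fit in half the bits, the product cannot
     * overflow; only otherwise pay for the division. */
    const size_t half = (size_t)1 << (sizeof(size_t) * 4);
    if (nmemb < half && size < half)
        return 0;
    return nmemb != 0 && SIZE_MAX / nmemb < size;
}

/* What a bare realloc(p, nmemb * size) actually asks for: the product
 * reduced modulo SIZE_MAX + 1. With a wrapped count the allocation
 * succeeds but is far too small, and later element writes run off its
 * end. Pure arithmetic, nothing is allocated. */
size_t naive_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Checked replacement: refuse requests whose byte count would wrap, so a
 * caller can never obtain an undersized block by accident. Returns NULL
 * with errno set to ENOMEM on overflow, and NULL on allocation failure
 * like realloc(). */
void *checked_reallocarray(void *p, size_t nmemb, size_t size)
{
    if (request_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, nmemb * size);
}

/* Variant in the style of an "e"-prefixed wrapper: never returns NULL for
 * a non-empty request, exiting instead, so callers need no failure path.
 * Named exit_reallocarray here to avoid implying it is the project's own. */
void *exit_reallocarray(void *p, size_t nmemb, size_t size)
{
    void *q = checked_reallocarray(p, nmemb, size);
    if (q == NULL && nmemb != 0 && size != 0)
        exit(EXIT_FAILURE);   /* overflow or allocation failure is fatal */
    return q;
}
```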
    726 * NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
    727 	PPSAPI ONLY) (Low)
    728    Date Resolved: 21 Mar 2017
    729    References: Sec 3384 / CVE-2017-6455 / VU#325339
    730    Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
    731 	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
    732 	including ntp-4.3.94.
    733    CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
    734    CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    735    Summary:
    736 	The Windows NT port has the added capability to preload DLLs
    737 	defined in the inherited global local environment variable
    738 	PPSAPI_DLLS.  The code contained within those libraries is then
    739 	called from the NTPD service, usually running with elevated
    740 	privileges. Depending on how securely the machine is setup and
    741 	configured, if ntpd is configured to use the PPSAPI under Windows
    742 	this can easily lead to a code injection.
    743    Mitigation:
    744 	Implement BCP-38.
    745 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    746 	    or the NTP Public Services Project Download Page 
    747    Credit:
    748 	This weakness was discovered by Cure53. 
    749 
    750 * NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
    751 	installer ONLY) (Low)
    752    Date Resolved: 21 Mar 2017
    753    References: Sec 3383 / CVE-2017-6452 / VU#325339
    754    Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
    755 	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
    756 	to, but not including ntp-4.3.94.
    757    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
    758    CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
    759    Summary:
    760 	The Windows installer for NTP calls strcat(), blindly appending
    761 	the string passed to the stack buffer in the addSourceToRegistry()
    762 	function.  The stack buffer is 70 bytes smaller than the buffer
    763 	in the calling main() function.  Together with the initially
    764 	copied Registry path, the combination causes a stack buffer
    765 	overflow and effectively overwrites the stack frame.  The
    766 	passed application path is actually limited to 256 bytes by the
    767 	operating system, but this is not sufficient to assure that the
    768 	affected stack buffer is consistently protected against
    769 	overflowing at all times.
    770    Mitigation:
    771 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    772 	    or the NTP Public Services Project Download Page 
    773    Credit:
    774 	This weakness was discovered by Cure53. 
    775 
    776 * NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
    777 	installer ONLY) (Low)
    778    Date Resolved: 21 Mar 2017
    779    References: Sec 3382 / CVE-2017-6459 / VU#325339
    780    Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
    781 	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
    782 	up to, but not including ntp-4.3.94.
    783    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
    784    CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
    785    Summary:
    786 	The Windows installer for NTP calls strcpy() with an argument
    787 	that specifically contains multiple null bytes.  strcpy() only
    788 	copies a single terminating null character into the target
    789 	buffer instead of copying the required double null bytes in the
    790 	addKeysToRegistry() function.  As a consequence, a garbage
    791 	registry entry can be created.  The additional arsize parameter
    792 	is erroneously set to contain two null bytes and the following
    793 	call to RegSetValueEx() claims to be passing in a multi-string
    794 	value, though this may not be true.
    795    Mitigation:
    796 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    797 	    or the NTP Public Services Project Download Page 
    798    Credit:
    799 	This weakness was discovered by Cure53. 
    800 
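An added example (not the installer's addKeysToRegistry() code; the type, function names and sample strings are invented) of why strcpy() cannot transfer a double-NUL-terminated multi-string, and what a correct copy and validity check look like:

```c
/* Added illustration of the multi-string termination problem described in
 * NTP-01-007. This is NOT the installer's addKeysToRegistry() code; the
 * type, function names and sample strings are invented for this example. */
#include <stddef.h>
#include <string.h>

/* A multi-string (the Windows REG_MULTI_SZ layout) is a run of
 * NUL-terminated strings closed by one extra NUL: "a\0b\0\0". strlen()
 * stops at the first NUL, so the byte count must travel with the data. */
struct multisz {
    char   data[256];   /* assumed fixed capacity */
    size_t size;        /* bytes in use, including the final double NUL */
};

/* Pack n C strings into m. Returns the total byte count, or 0 if an
 * element is empty or the result (with its closing NUL) would not fit. */
size_t multisz_build(struct multisz *m, const char *const *items, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(items[i]) + 1;              /* element plus its NUL */
        if (len == 1 || len > sizeof m->data - off - 1) /* empty, or no room */
            return 0;
        memcpy(m->data + off, items[i], len);
        off += len;
    }
    m->data[off++] = '\0';                               /* closing NUL */
    m->size = off;
    return off;
}

/* The buggy transfer: a strcpy()-style copy stops at the first NUL, so only
 * the first element and a single NUL reach dst while the caller still
 * reports the full multi-string size. Returns the bytes actually copied.
 * memcpy with a computed length is used so the copy stays bounded. */
size_t copy_like_strcpy(char *dst, size_t dstcap, const struct multisz *m)
{
    size_t n = strlen(m->data) + 1;
    if (n > dstcap)
        return 0;
    memcpy(dst, m->data, n);
    return n;
}

/* The correct transfer: copy exactly m->size bytes, embedded NULs and all. */
size_t copy_multisz(char *dst, size_t dstcap, const struct multisz *m)
{
    if (m->size > dstcap)
        return 0;
    memcpy(dst, m->data, m->size);
    return m->size;
}

/* Check that buf[0..size) is a well-formed multi-string: it ends in "\0\0"
 * and no empty element (a premature "\0\0") occurs before the end. */
int multisz_valid(const char *buf, size_t size)
{
    if (size < 2 || buf[size - 1] != '\0' || buf[size - 2] != '\0')
        return 0;
    if (size > 2 && buf[0] == '\0')
        return 0;
    for (size_t i = 0; i + 2 < size; i++)
        if (buf[i] == '\0' && buf[i + 1] == '\0')
            return 0;
    return 1;
}
```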
    801 * NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
    802    References: Sec 3381
    803    Summary:
    804 	The report says: Statically included external projects
    805 	potentially introduce several problems and the issue of having
    806 	extensive amounts of code that is "dead" in the resulting binary
    807 	must clearly be pointed out.  The unnecessary unused code may or
    808 	may not contain bugs and, quite possibly, might be leveraged for
    809 	code-gadget-based branch-flow redirection exploits.  Analogically,
    810 	having source trees statically included as well means a failure
    811 	in taking advantage of the free feature for periodical updates.
    812 	This solution is offered by the system's Package Manager. The
    813 	three libraries identified are libisc, libevent, and libopts.
    814    Resolution:
    815 	For libisc, we already only use a portion of the original library.
    816 	We've found and fixed bugs in the original implementation (and
    817 	offered the patches to ISC), and plan to see what has changed
    818 	since we last upgraded the code.  libisc is generally not
    819 	installed, and when it is we usually only see the static libisc.a
    820 	file installed.  Until we know for sure that the bugs we've found
    821 	and fixed are fixed upstream, we're better off with the copy we
    822 	are using.
    823 
    824 	Version 1 of libevent was the only production version available
    825 	until recently, and we've been requiring version 2 for a long time.
    826 	But if the build system has at least version 2 of libevent
    827 	installed, we'll use the version that is installed on the system.
    828 	Otherwise, we provide a copy of libevent that we know works.
    829 
    830 	libopts is provided by GNU AutoGen, and that library and package
    831 	undergoes frequent API version updates.  The version of autogen
    832 	used to generate the tables for the code must match the API
    833 	version in libopts.  AutoGen can be ... difficult to build and
    834 	install, and very few developers really need it.  So we have it
    835 	on our build and development machines, and we provide the
    836 	specific version of the libopts code in the distribution to make
    837 	sure that the proper API version of libopts is available.
    838 
    839 	As for the point about there being code in these libraries that
    840 	NTP doesn't use, OK.  But other packages used these libraries as
    841 	well, and it is reasonable to assume that other people are paying
    842 	attention to security and code quality issues for the overall
    843 	libraries.  It takes significant resources to analyze and
    844 	customize these libraries to only include what we need, and to
    845 	date we believe the cost of this effort does not justify the benefit. 
    846    Credit:
    847 	This issue was discovered by Cure53. 
    848 
    849 * NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
    850    Date Resolved: 21 Mar 2017
    851    References: Sec 3380
    852    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    853 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    854    CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
    855    CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
    856    Summary:
    857 	There is a fencepost error in a "recovery branch" of the code for
    858 	the Oncore GPS receiver if the communication link to the ONCORE
    859 	is weak / distorted and the decoding doesn't work.
    860    Mitigation:
    861 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    862 	    the NTP Public Services Project Download Page
    863 	Properly monitor your ntpd instances, and auto-restart
    864 	    ntpd (without -g) if it stops running. 
    865    Credit:
    866 	This weakness was discovered by Cure53. 
    867 
    868 * NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
    869    Date Resolved: 21 Mar 2017
    870    References: Sec 3379 / CVE-2017-6458 / VU#325339
    871    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    872 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    873    CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
    874    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    875    Summary:
    876 	ntpd makes use of different wrappers around ctl_putdata() to
    877 	create name/value ntpq (mode 6) response strings.  For example,
    878 	ctl_putstr() is usually used to send string data (variable names
    879 	or string data).  The formatting code was missing a length check
    880 	for variable names.  If somebody explicitly created any unusually
    881 	long variable names in ntpd (longer than 200-512 bytes, depending
    882 	on the type of variable), then if any of these variables are
    883 	added to the response list it would overflow a buffer.
    884    Mitigation:
    885 	Implement BCP-38.
    886 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    887 	    or the NTP Public Services Project Download Page
    888 	If you don't want to upgrade, then don't setvar variable names
    889 	    longer than 200-512 bytes in your ntp.conf file.
    890 	Properly monitor your ntpd instances, and auto-restart
    891 	    ntpd (without -g) if it stops running. 
    892    Credit:
    893 	This weakness was discovered by Cure53. 
    894 
    895 * NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
    896    Date Resolved: 21 Mar 2017
    897    References: Sec 3378 / CVE-2017-6451 / VU#325339
    898    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    899 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    900    CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
    901    CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
    902    Summary:
    903 	The legacy MX4200 refclock is only built if it is specifically
    904 	enabled, and furthermore additional code changes are required to
    905 	compile and use it.  But it uses the libc functions snprintf()
    906 	and vsnprintf() incorrectly, which can lead to an out-of-bounds
    907 	memory write due to an improper handling of the return value of
    908 	snprintf()/vsnprintf().  Since the return value is used as an
    909 	iterator and it can be larger than the buffer's size, it is
    910 	possible for the iterator to point somewhere outside of the
    911 	allocated buffer space.  This results in an out-of-bound memory
    912 	write.  This behavior can be leveraged to overwrite a saved
    913 	instruction pointer on the stack and gain control over the
    914 	execution flow.  During testing it was not possible to identify
    915 	any malicious usage for this vulnerability.  Specifically, no
    916 	way for an attacker to exploit this vulnerability was ultimately
    917 	unveiled.  However, it has the potential to be exploited, so the
    918 	code should be fixed.
    919    Mitigation, if you have a Magnavox MX4200 refclock:
    920 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    921 	    or the NTP Public Services Project Download Page.
    922 	Properly monitor your ntpd instances, and auto-restart
    923 	    ntpd (without -g) if it stops running. 
    924    Credit:
    925 	This weakness was discovered by Cure53. 
    926 
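An added example (not the project's mx4200_send() code; the struct, function names, buffer size and sample fields are invented) contrasting the cursor arithmetic behind this bug with a clamped append that cannot overrun its buffer:

```c
/* Added illustration of the snprintf()/vsnprintf() return-value pattern
 * described in NTP-01-003. This is NOT the project's mx4200_send() code;
 * the struct, function names, buffer size and sample fields are invented. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Cursor over a fixed-size output buffer. len < cap always holds, so
 * buf[len] is the terminating NUL and at least one byte of room remains. */
struct fmtbuf {
    char  *buf;
    size_t cap;
    size_t len;
};

/* Append formatted text. snprintf() returns the length the COMPLETE output
 * would have had, not how much was stored; when that is >= the room left,
 * the output was cut short. The bug class here is advancing the cursor by
 * the return value anyway, which pushes later writes past the buffer. This
 * version clamps the cursor instead. Returns 0 on success, -1 on
 * truncation or encoding error. */
int fmtbuf_appendf(struct fmtbuf *fb, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t room = fb->cap - fb->len;   /* >= 1 by the invariant above */

    va_start(ap, fmt);
    n = vsnprintf(fb->buf + fb->len, room, fmt, ap);
    va_end(ap);

    if (n < 0) {                       /* encoding error: keep old contents */
        fb->buf[fb->len] = '\0';
        return -1;
    }
    if ((size_t)n >= room) {           /* did not fit: clamp, never overrun */
        fb->len = fb->cap - 1;
        return -1;
    }
    fb->len += (size_t)n;              /* only now is n a valid offset */
    return 0;
}

/* The cursor the buggy pattern would have reached: the plain sum of the
 * return values, computed here with a zero-size snprintf() so nothing is
 * written. Compare it against the buffer size to see the overrun. */
size_t naive_cursor(const char *f1, const char *f2)
{
    size_t off = 0;
    off += (size_t)snprintf(NULL, 0, "$%s", f1);
    off += (size_t)snprintf(NULL, 0, ",%s", f2);
    off += (size_t)snprintf(NULL, 0, "*");
    return off;
}

/* Assemble a "$f1,f2*" sentence (the shape of a receiver command) into out.
 * Returns 0 if everything fit, -1 if the result was truncated. */
int build_sentence(char *out, size_t cap, const char *f1, const char *f2)
{
    struct fmtbuf fb = { out, cap, 0 };
    int rc = 0;

    if (cap == 0)
        return -1;
    out[0] = '\0';
    rc |= fmtbuf_appendf(&fb, "$%s", f1);
    rc |= fmtbuf_appendf(&fb, ",%s", f2);
    rc |= fmtbuf_appendf(&fb, "*");
    return rc;
}

int main(void)
{
    char out[16];   /* deliberately small so the long field does not fit */
    const char *f1 = "CMD", *f2 = "0123456789ABCDEF";
    int rc = build_sentence(out, sizeof out, f1, f2);
    size_t naive = naive_cursor(f1, f2);

    printf("naive cursor %zu vs cap %zu: %s\n", naive, sizeof out,
           naive >= sizeof out ? "would write out of bounds" : "fits");
    printf("clamped result \"%s\" (rc=%d)\n", out, rc);
    return 0;
}
```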
    927 * NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
    928 	malicious ntpd (Medium)
    929    Date Resolved: 21 Mar 2017
    930    References: Sec 3377 / CVE-2017-6460 / VU#325339
    931    Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
    932 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    933    CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
    934    CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
    935    Summary:
    936 	A stack buffer overflow in ntpq can be triggered by a malicious
    937 	ntpd server when ntpq requests the restriction list from the server.
    938 	This is due to a missing length check in the reslist() function.
    939 	It occurs whenever the function parses the server's response and
    940 	encounters a flagstr variable of an excessive length.  The string
    941 	will be copied into a fixed-size buffer, leading to an overflow on
    942 	the function's stack-frame.  Note well that this problem requires
    943 	a malicious server, and affects ntpq, not ntpd.
    944    Mitigation:
    945 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    946 	    or the NTP Public Services Project Download Page
    947 	If you can't upgrade your version of ntpq, be aware that when you
    948 	    query the reslist of an ntpd instance you do not control, a
    949 	    malicious ntpd can send back a response that is intended to
    950 	    crash your ntpq process. 
    951    Credit:
    952 	This weakness was discovered by Cure53. 
    953 
    954 * NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
    955    Date Resolved: 21 Mar 2017
    956    References: Sec 3376
    957    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    958 	ntp-4.3.0 up to, but not including ntp-4.3.94.
    959    CVSS2: N/A
    960    CVSS3: N/A
    961    Summary:
    962 	The build process for NTP has not, by default, provided compile
    963 	or link flags to offer "hardened" security options.  Package
    964 	maintainers have always been able to provide hardening security
    965 	flags for their builds.  As of ntp-4.2.8p10, the NTP build
    966 	system has a way to provide OS-specific hardening flags.  Please
    967 	note that this is still not a really great solution because it
    968 	is specific to NTP builds.  It's inefficient to have every
    969 	package supply, track and maintain this information for every
    970 	target build.  It would be much better if there was a common way
    971 	for OSes to provide this information in a way that arbitrary
    972 	packages could benefit from it.
    973    Mitigation:
    974 	Implement BCP-38.
    975 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    976 	    or the NTP Public Services Project Download Page
    977 	Properly monitor your ntpd instances, and auto-restart
    978 	    ntpd (without -g) if it stops running. 
    979    Credit:
    980 	This weakness was reported by Cure53. 
    981 
    982 * 0rigin DoS (Medium)
    983    Date Resolved: 21 Mar 2017
    984    References: Sec 3361 / CVE-2016-9042 / VU#325339
    985    Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
    986    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
    987    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
    988    Summary:
    989 	An exploitable denial of service vulnerability exists in the
    990 	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
    991 	crafted unauthenticated network packet can be used to reset the
    992 	expected origin timestamp for target peers.  Legitimate replies
    993 	from targeted peers will fail the origin timestamp check (TEST2)
    994 	causing the reply to be dropped and creating a denial of service
    995 	condition.  This vulnerability can only be exploited if the
    996 	attacker can spoof all of the servers.
    997    Mitigation:
    998 	Implement BCP-38.
    999 	Configure enough servers/peers that an attacker cannot target
   1000 	    all of your time sources.
   1001 	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
   1002 	    or the NTP Public Services Project Download Page
   1003 	Properly monitor your ntpd instances, and auto-restart
   1004 	    ntpd (without -g) if it stops running. 
   1005    Credit:
   1006 	This weakness was discovered by Matthew Van Gundy of Cisco. 
   1007 
   1008 Other fixes:
   1009 
   1010 * [Bug 3393] clang scan-build findings <perlinger (a] ntp.org>
   1011 * [Bug 3363] Support for openssl-1.1.0 without compatibility modes
   1012   - rework of patch set from <ntp.org (a] eroen.eu>. <perlinger (a] ntp.org>
   1013 * [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger (a] ntp.org>
   1014 * [Bug 3216] libntp audio ioctl() args incorrectly cast to int
   1015   on 4.4BSD-Lite derived platforms <perlinger (a] ntp.org>
   1016   - original patch by Majdi S. Abbas
   1017 * [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger (a] ntp.org>
   1018 * [Bug 3173] forking async worker: interrupted pipe I/O <perlinger (a] ntp.org>
   1019   - initial patch by Christos Zoulas
   1020 * [Bug 3139] (...) time_pps_create: Exec format error <perlinger (a] ntp.org>
   1021   - move loader API from 'inline' to proper source
   1022   - augment pathless dlls with absolute path to NTPD
   1023   - use 'msyslog()' instead of 'printf()' for reporting trouble
   1024 * [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger (a] ntp.org>
   1025   - applied patch by Matthew Van Gundy
   1026 * [Bug 3065] Quiet warnings on NetBSD <perlinger (a] ntp.org>
   1027   - applied some of the patches provided by Havard. Not all of them
   1028     still match the current code base, and I did not touch libopt.
   1029 * [Bug 3062] Change the process name of forked DNS worker <perlinger (a] ntp.org>
   1030   - applied patch by Reinhard Max. See bugzilla for limitations.
   1031 * [Bug 2923] Trap Configuration Fail <perlinger (a] ntp.org>
   1032   - fixed dependency inversion from [Bug 2837]
   1033 * [Bug 2896] Nothing happens if minsane < maxclock < minclock
   1034   - produce ERROR log message about dysfunctional daemon. <perlinger (a] ntp.org>
   1035 * [Bug 2851] allow -4/-6 on restrict line with mask <perlinger (a] ntp.org>
   1036   - applied patch by Miroslav Lichvar for ntp4.2.6 compat
   1037 * [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
   1038   - Fixed these and some more locations of this pattern.
   1039     Probably didn't get them all, though. <perlinger (a] ntp.org>
   1040 * Update copyright year.
   1041 
   1042 --
   1043 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn (a] ntp.org>
   1044 
   1045 * [Bug 3144] NTP does not build without openSSL. <perlinger (a] ntp.org>
   1046   - added missed changeset for automatic openssl lib detection
   1047   - fixed some minor warning issues
   1048 * [Bug 3095] More compatibility with openssl 1.1. <perlinger (a] ntp.org>
   1049 * configure.ac cleanup.  stenn (a] ntp.org
   1050 * openssl configure cleanup.  stenn (a] ntp.org
   1051 
   1052 --
   1053 NTP 4.2.8p9 (Harlan Stenn <stenn (a] ntp.org>, 2016/11/21) 
   1054 
   1055 Focus: Security, Bug fixes, enhancements.
   1056 
   1057 Severity: HIGH
   1058 
   1059 In addition to bug fixes and enhancements, this release fixes the
   1060 following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
   1061 5 low-severity vulnerabilities, and provides 28 other non-security
   1062 fixes and improvements:
   1063 
   1064 * Trap crash
   1065    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1066    References: Sec 3119 / CVE-2016-9311 / VU#633847
   1067    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
   1068 	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
   1069    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
   1070    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
   1071    Summary: 
   1072 	ntpd does not enable trap service by default. If trap service
   1073 	has been explicitly enabled, an attacker can send a specially
   1074 	crafted packet to cause a null pointer dereference that will
   1075 	crash ntpd, resulting in a denial of service. 
   1076    Mitigation:
   1077 	Implement BCP-38.
   1078 	Use "restrict default noquery ..." in your ntp.conf file. Only
   1079 	    allow mode 6 queries from trusted networks and hosts. 
   1080 	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1081 	    or the NTP Public Services Project Download Page
   1082 	Properly monitor your ntpd instances, and auto-restart ntpd
   1083 	    (without -g) if it stops running. 
   1084    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1085 
   1086 * Mode 6 information disclosure and DDoS vector
   1087    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1088    References: Sec 3118 / CVE-2016-9310 / VU#633847
   1089    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
   1090 	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
   1091    CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   1092    CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   1093    Summary: 
   1094 	An exploitable configuration modification vulnerability exists
   1095 	in the control mode (mode 6) functionality of ntpd. If, against
   1096 	long-standing BCP recommendations, "restrict default noquery ..."
   1097 	is not specified, a specially crafted control mode packet can set
   1098 	ntpd traps, providing information disclosure and DDoS
   1099 	amplification, and unset ntpd traps, disabling legitimate
   1100 	monitoring. A remote, unauthenticated, network attacker can
   1101 	trigger this vulnerability. 
   1102    Mitigation:
   1103         Implement BCP-38.
   1104 	Use "restrict default noquery ..." in your ntp.conf file.
   1105         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1106 	    or the NTP Public Services Project Download Page
   1107         Properly monitor your ntpd instances, and auto-restart ntpd
   1108 	    (without -g) if it stops running. 
   1109    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1110 
   1111 * Broadcast Mode Replay Prevention DoS
   1112    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1113    References: Sec 3114 / CVE-2016-7427 / VU#633847
   1114    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 
   1115 	ntp-4.3.90 up to, but not including ntp-4.3.94.
   1116    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   1117    CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   1118    Summary: 
   1119 	The broadcast mode of NTP is expected to only be used in a
   1120 	trusted network. If the broadcast network is accessible to an
   1121 	attacker, a potentially exploitable denial of service
   1122 	vulnerability in ntpd's broadcast mode replay prevention
   1123 	functionality can be abused. An attacker with access to the NTP
   1124 	broadcast domain can periodically inject specially crafted
   1125 	broadcast mode NTP packets into the broadcast domain which,
   1126 	while being logged by ntpd, can cause ntpd to reject broadcast
   1127 	mode packets from legitimate NTP broadcast servers. 
   1128    Mitigation:
   1129         Implement BCP-38.
   1130         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1131 	    or the NTP Public Services Project Download Page
   1132         Properly monitor your ntpd instances, and auto-restart ntpd
   1133 	    (without -g) if it stops running. 
   1134    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1135 
   1136 * Broadcast Mode Poll Interval Enforcement DoS
   1137    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1138    References: Sec 3113 / CVE-2016-7428 / VU#633847
   1139    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
   1140 	ntp-4.3.90 up to, but not including ntp-4.3.94
   1141    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   1142    CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   1143    Summary: 
   1144 	The broadcast mode of NTP is expected to only be used in a
   1145 	trusted network. If the broadcast network is accessible to an
   1146 	attacker, a potentially exploitable denial of service
   1147 	vulnerability in ntpd's broadcast mode poll interval enforcement
   1148 	functionality can be abused. To limit abuse, ntpd restricts the
   1149 	rate at which each broadcast association will process incoming
   1150 	packets. ntpd will reject broadcast mode packets that arrive
   1151 	before the poll interval specified in the preceding broadcast
   1152 	packet expires. An attacker with access to the NTP broadcast
   1153 	domain can send specially crafted broadcast mode NTP packets to
   1154 	the broadcast domain which, while being logged by ntpd, will
   1155 	cause ntpd to reject broadcast mode packets from legitimate NTP
   1156 	broadcast servers. 
   1157    Mitigation:
   1158         Implement BCP-38.
   1159         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1160 	    or the NTP Public Services Project Download Page
   1161         Properly monitor your ntpd instances, and auto-restart ntpd
   1162 	    (without -g) if it stops running. 
   1163    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
   1164 
   1165 * Windows: ntpd DoS by oversized UDP packet
   1166    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1167    References: Sec 3110 / CVE-2016-9312 / VU#633847
   1168    Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
   1169 	and ntp-4.3.0 up to, but not including ntp-4.3.94. 
   1170    CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   1171    CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   1172    Summary: 
   1173 	If a vulnerable instance of ntpd on Windows receives a crafted
   1174 	malicious packet that is "too big", ntpd will stop working. 
   1175    Mitigation:
   1176         Implement BCP-38.
   1177         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1178 	    or the NTP Public Services Project Download Page
   1179         Properly monitor your ntpd instances, and auto-restart ntpd
   1180 	    (without -g) if it stops running. 
   1181    Credit: This weakness was discovered by Robert Pajak of ABB.
   1182 
   1183 * 0rigin (zero origin) issues
   1184    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1185    References: Sec 3102 / CVE-2016-7431 / VU#633847
   1186    Affects: ntp-4.2.8p8, and ntp-4.3.93.
   1187    CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
   1188    CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
   1189    Summary: 
   1190 	Zero Origin timestamp problems were fixed by Bug 2945 in
   1191 	ntp-4.2.8p6. However, subsequent timestamp validation checks
   1192 	introduced a regression in the handling of some Zero origin
   1193 	timestamp checks.
   1194    Mitigation:
   1195         Implement BCP-38.
   1196         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1197 	    or the NTP Public Services Project Download Page
   1198         Properly monitor your ntpd instances, and auto-restart ntpd
   1199 	    (without -g) if it stops running. 
   1200    Credit: This weakness was discovered by Sharon Goldberg and Aanchal
   1201 	Malhotra of Boston University.
   1202 
   1203 * read_mru_list() does inadequate incoming packet checks
   1204    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1205    References: Sec 3082 / CVE-2016-7434 / VU#633847
   1206    Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
   1207 	ntp-4.3.0 up to, but not including ntp-4.3.94.
   1208    CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   1209    CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   1210    Summary: 
   1211 	If ntpd is configured to allow mrulist query requests from a
   1212 	server that sends a crafted malicious packet, ntpd will crash
   1213 	on receipt of that crafted malicious mrulist query packet.
   1214    Mitigation:
   1215 	Only allow mrulist query packets from trusted hosts.
   1216         Implement BCP-38.
   1217         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1218 	    or the NTP Public Services Project Download Page
   1219         Properly monitor your ntpd instances, and auto-restart ntpd
   1220 	    (without -g) if it stops running. 
   1221    Credit: This weakness was discovered by Magnus Stubman.
   1222 
   1223 * Attack on interface selection
   1224    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1225    References: Sec 3072 / CVE-2016-7429 / VU#633847
   1226    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   1227 	ntp-4.3.0 up to, but not including ntp-4.3.94
   1228    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1229    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1230    Summary: 
   1231 	When ntpd receives a server response on a socket that corresponds
   1232 	to a different interface than was used for the request, the peer
   1233 	structure is updated to use the interface for new requests. If
   1234 	ntpd is running on a host with multiple interfaces in separate
   1235 	networks and the operating system doesn't check source address in
   1236 	received packets (e.g. rp_filter on Linux is set to 0), an
   1237 	attacker that knows the address of the source can send a packet
   1238 	with spoofed source address which will cause ntpd to select wrong
   1239 	interface for the source and prevent it from sending new requests
   1240 	until the list of interfaces is refreshed, which happens on
   1241 	routing changes or every 5 minutes by default. If the attack is
   1242 	repeated often enough (once per second), ntpd will not be able to
   1243 	synchronize with the source.
   1244    Mitigation:
   1245         Implement BCP-38.
   1246         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1247 	    or the NTP Public Services Project Download Page
   1248 	If you are going to configure your OS to disable source address
   1249 	    checks, also configure your firewall configuration to control
   1250 	    what interfaces can receive packets from what networks.
   1251         Properly monitor your ntpd instances, and auto-restart ntpd
   1252 	    (without -g) if it stops running. 
   1253    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   1254 
   1255 * Client rate limiting and server responses
   1256    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1257    References: Sec 3071 / CVE-2016-7426 / VU#633847
   1258    Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
   1259 	ntp-4.3.0 up to, but not including ntp-4.3.94
   1260    CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   1261    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   1262    Summary: 
   1263 	When ntpd is configured with rate limiting for all associations
   1264 	(restrict default limited in ntp.conf), the limits are applied
   1265 	also to responses received from its configured sources. An
   1266 	attacker who knows the sources (e.g., from an IPv4 refid in
   1267 	server response) and knows the system is (mis)configured in this
   1268 	way can periodically send packets with spoofed source address to
   1269 	keep the rate limiting activated and prevent ntpd from accepting
   1270 	valid responses from its sources. 
   1271 
   1272 	While this blanket rate limiting can be useful to prevent
   1273 	brute-force attacks on the origin timestamp, it allows this DoS
   1274 	attack. Similarly, it allows the attacker to prevent mobilization
   1275 	of ephemeral associations.  
   1276    Mitigation:
   1277         Implement BCP-38.
   1278         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1279 	    or the NTP Public Services Project Download Page
   1280         Properly monitor your ntpd instances, and auto-restart ntpd
   1281 	    (without -g) if it stops running. 
   1282    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
   1283 
   1284 * Fix for bug 2085 broke initial sync calculations 
   1285    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   1286    References: Sec 3067 / CVE-2016-7433 / VU#633847
   1287    Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
   1288 	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
   1289 	root-distance calculation in general is incorrect in all versions
   1290 	of ntp-4 until this release. 
   1291    CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
   1292    CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
   1293    Summary: 
   1294 	Bug 2085 described a condition where the root delay was included
   1295 	twice, causing the jitter value to be higher than expected. Due
   1296 	to a misinterpretation of a small-print variable in The Book, the
   1297 	fix for this problem was incorrect, resulting in a root distance
   1298 	that did not include the peer dispersion. The calculations and
   1299 	formulae have been reviewed and reconciled, and the code has been
   1300 	updated accordingly. 
   1301    Mitigation:
   1302         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
   1303 	    or the NTP Public Services Project Download Page
   1304         Properly monitor your ntpd instances, and auto-restart ntpd
   1305 	    (without -g) if it stops running. 
   1306    Credit: This weakness was discovered independently by Brian Utterback of
   1307 	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University. 
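The root-distance calculation this entry refers to, written out as an added example that is not ntpd's code: it implements the root_dist() expression of RFC 5905 (Appendix A.5.1.1) term by term, so the contribution of the peer dispersion that the earlier fix dropped is visible. PHI and MINDISP are the RFC's constants; the struct, the function names and the sample peer values are constructed for this example.

```c
#include <stdio.h>

/* Constants from RFC 5905: the clock frequency tolerance (15 ppm) and the
 * minimum dispersion increment (seconds). */
#define PHI      15e-6
#define MINDISP  0.005

/* Constructed peer state, all values in seconds; the field names follow
 * the peer variables of RFC 5905. */
struct peer_state {
    double rootdelay;  /* total round-trip delay from the peer to the root */
    double delay;      /* round-trip delay between us and the peer */
    double rootdisp;   /* dispersion from the peer to the root */
    double disp;       /* the peer's own filter dispersion */
    double jitter;     /* RMS of offset differences over the filter window */
    double t;          /* time of the last valid sample from this peer */
};

static double max_d(double a, double b)
{
    return a > b ? a : b;
}

/* Root distance as RFC 5905 defines it: half the total round-trip delay,
 * plus every dispersion term (root, peer, and the dispersion that has
 * accrued at rate PHI since the last update), plus the peer jitter. */
double root_dist(const struct peer_state *p, double now)
{
    return max_d(MINDISP, p->rootdelay + p->delay) / 2
         + p->rootdisp
         + p->disp
         + PHI * (now - p->t)
         + p->jitter;
}

/* The same sum with the peer dispersion left out, which is the omission
 * the advisory describes. It exists only to show the size of the gap and
 * is not the earlier ntpd code. */
double root_dist_missing_disp(const struct peer_state *p, double now)
{
    return root_dist(p, now) - p->disp;
}

/* Constructed sample: 10 ms root delay, 2 ms peer delay, 5 ms root
 * dispersion, 1 ms peer dispersion, 0.5 ms jitter, last update at t=1000. */
struct peer_state sample_peer(void)
{
    struct peer_state p = { 0.010, 0.002, 0.005, 0.001, 0.0005, 1000.0 };
    return p;
}

/* Evaluated 64 s after the sample's last update. */
double sample_root_dist(void)
{
    struct peer_state p = sample_peer();
    return root_dist(&p, 1064.0);
}

double sample_root_dist_missing(void)
{
    struct peer_state p = sample_peer();
    return root_dist_missing_disp(&p, 1064.0);
}

int main(void)
{
    printf("root distance            %.6f s\n", sample_root_dist());
    printf("without peer dispersion  %.6f s\n", sample_root_dist_missing());
    return 0;
}
```

With the sample values the correct distance is 0.006 (half of 12 ms) + 0.005 + 0.001 + 0.00096 (64 s at 15 ppm) + 0.0005 = 13.46 ms; dropping the peer dispersion understates it by the full 1 ms, which is why a client could treat a poorly measured peer as better than it is.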

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger (a] ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn (a] ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger (a] ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger (a] ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger (a] ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger (a] ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger (a] ntp.org>
  - applied patches by Kurt Roeckx <kurt (a] roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger (a] ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger (a] ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont (a] gmail.com>
* [Bug 3067] Root distance calculation needs improvement.  HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger (a] ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger (a] ntp.org>
  - applied patch by Brian Utterback <brian.utterback (a] oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger (a] ntp.org>
  - patches by Reinhard Max <max (a] suse.com> and Havard Eidnes <he (a] uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe (a] ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger (a] ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger (a] ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger (a] ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
             even if it is very old <perlinger (a] ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn (a] ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3046 / CVE-2016-4957 / VU#321640
   Affects: ntp-4.2.8p7, and ntp-4.3.92.
   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
        could cause ntpd to crash.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        If you cannot upgrade from 4.2.8p7, the only other alternatives
            are to patch your code or filter CRYPTO_NAK packets.
        Properly monitor your ntpd instances, and auto-restart ntpd
            (without -g) if it stops running.
   Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3045 / CVE-2016-4953 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
        ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who knows the origin timestamp and can send a
        spoofed packet containing a CRYPTO-NAK to an ephemeral peer
        target before any other response is sent can demobilize that
        association.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3044 / CVE-2016-4954 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
        ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who is able to spoof packets with correct origin
        timestamps from enough servers before the expected response
        packets arrive at the target machine can affect some peer
        variables and, for example, cause a false leap indication to be set.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3043 / CVE-2016-4955 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
        ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who is able to spoof a packet with a correct
        origin timestamp before the expected response packet arrives at
        the target machine can send a CRYPTO_NAK or a bad MAC and cause
        the association's peer variables to be cleared. If this can be
        done often enough, it will prevent that association from working.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3042 / CVE-2016-4956 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
        ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: The fix for NtpBug2978 does not cover broadcast associations,
        so broadcast clients can be triggered to flip into interleave mode.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger (a] ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file.  Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary.  HStenn.
* Make sure we have an "author" file for git imports.  HStenn.
* Update the sntp problem tests for MacOS.  HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn (a] ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave.  More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp.  These events have almost certainly happened in the
past, it's just that they were silently counted and not logged.  With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior.  This increased
logging can also help detect other problems, too.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2879 / CVE-2016-1550
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92
   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   Summary: Packet authentication tests have been performed using
        memcmp() or possibly bcmp(), and it is potentially possible
        for a local or perhaps LAN-based attacker to send a packet with
        an authentication payload and indirectly observe how much of
        the digest has matched.
   Mitigation:
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        Properly monitor your ntpd instances.
   Credit: This weakness was discovered independently by Loganaden
        Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
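The two ways of checking a packet MAC that this entry contrasts, as an added example that is not taken from ntpd: mac_equal_memcmp() shows the memcmp() pattern the advisory describes, whose running time depends on how many leading digest bytes match, and mac_equal_ct() the constant-time replacement that visits every byte before deciding. DIGEST_LEN, the function names and the sample digests are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Digest length used by the sample data below; constructed for the demo. */
#define DIGEST_LEN 20

/* The pattern the advisory describes: memcmp() returns as soon as it
 * finds a differing byte, so the time it takes leaks how long the
 * matching prefix of the received digest was. */
int mac_equal_memcmp(const uint8_t *expected, const uint8_t *received, size_t len)
{
    return memcmp(expected, received, len) == 0;
}

/* Constant-time replacement: OR every byte difference into one
 * accumulator and only inspect it after the whole buffer has been
 * visited, so the time taken does not depend on where (or whether) the
 * digests differ. The volatile keeps the compiler from short-circuiting
 * the loop once the accumulator is known to be non-zero. */
int mac_equal_ct(const uint8_t *expected, const uint8_t *received, size_t len)
{
    volatile uint8_t diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= expected[i] ^ received[i];
    return diff == 0;
}

/* Builds the constructed sample digests: a reference value and two
 * copies that differ from it in the first and in the last byte. */
static void sample_digests(uint8_t *ref, uint8_t *diff_first, uint8_t *diff_last)
{
    size_t i;

    for (i = 0; i < DIGEST_LEN; i++)
        ref[i] = diff_first[i] = diff_last[i] = (uint8_t)(0x20 + i);
    diff_first[0] ^= 0x01;
    diff_last[DIGEST_LEN - 1] ^= 0x01;
}

/* Runs both comparisons over the samples. Returns 1 when they agree on
 * all cases: the match is accepted and both mismatches are rejected,
 * whichever byte differs. Only the timing differs, not the result. */
int demo_comparisons(void)
{
    uint8_t ref[DIGEST_LEN], first[DIGEST_LEN], last[DIGEST_LEN];

    sample_digests(ref, first, last);
    return mac_equal_ct(ref, ref, DIGEST_LEN) == 1
        && mac_equal_ct(ref, first, DIGEST_LEN) == 0
        && mac_equal_ct(ref, last, DIGEST_LEN) == 0
        && mac_equal_memcmp(ref, ref, DIGEST_LEN) == 1
        && mac_equal_memcmp(ref, first, DIGEST_LEN) == 0
        && mac_equal_memcmp(ref, last, DIGEST_LEN) == 0;
}
```

Both functions return the same verdicts on the same inputs, which is why the flaw is invisible to functional tests; only a timing measurement separates them. In production code a vetted primitive such as OpenSSL's CRYPTO_memcmp() is preferable to a hand-written loop.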

* Zero origin timestamp bypass: Additional KoD checks.
   References: Sec 2945 / Sec 2901 / CVE-2015-8138
   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2952 / CVE-2015-7704
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
        associations did not address all of the issues.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        If you can't upgrade, use "server" associations instead of
            "peer" associations.
        Monitor your ntpd instances.
   Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3007 / CVE-2016-1547 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92
   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
        off-path attacker can cause a preemptable client association to
        be demobilized by sending a crypto NAK packet to a victim client
        with a spoofed source address of an existing associated peer.
        This is true even if authentication is enabled.

        Furthermore, if the attacker keeps sending crypto NAK packets,
        for example one every second, the victim never has a chance to
        reestablish the association and synchronize time with that
        legitimate server.

        For ntp-4.2.8 through ntp-4.2.8p6 there is less risk because more
        stringent checks are performed on incoming packets, but there
        are still ways to exploit this vulnerability in versions before
        ntp-4.2.8p7.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances
   Credit: This weakness was discovered by Stephen Gray and
        Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3008 / CVE-2016-2519
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: ntpq and ntpdc can be used to store and retrieve information
        in ntpd. It is possible to store a data value that is larger
        than the size of the buffer that the ctl_getitem() function of
        ntpd uses to report the return value. If the length of the
        requested data value returned by ctl_getitem() is too large,
        the value NULL is returned instead. There are 2 cases where the
        return value from ctl_getitem() was not directly checked to make
        sure it's not NULL, but there are subsequent INSIST() checks
        that make sure the return value is not NULL. There are no data
        values ordinarily stored in ntpd that would exceed this buffer
        length. But if one has permission to store values and one stores
        a value that is "too large", then ntpd will abort if an attempt
        is made to read that oversized value.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
        Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3009 / CVE-2016-2518 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92
   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary: Using a crafted packet to create a peer association with
        hmode > 7 causes the MATCH_ASSOC() lookup to make an
        out-of-bounds reference.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances
   Credit: This weakness was discovered by Yihan Lian of the Cloud
        Security Team, Qihoo 360.
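Two defensive checks for the remotely supplied values that the ctl_getitem() and MATCH_ASSOC() entries above describe, written as an added example rather than ntpd's own code: get_item_bounded() returns NULL for a stored value that does not fit its reply buffer, report_item() treats that NULL as a refused request instead of a fatal condition, and match_assoc_checked() range-checks hmode before using it to index a per-mode table. The buffer size, the table contents and all names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed reply buffer; constructed for the example. */
#define CTL_BUF_LEN 32
/* NTP modes 0..7 fit the 3-bit mode field, so a per-mode table has 8 slots. */
#define MODE_COUNT  8

/* Copies a stored value into a fixed-size buffer. Returns NULL, writing
 * nothing, when the value plus its terminator would not fit. This is the
 * contract the advisory describes for ctl_getitem(): an oversized value
 * yields NULL, and the caller must treat NULL as an ordinary outcome. */
const char *get_item_bounded(const char *value, char *buf, size_t buflen)
{
    size_t n = strlen(value);

    if (n + 1 > buflen)
        return NULL;
    memcpy(buf, value, n + 1);
    return buf;
}

/* Caller that handles the NULL by declining the request rather than
 * asserting. Returns 0 when the value was copied, -1 when it was refused;
 * a daemon would log the refusal instead of aborting. */
int report_item(const char *value, char *out, size_t outlen)
{
    const char *v = get_item_bounded(value, out, outlen);

    if (v == NULL)
        return -1;
    return 0;
}

/* Constructed per-mode table. The entries are placeholders standing in
 * for whatever MATCH_ASSOC() consults per mode; they are not ntpd's. */
static const int mode_table[MODE_COUNT] = { 0, 1, 1, 1, 1, 1, 0, 0 };

/* Range-checks a remotely supplied hmode before it becomes an index.
 * Returns the table entry, or -1 for any mode outside 0..7, so a value
 * such as 9 can never read past the end of the table. */
int match_assoc_checked(int hmode)
{
    if (hmode < 0 || hmode >= MODE_COUNT)
        return -1;
    return mode_table[hmode];
}

/* Exercises both copy paths with constructed values. Returns 1 when the
 * short value is accepted and the oversized one is refused without
 * touching the buffer bounds. */
int demo_item_paths(void)
{
    char buf[CTL_BUF_LEN];
    char big[CTL_BUF_LEN + 8];

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return report_item("version=4.2.8p7", buf, sizeof(buf)) == 0
        && report_item(big, buf, sizeof(buf)) == -1;
}

int main(void)
{
    printf("copy paths behave: %d\n", demo_item_paths());
    printf("hmode 3 -> %d, hmode 9 -> %d\n",
           match_assoc_checked(3), match_assoc_checked(9));
    return 0;
}
```

The point of the pair is where the failure is handled: the bounded getter already reports the oversized case, so the remaining defect in each advisory is a caller that either skips the NULL check (and lets an INSIST() turn it into an abort) or indexes a table with a value that was never validated.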

* remote configuration trustedkey/requestkey/controlkey values are not
        properly validated
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3010 / CVE-2016-2517 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92
   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: If ntpd was expressly configured to allow for remote
        configuration, a malicious user who knows the controlkey for
        ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
        can create a session with ntpd and then send a crafted packet to
        ntpd that will change the value of the trustedkey, controlkey,
        or requestkey to a value that will prevent any subsequent
        authentication with ntpd until ntpd is restarted.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances
   Credit: This weakness was discovered by Yihan Lian of the Cloud
        Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3011 / CVE-2016-2516 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
        4.3.0 up to, but not including 4.3.92
   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: If ntpd was expressly configured to allow for remote
        configuration, a malicious user who knows the controlkey for
        ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
        can create a session with ntpd and if an existing association is
        unconfigured using the same IP twice on the unconfig directive
        line, ntpd will abort.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances
   Credit: This weakness was discovered by Yihan Lian of the Cloud
        Security Team, Qihoo 360.

* Refclock impersonation vulnerability
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3020 / CVE-2016-1551
   Affects: On a very limited number of OSes, all NTP releases up to but
        not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
        By "very limited number of OSes" we mean no general-purpose OSes
        have yet been identified that have this vulnerability.
   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
   Summary: While most OSes implement martian packet filtering in their
        network stack, at least regarding 127.0.0.0/8, some will allow
        packets claiming to be from 127.0.0.0/8 that arrive over a
        physical network. On these OSes, if ntpd is configured to use a
        reference clock an attacker can inject packets over the network
        that look like they are coming from that reference clock.
   Mitigation:
        Implement martian packet filtering and BCP-38.
   1670         Configure ntpd to use an adequate number of time sources.
   1671         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1672 	    or the NTP Public Services Project Download Page
   1673         If you are unable to upgrade and if you are running an OS that
   1674 	    has this vulnerability, implement martian packet filters and
   1675 	    lobby your OS vendor to fix this problem, or run your
   1676 	    refclocks on computers that use OSes that are not vulnerable
   1677 	    to these attacks and have your vulnerable machines get their
   1678 	    time from protected resources.
   1679         Properly monitor your ntpd instances.
   1680    Credit: This weakness was discovered by Matt Street and others of
   1681    	Cisco ASIG. 
   1682 
   1683 The following issues were fixed in earlier releases and contain
   1684 improvements in 4.2.8p7:
   1685 
   1686 * Clients that receive a KoD should validate the origin timestamp field.
   1687    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   1688    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   1689    Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
   1690 
   1691 * Skeleton key: passive server with trusted key can serve time.
   1692    References: Sec 2936 / CVE-2015-7974
   1693    Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   1694    Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.
   1695 
   1696 Two other vulnerabilities have been reported, and the mitigations
   1697 for these are as follows:
   1698 
   1699 * Interleave-pivot
   1700    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1701    References: Sec 2978 / CVE-2016-1548
   1702    Affects: All ntp-4 releases.
   1703    CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   1704    CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
   1705    Summary: It is possible to change the time of an ntpd client or deny
   1706    	service to an ntpd client by forcing it to change from basic
   1707 	client/server mode to interleaved symmetric mode. An attacker
   1708 	can spoof a packet from a legitimate ntpd server with an origin
   1709 	timestamp that matches the peer->dst timestamp recorded for that
   1710 	server. After making this switch, the client will reject all
   1711 	future legitimate server responses. It is possible to force the
   1712 	victim client to move time after the mode has been changed.
   1713 	ntpq gives no indication that the mode has been switched.
   1714    Mitigation:
   1715         Implement BCP-38.
   1716         Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
   1717 	    or the NTP Public Services Project Download Page.  These
   1718 	    versions will not dynamically "flip" into interleave mode
   1719 	    unless configured to do so.
   1720         Properly monitor your ntpd instances.
   1721    Credit: This weakness was discovered by Miroslav Lichvar of RedHat
   1722    	and separately by Jonathan Gardner of Cisco ASIG.
   1723 
   1724 * Sybil vulnerability: ephemeral association attack
   1725    Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   1726    References: Sec 3012 / CVE-2016-1549
   1727    Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
   1728    	4.3.0 up to, but not including 4.3.92
   1729    CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   1730    CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   1731    Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
   1732    	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
   1733 	field in the ntp.keys file to specify which IPs can serve time,
   1734 	a malicious authenticated peer can create arbitrarily-many
   1735 	ephemeral associations in order to win the clock selection of
   1736 	ntpd and modify a victim's clock.
   1737    Mitigation:
   1738         Implement BCP-38.
   1739         Use the 4th field in the ntp.keys file to specify which IPs
   1740 	    can be time servers.
   1741         Properly monitor your ntpd instances.
   1742    Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
   1743 
   1744 Other fixes:
   1745 
   1746 * [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger (a] ntp.org
   1747   - fixed yet another race condition in the threaded resolver code.
   1748 * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
   1749 * [Bug 2879] Improve NTP security against timing attacks. perlinger (a] ntp.org
   1750   - integrated patches by Loganaden Velvidron <logan (a] ntp.org>
   1751     with some modifications & unit tests
   1752 * [Bug 2960] async name resolution fixes for chroot() environments.
   1753   Reinhard Max.
   1754 * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger (a] ntp.org
   1755 * [Bug 2995] Fixes to compile on Windows
   1756 * [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger (a] ntp.org
   1757 * [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger (a] ntp.org
   1758   - Patch provided by Ch. Weisgerber
   1759 * [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
   1760   - A change related to [Bug 2853] forbids trailing white space in
   1761     remote config commands. perlinger (a] ntp.org
   1762 * [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
   1763   - report and patch from Aleksandr Kostikov.
   1764   - Overhaul of Windows IO completion port handling. perlinger (a] ntp.org
   1765 * [Bug 3022] authkeys.c should be refactored. perlinger (a] ntp.org
   1766   - fixed memory leak in access list (auth[read]keys.c)
   1767   - refactored handling of key access lists (auth[read]keys.c)
   1768   - reduced number of error branches (authreadkeys.c)
   1769 * [Bug 3023] ntpdate cannot correct dates in the future. perlinger (a] ntp.org
   1770 * [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
   1771 * [Bug 3031] ntp broadcastclient unable to synchronize to an server
   1772              when the time of server changed. perlinger (a] ntp.org
   1773   - Check the initial delay calculation and reject/unpeer the broadcast
   1774     server if the delay exceeds 50ms. Retry again after the next
   1775     broadcast packet.
   1776 * [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
   1777 * Document the optional IP list in ntp.keys in authentic.html.  Harlan Stenn.
   1778 * Update html/xleave.html documentation.  Harlan Stenn.
   1779 * Update ntp.conf documentation.  Harlan Stenn.
   1780 * Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
   1781 * Fix typo in html/monopt.html.  Harlan Stenn.
   1782 * Add README.pullrequests.  Harlan Stenn.
   1783 * Cleanup to include/ntp.h.  Harlan Stenn.
   1784 
   1785 New option to 'configure':
   1786 
   1787 While looking in to the issues around Bug 2978, the "interleave pivot"
   1788 issue, it became clear that there are some intricate and unresolved
   1789 issues with interleave operations.  We also realized that the interleave
   1790 protocol was never added to the NTPv4 Standard, and it should have been.
   1791 
   1792 Interleave mode was first released in July of 2008, and can be engaged
   1793 in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
   1794 contain the 'xleave' option, which will expressly enable interleave mode
   1795 for that association.  Additionally, if a time packet arrives and is
   1796 found inconsistent with normal protocol behavior but has certain
   1797 characteristics that are compatible with interleave mode, NTP will
   1798 dynamically switch to interleave mode.  With sufficient knowledge, an
   1799 attacker can send a crafted forged packet to an NTP instance that
   1800 triggers only one side to enter interleaved mode.
   1801 
   1802 To prevent this attack until we can thoroughly document, describe,
   1803 fix, and test the dynamic interleave mode, we've added a new
   1804 'configure' option to the build process:
   1805 
   1806  --enable-dynamic-interleave
   1807 
   1808 This option controls whether or not NTP will, if conditions are right,
   1809 engage dynamic interleave mode.  Dynamic interleave mode is disabled by
   1810 default in ntp-4.2.8p7.
   1811 
   1812 ---
   1813 NTP 4.2.8p6 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/20) 
   1814 
   1815 Focus: Security, Bug fixes, enhancements.
   1816 
   1817 Severity: MEDIUM
   1818 
   1819 In addition to bug fixes and enhancements, this release fixes the
   1820 following 1 low- and 8 medium-severity vulnerabilities:
   1821 
   1822 * Potential Infinite Loop in 'ntpq'
   1823    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1824    References: Sec 2548 / CVE-2015-8158
   1825    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1826 	4.3.0 up to, but not including 4.3.90
   1827    CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1828    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   1829    Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
   1830 	The loop's only stopping conditions are receiving a complete and
   1831 	correct response or hitting a small number of error conditions.
   1832 	If the packet contains incorrect values that don't trigger one of
   1833 	the error conditions, the loop continues to receive new packets.
   1834 	Note well, this is an attack against an instance of 'ntpq', not
   1835 	'ntpd', and this attack requires the attacker to do one of the
   1836 	following:
   1837 	* Own a malicious NTP server that the client trusts
   1838 	* Prevent a legitimate NTP server from sending packets to
   1839 	    the 'ntpq' client
   1840 	* MITM the 'ntpq' communications between the 'ntpq' client
   1841 	    and the NTP server
   1842    Mitigation:
   1843 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1844 	or the NTP Public Services Project Download Page
   1845    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
   1846 
   1847 * 0rigin: Zero Origin Timestamp Bypass
   1848    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1849    References: Sec 2945 / CVE-2015-8138
   1850    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1851 	4.3.0 up to, but not including 4.3.90
   1852    CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
   1853    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   1854 	(3.7 - LOW if you score AC:H)
   1855    Summary: To distinguish legitimate peer responses from forgeries, a
   1856 	client attempts to verify a response packet by ensuring that the
   1857 	origin timestamp in the packet matches the origin timestamp it
   1858 	transmitted in its last request.  A logic error exists that
   1859 	allows packets with an origin timestamp of zero to bypass this
   1860 	check whenever there is not an outstanding request to the server.
   1861    Mitigation:
   1862 	Configure 'ntpd' to get time from multiple sources.
   1863 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1864 	    or the NTP Public Services Project Download Page.
   1865 	Monitor your 'ntpd' instances.
   1866    Credit: This weakness was discovered by Matthew Van Gundy and
   1867 	Jonathan Gardner of Cisco ASIG.
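
   The following is an added example, not code from ntpd, showing the
   origin-timestamp check described above as a small Python model.  A
   client records the transmit timestamp of its outstanding request
   (ntpd keeps this in peer->aorg) and compares it with the origin
   field of each reply.  The vulnerable variant clears that value to
   zero once the request is answered, so an unsolicited reply carrying
   a zero origin compares equal and is accepted; the fixed variant
   rejects a zero origin, and any reply when nothing is outstanding,
   outright.  The packet layout is the 48-byte NTPv4 header from RFC
   5905; timestamps and addresses in the scenario are constructed, and
   the two accept() branches are a simplification of ntpd's flash-bit
   logic rather than a transcription of it.

```python
"""Origin-timestamp check for NTP client responses.

Added example, not ntpd's code: a simplified model of the per-association
origin state ("peer->aorg" in ntpd) showing why a zero origin timestamp
slipped past the check before 4.2.8p6 (Sec 2945 / CVE-2015-8138).
Packet layout is the 48-byte NTPv4 header from RFC 5905.
"""
import struct

# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/origin/receive/transmit 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")
MODE_CLIENT, MODE_SERVER = 3, 4
VERSION = 4


def build_packet(mode, org=0, rec=0, xmt=0, stratum=2, refid=b"GPS\x00"):
    """Pack an NTPv4 header; poll, precision and root fields are fixed values."""
    li_vn_mode = (VERSION << 3) | mode
    return NTP_HEADER.pack(li_vn_mode, stratum, 6, -20, 0, 0, refid, 0, org, rec, xmt)


def parse_packet(raw):
    """Unpack only the fields the origin check needs."""
    f = NTP_HEADER.unpack(raw[:NTP_HEADER.size])
    return {"mode": f[0] & 0x07, "org": f[8], "rec": f[9], "xmt": f[10]}


class Client:
    """One client/server association; `fixed` selects pre- or post-p6 logic."""

    def __init__(self, clock, fixed):
        self.clock = clock      # returns the next 64-bit NTP timestamp
        self.fixed = fixed
        self.aorg = 0           # xmt of the outstanding request, 0 when none

    def send_request(self):
        self.aorg = self.clock()
        return build_packet(MODE_CLIENT, xmt=self.aorg)

    def accept(self, pkt):
        """True if pkt passes the origin check and may drive the clock."""
        if self.fixed and (pkt["org"] == 0 or self.aorg == 0):
            # 4.2.8p6 behaviour: a zero origin, or a reply with no request
            # outstanding, is bogus whatever the stored value happens to be.
            return False
        # Pre-p6 logic: equality only.  Once the outstanding request has
        # been answered aorg is 0, so an unsolicited reply carrying org == 0
        # compares equal and is accepted.
        ok = pkt["org"] == self.aorg
        self.aorg = 0           # the outstanding request is consumed
        return ok


def run_scenario(fixed):
    """Constructed exchange: one genuine reply, then two unsolicited forgeries."""
    stamps = iter(range(0xD000000000000000, 0xD000000000000100))
    client = Client(clock=lambda: next(stamps), fixed=fixed)

    req = parse_packet(client.send_request())
    genuine = build_packet(MODE_SERVER, org=req["xmt"], rec=req["xmt"] + 1, xmt=req["xmt"] + 2)
    result = {"genuine": client.accept(parse_packet(genuine))}

    # Off-path attacker, no request outstanding: a zero origin is the bypass.
    forged_zero = build_packet(MODE_SERVER, org=0, rec=1, xmt=2)
    result["forged_zero_origin"] = client.accept(parse_packet(forged_zero))

    # A guessed non-zero origin is rejected by both versions.
    forged_guess = build_packet(MODE_SERVER, org=0x1234, rec=1, xmt=2)
    result["forged_guessed_origin"] = client.accept(parse_packet(forged_guess))
    return result


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("fixed:     ", run_scenario(fixed=True))
```

   The point to take from the model is that the check is only as strong
   as the state it compares against: a sentinel value (zero) that is
   both "no request outstanding" and a legal wire value lets an off-path
   attacker who knows nothing about the client's timestamps pass it.
   The same origin comparison is what a client should apply to a
   Kiss-of-Death response before honouring it.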
   1868 
   1869 * Stack exhaustion in recursive traversal of restriction list
   1870    Date Resolved: Stable (4.2.8p6) 19 Jan 2016
   1871    References: Sec 2940 / CVE-2015-7978
   1872    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1873 	4.3.0 up to, but not including 4.3.90
   1874    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1875    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   1876    	segmentation fault in ntpd by exhausting the call stack.
   1877    Mitigation:
   1878 	Implement BCP-38.
   1879 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1880 	    or the NTP Public Services Project Download Page.
   1881 	If you are unable to upgrade:
   1882             In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   1883 	    If you must enable mode 7:
   1884 		configure the use of a 'requestkey' to control who can
   1885 		    issue mode 7 requests.
   1886 		configure 'restrict noquery' to further limit mode 7
   1887 		    requests to trusted sources.
   1888 		Monitor your ntpd instances.
   1889    Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
   1890 
   1891 * Off-path Denial of Service (DoS) attack on authenticated broadcast mode
   1892    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1893    References: Sec 2942 / CVE-2015-7979
   1894    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1895 	4.3.0 up to, but not including 4.3.90
   1896    CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
   1897    Summary: An off-path attacker can send broadcast packets with bad
   1898 	authentication (wrong key, mismatched key, incorrect MAC, etc)
   1899 	to broadcast clients. It is observed that the broadcast client
   1900 	tears down the association with the broadcast server upon
   1901 	receiving just one bad packet.
   1902    Mitigation:
   1903 	Implement BCP-38.
   1904 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1905 	or the NTP Public Services Project Download Page.
   1906 	Monitor your 'ntpd' instances.
   1907 	If this sort of attack is an active problem for you, you have
   1908 	    deeper problems to investigate.  In this case also consider
   1909 	    having smaller NTP broadcast domains.
   1910    Credit: This weakness was discovered by Aanchal Malhotra of Boston
   1911    	University.
   1912 
   1913 * reslist NULL pointer dereference
   1914    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1915    References: Sec 2939 / CVE-2015-7977
   1916    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1917 	4.3.0 up to, but not including 4.3.90
   1918    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1919    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   1920 	segmentation fault in ntpd by causing a NULL pointer dereference.
   1921    Mitigation:
   1922 	Implement BCP-38.
   1923 	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
   1924 	the NTP Public Services Project Download Page.
   1925 	If you are unable to upgrade:
   1926 	    mode 7 is disabled by default.  Don't enable it.
   1927 	    If you must enable mode 7:
   1928 		configure the use of a 'requestkey' to control who can
   1929 		    issue mode 7 requests.
   1930 		configure 'restrict noquery' to further limit mode 7
   1931 		    requests to trusted sources. 
   1932 	Monitor your ntpd instances.
   1933    Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
   1934 
   1935 * 'ntpq saveconfig' command allows dangerous characters in filenames.
   1936    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1937    References: Sec 2938 / CVE-2015-7976
   1938    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1939 	4.3.0 up to, but not including 4.3.90
   1940    CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
   1941    Summary: The ntpq saveconfig command does not do adequate filtering
   1942    	of special characters from the supplied filename.
   1943 	Note well: The ability to use the saveconfig command is controlled
   1944 	by the 'restrict nomodify' directive, and the recommended default
   1945 	configuration is to disable this capability.  If the ability to
   1946 	execute a 'saveconfig' is required, it can easily (and should) be
   1947 	limited and restricted to a known small number of IP addresses.
   1948    Mitigation:
   1949 	Implement BCP-38.
   1950 	use 'restrict default nomodify' in your 'ntp.conf' file.
   1951 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
   1952 	If you are unable to upgrade:
   1953 	    build NTP with 'configure --disable-saveconfig' if you will
   1954 	    	never need this capability, or
   1955 	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
   1956 		careful about what IPs have the ability to send 'modify'
   1957 		requests to 'ntpd'.
   1958 	Monitor your ntpd instances.
   1959 	'saveconfig' requests are logged to syslog - monitor your syslog files.
   1960    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
   1961 
   1962 * nextvar() missing length check in ntpq
   1963    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1964    References: Sec 2937 / CVE-2015-7975
   1965    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1966 	4.3.0 up to, but not including 4.3.90
   1967    CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
   1968 	If you score A:C, this becomes 4.0.
   1969    CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
   1970    Summary: ntpq may call nextvar() which executes a memcpy() into the
   1971 	name buffer without a proper length check against its maximum
   1972 	length of 256 bytes. Note well that we're talking about ntpq here.
   1973 	The usual worst-case effect of this vulnerability is that the
   1974 	specific instance of ntpq will crash and the person or process
   1975 	that did this will have stopped themselves.
   1976    Mitigation:
   1977 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1978 	    or the NTP Public Services Project Download Page.
   1979 	If you are unable to upgrade:
   1980 	    If you have scripts that feed input to ntpq make sure there are
   1981 		some sanity checks on the input received from the "outside".
   1982 	    This is potentially more dangerous if ntpq is run as root. 
   1983    Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
   1984 
   1985 * Skeleton Key: Any trusted key system can serve time
   1986    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1987    References: Sec 2936 / CVE-2015-7974
   1988    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1989 	4.3.0 up to, but not including 4.3.90
   1990    CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
   1991    Summary: Symmetric-key authentication uses a shared trusted key. The
   1992 	reported title for this issue was "Missing key check allows
   1993 	impersonation between authenticated peers" and the report claimed
   1994 	"A key specified only for one server should only work to
   1995 	authenticate that server, other trusted keys should be refused."
   1996 	Except there has never been any correlation between this trusted
   1997 	key and server v. clients machines and there has never been any
   1998 	way to specify a key only for one server. We have treated this as
   1999 	an enhancement request, and ntp-4.2.8p6 includes other checks and
   2000 	tests to strengthen clients against attacks coming from broadcast
   2001 	servers.
   2002    Mitigation:
   2003 	Implement BCP-38.
   2004 	If this scenario represents a real or a potential issue for you,
   2005 	    upgrade to 4.2.8p6, or later, from the NTP Project Download
   2006 	    Page or the NTP Public Services Project Download Page, and
   2007 	    use the new field in the ntp.keys file that specifies the list
   2008 	    of IPs that are allowed to serve time. Note that this alone
   2009 	    will not protect against time packets with forged source IP
   2010 	    addresses, however other changes in ntp-4.2.8p6 provide
   2011 	    significant mitigation against broadcast attacks. MITM attacks
   2012 	    are a different story.
   2013 	If you are unable to upgrade:
   2014 	    Don't use broadcast mode if you cannot monitor your client
   2015 	    	servers.
   2016 	    If you choose to use symmetric keys to authenticate time
   2017 	    	packets in a hostile environment where ephemeral time
   2018 		servers can be created, or if it is expected that malicious
   2019 		time servers will participate in an NTP broadcast domain,
   2020 		limit the number of participating systems that participate
   2021 		in the shared-key group. 
   2022 	Monitor your ntpd instances. 
   2023    Credit: This weakness was discovered by Matt Street of Cisco ASIG. 
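
   The following is an added example, not code from ntpd, serving both
   this "Skeleton Key" entry and the Sybil ephemeral-association entry
   under 4.2.8p7 (Sec 3012 / CVE-2016-1549).  It models the optional
   fourth field of ntp.keys introduced in 4.2.8p6: a key line with no
   source list is usable by any holder of the key, while a key line
   with a source list is only trusted for packets from those addresses.
   The keys file, the addresses and the offsets are constructed; the
   assumption that the field is a comma-separated list of addresses or
   prefixes, and the reduction of clock selection to a median over the
   admitted associations, are simplifications and not ntpd's own
   parser or selection algorithm.

```python
"""Binding a symmetric key to the addresses allowed to use it.

Added example, not ntpd's code.  Models the optional fourth field of
ntp.keys introduced in 4.2.8p6 and its effect on the Sybil scenario of
Sec 3012 / CVE-2016-1549.  Assumptions: the field is a comma-separated
list of addresses or prefixes, and clock selection is reduced to a median
over admitted associations.  Both are simplifications of ntpd.
"""
import ipaddress
import statistics

# Constructed sample keys file, not a real one.  Key 1 is unrestricted;
# key 2 may only be used by the listed sources.
SAMPLE_KEYS = """\
# keyno  type  key                                      allowed sources
1        MD5   sharedsecretone
2        SHA1  0123456789abcdef0123456789abcdef01234567 192.0.2.10,198.51.100.0/24
"""


def parse_keys(text):
    """Parse 'keyno type key [sources]' lines; '#' starts a comment."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError("malformed key line: %r" % line)
        keyno, ktype, secret = int(parts[0]), parts[1], parts[2]
        allowed = None
        if len(parts) == 4:
            allowed = [ipaddress.ip_network(s.strip(), strict=False)
                       for s in parts[3].split(",")]
        keys[keyno] = {"type": ktype, "secret": secret, "allowed": allowed}
    return keys


KEYS = parse_keys(SAMPLE_KEYS)


def key_trusted_for_source(keys, keyno, src):
    """True if keyno exists and src is allowed to serve time with it."""
    entry = keys.get(keyno)
    if entry is None:
        return False
    if entry["allowed"] is None:
        return True     # no fourth field: any holder of the key can serve time
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in entry["allowed"])


def admitted(keys, packets):
    """Keep MAC-verified packets whose key is trusted for their source."""
    return [p for p in packets if key_trusted_for_source(keys, p["keyid"], p["src"])]


def select_offset(packets):
    """Stand-in for clock selection: the median offset of admitted sources."""
    return statistics.median(p["offset"] for p in packets)


def sybil_scenario(keyid):
    """Three legitimate servers versus five ephemeral attacker associations,
    all authenticating with the same key.  Offsets are seconds; addresses
    are RFC 5737 documentation ranges (constructed data)."""
    legit = [{"src": "198.51.100.%d" % i, "keyid": keyid, "offset": off}
             for i, off in ((1, 0.001), (2, -0.002), (3, 0.0015))]
    attacker = [{"src": "203.0.113.%d" % i, "keyid": keyid, "offset": 600.0}
                for i in range(1, 6)]
    survivors = admitted(KEYS, legit + attacker)
    return {"admitted": len(survivors), "offset": select_offset(survivors)}


if __name__ == "__main__":
    print("unrestricted key 1:", sybil_scenario(1))   # attacker's offset wins
    print("restricted key 2:  ", sybil_scenario(2))   # attacker's sources dropped
```

   With the unrestricted key the attacker's five associations outvote
   the three genuine servers; with the restricted key they are refused
   before they reach selection.  As the text above notes, this check is
   on the source address and so does nothing against packets whose
   source address is forged; BCP-38 filtering and, where possible,
   avoiding broadcast mode remain necessary alongside it.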
   2024 
   2025 * Deja Vu: Replay attack on authenticated broadcast mode
   2026    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   2027    References: Sec 2935 / CVE-2015-7973
   2028    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   2029    	4.3.0 up to, but not including 4.3.90
   2030    CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
   2031    Summary: If an NTP network is configured for broadcast operations then
   2032    	either a man-in-the-middle attacker or a malicious participant
   2033 	that has the same trusted keys as the victim can replay time packets.
   2034    Mitigation:
   2035 	Implement BCP-38.
   2036 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   2037 	    or the NTP Public Services Project Download Page.
   2038 	If you are unable to upgrade:
   2039 	    Don't use broadcast mode if you cannot monitor your client servers.
   2040 	Monitor your ntpd instances.
   2041    Credit: This weakness was discovered by Aanchal Malhotra of Boston
   2042 	University.
   2043 
   2044 Other fixes:
   2045 
   2046 * [Bug 2772] adj_systime overflows tv_usec. perlinger (a] ntp.org
   2047 * [Bug 2814] msyslog deadlock when signaled. perlinger (a] ntp.org
   2048   - applied patch by shenpeng11 (a] huawei.com with minor adjustments
   2049 * [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger (a] ntp.org
   2050 * [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger (a] ntp.org
   2051 * [Bug 2892] Several test cases assume IPv6 capabilities even when
   2052              IPv6 is disabled in the build. perlinger (a] ntp.org
   2053   - Found this already fixed, but validation led to cleanup actions.
   2054 * [Bug 2905] DNS lookups broken. perlinger (a] ntp.org
   2055   - added limits to stack consumption, fixed some return code handling
   2056 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
   2057   - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
   2058   - make CTRL-C work for retrieval and printing of the MRU list. perlinger (a] ntp.org
   2059 * [Bug 2980] reduce number of warnings. perlinger (a] ntp.org
   2060   - integrated several patches from Havard Eidnes (he (a] uninett.no)
   2061 * [Bug 2985] bogus calculation in authkeys.c perlinger (a] ntp.org
   2062   - implement 'auth_log2()' using integer bithack instead of float calculation
   2063 * Make leapsec_query debug messages less verbose.  Harlan Stenn.
   2064 
   2065 ---
   2066 NTP 4.2.8p5 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/07) 
   2067 
   2068 Focus: Security, Bug fixes, enhancements.
   2069 
   2070 Severity: MEDIUM
   2071 
   2072 In addition to bug fixes and enhancements, this release fixes the
   2073 following medium-severity vulnerability:
   2074 
   2075 * Small-step/big-step.  Close the panic gate earlier.
   2076     References: Sec 2956, CVE-2015-5300
   2077     Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
   2078 	4.3.0 up to, but not including 4.3.78
   2079     CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
   2080     Summary: If ntpd is always started with the -g option, which is
   2081 	common and against long-standing recommendation, and if at the
   2082 	moment ntpd is restarted an attacker can immediately respond to
   2083 	enough requests from enough sources trusted by the target, which
   2084 	is difficult and not common, there is a window of opportunity
   2085 	where the attacker can cause ntpd to set the time to an
   2086 	arbitrary value. Similarly, if an attacker is able to respond
   2087 	to enough requests from enough sources trusted by the target,
   2088 	the attacker can cause ntpd to abort and restart, at which
   2089 	point it can tell the target to set the time to an arbitrary
   2090 	value if and only if ntpd was re-started against long-standing
   2091 	recommendation with the -g flag, or if ntpd was not given the
   2092 	-g flag, the attacker can move the target system's time by at
   2093 	most 900 seconds' time per attack.
   2094     Mitigation:
   2095 	Configure ntpd to get time from multiple sources.
   2096 	Upgrade to 4.2.8p5, or later, from the NTP Project Download
   2097 	    Page or the NTP Public Services Project Download Page
   2098 	As we've long documented, only use the -g option to ntpd in
   2099 	    cold-start situations.
   2100 	Monitor your ntpd instances. 
   2101     Credit: This weakness was discovered by Aanchal Malhotra,
   2102 	Isaac E. Cohen, and Sharon Goldberg at Boston University. 
   2103 
   2104     NOTE WELL: The -g flag disables the limit check on the panic_gate
   2105 	in ntpd, which is 900 seconds by default. The bug identified by
   2106 	the researchers at Boston University is that the panic_gate
   2107 	check was only re-enabled after the first change to the system
   2108 	clock that was greater than 128 milliseconds, by default. The
   2109 	correct behavior is that the panic_gate check should be
   2110 	re-enabled after any initial time correction.
   2111 
   2112 	If an attacker is able to inject consistent but erroneous time
   2113 	responses to your systems via the network or "over the air",
   2114 	perhaps by spoofing radio, cellphone, or navigation satellite
   2115 	transmissions, they are in a great position to affect your
   2116 	system's clock. There comes a point where your very best
   2117 	defenses include:
   2118 
   2119 	    Configure ntpd to get time from multiple sources.
   2120 	    Monitor your ntpd instances. 
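
   The following is an added example, not code from ntpd, that models
   the panic-gate behaviour described in the note above.  It uses
   ntpd's default panic threshold (900 seconds) and step threshold (128
   milliseconds), with -g lifting the panic check for the first
   correction.  The buggy variant re-arms the check only after a
   correction larger than the step threshold, so an attacker who first
   supplies a small, consistent lie keeps the gate open for the large
   one; the fixed variant re-arms it after any initial correction.  The
   offsets are constructed, and applying a slew as a single instant
   adjustment is a simplification of how ntpd disciplines the clock.

```python
"""Panic gate re-arming after the first correction (Sec 2956 / CVE-2015-5300).

Added example, not ntpd's code: a toy clock discipline with ntpd's default
panic threshold (900 s) and step threshold (128 ms), in which -g lifts the
panic check for the first correction.  The buggy variant re-arms the check
only after a correction larger than the step threshold; the fixed variant
re-arms it after any initial correction.  Real ntpd slews small offsets
gradually; here every correction is applied at once.
"""

PANIC_GATE = 900.0      # seconds; larger offsets make ntpd abort (unless -g)
STEP_THRESHOLD = 0.128  # seconds; larger offsets are stepped, smaller slewed


class Discipline:
    def __init__(self, allow_first_panic, fixed):
        self.allow_first_panic = allow_first_panic  # True when started with -g
        self.fixed = fixed
        self.clock = 0.0       # offset of the local clock from "true" time
        self.aborted = False

    def apply(self, offset):
        """Process one measured offset and return the action taken."""
        if self.aborted:
            return "down"
        if abs(offset) > PANIC_GATE and not self.allow_first_panic:
            self.aborted = True     # ntpd logs the panic and exits
            return "panic"
        action = "step" if abs(offset) > STEP_THRESHOLD else "slew"
        self.clock += offset
        # Re-arm the panic gate: after any correction when fixed, otherwise
        # only after a step.  A slew leaves the buggy daemon wide open.
        if self.fixed or action == "step":
            self.allow_first_panic = False
        return action


def scenario(fixed, with_g=True):
    """Constructed attack: a small consistent lie first, then a huge one."""
    d = Discipline(allow_first_panic=with_g, fixed=fixed)
    actions = [d.apply(0.05), d.apply(86400.0)]
    return {"actions": actions, "clock": d.clock, "aborted": d.aborted}


if __name__ == "__main__":
    print("buggy, -g:", scenario(fixed=False))   # second lie is stepped in
    print("fixed, -g:", scenario(fixed=True))    # second lie hits the gate
    print("no -g:    ", scenario(fixed=False, with_g=False))
```

   Without -g the first large offset trips the gate immediately, which
   is why the text limits that case to at most 900 seconds per attack;
   the exposure described above exists only when the daemon is started
   with -g and the first correction is small enough to be slewed.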
   2121 
   2122 Other fixes:
   2123 
   2124 * Coverity submission process updated from Coverity 5 to Coverity 7.
   2125   The NTP codebase has been undergoing regular Coverity scans on an
   2126   ongoing basis since 2006.  As part of our recent upgrade from
   2127   Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
   2128   the newly-written Unity test programs.  These were fixed.
   2129 * [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger (a] ntp.org
   2130 * [Bug 2887] stratum -1 config results as showing value 99
   2131   - fudge stratum should only accept values [0..16]. perlinger (a] ntp.org
   2132 * [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
   2133 * [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
   2134 * [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
   2135   - applied patch by Christos Zoulas.  perlinger (a] ntp.org
   2136 * [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
   2137 * [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
   2138   - fixed data race conditions in threaded DNS worker. perlinger (a] ntp.org
   2139   - limit threading warm-up to linux; FreeBSD bombs on it. perlinger (a] ntp.org
   2140 * [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger (a] ntp.org
   2141   - accept key file only if there are no parsing errors
   2142   - fixed size_t/u_int format clash
   2143   - fixed wrong use of 'strlcpy'
   2144 * [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
   2145 * [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger (a] ntp.org
   2146   - fixed several other warnings (cast-alignment, missing const, missing prototypes)
   2147   - promote use of 'size_t' for values that express a size
   2148   - use ptr-to-const for read-only arguments
   2149   - make sure SOCKET values are not truncated (win32-specific)
   2150   - format string fixes
   2151 * [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
   2152 * [Bug 2967] ntpdate command suffers an assertion failure
   2153   - fixed ntp_rfc2553.c to return proper address length. perlinger (a] ntp.org
   2154 * [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
   2155               lots of clients. perlinger (a] ntp.org
   2156 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
   2157   - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org
   2158 * Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
   2159 * Unity test cleanup.  Harlan Stenn.
   2160 * Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
   2161 * Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
   2162 * Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
   2163 * Quiet a warning from clang.  Harlan Stenn.
   2164 
   2165 ---
   2166 NTP 4.2.8p4 (Harlan Stenn <stenn (a] ntp.org>, 2015/10/21) 
   2167 
   2168 Focus: Security, Bug fixes, enhancements.
   2169 
   2170 Severity: MEDIUM
   2171 
   2172 In addition to bug fixes and enhancements, this release fixes the
   2173 following 13 low- and medium-severity vulnerabilities:
   2174 
   2175 * Incomplete vallen (value length) checks in ntp_crypto.c, leading
   2176   to potential crashes or potential code injection/information leakage.
   2177 
   2178     References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
   2179     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2180     	and 4.3.0 up to, but not including 4.3.77
   2181     CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
   2182     Summary: The fix for CVE-2014-9750 was incomplete in that there were
   2183     	certain code paths where a packet with particular autokey operations
   2184 	that contained malicious data was not always being completely
   2185 	validated. Receipt of these packets can cause ntpd to crash.
   2186     Mitigation:
   2187         Don't use autokey.
   2188 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2189 	    Page or the NTP Public Services Project Download Page
   2190 	Monitor your ntpd instances. 
   2191     Credit: This weakness was discovered by Tenable Network Security.
   2192 
   2193 * Clients that receive a KoD should validate the origin timestamp field.
   2194 
   2195     References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   2196     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2197 	and 4.3.0 up to, but not including 4.3.77
   2198     CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
   2199     Summary: An ntpd client that honors Kiss-of-Death responses will honor
   2200     	KoD messages that have been forged by an attacker, causing it to
   2201 	delay or stop querying its servers for time updates. Also, an
   2202 	attacker can forge packets that claim to be from the target and
   2203 	send them to servers often enough that a server that implements
   2204 	KoD rate limiting will send the target machine a KoD response to
   2205 	attempt to reduce the rate of incoming packets, or it may also
   2206 	trigger a firewall block at the server for packets from the target
   2207 	machine. For either of these attacks to succeed, the attacker must
   2208 	know what servers the target is communicating with. An attacker
   2209 	can be anywhere on the Internet and can frequently learn the
   2210 	identity of the target's time source by sending the target a
   2211 	time query.
   2212     Mitigation:
   2213         Implement BCP-38.
   2214 	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
   2215 	    or the NTP Public Services Project Download Page
   2216 	If you can't upgrade, restrict who can query ntpd to learn who
   2217 	    its servers are, and what IPs are allowed to ask your system
   2218 	    for the time. This mitigation is heavy-handed.
   2219 	Monitor your ntpd instances. 
   2220     Note:
   2221     	4.2.8p4 protects against the first attack. For the second attack,
   2222     	all we can do is warn when it is happening, which we do in 4.2.8p4.
   2223     Credit: This weakness was discovered by Aanchal Malhotra,
   2224     	Issac E. Cohen, and Sharon Goldberg of Boston University. 
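The origin-timestamp check that 4.2.8p4 applies to KoD responses, shown
as an added Python example (this is not ntpd's code): a client remembers
the transmit timestamp of its outstanding request and accepts a
Kiss-of-Death (mode 4, stratum 0, kiss code in the refid) only when the
reply's origin timestamp echoes it. The packet layout follows RFC 5905;
the timestamps and kiss codes used below are constructed.

```python
import struct

# Constructed example, not ntpd code: the 48-byte NTPv4 header as a struct
# format. Fields: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, refid, then reference/origin/receive/transmit timestamps.
NTP_HDR = "!BBBbII4sQQQQ"
HDR_LEN = struct.calcsize(NTP_HDR)      # 48


def build_packet(mode, stratum, refid, org, xmt):
    """Build a minimal NTPv4 header (version 4, leap indicator 0)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack(NTP_HDR, li_vn_mode, stratum, 6, -20, 0, 0,
                       refid, 0, org, 0, xmt)


def build_request(xmt):
    """Client (mode 3) request; xmt is the transmit timestamp we remember."""
    return build_packet(3, 0, b"\0\0\0\0", 0, xmt)


def build_kod(kiss_code, origin):
    """Server (mode 4) Kiss-of-Death: stratum 0, refid carries the kiss
    code, and the origin timestamp should echo the client's transmit
    timestamp."""
    return build_packet(4, 0, kiss_code, origin, 0)


def validate_kod(pkt, outstanding_xmt):
    """Classify a received packet against the transmit timestamp of the
    request we currently have in flight (0 when nothing is pending).

    Returns 'accept:<kiss code>' for a KoD whose origin timestamp matches,
    'reject' for a KoD that does not (forged, replayed or unsolicited),
    'not-kod' for any other packet, and 'malformed' if it is too short."""
    if len(pkt) < HDR_LEN:
        return "malformed"
    fields = struct.unpack(NTP_HDR, pkt[:HDR_LEN])
    li_vn_mode, stratum, refid, org = fields[0], fields[1], fields[6], fields[8]
    if (li_vn_mode & 0x7) != 4 or stratum != 0:
        return "not-kod"
    # The origin timestamp is the one field an off-path forger cannot
    # predict: it must equal our own transmit timestamp, and we must
    # actually have a request outstanding.
    if outstanding_xmt == 0 or org != outstanding_xmt:
        return "reject"
    return "accept:" + refid.decode("ascii", "replace")


if __name__ == "__main__":
    our_xmt = 0xDCEF9A2B12345678            # constructed transmit timestamp
    request = build_request(our_xmt)
    genuine = build_kod(b"RATE", our_xmt)
    forged = build_kod(b"RATE", 0x0102030405060708)
    print(len(request), validate_kod(genuine, our_xmt))   # 48 accept:RATE
    print(validate_kod(forged, our_xmt))                  # reject
```

A KoD forged by someone who knows which servers the target uses but not
the transmit timestamp of the request in flight ends in the 'reject'
branch; that is the first of the two attacks described above, the one the
check defeats. The second (provoking a real KoD by spoofing traffic to the
server) produces a genuine packet and is only detectable, as the Note says.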
   2225 
   2226 * configuration directives to change "pidfile" and "driftfile" should
   2227   only be allowed locally. 
   2228 
   2229   References: Sec 2902 / CVE-2015-5196
   2230   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2231 	and 4.3.0 up to, but not including 4.3.77
   2232    CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
   2233    Summary: If ntpd is configured to allow for remote configuration,
   2234 	and if the (possibly spoofed) source IP address is allowed to
   2235 	send remote configuration requests, and if the attacker knows
   2236 	the remote configuration password, it's possible for an attacker
   2237 	to use the "pidfile" or "driftfile" directives to potentially
   2238 	overwrite other files.
   2239    Mitigation:
   2240 	Implement BCP-38.
   2241 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2242 	    Page or the NTP Public Services Project Download Page
   2243 	If you cannot upgrade, don't enable remote configuration.
   2244 	If you must enable remote configuration and cannot upgrade,
   2245 	    remote configuration of NTF's ntpd requires:
   2246 	    - an explicitly configured trustedkey, and you should also
   2247 	    	configure a controlkey.
   2248 	    - access from a permitted IP. You choose the IPs.
   2249 	    - authentication. Don't disable it. Practice secure key safety. 
   2250 	Monitor your ntpd instances. 
   2251    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   2252 
   2253 * Slow memory leak in CRYPTO_ASSOC 
   2254 
   2255   References: Sec 2909 / CVE-2015-7701
   2256   Affects: All ntp-4 releases that use autokey up to, but not
   2257     including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2258   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
   2259   	4.6 otherwise
   2260   Summary: If ntpd is configured to use autokey, then an attacker can
   2261 	send packets to ntpd that will, after several days of ongoing
   2262 	attack, cause it to run out of memory.
   2263   Mitigation:
   2264 	Don't use autokey.
   2265 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2266 	    Page or the NTP Public Services Project Download Page
   2267 	Monitor your ntpd instances. 
   2268   Credit: This weakness was discovered by Tenable Network Security. 
   2269 
   2270 * mode 7 loop counter underrun
   2271 
   2272   References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
   2273   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2274   	and 4.3.0 up to, but not including 4.3.77
   2275   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
   2276   Summary: If ntpd is configured to enable mode 7 packets, and if the
   2277 	use of mode 7 packets is not properly protected through the use of
   2278 	the available mode 7 authentication and restriction mechanisms,
   2279 	and if the (possibly spoofed) source IP address is allowed to
   2280 	send mode 7 queries, then an attacker can send a crafted packet
   2281 	to ntpd that will cause it to crash.
   2282   Mitigation:
   2283 	Implement BCP-38.
   2284 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2285 	    Page or the NTP Public Services Project Download Page.
   2286 	If you are unable to upgrade:
   2287 	    In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   2288 	    If you must enable mode 7:
   2289 		configure the use of a requestkey to control who can issue
   2290 		    mode 7 requests.
   2291 		configure restrict noquery to further limit mode 7 requests
   2292 		    to trusted sources.
   2293 	Monitor your ntpd instances.
   2294   Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
   2295 
   2296 * memory corruption in password store
   2297 
   2298   References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
   2299   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2300   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
   2301   Summary: If ntpd is configured to allow remote configuration, and if
   2302 	the (possibly spoofed) source IP address is allowed to send
   2303 	remote configuration requests, and if the attacker knows the
   2304 	remote configuration password or if ntpd was configured to
   2305 	disable authentication, then an attacker can send a set of
   2306 	packets to ntpd that may cause a crash or theoretically
   2307 	perform a code injection attack.
   2308   Mitigation:
   2309 	Implement BCP-38.
   2310 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2311 	    Page or the NTP Public Services Project Download Page.
   2312 	If you are unable to upgrade, remote configuration of NTF's
   2313 	    ntpd requires:
   2314 		an explicitly configured "trusted" key. Only configure
   2315 			this if you need it.
   2316 		access from a permitted IP address. You choose the IPs.
   2317 		authentication. Don't disable it. Practice secure key safety. 
   2318 	Monitor your ntpd instances. 
   2319   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2320 
   2321 * Infinite loop if extended logging enabled and the logfile and
   2322   keyfile are the same.
   2323 
   2324     References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
   2325     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   2326 	and 4.3.0 up to, but not including 4.3.77
   2327     CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   2328     Summary: If ntpd is configured to allow remote configuration, and if
   2329 	the (possibly spoofed) source IP address is allowed to send
   2330 	remote configuration requests, and if the attacker knows the
   2331 	remote configuration password or if ntpd was configured to
   2332 	disable authentication, then an attacker can send a set of
   2333 	packets to ntpd that will cause it to crash and/or create a
   2334 	potentially huge log file. Specifically, the attacker could
   2335 	enable extended logging, point the key file at the log file,
   2336 	and cause what amounts to an infinite loop.
   2337     Mitigation:
   2338 	Implement BCP-38.
   2339 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2340 	    Page or the NTP Public Services Project Download Page.
   2341 	If you are unable to upgrade, remote configuration of NTF's ntpd
   2342 	  requires:
   2343             an explicitly configured "trusted" key. Only configure this
   2344 	    	if you need it.
   2345             access from a permitted IP address. You choose the IPs.
   2346             authentication. Don't disable it. Practice secure key safety. 
   2347         Monitor your ntpd instances. 
   2348     Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2349 
   2350 * Potential path traversal vulnerability in the config file saving of
   2351   ntpd on VMS.
   2352 
   2353   References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
   2354   Affects: All ntp-4 releases running under VMS up to, but not
   2355 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2356   CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
   2357   Summary: If ntpd is configured to allow remote configuration, and if
   2358 	the (possibly spoofed) IP address is allowed to send remote
   2359 	configuration requests, and if the attacker knows the remote
   2360 	configuration password or if ntpd was configured to disable
   2361 	authentication, then an attacker can send a set of packets to
   2362 	ntpd that may cause ntpd to overwrite files.
   2363   Mitigation:
   2364 	Implement BCP-38.
   2365 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2366 	    Page or the NTP Public Services Project Download Page.
   2367 	If you are unable to upgrade, remote configuration of NTF's ntpd
   2368 	    requires:
   2369 		an explicitly configured "trusted" key. Only configure
   2370 			this if you need it.
   2371 		access from permitted IP addresses. You choose the IPs.
   2372 		authentication. Don't disable it. Practice secure key safety.
   2373         Monitor your ntpd instances. 
   2374     Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2375 
   2376 * ntpq atoascii() potential memory corruption
   2377 
   2378   References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
   2379   Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
   2380 	and 4.3.0 up to, but not including 4.3.77
   2381   CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
   2382   Summary: If an attacker can figure out the precise moment that ntpq
   2383 	is listening for data and the port number it is listening on, or
   2384 	if the attacker can provide a malicious ntpd instance that
   2385 	victims will connect to, then the attacker can send a set of
   2386 	crafted mode 6 response packets that, if received by ntpq,
   2387 	can cause ntpq to crash.
   2388   Mitigation:
   2389 	Implement BCP-38.
   2390 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2391 	    Page or the NTP Public Services Project Download Page.
   2392 	If you are unable to upgrade and you run ntpq against a server
   2393 	    and ntpq crashes, try again using raw mode. Build or get a
   2394 	    patched ntpq and see if that fixes the problem. Report new
   2395 	    bugs in ntpq or abusive servers appropriately.
   2396 	If you use ntpq in scripts, make sure ntpq does what you expect
   2397 	    in your scripts. 
   2398   Credit: This weakness was discovered by Yves Younan and
   2399   	Aleksandar Nikolic of Cisco Talos.
   2400 
   2401 * Invalid length data provided by a custom refclock driver could cause
   2402   a buffer overflow. 
   2403 
   2404   References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
   2405   Affects: Potentially all ntp-4 releases running up to, but not
   2406 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   2407 	that have custom refclocks
   2408   CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
   2409 	5.9 unusual worst case
   2410   Summary: A negative value for the datalen parameter will overflow a
   2411 	data buffer. NTF's ntpd driver implementations always set this
   2412 	value to 0 and are therefore not vulnerable to this weakness.
   2413 	If you are running a custom refclock driver in ntpd and that
   2414 	driver supplies a negative value for datalen (no custom driver
   2415 	of even minimal competence would do this) then ntpd would
   2416 	overflow a data buffer. It is even hypothetically possible
   2417 	in this case that instead of simply crashing ntpd the attacker
   2418 	could effect a code injection attack.
   2419   Mitigation:
   2420 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2421 	    Page or the NTP Public Services Project Download Page.
   2422 	If you are unable to upgrade:
   2423 		If you are running custom refclock drivers, make sure
   2424 			the signed datalen value is either zero or positive. 
   2425 	Monitor your ntpd instances. 
   2426   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   2427 
   2428 * Password Length Memory Corruption Vulnerability
   2429 
   2430   References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
   2431   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   2432   	4.3.0 up to, but not including 4.3.77
   2433   CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
   2434   	1.7 usual case, 6.8, worst case
   2435   Summary: If ntpd is configured to allow remote configuration, and if
   2436 	the (possibly spoofed) source IP address is allowed to send
   2437 	remote configuration requests, and if the attacker knows the
   2438 	remote configuration password or if ntpd was (foolishly)
   2439 	configured to disable authentication, then an attacker can
   2440 	send a set of packets to ntpd that may cause it to crash,
   2441 	with the hypothetical possibility of a small code injection.
   2442   Mitigation:
   2443 	Implement BCP-38.
   2444 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2445 	    Page or the NTP Public Services Project Download Page.
   2446 	If you are unable to upgrade, remote configuration of NTF's
   2447 	    ntpd requires:
   2448 		an explicitly configured "trusted" key. Only configure
   2449 			this if you need it.
   2450 		access from a permitted IP address. You choose the IPs.
   2451 		authentication. Don't disable it. Practice secure key safety. 
   2452 	Monitor your ntpd instances. 
   2453   Credit: This weakness was discovered by Yves Younan and
   2454   	Aleksandar Nikolic of Cisco Talos.
   2455 
   2456 * decodenetnum() will ASSERT botch instead of returning FAIL on some
   2457   bogus values.
   2458 
   2459   References: Sec 2922 / CVE-2015-7855
   2460   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   2461 	4.3.0 up to, but not including 4.3.77
   2462   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   2463   Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
   2464 	an unusually long data value where a network address is expected,
   2465 	the decodenetnum() function will abort with an assertion failure
   2466 	instead of simply returning a failure condition.
   2467   Mitigation:
   2468 	Implement BCP-38.
   2469 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2470 	    Page or the NTP Public Services Project Download Page.
   2471 	If you are unable to upgrade:
   2472 		mode 7 is disabled by default. Don't enable it.
   2473 		Use restrict noquery to limit who can send mode 6
   2474 			and mode 7 requests.
   2475 		Configure and use the controlkey and requestkey
   2476 			authentication directives to limit who can
   2477 			send mode 6 and mode 7 requests. 
   2478 	Monitor your ntpd instances. 
   2479   Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 
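The remote-configuration mitigations repeated in the entries above
(restrict noquery, controlkey/requestkey backed by a keys file and a
trustedkey, mode 7 left disabled) can be checked mechanically. The
following is an added Python example, not an ntpd tool: the directive
names are ntpd's own, the two sample configurations are constructed for
the demonstration, and the finding codes are this example's invention.

```python
# Constructed example, not part of ntpd: a small audit of the ntp.conf
# directives the mitigations above rely on. Directive names (restrict,
# keys, trustedkey, controlkey, requestkey, enable/disable mode7) are the
# real ntpd ones; both sample configurations are made up for the demo.

WEAK_CONF = """\
# mode 6/7 queries open to the world, mode 7 switched on, no request key
restrict default kod nomodify notrap nopeer
enable mode7
server 203.0.113.10
"""

HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
keys /etc/ntp.keys
trustedkey 1
controlkey 1
requestkey 1
disable mode7
server 203.0.113.10
"""


def parse_conf(text):
    """Split ntp.conf text into token lists, dropping comments and blanks."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def audit_conf(text):
    """Return a list of finding codes for settings the advisories warn about.

    An empty list means none of the checked weaknesses were found."""
    default_flags = set()
    present = set()
    mode7_enabled = False            # ntp-4.2.8 default: mode 7 disabled
    for toks in parse_conf(text):
        head, args = toks[0], toks[1:]
        if head == "restrict":
            if args and args[0] in ("-4", "-6"):
                args = args[1:]
            if args and args[0] == "default":
                default_flags.update(args[1:])
        elif head in ("keys", "trustedkey", "controlkey", "requestkey"):
            present.add(head)
        elif head == "enable" and "mode7" in args:
            mode7_enabled = True
        elif head == "disable" and "mode7" in args:
            mode7_enabled = False

    findings = []
    if "noquery" not in default_flags:
        findings.append("default-allows-query")     # anyone may send mode 6/7
    if "nomodify" not in default_flags:
        findings.append("default-allows-modify")    # runtime config from anywhere
    if mode7_enabled and "requestkey" not in present:
        findings.append("mode7-without-requestkey")
    if present & {"controlkey", "requestkey"}:
        if "keys" not in present:
            findings.append("keys-file-missing")
        if "trustedkey" not in present:
            findings.append("trustedkey-missing")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_conf(WEAK_CONF))
    print("hardened:", audit_conf(HARDENED_CONF))
```

Run it against the configuration of each ntpd instance you monitor; a
non-empty result on a host that is not supposed to accept remote
configuration is the condition every "If you are unable to upgrade" item
above is trying to avoid.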
   2480 
   2481 * NAK to the Future: Symmetric association authentication bypass via
   2482   crypto-NAK.
   2483 
   2484   References: Sec 2941 / CVE-2015-7871
   2485   Affects: All ntp-4 releases between 4.2.5p186 up to but not including
   2486   	4.2.8p4, and 4.3.0 up to but not including 4.3.77
   2487   CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
   2488   Summary: Crypto-NAK packets can be used to cause ntpd to accept time
   2489 	from unauthenticated ephemeral symmetric peers by bypassing the
   2490 	authentication required to mobilize peer associations. This
   2491 	vulnerability appears to have been introduced in ntp-4.2.5p186
   2492 	when the code handling mobilization of new passive symmetric
   2493 	associations (lines 1103-1165) was refactored.
   2494   Mitigation:
   2495 	Implement BCP-38.
   2496 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   2497 	    Page or the NTP Public Services Project Download Page.
   2498 	If you are unable to upgrade:
   2499 		Apply the patch to the bottom of the "authentic" check
   2500 			block around line 1136 of ntp_proto.c. 
   2501 	Monitor your ntpd instances. 
   2502   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
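As an added Python model (not ntpd's code, and not the patch referred to
above), the following classifies an NTP packet's authentication trailer
(no trailer, a keyed-MD5 MAC, or the 4-byte crypto-NAK) and contrasts a
lax mobilization decision with the strict one: only a verified MAC proves
the sender holds the key, while a crypto-NAK is a refusal and must never
be treated as a credential for mobilizing an ephemeral symmetric
association. The key table and header bytes are constructed.

```python
import hashlib
import hmac

# Constructed model, not ntpd's code: how the authentication trailer of an
# NTP packet is classified, and why a crypto-NAK must never count as
# "authenticated" when deciding whether to mobilize an ephemeral peer.

HDR_LEN = 48
AUTH_NONE, AUTH_OK, AUTH_ERROR, AUTH_CRYPTO = "none", "ok", "error", "crypto-nak"

# Constructed key table: key id -> key bytes (symmetric MD5 keys).
KEYS = {1: b"example-key-material-not-for-use"}


def md5_mac(key, header):
    """Keyed MD5 as NTP uses it: MD5 over key || header (not HMAC)."""
    return hashlib.md5(key + header).digest()


def append_mac(header, keyid, key):
    """Header followed by a 4-byte key id and a 16-byte MD5 digest."""
    return header + keyid.to_bytes(4, "big") + md5_mac(key, header)


def crypto_nak(header):
    """A crypto-NAK is a 4-byte trailer with key id 0 and no digest."""
    return header + b"\0\0\0\0"


def classify_auth(pkt, keys):
    """Return AUTH_NONE / AUTH_OK / AUTH_CRYPTO / AUTH_ERROR for pkt."""
    if len(pkt) < HDR_LEN:
        return AUTH_ERROR
    header, trailer = pkt[:HDR_LEN], pkt[HDR_LEN:]
    if not trailer:
        return AUTH_NONE
    if len(trailer) == 4:
        return AUTH_CRYPTO if trailer == b"\0\0\0\0" else AUTH_ERROR
    if len(trailer) == 4 + 16:                      # key id + MD5 digest
        keyid = int.from_bytes(trailer[:4], "big")
        key = keys.get(keyid)
        if key is None:
            return AUTH_ERROR
        ok = hmac.compare_digest(md5_mac(key, header), trailer[4:])
        return AUTH_OK if ok else AUTH_ERROR
    return AUTH_ERROR                               # unknown MAC length


def mobilize_weak(auth_state):
    """The kind of check that lets a crypto-NAK through: anything that is
    not a hard error is treated as acceptable."""
    return auth_state != AUTH_ERROR


def mobilize_hardened(auth_state, auth_required=True):
    """Only a verified MAC proves the peer holds the key. When authentication
    is not required an unauthenticated packet is acceptable, but a
    crypto-NAK is still a refusal, never a credential."""
    if auth_required:
        return auth_state == AUTH_OK
    return auth_state in (AUTH_OK, AUTH_NONE)


if __name__ == "__main__":
    # Constructed v4 symmetric-active (mode 1) header: LI=0, VN=4, mode=1.
    header = bytes([0x21]) + bytes(HDR_LEN - 1)
    for name, pkt in [("signed", append_mac(header, 1, KEYS[1])),
                      ("crypto-nak", crypto_nak(header)),
                      ("bare", header)]:
        st = classify_auth(pkt, KEYS)
        print(name, st, "weak:", mobilize_weak(st), "hardened:", mobilize_hardened(st))
```

The row for "crypto-nak" is the whole point: the weak decision mobilizes
the peer, the hardened one does not, and the packet carried no key
material at all.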
   2503 
   2504 Backward-Incompatible changes:
   2505 * [Bug 2817] Default on Linux is now "rlimit memlock -1".
   2506   While the general default of 32M is still the case, under Linux
   2507   the default value has been changed to -1 (do not lock ntpd into
   2508   memory).  A value of 0 means "lock ntpd into memory with whatever
   2509   memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
   2510   value in it, that value will continue to be used.
   2511 
   2512 * [Bug 2886] Misspelling: "outlyer" should be "outlier".
   2513   If you've written a script that looks for this case in, say, the
   2514   output of ntpq, you probably want to change your regex matches
   2515   from 'outlyer' to 'outl[iy]er'.
   2516 
   2517 New features in this release:
   2518 * 'rlimit memlock' now has finer-grained control.  A value of -1 means
   2519   "don't lock ntpd into memory".  This is the default for Linux boxes.
   2520   A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
   2521   the value is the number of megabytes of memory to lock.  The default
   2522   is 32 megabytes.
   2523 
   2524 * The old Google Test framework has been replaced with a new framework,
   2525   based on http://www.throwtheswitch.org/unity/ .
   2526 
   2527 Bug Fixes and Improvements:
   2528 * [Bug 2332] (reopened) Exercising thread cancellation once before dropping
   2529   privileges and limiting resources in NTPD removes the need to link
   2530   forcefully against 'libgcc_s', which does not always work. J.Perlinger
   2531 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
   2532 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
   2533 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
   2534 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger (a] ntp.org
   2535 * [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
   2536 * [Bug 2849] Systems with more than one default route may never
   2537   synchronize.  Brian Utterback.  Note that this patch might need to
   2538   be reverted once Bug 2043 has been fixed.
   2539 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
   2540 * [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
   2541 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
   2542 * [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
   2543 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
   2544 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
   2545   be configured for the distribution targets.  Harlan Stenn.
   2546 * [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
   2547 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave (a] horsfall.org
   2548 * [Bug 2888] streamline calendar functions.  perlinger (a] ntp.org
   2549 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger (a] ntp.org
   2550 * [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
   2551 * [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
   2552 * [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
   2553 * [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
   2554 * libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
   2555 * Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
   2556 * tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
   2557 * Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
   2558 * On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
   2559 * top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
   2560 * sntp/tests/ function parameter list cleanup.  Damir Tomi.
   2561 * tests/libntp/ function parameter list cleanup.  Damir Tomi.
   2562 * tests/ntpd/ function parameter list cleanup.  Damir Tomi.
   2563 * sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
   2564 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
   2565 * tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomi.
   2566 * tests/libntp/ improvements in code and fixed error printing.  Damir Tomi.
   2567 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   2568   caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
   2569   formatting; first declaration, then code (C90); deleted unnecessary comments;
   2570   changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
   2571 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
   2572   fix formatting, cleanup. Tomasz Flendrich
   2573 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
   2574   Tomasz Flendrich
   2575 * tests/libntp/statestr.c remove empty functions, remove unnecessary include,
   2576   fix formatting. Tomasz Flendrich
   2577 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
   2578 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
   2579 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
   2580   Tomasz Flendrich
   2581 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
   2582 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
   2583 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
   2584 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
   2585 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
   2586 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
   2587 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
   2588   fixed formatting. Tomasz Flendrich
   2589 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
   2590   removed unnecessary comments, cleanup. Tomasz Flendrich
   2591 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
   2592   comments, cleanup. Tomasz Flendrich
   2593 * tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
   2594   Tomasz Flendrich
   2595 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich
   2596 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
   2597 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
   2598   Tomasz Flendrich
   2599 * sntp/tests/kodDatabase.c added consts, deleted empty function,
   2600   fixed formatting. Tomasz Flendrich
   2601 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
   2602 * sntp/tests/packetHandling.c is now using proper Unity's assertions,
   2603   fixed formatting, deleted unused variable. Tomasz Flendrich
   2604 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
   2605   Tomasz Flendrich
   2606 * sntp/tests/packetProcessing.c changed from sprintf to snprintf,
   2607   fixed formatting. Tomasz Flendrich
   2608 * sntp/tests/utilities.c is now using proper Unity's assertions, changed
   2609   the order of includes, fixed formatting, removed unnecessary comments.
   2610   Tomasz Flendrich
   2611 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
   2612 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
   2613   made one function do its job, deleted unnecessary prints, fixed formatting.
   2614   Tomasz Flendrich
   2615 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
   2616 * sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
   2617 * sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
   2618 * sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
   2619 * sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
   2620 * Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
   2621 * Don't build sntp/libevent/sample/.  Harlan Stenn.
   2622 * tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
   2623 * br-flock: --enable-local-libevent.  Harlan Stenn.
   2624 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
   2625 * scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
   2626 * Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
   2627 * Code cleanup.  Harlan Stenn.
   2628 * libntp/icom.c: Typo fix.  Harlan Stenn.
   2629 * util/ntptime.c: initialization nit.  Harlan Stenn.
   2630 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
   2631 * Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
   2632 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
   2633   Tomasz Flendrich
   2634 * Changed progname to be const in many files - now it's consistent. Tomasz
   2635   Flendrich
   2636 * Typo fix for GCC warning suppression.  Harlan Stenn.
   2637 * Added tests/ntpd/ntp_scanner.c test. Damir Tomi.
   2638 * Added declarations to all Unity tests, and did minor fixes to them.
   2639   Reduced the number of warnings by half. Damir Tomi.
   2640 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory
   2641   with the latest Unity updates from Mark. Damir Tomi.
   2642 * Retire google test - phase I.  Harlan Stenn.
   2643 * Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
   2644 * Update the NEWS file.  Harlan Stenn.
   2645 * Autoconf cleanup.  Harlan Stenn.
   2646 * Unit test dist cleanup. Harlan Stenn.
   2647 * Cleanup various test Makefile.am files.  Harlan Stenn.
   2648 * Pthread autoconf macro cleanup.  Harlan Stenn.
   2649 * Fix progname definition in unity runner scripts.  Harlan Stenn.
   2650 * Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
   2651 * Update the patch for bug 2817.  Harlan Stenn.
   2652 * More updates for bug 2817.  Harlan Stenn.
   2653 * Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
   2654 * gcc on older HPUX may need +allowdups.  Harlan Stenn.
   2655 * Adding missing MCAST protection.  Harlan Stenn.
   2656 * Disable certain test programs on certain platforms.  Harlan Stenn.
   2657 * Implement --enable-problem-tests (on by default).  Harlan Stenn.
   2658 * build system tweaks.  Harlan Stenn.
   2659 
   2660 ---
   2661 NTP 4.2.8p3 (Harlan Stenn <stenn (a] ntp.org>, 2015/06/29) 
   2662 
   2663 Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
   2664 
   2665 Severity: MEDIUM
   2666 
   2667 Security Fix:
   2668 
   2669 * [Sec 2853] Crafted remote config packet can crash some versions of
   2670   ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
   2671 
   2672 Under specific circumstances an attacker can send a crafted packet to
   2673 cause a vulnerable ntpd instance to crash. This requires each of the
   2674 following to be true:
   2675 
   2676 1) ntpd set up to allow remote configuration (not allowed by default), and
   2677 2) knowledge of the configuration password, and
   2678 3) access to a computer entrusted to perform remote configuration. 
   2679 
   2680 This vulnerability is considered low-risk.
   2681 
   2682 New features in this release:
   2683 
   2684 Optional (disabled by default) support to have ntpd provide smeared
   2685 leap second time.  A specially built and configured ntpd will only
   2686 offer smeared time in response to client packets.  These response
   2687 packets will also contain a "refid" of 254.a.b.c, where the 24 bits
   2688 of a, b, and c encode the amount of smear in a 2:22 integer:fraction 
   2689 format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
   2690 information.
   2691 
   2692    *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   2693    *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
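Decoding the leap-smear refid described above, as an added Python example
(not ntpd's code). It treats the 24-bit a.b.c field as a two's-complement
2:22 fixed-point value so that negative smear offsets round-trip, which is
this example's reading of the format; the sample offsets are constructed.

```python
import ipaddress

# Constructed example, not ntpd's code: encode and decode the leap-smear
# refid 254.a.b.c. The 24 bits a.b.c hold the smear offset in seconds as
# a 2:22 fixed-point number; interpreting those bits as two's complement
# (so negative offsets work) is an assumption of this example.
SMEAR_PREFIX = 254
FRAC_BITS = 22
SCALE = 1 << FRAC_BITS


def encode_smear_refid(offset_seconds):
    """Return the 32-bit refid for a smear offset in [-2, 2) seconds."""
    if not -2.0 <= offset_seconds < 2.0:
        raise ValueError("offset does not fit a 2:22 fixed-point field")
    fixed = int(round(offset_seconds * SCALE)) & 0xFFFFFF
    return (SMEAR_PREFIX << 24) | fixed


def decode_smear_refid(refid):
    """Return the smear offset in seconds, or None if refid is not 254.x.y.z."""
    if (refid >> 24) & 0xFF != SMEAR_PREFIX:
        return None
    fixed = refid & 0xFFFFFF
    if fixed & 0x800000:            # sign bit of the 24-bit field
        fixed -= 1 << 24
    return fixed / SCALE


def refid_to_dotted(refid):
    """Render a refid the way ntpq shows it, as a dotted quad."""
    return str(ipaddress.IPv4Address(refid))


def smear_from_dotted(dotted):
    """Decode a refid copied from ntpq output, e.g. '254.32.0.0'."""
    return decode_smear_refid(int(ipaddress.IPv4Address(dotted)))


if __name__ == "__main__":
    for off in (0.0, 0.5, -0.25, 0.999999):
        r = encode_smear_refid(off)
        print(f"{off:+.6f}s -> {refid_to_dotted(r)} -> {decode_smear_refid(r):+.6f}s")
```

A refid of 254.x.y.z in a client's `ntpq -p` output is therefore a
reliable sign that the upstream is handing out smeared time, which is
exactly what the warning above says must not happen on a public server.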
   2694 
   2695 We've imported the Unity test framework, and have begun converting
   2696 the existing google-test items to this new framework.  If you want
   2697 to write new tests or change old ones, you'll need to have ruby
   2698 installed.  You don't need ruby to run the test suite.
   2699 
   2700 Bug Fixes and Improvements:
   2701 
   2702 * CID 739725: Fix a rare resource leak in libevent/listener.c.
   2703 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
   2704 * CID 1296235: Fix refclock_jjy.c and correct the type in driver40-ja.html.
   2705 * CID 1269537: Clean up a line of dead code in getShmTime().
   2706 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
   2707 * [Bug 2590] autogen-5.18.5.
   2708 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
   2709   of 'limited'.
   2710 * [Bug 2650] fix includefile processing.
   2711 * [Bug 2745] ntpd -x steps clock on leap second
   2712    Fixed an initial-value problem that caused misbehaviour in absence of
   2713    any leapsecond information.
   2714    Do leap second stepping only if the step adjustment is beyond the
   2715    proper jump distance limit and step correction is allowed at all.
   2716 * [Bug 2750] build for Win64
   2717   Building the 32-bit loopback PPSAPI needs a def file.
   2718 * [Bug 2776] Improve ntpq's 'help keytype'.
   2719 * [Bug 2778] Implement "apeers"  ntpq command to include associd.
   2720 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
   2721 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an
   2722   interface is ignored as long as this flag is not set since the
   2723   interface is not usable (e.g., no link).
   2724 * [Bug 2794] Clean up kernel clock status reports.
   2725 * [Bug 2800] refclock_true.c true_debug() can't open debug log because
   2726   of incompatible open/fdopen parameters.
   2727 * [Bug 2804] install-local-data assumes GNU 'find' semantics.
   2728 * [Bug 2805] ntpd fails to join multicast group.
   2729 * [Bug 2806] refclock_jjy.c supports the Telephone JJY.
   2730 * [Bug 2808] GPSD_JSON driver enhancements, step 1.
   2731   Fix crash during cleanup if GPS device not present and char device.
   2732   Increase internal token buffer to parse all JSON data, even SKY.
   2733   Defer logging of errors during driver init until the first unit is
   2734   started, so the syslog is not cluttered when the driver is not used.
   2735   Various improvements, see http://bugs.ntp.org/2808 for details.
   2736   Changed libjsmn to a more recent version.
   2737 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
   2738 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
   2739 * [Bug 2815] net-snmp before v5.4 has circular library dependencies.
   2740 * [Bug 2821] Add a missing NTP_PRINTF and a missing const.
   2741 * [Bug 2822] New leap column in sntp broke NTP::Util.pm.
   2742 * [Bug 2824] Convert update-leap to perl. (also see 2769)
   2743 * [Bug 2825] Quiet file installation in html/ .
   2744 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   2745    NTPD now transfers the current TAI offset (instead of an announcement).
   2746    This might still need improvement.
   2747    Update autokey data ASAP when 'sys_tai' changes.
   2748    Fix unit test that was broken by changes for autokey update.
   2749    Avoid potential signature length issue and use DPRINTF where possible
   2750      in ntp_crypto.c.
   2751 * [Bug 2832] refclock_jjy.c supports the TDC-300.
   2752 * [Bug 2834] Correct a broken html tag in html/refclock.html
   2753 * [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
   2754   robust, and require 2 consecutive timestamps to be consistent.
   2755 * [Bug 2837] Allow a configurable DSCP value.
   2756 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in
   2757 * [Bug 2842] Glitch in ntp.conf.def documentation stanza.
   2758 * [Bug 2842] Bug in mdoc2man.
   2759 * [Bug 2843] make check fails on 4.3.36
   2760    Fixed compiler warnings about numeric range overflow
   2761    (The original topic was fixed in a byplay to bug#2830)
   2762 * [Bug 2845] Harden memory allocation in ntpd.
   2763 * [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
   2764 * [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
   2765 * [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
   2766 * [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
   2767 * [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
   2768 * [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
   2769 * [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
   2770 * [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
   2771 * [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
   2772 * html/drivers/driver22.html: typo fix.  Harlan Stenn.
   2773 * refidsmear test cleanup.  Tomasz Flendrich.
   2774 * refidsmear function support and tests.  Harlan Stenn.
   2775 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
   2776   something that was only in the 4.2.6 sntp.  Harlan Stenn.
   2777 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
   2778   Damir Tomic
   2779 * Modified tests/libntp/Makefile.am so it builds Unity framework tests.
   2780   Damir Tomic
   2781 * Modified sntp/tests/Makefile.am so it builds Unity framework tests.
   2782   Damir Tomic
   2783 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
   2784 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomic
   2785 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
   2786   atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   2787   calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
   2788   numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
   2789   timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
   2790   Damir Tomic
   2791 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
   2792   networking.c, keyFile.c, utilities.cpp, sntptest.h,
   2793   fileHandlingTest.h. Damir Tomic
   2794 * Initial support for experimental leap smear code.  Harlan Stenn.
   2795 * Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
   2796 * Report select() debug messages at debug level 3 now.
   2797 * sntp/scripts/genLocInfo: treat raspbian as debian.
   2798 * Unity test framework fixes.
   2799   ** Requires ruby for changes to tests.
   2800 * Initial support for PACKAGE_VERSION tests.
   2801 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
   2802 * tests/bug-2803/Makefile.am must distribute bug-2803.h.
   2803 * Add an assert to the ntpq ifstats code.
   2804 * Clean up the RLIMIT_STACK code.
   2805 * Improve the ntpq documentation around the controlkey keyid.
   2806 * ntpq.c cleanup.
   2807 * Windows port build cleanup.
   2808 
   2809 ---
   2810 NTP 4.2.8p2 (Harlan Stenn <stenn (a] ntp.org>, 2015/04/07) 
   2811 
   2812 Focus: Security and Bug fixes, enhancements.
   2813 
   2814 Severity: MEDIUM
   2815  
   2816 In addition to bug fixes and enhancements, this release fixes the
   2817 following medium-severity vulnerabilities involving private key
   2818 authentication:
   2819 
   2820 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   2821 
   2822     References: Sec 2779 / CVE-2015-1798 / VU#374268
   2823     Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
   2824 	including ntp-4.2.8p2 where the installation uses symmetric keys
   2825 	to authenticate remote associations.
   2826     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   2827     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   2828     Summary: When ntpd is configured to use a symmetric key to authenticate
   2829 	a remote NTP server/peer, it checks if the NTP message
   2830 	authentication code (MAC) in received packets is valid, but not if
   2831 	there actually is any MAC included. Packets without a MAC are
   2832 	accepted as if they had a valid MAC. This allows a MITM attacker to
   2833 	send false packets that are accepted by the client/peer without
   2834 	having to know the symmetric key. The attacker needs to know the
   2835 	transmit timestamp of the client to match it in the forged reply
   2836 	and the false reply needs to reach the client before the genuine
   2837 	reply from the server. The attacker doesn't necessarily need to be
   2838 	relaying the packets between the client and the server.
   2839 
   2840 	Authentication using autokey doesn't have this problem as there is
   2841 	a check that requires the key ID to be larger than NTP_MAXKEY,
   2842 	which fails for packets without a MAC.
   2843     Mitigation:
   2844         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   2845 	or the NTP Public Services Project Download Page
   2846         Configure ntpd with enough time sources and monitor it properly. 
   2847     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
   2848 
   2849 * [Sec 2781] Authentication doesn't protect symmetric associations against
   2850   DoS attacks.
   2851 
   2852     References: Sec 2781 / CVE-2015-1799 / VU#374268
   2853     Affects: All NTP releases starting with at least xntp3.3wy up to but
   2854 	not including ntp-4.2.8p2 where the installation uses symmetric
   2855 	key authentication.
   2856     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   2857     Note: the CVSS base Score for this issue could be 4.3 or lower, and
   2858 	it could be higher than 5.4.
   2859     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   2860     Summary: An attacker knowing that NTP hosts A and B are peering with
   2861 	each other (symmetric association) can send a packet to host A
   2862 	with source address of B which will set the NTP state variables
   2863 	on A to the values sent by the attacker. Host A will then send
   2864 	on its next poll to B a packet with originate timestamp that
   2865 	doesn't match the transmit timestamp of B and the packet will
   2866 	be dropped. If the attacker does this periodically for both
   2867 	hosts, they won't be able to synchronize to each other. This is
   2868 	a known denial-of-service attack, described at
   2869 	https://www.eecis.udel.edu/~mills/onwire.html .
   2870 
   2871 	According to the document the NTP authentication is supposed to
   2872 	protect symmetric associations against this attack, but that
   2873 	doesn't seem to be the case. The state variables are updated even
   2874 	when authentication fails and the peers are sending packets with
   2875 	originate timestamps that don't match the transmit timestamps on
   2876 	the receiving side.
   2877 
   2878 	This seems to be a very old problem, dating back to at least
   2879 	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
   2880 	specifications, so other NTP implementations with support for
   2881 	symmetric associations and authentication may be vulnerable too.
   2882 	An update to the NTP RFC to correct this error is in-process.
   2883     Mitigation:
   2884         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   2885 	or the NTP Public Services Project Download Page
   2886         Note that for users of autokey, this specific style of MITM attack
   2887 	is simply a long-known potential problem.
   2888         Configure ntpd with appropriate time sources and monitor ntpd.
   2889 	Alert your staff if problems are detected. 
   2890     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
   2891 
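The two checks behind Sec 2779 and Sec 2781, as an added example that is not ntpd's code: a stand-in keyed digest replaces MD5, and `is_authentic_*`, `receive_*` and `build_packet` are constructed names that reproduce the vulnerable and fixed patterns described above (packet without a MAC accepted; state variables updated before authentication is honoured).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define LEN_PKT_NOMAC 48                  /* NTP header without authenticator */
#define KEY_ID_LEN    4
#define DIGEST_LEN    16                  /* MD5-sized digest for this example */
#define LEN_PKT_MAC   (LEN_PKT_NOMAC + KEY_ID_LEN + DIGEST_LEN)

/* Stand-in keyed digest (FNV-style mixing), NOT MD5 or HMAC; it exists only
 * so the example runs offline.  ntpd uses MD5/SHA1 through libcrypto. */
static void toy_mac(const uint8_t *key, size_t klen, const uint8_t *msg,
                    size_t mlen, uint8_t out[DIGEST_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < klen; i++) { h ^= key[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < mlen; i++) { h ^= msg[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < DIGEST_LEN; i++, h = h * 6364136223846793005ULL + 1)
        out[i] = (uint8_t)(h >> ((i % 8) * 8));
}

/* The digest covers key || 48-byte header; the key ID follows the header
 * and the digest follows the key ID.  Comparison is constant time. */
static bool mac_matches(const uint8_t *pkt, const uint8_t *key, size_t klen)
{
    uint8_t want[DIGEST_LEN], diff = 0;
    toy_mac(key, klen, pkt, LEN_PKT_NOMAC, want);
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= want[i] ^ pkt[LEN_PKT_NOMAC + KEY_ID_LEN + i];
    return diff == 0;
}

/* Sec 2779, pre-4.2.8p2 pattern: the MAC is validated only when one is
 * present, so a bare 48-byte packet passes as if it carried a valid MAC. */
bool is_authentic_vulnerable(const uint8_t *pkt, size_t len,
                             const uint8_t *key, size_t klen)
{
    if (len == LEN_PKT_NOMAC) return true;   /* nothing to check: wrongly OK */
    return len == LEN_PKT_MAC && mac_matches(pkt, key, klen);
}

/* Fixed pattern: with a key configured, the packet must carry a complete
 * authenticator before any digest comparison is attempted. */
bool is_authentic_fixed(const uint8_t *pkt, size_t len,
                        const uint8_t *key, size_t klen)
{
    return len == LEN_PKT_MAC && mac_matches(pkt, key, klen);
}

/* Minimal symmetric-association state for Sec 2781: org/rec are the last
 * originate and receive timestamps, xmt is what we last sent to the peer. */
struct peer_state { uint64_t org, rec, xmt; };
enum recv_result { RECV_DROPPED, RECV_ACCEPTED };
static uint64_t get_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Pre-fix pattern: state is updated before the authentication result is
 * honoured, so a spoofed packet leaves org holding a timestamp the real
 * peer never sent, and the next genuine exchange is dropped. */
enum recv_result receive_vulnerable(struct peer_state *p, const uint8_t *pkt,
                                    size_t len, uint64_t now,
                                    const uint8_t *key, size_t klen)
{
    p->org = get_be64(pkt + 40);          /* sender's transmit timestamp */
    p->rec = now;
    return is_authentic_fixed(pkt, len, key, klen) ? RECV_ACCEPTED : RECV_DROPPED;
}

/* 4.2.8p2 pattern: authenticate first; only an authentic packet may touch
 * the association's state variables. */
enum recv_result receive_fixed(struct peer_state *p, const uint8_t *pkt,
                               size_t len, uint64_t now,
                               const uint8_t *key, size_t klen)
{
    if (!is_authentic_fixed(pkt, len, key, klen))
        return RECV_DROPPED;              /* org and rec untouched */
    p->org = get_be64(pkt + 40);
    p->rec = now;
    return RECV_ACCEPTED;
}

/* Constructed NTP packet: header carrying the given transmit timestamp, plus
 * key ID 1 and the stand-in MAC when with_mac is set.  Returns the length. */
size_t build_packet(uint8_t *buf, uint64_t xmt, const uint8_t *key,
                    size_t klen, bool with_mac)
{
    memset(buf, 0, LEN_PKT_MAC);
    buf[0] = 0x21;                        /* LI 0, VN 4, mode 1 (sym. active) */
    for (int i = 0; i < 8; i++) buf[40 + i] = (uint8_t)(xmt >> (56 - 8 * i));
    if (!with_mac) return LEN_PKT_NOMAC;
    buf[LEN_PKT_NOMAC + 3] = 1;           /* key ID 1, big-endian */
    toy_mac(key, klen, buf, LEN_PKT_NOMAC, buf + LEN_PKT_NOMAC + KEY_ID_LEN);
    return LEN_PKT_MAC;
}
```
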
   2892 * New script: update-leap
   2893 The update-leap script will verify and if necessary, update the
   2894 leap-second definition file.
   2895 It requires the following commands in order to work:
   2896 
   2897 	wget logger tr sed shasum
   2898 
   2899 Some may choose to run this from cron.  It needs more portability testing.
   2900 
   2901 Bug Fixes and Improvements:
   2902 
   2903 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
   2904 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
   2905 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
   2906 * [Bug 2728] See if C99-style structure initialization works.
   2907 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
   2908 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
   2909 * [Bug 2751] jitter.h has stale copies of l_fp macros.
   2910 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
   2911 * [Bug 2757] Quiet compiler warnings.
   2912 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
   2913 * [Bug 2763] Allow different thresholds for forward and backward steps.
   2914 * [Bug 2766] ntp-keygen output files should not be world-readable.
   2915 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
   2916 * [Bug 2771] nonvolatile value is documented in wrong units.
   2917 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
   2918 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
   2919 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
   2920 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
   2921   Removed non-ASCII characters from some copyright comments.
   2922   Removed trailing whitespace.
   2923   Updated definitions for Meinberg clocks from current Meinberg header files.
   2924   Now use C99 fixed-width types and avoid non-ASCII characters in comments.
   2925   Account for updated definitions pulled from Meinberg header files.
   2926   Updated comments on Meinberg GPS receivers which are not only called GPS16x.
   2927   Replaced some constant numbers by defines from ntp_calendar.h
   2928   Modified creation of parse-specific variables for Meinberg devices
   2929   in gps16x_message().
   2930   Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
   2931   Modified mbg_tm_str() which now expects an additional parameter controlling
   2932   if the time status shall be printed.
   2933 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   2934 * [Sec 2781] Authentication doesn't protect symmetric associations against
   2935   DoS attacks.
   2936 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
   2937 * [Bug 2789] Quiet compiler warnings from libevent.
   2938 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
   2939   pause briefly before measuring system clock precision to yield
   2940   correct results.
   2941 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
   2942 * Use predefined function types for parse driver functions
   2943   used to set up function pointers.
   2944   Account for changed prototype of parse_inp_fnc_t functions.
   2945   Cast parse conversion results to appropriate types to avoid
   2946   compiler warnings.
   2947   Let ioctl() for Windows accept a (void *) to avoid compiler warnings
   2948   when called with pointers to different types.
   2949 
   2950 ---
   2951 NTP 4.2.8p1 (Harlan Stenn <stenn (a] ntp.org>, 2015/02/04) 
   2952 
   2953 Focus: Security and Bug fixes, enhancements.
   2954 
   2955 Severity: HIGH
   2956  
   2957 In addition to bug fixes and enhancements, this release fixes the
   2958 following high-severity vulnerabilities:
   2959 
   2960 * vallen is not validated in several places in ntp_crypto.c, leading
   2961   to a potential information leak or possibly a crash
   2962 
   2963     References: Sec 2671 / CVE-2014-9297 / VU#852879
   2964     Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
   2965     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2966     Date Resolved: Stable (4.2.8p1) 04 Feb 2015
   2967     Summary: The vallen packet value is not validated in several code
   2968              paths in ntp_crypto.c which can lead to information leakage
   2969 	     or perhaps a crash of the ntpd process.
   2970     Mitigation - any of:
   2971 	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   2972 		or the NTP Public Services Project Download Page.
   2973 	Disable Autokey Authentication by removing, or commenting out,
   2974 		all configuration directives beginning with the "crypto"
   2975 		keyword in your ntp.conf file. 
   2976     Credit: This vulnerability was discovered by Stephen Roettger of the
   2977     	Google Security Team, with additional cases found by Sebastian
   2978 	Krahmer of the SUSE Security Team and Harlan Stenn of Network
   2979 	Time Foundation. 
   2980 
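Added example (not ntp_crypto.c): a bounds-checked parser for the Autokey extension-field layout of RFC 5906, showing the kind of vallen check the advisory describes as missing. `parse_autokey_ext` and `build_ext` are constructed names, the field type and stamps are made-up values, and keyword decoding and padding are omitted.

```c
#include <stdint.h>
#include <string.h>

/* Fixed part of an Autokey extension field as laid out in RFC 5906:
 * type(2) length(2) assoc_id(4) tstamp(4) fstamp(4) vallen(4) = 20 bytes,
 * followed by value[vallen], siglen(4) and signature[siglen]. */
#define EXT_FIXED_LEN 20
#define EXT_MIN_LEN   (EXT_FIXED_LEN + 4)   /* must at least hold siglen */

struct autokey_ext {
    uint16_t type, length;                  /* length as carried in the packet */
    uint32_t assoc_id, tstamp, fstamp;
    uint32_t vallen, siglen;
    const uint8_t *value, *sig;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns 0 and fills *out only when every length is consistent with the
 * bytes actually present; returns -1 otherwise, never reading past buflen. */
int parse_autokey_ext(const uint8_t *buf, size_t buflen, struct autokey_ext *out)
{
    if (buflen < EXT_MIN_LEN)
        return -1;
    uint16_t length = be16(buf + 2);
    if (length < EXT_MIN_LEN || length > buflen)     /* field must fit the packet */
        return -1;
    uint32_t vallen = be32(buf + 16);
    /* The check the advisory describes as missing: vallen comes from the
     * wire and must leave room for the siglen word inside the field. */
    if (vallen > (uint32_t)(length - EXT_MIN_LEN))
        return -1;
    size_t sig_off = EXT_FIXED_LEN + vallen;         /* offset of siglen */
    uint32_t siglen = be32(buf + sig_off);
    if (siglen > (uint32_t)(length - sig_off - 4))   /* signature must fit too */
        return -1;
    out->type = be16(buf);
    out->length = length;
    out->assoc_id = be32(buf + 4);
    out->tstamp = be32(buf + 8);
    out->fstamp = be32(buf + 12);
    out->vallen = vallen;
    out->value = buf + EXT_FIXED_LEN;
    out->siglen = siglen;
    out->sig = buf + sig_off + 4;
    return 0;
}

/* Constructs a field holding `value` and a 4-byte dummy signature, but
 * writes `vallen_claim` into the vallen word so a test can present a lying
 * length to the parser.  Returns the number of bytes written. */
size_t build_ext(uint8_t *buf, const uint8_t *value, uint32_t vallen,
                 uint32_t vallen_claim)
{
    static const uint8_t sig[4] = { 0xaa, 0xbb, 0xcc, 0xdd };   /* constructed */
    size_t total = EXT_FIXED_LEN + vallen + 4 + sizeof sig;
    memset(buf, 0, total);
    put16(buf, 0x0202);                     /* constructed field type */
    put16(buf + 2, (uint16_t)total);
    put32(buf + 4, 1);                      /* association ID */
    put32(buf + 8, 0x12345678);             /* timestamp, constructed */
    put32(buf + 12, 0x12345000);            /* filestamp, constructed */
    put32(buf + 16, vallen_claim);
    memcpy(buf + EXT_FIXED_LEN, value, vallen);
    put32(buf + EXT_FIXED_LEN + vallen, sizeof sig);
    memcpy(buf + EXT_FIXED_LEN + vallen + 4, sig, sizeof sig);
    return total;
}
```
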
   2981 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
   2982   can be bypassed.
   2983 
   2984     References: Sec 2672 / CVE-2014-9298 / VU#852879
   2985     Affects: All NTP4 releases before 4.2.8p1, under at least some
   2986 	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
   2987     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
   2988     Date Resolved: Stable (4.2.8p1) 04 Feb 2014
   2989     Summary: While available kernels will prevent 127.0.0.1 addresses
   2990 	from "appearing" on non-localhost IPv4 interfaces, some kernels
   2991 	do not offer the same protection for ::1 source addresses on
   2992 	IPv6 interfaces. Since NTP's access control is based on source
   2993 	address and localhost addresses generally have no restrictions,
   2994 	an attacker can send malicious control and configuration packets
   2995 	by spoofing ::1 addresses from the outside. Note Well: This is
   2996 	not really a bug in NTP, it's a problem with some OSes. If you
   2997 	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
   2998 	ACL restrictions on any application can be bypassed!
   2999     Mitigation:
   3000         Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   3001 	or the NTP Public Services Project Download Page
   3002         Install firewall rules to block packets claiming to come from
   3003 	::1 from inappropriate network interfaces. 
   3004     Credit: This vulnerability was discovered by Stephen Roettger of
   3005 	the Google Security Team. 
   3006 
   3007 Additionally, over 30 bugfixes and improvements were made to the codebase.
   3008 See the ChangeLog for more information.
   3009 
   3010 ---
   3011 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 
   3012  
   3013 Focus: Security and Bug fixes, enhancements.
   3014  
   3015 Severity: HIGH
   3016  
   3017 In addition to bug fixes and enhancements, this release fixes the
   3018 following high-severity vulnerabilities:
   3019 
   3020 ************************** vv NOTE WELL vv *****************************
   3021 
   3022 The vulnerabilities listed below can be significantly mitigated by
   3023 following the BCP of putting
   3024 
   3025  restrict default ... noquery
   3026 
   3027 in the ntp.conf file.  With the exception of:
   3028 
   3029    receive(): missing return on error
   3030    References: Sec 2670 / CVE-2014-9296 / VU#852879
   3031 
   3032 below (which is a limited-risk vulnerability), none of the recent
   3033 vulnerabilities listed below can be exploited if the source IP is
   3034 restricted from sending a 'query'-class packet by your ntp.conf file.
   3035 
   3036 ************************** ^^ NOTE WELL ^^ *****************************
   3037 
   3038 * Weak default key in config_auth().
   3039 
   3040   References: [Sec 2665] / CVE-2014-9293 / VU#852879
   3041   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   3042   Vulnerable Versions: all releases prior to 4.2.7p11
   3043   Date Resolved: 28 Jan 2010
   3044 
   3045   Summary: If no 'auth' key is set in the configuration file, ntpd
   3046 	would generate a random key on the fly.  There were two
   3047 	problems with this: 1) the generated key was 31 bits in size,
   3048 	and 2) it used the (now weak) ntp_random() function, which was
   3049 	seeded with a 32-bit value and could only provide 32 bits of
   3050 	entropy.  This was sufficient back in the late 1990s when the
   3051 	code was written.  Not today.
   3052 
   3053   Mitigation - any of:
   3054 	- Upgrade to 4.2.7p11 or later.
   3055 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3056 
   3057   Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
   3058   	of the Google Security Team.
   3059 
   3060 * Non-cryptographic random number generator with weak seed used by
   3061   ntp-keygen to generate symmetric keys.
   3062 
   3063   References: [Sec 2666] / CVE-2014-9294 / VU#852879
   3064   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   3065   Vulnerable Versions: All NTP4 releases before 4.2.7p230
   3066   Date Resolved: Dev (4.2.7p230) 01 Nov 2011
   3067 
   3068   Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
   3069   	prepare a random number generator that was of good quality back
	in the late 1990s. The random numbers produced were then used to
   3071 	generate symmetric keys. In ntp-4.2.8 we use a current-technology
   3072 	cryptographic random number generator, either RAND_bytes from
   3073 	OpenSSL, or arc4random(). 
   3074 
   3075   Mitigation - any of:
   3076   	- Upgrade to 4.2.7p230 or later.
   3077 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3078 
   3079   Credit:  This vulnerability was discovered in ntp-4.2.6 by
   3080   	Stephen Roettger of the Google Security Team.
   3081 
   3082 * Buffer overflow in crypto_recv()
   3083 
   3084   References: Sec 2667 / CVE-2014-9295 / VU#852879
   3085   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   3086   Versions: All releases before 4.2.8
   3087   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3088 
   3089   Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
   3090   	file contains a 'crypto pw ...' directive) a remote attacker
   3091 	can send a carefully crafted packet that can overflow a stack
   3092 	buffer and potentially allow malicious code to be executed
   3093 	with the privilege level of the ntpd process.
   3094 
   3095   Mitigation - any of:
   3096   	- Upgrade to 4.2.8, or later, or
   3097 	- Disable Autokey Authentication by removing, or commenting out,
   3098 	  all configuration directives beginning with the crypto keyword
   3099 	  in your ntp.conf file. 
   3100 
   3101   Credit: This vulnerability was discovered by Stephen Roettger of the
   3102   	Google Security Team. 
   3103 
   3104 * Buffer overflow in ctl_putdata()
   3105 
   3106   References: Sec 2668 / CVE-2014-9295 / VU#852879
   3107   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   3108   Versions: All NTP4 releases before 4.2.8
   3109   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3110 
   3111   Summary: A remote attacker can send a carefully crafted packet that
   3112   	can overflow a stack buffer and potentially allow malicious
   3113 	code to be executed with the privilege level of the ntpd process.
   3114 
   3115   Mitigation - any of:
   3116   	- Upgrade to 4.2.8, or later.
   3117 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3118 
   3119   Credit: This vulnerability was discovered by Stephen Roettger of the
   3120   	Google Security Team. 
   3121 
   3122 * Buffer overflow in configure()
   3123 
   3124   References: Sec 2669 / CVE-2014-9295 / VU#852879
   3125   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   3126   Versions: All NTP4 releases before 4.2.8
   3127   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3128 
   3129   Summary: A remote attacker can send a carefully crafted packet that
   3130 	can overflow a stack buffer and potentially allow malicious
   3131 	code to be executed with the privilege level of the ntpd process.
   3132 
   3133   Mitigation - any of:
   3134   	- Upgrade to 4.2.8, or later.
   3135 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   3136 
   3137   Credit: This vulnerability was discovered by Stephen Roettger of the
   3138 	Google Security Team. 
   3139 
   3140 * receive(): missing return on error
   3141 
   3142   References: Sec 2670 / CVE-2014-9296 / VU#852879
   3143   CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
   3144   Versions: All NTP4 releases before 4.2.8
   3145   Date Resolved: Stable (4.2.8) 18 Dec 2014
   3146 
   3147   Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
   3148   	the code path where an error was detected, which meant
   3149 	processing did not stop when a specific rare error occurred.
   3150 	We haven't found a way for this bug to affect system integrity.
   3151 	If there is no way to affect system integrity the base CVSS
   3152 	score for this bug is 0. If there is one avenue through which
   3153 	system integrity can be partially affected, the base score
   3154 	becomes a 5. If system integrity can be partially affected
	via all three integrity metrics, the CVSS base score becomes 7.5.
   3156 
   3157   Mitigation - any of:
   3158         - Upgrade to 4.2.8, or later,
   3159         - Remove or comment out all configuration directives
   3160 	  beginning with the crypto keyword in your ntp.conf file. 
   3161 
   3162   Credit: This vulnerability was discovered by Stephen Roettger of the
   3163   	Google Security Team. 
   3164 
   3165 See http://support.ntp.org/security for more information.
   3166 
   3167 New features / changes in this release:
   3168 
   3169 Important Changes
   3170 
   3171 * Internal NTP Era counters
   3172 
   3173 The internal counters that track the "era" (range of years) we are in
   3174 roll over every 136 years.  The current "era" started at the stroke of
   3175 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
   3176 1 Jan 2036.
   3177 In the past, we have used the "midpoint" of the range to decide which
   3178 era we were in.  Given the longevity of some products, it became clear
   3179 that it would be more functional to "look back" less, and "look forward"
   3180 more.  We now compile a timestamp into the ntpd executable and when we
   3181 get a timestamp we use the "built-on" timestamp to tell us what era we are in.
   3182 This check "looks back" 10 years, and "looks forward" 126 years.
   3183 
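The era selection just described, as an added example that is not ntpd's own code: `ntp_secs_to_unix` resolves a 32-bit seconds field against a pivot window, with the year length approximated as 365.25 days and a constructed 2014-12-18 build time. It also runs the old midpoint rule for comparison, so the 1980 sample shows where the two rules disagree.

```c
#include <stdint.h>
#include <stdio.h>

#define JAN_1970       2208988800ULL           /* 1 Jan 1900 to 1 Jan 1970 */
#define SECS_PER_YEAR  31557600ULL             /* 365.25 days, approximation */
#define LOOK_BACK_SECS (10 * SECS_PER_YEAR)    /* new rule: look back 10 years */
#define HALF_ERA_SECS  2147483648ULL           /* 2^31: the old midpoint rule */

/* Resolves a 32-bit NTP seconds field to 64-bit Unix time by picking the one
 * era value inside [pivot - look_back, pivot - look_back + 2^32), where the
 * pivot is the "built-on" time in Unix seconds. */
int64_t ntp_secs_to_unix(uint32_t ntp_secs, int64_t pivot_unix,
                         uint64_t look_back)
{
    int64_t lo_ntp = pivot_unix - (int64_t)look_back + (int64_t)JAN_1970;
    uint32_t delta = ntp_secs - (uint32_t)lo_ntp;   /* wraps modulo 2^32 */
    return lo_ntp + (int64_t)delta - (int64_t)JAN_1970;
}

/* Era number of a resolved time: 0 from 1900 to the 2036 rollover, then 1. */
int64_t ntp_era(int64_t unix_secs)
{
    return (int64_t)(((uint64_t)unix_secs + JAN_1970) >> 32);
}

int main(void)
{
    const int64_t built_on = 1418860800;       /* 2014-12-18 00:00 UTC, constructed */
    /* low 32 bits of NTP seconds for 2015-01-01, 2040-01-01 and 1980-01-01 */
    const uint32_t samples[] = { 3629059200u, 123010304u, 2524521600u };
    for (int i = 0; i < 3; i++) {
        int64_t a = ntp_secs_to_unix(samples[i], built_on, LOOK_BACK_SECS);
        int64_t b = ntp_secs_to_unix(samples[i], built_on, HALF_ERA_SECS);
        printf("ntp %10u: built-on rule -> unix %lld (era %lld), midpoint rule -> unix %lld\n",
               samples[i], (long long)a, (long long)ntp_era(a), (long long)b);
    }
    return 0;
}
```

The 1980 sample is older than the 10-year look-back, so the built-on rule places it in the next era (year 2116), while the midpoint rule keeps it in 1980.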
   3184 * ntpdc responses disabled by default
   3185 
   3186 Dave Hart writes:
   3187 
   3188 For a long time, ntpq and its mostly text-based mode 6 (control) 
   3189 protocol have been preferred over ntpdc and its mode 7 (private 
   3190 request) protocol for runtime queries and configuration.  There has 
   3191 been a goal of deprecating ntpdc, previously held back by numerous 
   3192 capabilities exposed by ntpdc with no ntpq equivalent.  I have been 
   3193 adding commands to ntpq to cover these cases, and I believe I've 
   3194 covered them all, though I've not compared command-by-command 
   3195 recently. 
   3196 
   3197 As I've said previously, the binary mode 7 protocol involves a lot of 
   3198 hand-rolled structure layout and byte-swapping code in both ntpd and 
   3199 ntpdc which is hard to get right.  As ntpd grows and changes, the 
   3200 changes are difficult to expose via ntpdc while maintaining forward 
   3201 and backward compatibility between ntpdc and ntpd.  In contrast, 
   3202 ntpq's text-based, label=value approach involves more code reuse and 
   3203 allows compatible changes without extra work in most cases. 
   3204 
   3205 Mode 7 has always been defined as vendor/implementation-specific while 
   3206 mode 6 is described in RFC 1305 and intended to be open to interoperate 
   3207 with other implementations.  There is an early draft of an updated 
   3208 mode 6 description that likely will join the other NTPv4 RFCs 
   3209 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
   3210 
   3211 For these reasons, ntpd 4.2.7p230 by default disables processing of 
   3212 ntpdc queries, reducing ntpd's attack surface and functionally 
   3213 deprecating ntpdc.  If you are in the habit of using ntpdc for certain 
   3214 operations, please try the ntpq equivalent.  If there's no equivalent, 
   3215 please open a bug report at http://bugs.ntp.org/.
   3216 
   3217 In addition to the above, over 1100 issues have been resolved between
   3218 the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
   3219 lists these.
   3220 
   3221 --- 
   3222 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 
   3223  
   3224 Focus: Bug fixes
   3225  
   3226 Severity: Medium 
   3227  
   3228 This is a recommended upgrade. 
   3229 
   3230 This release updates sys_rootdisp and sys_jitter calculations to match the
   3231 RFC specification, fixes a potential IPv6 address matching error for the
   3232 "nic" and "interface" configuration directives, suppresses the creation of
   3233 extraneous ephemeral associations for certain broadcastclient and
   3234 multicastclient configurations, cleans up some ntpq display issues, and
   3235 includes improvements to orphan mode, minor bugs fixes and code clean-ups.
   3236 
   3237 New features / changes in this release:
   3238 
   3239 ntpd
   3240 
   3241  * Updated "nic" and "interface" IPv6 address handling to prevent 
   3242    mismatches with localhost [::1] and wildcard [::] which resulted from
   3243    using the address/prefix format (e.g. fe80::/64)
   3244  * Fix orphan mode stratum incorrectly counting to infinity
   3245  * Orphan parent selection metric updated to include missing ntohl()
   3246  * Non-printable stratum 16 refid no longer sent to ntp
   3247  * Duplicate ephemeral associations suppressed for broadcastclient and
   3248    multicastclient without broadcastdelay
   3249  * Exclude undetermined sys_refid from use in loopback TEST12
   3250  * Exclude MODE_SERVER responses from KoD rate limiting
   3251  * Include root delay in clock_update() sys_rootdisp calculations
   3252  * get_systime() updated to exclude sys_residual offset (which only
   3253    affected bits "below" sys_tick, the precision threshold)
   3254  * sys.peer jitter weighting corrected in sys_jitter calculation
   3255 
   3256 ntpq
   3257 
   3258  * -n option extended to include the billboard "server" column
   3259  * IPv6 addresses in the local column truncated to prevent overruns
   3260 
   3261 --- 
   3262 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 
   3263  
   3264 Focus: Bug fixes and portability improvements 
   3265  
   3266 Severity: Medium 
   3267  
   3268 This is a recommended upgrade. 
   3269  
   3270 This release includes build infrastructure updates, code 
   3271 clean-ups, minor bug fixes, fixes for a number of minor 
   3272 ref-clock issues, and documentation revisions. 
   3273  
   3274 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 
   3275  
   3276 New features / changes in this release: 
   3277  
   3278 Build system 
   3279  
   3280 * Fix checking for struct rtattr 
   3281 * Update config.guess and config.sub for AIX 
   3282 * Upgrade required version of autogen and libopts for building 
   3283   from our source code repository 
   3284  
   3285 ntpd 
   3286  
   3287 * Back-ported several fixes for Coverity warnings from ntp-dev 
   3288 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 
   3289 * Allow "logconfig =allall" configuration directive 
   3290 * Bind tentative IPv6 addresses on Linux 
   3291 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 
   3292 * Improved tally bit handling to prevent incorrect ntpq peer status reports 
   3293 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 
   3294   candidate list unless they are designated a "prefer peer" 
   3295 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 
   3296   selection during the 'tos orphanwait' period 
   3297 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 
   3298   drivers 
   3299 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 
   3300 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 
   3301 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 
   3302   clock slew on Microsoft Windows 
   3303 * Code cleanup in libntpq 
   3304  
   3305 ntpdc 
   3306  
   3307 * Fix timerstats reporting 
   3308  
   3309 ntpdate 
   3310  
   3311 * Reduce time required to set clock 
   3312 * Allow a timeout greater than 2 seconds 
   3313  
   3314 sntp 
   3315  
   3316 * Backward incompatible command-line option change: 
   3317   -l/--filelog changed -l/--logfile (to be consistent with ntpd) 
   3318  
   3319 Documentation 
   3320  
   3321 * Update html2man. Fix some tags in the .html files 
   3322 * Distribute ntp-wait.html 
   3323 
   3324 ---
   3325 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03)
   3326 
   3327 Focus: Bug fixes and portability improvements
   3328 
   3329 Severity: Medium
   3330 
   3331 This is a recommended upgrade.
   3332 
   3333 This release includes build infrastructure updates, code
   3334 clean-ups, minor bug fixes, fixes for a number of minor
   3335 ref-clock issues, and documentation revisions.
   3336 
   3337 Portability improvements in this release affect AIX, Atari FreeMiNT,
   3338 FreeBSD4, Linux and Microsoft Windows.
   3339 
   3340 New features / changes in this release:
   3341 
   3342 Build system
   3343 * Use lsb_release to get information about Linux distributions.
   3344 * 'test' is in /usr/bin (instead of /bin) on some systems.
   3345 * Basic sanity checks for the ChangeLog file.
   3346 * Source certain build files with ./filename for systems without . in PATH.
   3347 * IRIX portability fix.
   3348 * Use a single copy of the "libopts" code.
   3349 * autogen/libopts upgrade.
   3350 * configure.ac m4 quoting cleanup.
   3351 
   3352 ntpd
   3353 * Do not bind to IN6_IFF_ANYCAST addresses.
   3354 * Log the reason for exiting under Windows.
   3355 * Multicast fixes for Windows.
   3356 * Interpolation fixes for Windows.
   3357 * IPv4 and IPv6 Multicast fixes.
   3358 * Manycast solicitation fixes and general repairs.
   3359 * JJY refclock cleanup.
   3360 * NMEA refclock improvements.
   3361 * Oncore debug message cleanup.
   3362 * Palisade refclock now builds under Linux.
   3363 * Give RAWDCF more baud rates.
   3364 * Support Truetime Satellite clocks under Windows.
   3365 * Support Arbiter 1093C Satellite clocks under Windows.
   3366 * Make sure that the "filegen" configuration command defaults to "enable".
   3367 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
   3368 * Prohibit 'includefile' directive in remote configuration command.
   3369 * Fix 'nic' interface bindings.
   3370 * Fix the way we link with openssl if openssl is installed in the base
   3371   system.
   3372 
   3373 ntp-keygen
   3374 * Fix -V coredump.
   3375 * OpenSSL version display cleanup.
   3376 
   3377 ntpdc
   3378 * Many counters should be treated as unsigned.
   3379 
   3380 ntpdate
   3381 * Do not ignore replies with equal receive and transmit timestamps.
   3382 
   3383 ntpq
   3384 * libntpq warning cleanup.
   3385 
   3386 ntpsnmpd
   3387 * Correct SNMP type for "precision" and "resolution".
   3388 * Update the MIB from the draft version to RFC-5907.
   3389 
   3390 sntp
   3391 * Display timezone offset when showing time for sntp in the local
   3392   timezone.
   3393 * Pay proper attention to RATE KoD packets.
   3394 * Fix a miscalculation of the offset.
   3395 * Properly parse empty lines in the key file.
   3396 * Logging cleanup.
   3397 * Use tv_usec correctly in set_time().
   3398 * Documentation cleanup.
   3399 
   3400 ---
   3401 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08)
   3402 
   3403 Focus: Bug fixes and portability improvements
   3404 
   3405 Severity: Medium
   3406 
   3407 This is a recommended upgrade.
   3408 
   3409 This release includes build infrastructure updates, code
   3410 clean-ups, minor bug fixes, fixes for a number of minor
   3411 ref-clock issues, improved KOD handling, OpenSSL related
   3412 updates and documentation revisions.
   3413 
   3414 Portability improvements in this release affect Irix, Linux,
   3415 Mac OS, Microsoft Windows, OpenBSD and QNX6
   3416 
   3417 New features / changes in this release:
   3418 
   3419 ntpd
   3420 * Range syntax for the trustedkey configuration directive
   3421 * Unified IPv4 and IPv6 restrict lists
   3422 
   3423 ntpdate
   3424 * Rate limiting and KOD handling
   3425 
   3426 ntpsnmpd
   3427 * default connection to net-snmpd via a unix-domain socket
   3428 * command-line 'socket name' option
   3429 
   3430 ntpq / ntpdc
   3431 * support for the "passwd ..." syntax
   3432 * key-type specific password prompts
   3433 
   3434 sntp
   3435 * MD5 authentication of an ntpd
   3436 * Broadcast and crypto
   3437 * OpenSSL support
   3438 
   3439 ---
   3440 NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09)
   3441 
   3442 Focus: Bug fixes, portability fixes, and documentation improvements
   3443 
   3444 Severity: Medium
   3445 
   3446 This is a recommended upgrade.
   3447 
   3448 ---
   3449 NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   3450 
   3451 Focus: enhancements and bug fixes.
   3452 
   3453 ---
   3454 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)
   3455 
   3456 Focus: Security Fixes
   3457 
   3458 Severity: HIGH
   3459 
   3460 This release fixes the following high-severity vulnerability:
   3461 
   3462 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
   3463 
   3464   See http://support.ntp.org/security for more information.
   3465 
   3466   NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
   3467   In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
   3468   transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
   3469   request or a mode 7 error response from an address which is not listed
   3470   in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
   3471   reply with a mode 7 error response (and log a message).  In this case:
   3472 
   3473 	* If an attacker spoofs the source address of ntpd host A in a
   3474 	  mode 7 response packet sent to ntpd host B, both A and B will
   3475 	  continuously send each other error responses, for as long as
   3476 	  those packets get through.
   3477 
   3478 	* If an attacker spoofs an address of ntpd host A in a mode 7
   3479 	  response packet sent to ntpd host A, A will respond to itself
   3480 	  endlessly, consuming CPU and logging excessively.
   3481 
   3482   Credit for finding this vulnerability goes to Robin Park and Dmitri
   3483   Vinokurov of Alcatel-Lucent.
   3484 
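The ping-pong described above can be reproduced without two real hosts. The following model is an added example written for this page, not code from the NTP project: it packs and parses the 8-byte mode 7 header (layout and constants as the author recalls them from ntp_request.h), gives each simulated ntpd the vulnerable behaviour the advisory describes (an unsolicited mode 7 error response is answered with another error response) or an assumed hardened behaviour (a packet that already carries the response bit is dropped), and then injects one spoofed error response. It also goes slightly beyond the text by showing that a legitimate query and a single bad request still get exactly one reply, and that "restrict ... noquery" on the spoofed address stops the loop. Hosts "A", "B" and "C" and the toy request table are constructed for the example; the hardened rule is an assumption about how the loop is broken, not a quote of the 4.2.4p8 patch.

```python
"""Model of the NTP mode 7 reflection loop behind CVE-2009-3563.

Added example, not code from the NTP project.  Header layout and constants
follow ntp_request.h as the author remembers them; the "hardened" rule
(never answer a packet that already carries the response bit) is an
assumption, not the 4.2.4p8 patch.  Hosts "A", "B", "C" are constructed.
"""
import struct
from dataclasses import dataclass

MODE_PRIVATE = 7        # NTP mode 7 (MODE_PRIVATE), used by ntpdc
RESP_BIT = 0x80         # R bit of the first byte: packet is a response
IMPL_XNTPD = 3          # implementation number ntpd answers for
INFO_ERR_REQ = 2        # error code: unknown or invalid request
HDR = struct.Struct("!BBBBHH")  # rm_vn_mode, auth_seq, implementation,
                                # request, err|nitems, mbz|itemsize


@dataclass
class Mode7Packet:
    response: bool
    version: int
    implementation: int
    request: int
    err: int = 0
    nitems: int = 0
    itemsize: int = 0

    def pack(self) -> bytes:
        first = (RESP_BIT if self.response else 0) | (self.version << 3) | MODE_PRIVATE
        return HDR.pack(first, 0, self.implementation, self.request,
                        (self.err << 12) | self.nitems, self.itemsize)

    @classmethod
    def unpack(cls, raw: bytes) -> "Mode7Packet":
        first, _seq, impl, req, err_nitems, mbz_itemsize = HDR.unpack(raw[:HDR.size])
        if first & 0x07 != MODE_PRIVATE:
            raise ValueError("not a mode 7 packet")
        return cls(bool(first & RESP_BIT), (first >> 3) & 0x07, impl, req,
                   err_nitems >> 12, err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF)


class Ntpd:
    """Just enough of ntpd's mode 7 handling to show the loop."""
    KNOWN_REQUESTS = {0, 1, 2}   # toy request table; real ntpd has dozens

    def __init__(self, addr, *, hardened, noquery=()):
        self.addr = addr
        self.hardened = hardened
        self.noquery = set(noquery)   # sources covered by "restrict ... noquery"
        self.sent = 0

    def receive(self, raw, src):
        """Return the datagram ntpd sends back to src, or None if it stays silent."""
        if src in self.noquery:
            return None
        try:
            pkt = Mode7Packet.unpack(raw)
        except (ValueError, struct.error):
            return None
        if pkt.response:
            if self.hardened:
                return None                      # unsolicited response: drop it
            reply = self._error(pkt)             # vulnerable: answer it with an error
        elif pkt.implementation != IMPL_XNTPD or pkt.request not in self.KNOWN_REQUESTS:
            reply = self._error(pkt)             # a genuine bad request earns one error
        else:
            reply = Mode7Packet(True, pkt.version, pkt.implementation,
                                pkt.request, nitems=1, itemsize=4)
        self.sent += 1
        return reply.pack()

    @staticmethod
    def _error(pkt):
        return Mode7Packet(True, pkt.version, pkt.implementation, pkt.request,
                           err=INFO_ERR_REQ)


def simulate(hardened, *, self_loop=False, noquery=False, max_hops=50):
    """Inject one spoofed mode 7 error response with source address A into B
    (or into A itself) and count the packets that follow, capped at max_hops."""
    a = Ntpd("A", hardened=hardened, noquery={"A", "B"} if noquery else ())
    b = a if self_loop else Ntpd("B", hardened=hardened, noquery={"A"} if noquery else ())
    raw = Mode7Packet(True, 2, IMPL_XNTPD, 0, err=INFO_ERR_REQ).pack()
    src, dst, hops = "A", b, 0
    while hops < max_hops:
        reply = dst.receive(raw, src)
        if reply is None:
            break
        hops += 1
        src, dst, raw = dst.addr, (a if dst is b else b), reply
    return hops


if __name__ == "__main__":
    print("vulnerable A<->B :", simulate(False))                 # runs to the cap
    print("vulnerable A->A  :", simulate(False, self_loop=True))
    print("restrict noquery :", simulate(False, noquery=True))
    print("hardened         :", simulate(True))
```

Two things the model makes visible: a single spoofed UDP datagram is all the attacker has to send, because every later packet is generated by the victims themselves, and "restrict ... noquery" only protects hosts whose peers are listed (or covered by "restrict default noquery"); the upgrade is what stops the loop regardless of configuration.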
   3485 THIS IS A STRONGLY RECOMMENDED UPGRADE.
   3486 
   3487 ---
   3488 ntpd now syncs to refclocks right away.
   3489 
   3490 Backward-Incompatible changes:
   3491 
   3492 ntpd no longer accepts '-v name' or '-V name' to define internal variables.
   3493 Use '--var name' or '--dvar name' instead. (Bug 817)
   3494 
   3495 ---
   3496 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04)
   3497 
   3498 Focus: Security and Bug Fixes
   3499 
   3500 Severity: HIGH
   3501 
   3502 This release fixes the following high-severity vulnerability:
   3503 
   3504 * [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
   3505 
   3506   See http://support.ntp.org/security for more information.
   3507 
   3508   If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
   3509   line) then a carefully crafted packet sent to the machine will cause
   3510   a buffer overflow and possible execution of injected code, running
   3511   with the privileges of the ntpd process (often root).
   3512 
   3513   Credit for finding this vulnerability goes to Chris Ries of CMU.
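
The two preconditions named in this and the previous entry, a "crypto pw" line (autokey enabled) and mode 7 queries answered from addresses that no "restrict ... noquery" or "restrict ... ignore" covers, can both be read straight out of ntp.conf. The following audit is an added example written for this page, not NTP project code. It handles only the ntp.conf subset the author relies on (restrict [-4|-6] <address|default> [mask M] [flags...], crypto pw <secret>, '#' comments); both sample configurations are constructed here, and the host names in them are placeholders.

```python
"""Static audit of an ntp.conf for the two exposures these release notes
name: autokey enabled ("crypto pw ...", the precondition for CVE-2009-1252
on unpatched 4.2.4 builds) and mode 7 queries answered by default
(the precondition for CVE-2009-3563).

Added example, not NTP project code.  Only the ntp.conf subset the author
relies on is parsed; both sample configs are constructed for this example.
"""

QUERY_BLOCKING = {"noquery", "ignore"}   # restrict flags that stop mode 6/7 replies

WEAK_CONF = """\
# constructed sample: autokey on, no "restrict default" line at all
server 0.pool.ntp.org
crypto pw s3cret
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed sample: no autokey, queries refused by default
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery   # IPv4
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap  # monitoring subnet may query
"""


def parse_ntp_conf(text):
    """Yield (keyword, args) per directive, dropping blank lines and '#' comments."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if body:
            yield body[0], body[1:]


def audit(text):
    autokey = False
    default_flags = []        # one flag set per "restrict [-4|-6] default" line
    query_allowed_from = []   # explicit entries that still answer queries
    for keyword, args in parse_ntp_conf(text):
        if keyword == "crypto" and "pw" in args:
            autokey = True
        elif keyword == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]
            if not args:
                continue
            target, rest = args[0], args[1:]
            if len(rest) >= 2 and rest[0] == "mask":
                target, rest = target + "/" + rest[1], rest[2:]
            flags = set(rest)
            if target == "default":
                default_flags.append(flags)
            elif not flags & QUERY_BLOCKING:
                query_allowed_from.append(target)
    # No "restrict default" line at all means ntpd answers everyone.
    mode7_open = not default_flags or any(not f & QUERY_BLOCKING for f in default_flags)
    return {
        "autokey_enabled": autokey,
        "mode7_open_by_default": mode7_open,
        "query_allowed_from": query_allowed_from,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

The audit flags a configuration, not a version: a patched ntpd with autokey on is not vulnerable to CVE-2009-1252, and an unpatched one with "restrict default noquery" is still exposed to the mode 7 loop from any address given its own restrict line without noquery. Use the result to decide what to check, then confirm the running version.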
   3514 
   3515 This release fixes the following low-severity vulnerabilities:
   3516 
   3517 * [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
   3518   Credit for finding this vulnerability goes to Geoff Keating of Apple.
   3519   
   3520 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
   3521   Credit for finding this issue goes to Dave Hart.
   3522 
   3523 This release fixes a number of bugs and adds some improvements:
   3524 
   3525 * Improved logging
   3526 * Fix many compiler warnings
   3527 * Many fixes and improvements for Windows
   3528 * Adds support for AIX 6.1
   3529 * Resolves some issues under MacOS X and Solaris
   3530 
   3531 THIS IS A STRONGLY RECOMMENDED UPGRADE.
   3532 
   3533 ---
   3534 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07)
   3535 
   3536 Focus: Security Fix
   3537 
   3538 Severity: Low
   3539 
   3540 This release fixes oCERT.org's CVE-2009-0021: ntpd checked the return
   3541 value of the OpenSSL function EVP_VerifyFinal incorrectly, so a malformed
   3542 signature could be accepted as valid.
   3543 
   3544 Credit for finding this issue goes to the Google Security Team for
   3545 finding the original issue with OpenSSL, and to ocert.org for finding
   3546 the problem in NTP and telling us about it.
   3547 
   3548 This is a recommended upgrade.
   3549 ---
   3550 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17)
   3551 
   3552 Focus: Minor Bugfixes 
   3553 
   3554 This release fixes a number of Windows-specific ntpd bugs and 
   3555 platform-independent ntpdate bugs. A logging bugfix has been applied
   3556 to the ONCORE driver.
   3557 
   3558 The "dynamic" keyword is now obsolete, and deferred binding to local 
   3559 interfaces is the new default. The minimum time restriction for the 
   3560 interface update interval has been dropped. 
   3561 
   3562 A number of minor build system and documentation fixes are included. 
   3563 
   3564 This is a recommended upgrade for Windows. 
   3565 
   3566 ---
   3567 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10)
   3568 
   3569 Focus: Minor Bugfixes
   3570 
   3571 This release updates certain copyright information, fixes several display
   3572 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
   3573 shutdown in the parse refclock driver, removes some lint from the code,
   3574 stops accessing certain buffers immediately after they were freed, fixes
   3575 a problem with non-command-line specification of -6, and allows the loopback
   3576 interface to share addresses with other interfaces.
   3577 
   3578 ---
   3579 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29)
   3580 
   3581 Focus: Minor Bugfixes
   3582 
   3583 This release fixes a bug that made it difficult to terminate ntpd
   3584 under Windows.
   3585 This is a recommended upgrade for Windows.
   3586 
   3587 ---
   3588 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19)
   3589 
   3590 Focus: Minor Bugfixes
   3591 
   3592 This release fixes a multicast mode authentication problem, 
   3593 an error in NTP packet handling on Windows that could lead to 
   3594 ntpd crashing, and several other minor bugs. Handling of 
   3595 multicast interfaces and logging configuration were improved. 
   3596 The required versions of autogen and libopts were incremented.
   3597 This is a recommended upgrade for Windows and multicast users.
   3598 
   3599 ---
   3600 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31)
   3601 
   3602 Focus: enhancements and bug fixes.
   3603 
   3604 Dynamic interface rescanning was added to simplify the use of ntpd in 
   3605 conjunction with DHCP. GNU AutoGen is used for its command-line options 
   3606 processing. Separate PPS devices are supported for PARSE refclocks, MD5 
   3607 signatures are now provided for the release files. Drivers have been 
   3608 added for some new ref-clocks and have been removed for some older 
   3609 ref-clocks. This release also includes other improvements, documentation 
   3610 and bug fixes. 
   3611 
   3612 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 
   3613 C support.
   3614 
   3615 ---
   3616 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15)
   3617 
   3618 Focus: enhancements and bug fixes.
   3619