NEWS revision 1.1.1.2.2.2
1 --- 2 NTP 4.2.8p4 3 4 Focus: Security, Bug fies, enhancements. 5 6 Severity: MEDIUM 7 8 In addition to bug fixes and enhancements, this release fixes the 9 following 13 low- and medium-severity vulnerabilities: 10 11 * Incomplete vallen (value length) checks in ntp_crypto.c, leading 12 to potential crashes or potential code injection/information leakage. 13 14 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 15 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 16 and 4.3.0 up to, but not including 4.3.77 17 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 18 Summary: The fix for CVE-2014-9750 was incomplete in that there were 19 certain code paths where a packet with particular autokey operations 20 that contained malicious data was not always being completely 21 validated. Receipt of these packets can cause ntpd to crash. 22 Mitigation: 23 Don't use autokey. 24 Upgrade to 4.2.8p4, or later, from the NTP Project Download 25 Page or the NTP Public Services Project Download Page 26 Monitor your ntpd instances. 27 Credit: This weakness was discovered by Tenable Network Security. 28 29 * Clients that receive a KoD should validate the origin timestamp field. 30 31 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 32 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 33 and 4.3.0 up to, but not including 4.3.77 34 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst 35 Summary: An ntpd client that honors Kiss-of-Death responses will honor 36 KoD messages that have been forged by an attacker, causing it to 37 delay or stop querying its servers for time updates. Also, an 38 attacker can forge packets that claim to be from the target and 39 send them to servers often enough that a server that implements 40 KoD rate limiting will send the target machine a KoD response to 41 attempt to reduce the rate of incoming packets, or it may also 42 trigger a firewall block at the server for packets from the target 43 machine. For either of these attacks to succeed, the attacker must 44 know what servers the target is communicating with. An attacker 45 can be anywhere on the Internet and can frequently learn the 46 identity of the target's time source by sending the target a 47 time query. 48 Mitigation: 49 Implement BCP-38. 50 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page 51 or the NTP Public Services Project Download Page 52 If you can't upgrade, restrict who can query ntpd to learn who 53 its servers are, and what IPs are allowed to ask your system 54 for the time. This mitigation is heavy-handed. 55 Monitor your ntpd instances. 56 Note: 57 4.2.8p4 protects against the first attack. For the second attack, 58 all we can do is warn when it is happening, which we do in 4.2.8p4. 59 Credit: This weakness was discovered by Aanchal Malhotra, 60 Issac E. Cohen, and Sharon Goldberg of Boston University. 61 62 * configuration directives to change "pidfile" and "driftfile" should 63 only be allowed locally. 64 65 References: Sec 2902 / CVE-2015-5196 66 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 67 and 4.3.0 up to, but not including 4.3.77 68 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case 69 Summary: If ntpd is configured to allow for remote configuration, 70 and if the (possibly spoofed) source IP address is allowed to 71 send remote configuration requests, and if the attacker knows 72 the remote configuration password, it's possible for an attacker 73 to use the "pidfile" or "driftfile" directives to potentially 74 overwrite other files. 75 Mitigation: 76 Implement BCP-38. 77 Upgrade to 4.2.8p4, or later, from the NTP Project Download 78 Page or the NTP Public Services Project Download Page 79 If you cannot upgrade, don't enable remote configuration. 80 If you must enable remote configuration and cannot upgrade, 81 remote configuration of NTF's ntpd requires: 82 - an explicitly configured trustedkey, and you should also 83 configure a controlkey. 84 - access from a permitted IP. You choose the IPs. 85 - authentication. Don't disable it. Practice secure key safety. 86 Monitor your ntpd instances. 87 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 88 89 * Slow memory leak in CRYPTO_ASSOC 90 91 References: Sec 2909 / CVE-2015-7701 92 Affects: All ntp-4 releases that use autokey up to, but not 93 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 94 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case, 95 4.6 otherwise 96 Summary: If ntpd is configured to use autokey, then an attacker can 97 send packets to ntpd that will, after several days of ongoing 98 attack, cause it to run out of memory. 99 Mitigation: 100 Don't use autokey. 101 Upgrade to 4.2.8p4, or later, from the NTP Project Download 102 Page or the NTP Public Services Project Download Page 103 Monitor your ntpd instances. 104 Credit: This weakness was discovered by Tenable Network Security. 105 106 * mode 7 loop counter underrun 107 108 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052 109 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 110 and 4.3.0 up to, but not including 4.3.77 111 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 112 Summary: If ntpd is configured to enable mode 7 packets, and if the 113 use of mode 7 packets is not properly protected thru the use of 114 the available mode 7 authentication and restriction mechanisms, 115 and if the (possibly spoofed) source IP address is allowed to 116 send mode 7 queries, then an attacker can send a crafted packet 117 to ntpd that will cause it to crash. 118 Mitigation: 119 Implement BCP-38. 120 Upgrade to 4.2.8p4, or later, from the NTP Project Download 121 Page or the NTP Public Services Project Download Page. 122 If you are unable to upgrade: 123 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 124 If you must enable mode 7: 125 configure the use of a requestkey to control who can issue 126 mode 7 requests. 127 configure restrict noquery to further limit mode 7 requests 128 to trusted sources. 129 Monitor your ntpd instances. 130 Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. 131 132 * memory corruption in password store 133 134 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054 135 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 136 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case 137 Summary: If ntpd is configured to allow remote configuration, and if 138 the (possibly spoofed) source IP address is allowed to send 139 remote configuration requests, and if the attacker knows the 140 remote configuration password or if ntpd was configured to 141 disable authentication, then an attacker can send a set of 142 packets to ntpd that may cause a crash or theoretically 143 perform a code injection attack. 144 Mitigation: 145 Implement BCP-38. 146 Upgrade to 4.2.8p4, or later, from the NTP Project Download 147 Page or the NTP Public Services Project Download Page. 148 If you are unable to upgrade, remote configuration of NTF's 149 ntpd requires: 150 an explicitly configured "trusted" key. Only configure 151 this if you need it. 152 access from a permitted IP address. You choose the IPs. 153 authentication. Don't disable it. Practice secure key safety. 154 Monitor your ntpd instances. 155 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 156 157 * Infinite loop if extended logging enabled and the logfile and 158 keyfile are the same. 159 160 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055 161 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 162 and 4.3.0 up to, but not including 4.3.77 163 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 164 Summary: If ntpd is configured to allow remote configuration, and if 165 the (possibly spoofed) source IP address is allowed to send 166 remote configuration requests, and if the attacker knows the 167 remote configuration password or if ntpd was configured to 168 disable authentication, then an attacker can send a set of 169 packets to ntpd that will cause it to crash and/or create a 170 potentially huge log file. Specifically, the attacker could 171 enable extended logging, point the key file at the log file, 172 and cause what amounts to an infinite loop. 173 Mitigation: 174 Implement BCP-38. 175 Upgrade to 4.2.8p4, or later, from the NTP Project Download 176 Page or the NTP Public Services Project Download Page. 177 If you are unable to upgrade, remote configuration of NTF's ntpd 178 requires: 179 an explicitly configured "trusted" key. Only configure this 180 if you need it. 181 access from a permitted IP address. You choose the IPs. 182 authentication. Don't disable it. Practice secure key safety. 183 Monitor your ntpd instances. 184 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 185 186 * Potential path traversal vulnerability in the config file saving of 187 ntpd on VMS. 188 189 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062 190 Affects: All ntp-4 releases running under VMS up to, but not 191 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 192 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case 193 Summary: If ntpd is configured to allow remote configuration, and if 194 the (possibly spoofed) IP address is allowed to send remote 195 configuration requests, and if the attacker knows the remote 196 configuration password or if ntpd was configured to disable 197 authentication, then an attacker can send a set of packets to 198 ntpd that may cause ntpd to overwrite files. 199 Mitigation: 200 Implement BCP-38. 201 Upgrade to 4.2.8p4, or later, from the NTP Project Download 202 Page or the NTP Public Services Project Download Page. 203 If you are unable to upgrade, remote configuration of NTF's ntpd 204 requires: 205 an explicitly configured "trusted" key. Only configure 206 this if you need it. 207 access from permitted IP addresses. You choose the IPs. 208 authentication. Don't disable it. Practice key security safety. 209 Monitor your ntpd instances. 210 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 211 212 * ntpq atoascii() potential memory corruption 213 214 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063 215 Affects: All ntp-4 releases running up to, but not including 4.2.8p4, 216 and 4.3.0 up to, but not including 4.3.77 217 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case 218 Summary: If an attacker can figure out the precise moment that ntpq 219 is listening for data and the port number it is listening on or 220 if the attacker can provide a malicious instance ntpd that 221 victims will connect to then an attacker can send a set of 222 crafted mode 6 response packets that, if received by ntpq, 223 can cause ntpq to crash. 224 Mitigation: 225 Implement BCP-38. 226 Upgrade to 4.2.8p4, or later, from the NTP Project Download 227 Page or the NTP Public Services Project Download Page. 228 If you are unable to upgrade and you run ntpq against a server 229 and ntpq crashes, try again using raw mode. Build or get a 230 patched ntpq and see if that fixes the problem. Report new 231 bugs in ntpq or abusive servers appropriately. 232 If you use ntpq in scripts, make sure ntpq does what you expect 233 in your scripts. 234 Credit: This weakness was discovered by Yves Younan and 235 Aleksander Nikolich of Cisco Talos. 236 237 * Invalid length data provided by a custom refclock driver could cause 238 a buffer overflow. 239 240 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064 241 Affects: Potentially all ntp-4 releases running up to, but not 242 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 243 that have custom refclocks 244 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case, 245 5.9 unusual worst case 246 Summary: A negative value for the datalen parameter will overflow a 247 data buffer. NTF's ntpd driver implementations always set this 248 value to 0 and are therefore not vulnerable to this weakness. 249 If you are running a custom refclock driver in ntpd and that 250 driver supplies a negative value for datalen (no custom driver 251 of even minimal competence would do this) then ntpd would 252 overflow a data buffer. It is even hypothetically possible 253 in this case that instead of simply crashing ntpd the attacker 254 could effect a code injection attack. 255 Mitigation: 256 Upgrade to 4.2.8p4, or later, from the NTP Project Download 257 Page or the NTP Public Services Project Download Page. 258 If you are unable to upgrade: 259 If you are running custom refclock drivers, make sure 260 the signed datalen value is either zero or positive. 261 Monitor your ntpd instances. 262 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 263 264 * Password Length Memory Corruption Vulnerability 265 266 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065 267 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 268 4.3.0 up to, but not including 4.3.77 269 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case, 270 1.7 usual case, 6.8, worst case 271 Summary: If ntpd is configured to allow remote configuration, and if 272 the (possibly spoofed) source IP address is allowed to send 273 remote configuration requests, and if the attacker knows the 274 remote configuration password or if ntpd was (foolishly) 275 configured to disable authentication, then an attacker can 276 send a set of packets to ntpd that may cause it to crash, 277 with the hypothetical possibility of a small code injection. 278 Mitigation: 279 Implement BCP-38. 280 Upgrade to 4.2.8p4, or later, from the NTP Project Download 281 Page or the NTP Public Services Project Download Page. 282 If you are unable to upgrade, remote configuration of NTF's 283 ntpd requires: 284 an explicitly configured "trusted" key. Only configure 285 this if you need it. 286 access from a permitted IP address. You choose the IPs. 287 authentication. Don't disable it. Practice secure key safety. 288 Monitor your ntpd instances. 289 Credit: This weakness was discovered by Yves Younan and 290 Aleksander Nikolich of Cisco Talos. 291 292 * decodenetnum() will ASSERT botch instead of returning FAIL on some 293 bogus values. 294 295 References: Sec 2922 / CVE-2015-7855 296 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 297 4.3.0 up to, but not including 4.3.77 298 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 299 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing 300 an unusually long data value where a network address is expected, 301 the decodenetnum() function will abort with an assertion failure 302 instead of simply returning a failure condition. 303 Mitigation: 304 Implement BCP-38. 305 Upgrade to 4.2.8p4, or later, from the NTP Project Download 306 Page or the NTP Public Services Project Download Page. 307 If you are unable to upgrade: 308 mode 7 is disabled by default. Don't enable it. 309 Use restrict noquery to limit who can send mode 6 310 and mode 7 requests. 311 Configure and use the controlkey and requestkey 312 authentication directives to limit who can 313 send mode 6 and mode 7 requests. 314 Monitor your ntpd instances. 315 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 316 317 * NAK to the Future: Symmetric association authentication bypass via 318 crypto-NAK. 319 320 References: Sec 2941 / CVE-2015-7871 321 Affects: All ntp-4 releases between 4.2.5p186 up to but not including 322 4.2.8p4, and 4.3.0 up to but not including 4.3.77 323 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4 324 Summary: Crypto-NAK packets can be used to cause ntpd to accept time 325 from unauthenticated ephemeral symmetric peers by bypassing the 326 authentication required to mobilize peer associations. This 327 vulnerability appears to have been introduced in ntp-4.2.5p186 328 when the code handling mobilization of new passive symmetric 329 associations (lines 1103-1165) was refactored. 330 Mitigation: 331 Implement BCP-38. 332 Upgrade to 4.2.8p4, or later, from the NTP Project Download 333 Page or the NTP Public Services Project Download Page. 334 If you are unable to upgrade: 335 Apply the patch to the bottom of the "authentic" check 336 block around line 1136 of ntp_proto.c. 337 Monitor your ntpd instances. 338 Credit: This weakness was discovered by Stephen Gray <stepgray (a] cisco.com>. 339 340 Backward-Incompatible changes: 341 * [Bug 2817] Default on Linux is now "rlimit memlock -1". 342 While the general default of 32M is still the case, under Linux 343 the default value has been changed to -1 (do not lock ntpd into 344 memory). A value of 0 means "lock ntpd into memory with whatever 345 memory it needs." If your ntp.conf file has an explicit "rlimit memlock" 346 value in it, that value will continue to be used. 347 348 * [Bug 2886] Misspelling: "outlyer" should be "outlier". 349 If you've written a script that looks for this case in, say, the 350 output of ntpq, you probably want to change your regex matches 351 from 'outlyer' to 'outl[iy]er'. 352 353 New features in this release: 354 * 'rlimit memlock' now has finer-grained control. A value of -1 means 355 "don't lock ntpd into memore". This is the default for Linux boxes. 356 A value of 0 means "lock ntpd into memory" with no limits. Otherwise 357 the value is the number of megabytes of memory to lock. The default 358 is 32 megabytes. 359 360 * The old Google Test framework has been replaced with a new framework, 361 based on http://www.throwtheswitch.org/unity/ . 362 363 Bug Fixes and Improvements: 364 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping 365 privileges and limiting resources in NTPD removes the need to link 366 forcefully against 'libgcc_s' which does not always work. J.Perlinger 367 * [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn. 368 * [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn. 369 * [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn. 370 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger (a] ntp.org 371 * [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn. 372 * [Bug 2849] Systems with more than one default route may never 373 synchronize. Brian Utterback. Note that this patch might need to 374 be reverted once Bug 2043 has been fixed. 375 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger 376 * [Bug 2866] segmentation fault at initgroups(). Harlan Stenn. 377 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger 378 * [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn 379 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn 380 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must 381 be configured for the distribution targets. Harlan Stenn. 382 * [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar. 383 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave (a] horsfall.org 384 * [Bug 2888] streamline calendar functions. perlinger (a] ntp.org 385 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger (a] ntp.org 386 * [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov. 387 * [Bug 2906] make check needs better support for pthreads. Harlan Stenn. 388 * [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn. 389 * [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn. 390 * libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn. 391 * Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn. 392 * tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn. 393 * Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn. 394 * On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn. 395 * top_srcdir can change based on ntp v. sntp. Harlan Stenn. 396 * sntp/tests/ function parameter list cleanup. Damir Tomi. 397 * tests/libntp/ function parameter list cleanup. Damir Tomi. 398 * tests/ntpd/ function parameter list cleanup. Damir Tomi. 399 * sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn. 400 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn. 401 * tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomi. 402 * tests/libntp/ improvements in code and fixed error printing. Damir Tomi. 403 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 404 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed 405 formatting; first declaration, then code (C90); deleted unnecessary comments; 406 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich 407 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments, 408 fix formatting, cleanup. Tomasz Flendrich 409 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting. 410 Tomasz Flendrich 411 * tests/libntp/statestr.c remove empty functions, remove unnecessary include, 412 fix formatting. Tomasz Flendrich 413 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich 414 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich 415 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting. 416 Tomasz Flendrich 417 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich 418 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich 419 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich 420 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich 421 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich 422 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting. 423 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include, 424 fixed formatting. Tomasz Flendrich 425 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes, 426 removed unnecessary comments, cleanup. Tomasz Flendrich 427 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary 428 comments, cleanup. Tomasz Flendrich 429 * tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting. 430 Tomasz Flendrich 431 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich 432 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich 433 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting. 434 Tomasz Flendrich 435 * sntp/tests/kodDatabase.c added consts, deleted empty function, 436 fixed formatting. Tomasz Flendrich 437 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich 438 * sntp/tests/packetHandling.c is now using proper Unity's assertions, 439 fixed formatting, deleted unused variable. Tomasz Flendrich 440 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting. 441 Tomasz Flendrich 442 * sntp/tests/packetProcessing.c changed from sprintf to snprintf, 443 fixed formatting. Tomasz Flendrich 444 * sntp/tests/utilities.c is now using proper Unity's assertions, changed 445 the order of includes, fixed formatting, removed unnecessary comments. 446 Tomasz Flendrich 447 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich 448 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem, 449 made one function do its job, deleted unnecessary prints, fixed formatting. 450 Tomasz Flendrich 451 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich 452 * sntp/unity/unity_config.h: Distribute it. Harlan Stenn. 453 * sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn. 454 * sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn. 455 * sntp/unity/unity.c: Clean up a printf(). Harlan Stenn. 456 * Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn. 457 * Don't build sntp/libevent/sample/. Harlan Stenn. 458 * tests/libntp/test_caltontp needs -lpthread. Harlan Stenn. 459 * br-flock: --enable-local-libevent. Harlan Stenn. 460 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich 461 * scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn. 462 * Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn. 463 * Code cleanup. Harlan Stenn. 464 * libntp/icom.c: Typo fix. Harlan Stenn. 465 * util/ntptime.c: initialization nit. Harlan Stenn. 466 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 467 * Add std_unity_tests to various Makefile.am files. Harlan Stenn. 468 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 469 Tomasz Flendrich 470 * Changed progname to be const in many files - now it's consistent. Tomasz 471 Flendrich 472 * Typo fix for GCC warning suppression. Harlan Stenn. 473 * Added tests/ntpd/ntp_scanner.c test. Damir Tomi. 474 * Added declarations to all Unity tests, and did minor fixes to them. 475 Reduced the number of warnings by half. Damir Tomi. 476 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory 477 with the latest Unity updates from Mark. Damir Tomi. 478 * Retire google test - phase I. Harlan Stenn. 479 * Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 480 * Update the NEWS file. Harlan Stenn. 481 * Autoconf cleanup. Harlan Stenn. 482 * Unit test dist cleanup. Harlan Stenn. 483 * Cleanup various test Makefile.am files. Harlan Stenn. 484 * Pthread autoconf macro cleanup. Harlan Stenn. 485 * Fix progname definition in unity runner scripts. Harlan Stenn. 486 * Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 487 * Update the patch for bug 2817. Harlan Stenn. 488 * More updates for bug 2817. Harlan Stenn. 489 * Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 490 * gcc on older HPUX may need +allowdups. Harlan Stenn. 491 * Adding missing MCAST protection. Harlan Stenn. 492 * Disable certain test programs on certain platforms. Harlan Stenn. 493 * Implement --enable-problem-tests (on by default). Harlan Stenn. 494 * build system tweaks. Harlan Stenn. 495 496 --- 497 NTP 4.2.8p3 (Harlan Stenn <stenn (a] ntp.org>, 2015/06/29) 498 499 Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 500 501 Severity: MEDIUM 502 503 Security Fix: 504 505 * [Sec 2853] Crafted remote config packet can crash some versions of 506 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. 507 508 Under specific circumstances an attacker can send a crafted packet to 509 cause a vulnerable ntpd instance to crash. This requires each of the 510 following to be true: 511 512 1) ntpd set up to allow remote configuration (not allowed by default), and 513 2) knowledge of the configuration password, and 514 3) access to a computer entrusted to perform remote configuration. 515 516 This vulnerability is considered low-risk. 517 518 New features in this release: 519 520 Optional (disabled by default) support to have ntpd provide smeared 521 leap second time. A specially built and configured ntpd will only 522 offer smeared time in response to client packets. These response 523 packets will also contain a "refid" of 254.a.b.c, where the 24 bits 524 of a, b, and c encode the amount of smear in a 2:22 integer:fraction 525 format. See README.leapsmear and http://bugs.ntp.org/2855 for more 526 information. 527 528 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* 529 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* 530 531 We've imported the Unity test framework, and have begun converting 532 the existing google-test items to this new framework. If you want 533 to write new tests or change old ones, you'll need to have ruby 534 installed. You don't need ruby to run the test suite. 535 536 Bug Fixes and Improvements: 537 538 * CID 739725: Fix a rare resource leak in libevent/listener.c. 539 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776. 540 * CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html 541 * CID 1269537: Clean up a line of dead code in getShmTime(). 542 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach. 543 * [Bug 2590] autogen-5.18.5. 544 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because 545 of 'limited'. 546 * [Bug 2650] fix includefile processing. 547 * [Bug 2745] ntpd -x steps clock on leap second 548 Fixed an initial-value problem that caused misbehaviour in absence of 549 any leapsecond information. 550 Do leap second stepping only of the step adjustment is beyond the 551 proper jump distance limit and step correction is allowed at all. 552 * [Bug 2750] build for Win64 553 Building for 32bit of loopback ppsapi needs def file 554 * [Bug 2776] Improve ntpq's 'help keytype'. 555 * [Bug 2778] Implement "apeers" ntpq command to include associd. 556 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection. 557 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an 558 interface is ignored as long as this flag is not set since the 559 interface is not usable (e.g., no link). 560 * [Bug 2794] Clean up kernel clock status reports. 561 * [Bug 2800] refclock_true.c true_debug() can't open debug log because 562 of incompatible open/fdopen parameters. 563 * [Bug 2804] install-local-data assumes GNU 'find' semantics. 564 * [Bug 2805] ntpd fails to join multicast group. 565 * [Bug 2806] refclock_jjy.c supports the Telephone JJY. 566 * [Bug 2808] GPSD_JSON driver enhancements, step 1. 567 Fix crash during cleanup if GPS device not present and char device. 568 Increase internal token buffer to parse all JSON data, even SKY. 569 Defer logging of errors during driver init until the first unit is 570 started, so the syslog is not cluttered when the driver is not used. 571 Various improvements, see http://bugs.ntp.org/2808 for details. 572 Changed libjsmn to a more recent version. 573 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX. 574 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h. 575 * [Bug 2815] net-snmp before v5.4 has circular library dependencies. 576 * [Bug 2821] Add a missing NTP_PRINTF and a missing const. 577 * [Bug 2822] New leap column in sntp broke NTP::Util.pm. 578 * [Bug 2824] Convert update-leap to perl. (also see 2769) 579 * [Bug 2825] Quiet file installation in html/ . 580 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey 581 NTPD transfers the current TAI (instead of an announcement) now. 582 This might still needed improvement. 583 Update autokey data ASAP when 'sys_tai' changes. 584 Fix unit test that was broken by changes for autokey update. 585 Avoid potential signature length issue and use DPRINTF where possible 586 in ntp_crypto.c. 587 * [Bug 2832] refclock_jjy.c supports the TDC-300. 588 * [Bug 2834] Correct a broken html tag in html/refclock.html 589 * [Bug 2836] DFC77 patches from Frank Kardel to make decoding more 590 robust, and require 2 consecutive timestamps to be consistent. 591 * [Bug 2837] Allow a configurable DSCP value. 592 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in 593 * [Bug 2842] Glitch in ntp.conf.def documentation stanza. 594 * [Bug 2842] Bug in mdoc2man. 595 * [Bug 2843] make check fails on 4.3.36 596 Fixed compiler warnings about numeric range overflow 597 (The original topic was fixed in a byplay to bug#2830) 598 * [Bug 2845] Harden memory allocation in ntpd. 599 * [Bug 2852] 'make check' can't find unity.h. Hal Murray. 600 * [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida. 601 * [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn. 602 * [Bug 2855] Report leap smear in the REFID. Harlan Stenn. 603 * [Bug 2855] Implement conditional leap smear code. Martin Burnicki. 604 * [Bug 2856] ntpd should wait() on terminated child processes. Paul Green. 605 * [Bug 2857] Stratus VOS does not support SIGIO. Paul Green. 606 * [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel. 607 * [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel. 608 * html/drivers/driver22.html: typo fix. Harlan Stenn. 609 * refidsmear test cleanup. Tomasz Flendrich. 610 * refidsmear function support and tests. Harlan Stenn. 611 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested 612 something that was only in the 4.2.6 sntp. Harlan Stenn. 613 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests. 614 Damir Tomi 615 * Modified tests/libtnp/Makefile.am so it builds Unity framework tests. 616 Damir Tomi 617 * Modified sntp/tests/Makefile.am so it builds Unity framework tests. 618 Damir Tomi 619 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger. 620 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomi 621 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c, 622 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 623 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c, 624 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c, 625 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c. 626 Damir Tomi 627 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c, 628 networking.c, keyFile.c, utilities.cpp, sntptest.h, 629 fileHandlingTest.h. Damir Tomi 630 * Initial support for experimental leap smear code. Harlan Stenn. 631 * Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn. 632 * Report select() debug messages at debug level 3 now. 633 * sntp/scripts/genLocInfo: treat raspbian as debian. 634 * Unity test framework fixes. 635 ** Requires ruby for changes to tests. 636 * Initial support for PACKAGE_VERSION tests. 637 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS. 638 * tests/bug-2803/Makefile.am must distribute bug-2803.h. 639 * Add an assert to the ntpq ifstats code. 640 * Clean up the RLIMIT_STACK code. 641 * Improve the ntpq documentation around the controlkey keyid. 642 * ntpq.c cleanup. 643 * Windows port build cleanup. 644 645 --- 646 NTP 4.2.8p2 (Harlan Stenn <stenn (a] ntp.org>, 2015/04/07) 647 648 Focus: Security and Bug fixes, enhancements. 649 650 Severity: MEDIUM 651 652 In addition to bug fixes and enhancements, this release fixes the 653 following medium-severity vulnerabilities involving private key 654 authentication: 655 656 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 657 658 References: Sec 2779 / CVE-2015-1798 / VU#374268 659 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not 660 including ntp-4.2.8p2 where the installation uses symmetric keys 661 to authenticate remote associations. 662 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 663 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 664 Summary: When ntpd is configured to use a symmetric key to authenticate 665 a remote NTP server/peer, it checks if the NTP message 666 authentication code (MAC) in received packets is valid, but not if 667 there actually is any MAC included. Packets without a MAC are 668 accepted as if they had a valid MAC. This allows a MITM attacker to 669 send false packets that are accepted by the client/peer without 670 having to know the symmetric key. The attacker needs to know the 671 transmit timestamp of the client to match it in the forged reply 672 and the false reply needs to reach the client before the genuine 673 reply from the server. The attacker doesn't necessarily need to be 674 relaying the packets between the client and the server. 675 676 Authentication using autokey doesn't have this problem as there is 677 a check that requires the key ID to be larger than NTP_MAXKEY, 678 which fails for packets without a MAC. 679 Mitigation: 680 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 681 or the NTP Public Services Project Download Page 682 Configure ntpd with enough time sources and monitor it properly. 683 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 684 685 * [Sec 2781] Authentication doesn't protect symmetric associations against 686 DoS attacks. 687 688 References: Sec 2781 / CVE-2015-1799 / VU#374268 689 Affects: All NTP releases starting with at least xntp3.3wy up to but 690 not including ntp-4.2.8p2 where the installation uses symmetric 691 key authentication. 692 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 693 Note: the CVSS base Score for this issue could be 4.3 or lower, and 694 it could be higher than 5.4. 695 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 696 Summary: An attacker knowing that NTP hosts A and B are peering with 697 each other (symmetric association) can send a packet to host A 698 with source address of B which will set the NTP state variables 699 on A to the values sent by the attacker. Host A will then send 700 on its next poll to B a packet with originate timestamp that 701 doesn't match the transmit timestamp of B and the packet will 702 be dropped. If the attacker does this periodically for both 703 hosts, they won't be able to synchronize to each other. This is 704 a known denial-of-service attack, described at 705 https://www.eecis.udel.edu/~mills/onwire.html . 706 707 According to the document the NTP authentication is supposed to 708 protect symmetric associations against this attack, but that 709 doesn't seem to be the case. The state variables are updated even 710 when authentication fails and the peers are sending packets with 711 originate timestamps that don't match the transmit timestamps on 712 the receiving side. 713 714 This seems to be a very old problem, dating back to at least 715 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) 716 specifications, so other NTP implementations with support for 717 symmetric associations and authentication may be vulnerable too. 718 An update to the NTP RFC to correct this error is in-process. 719 Mitigation: 720 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 721 or the NTP Public Services Project Download Page 722 Note that for users of autokey, this specific style of MITM attack 723 is simply a long-known potential problem. 724 Configure ntpd with appropriate time sources and monitor ntpd. 725 Alert your staff if problems are detected. 726 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 727 728 * New script: update-leap 729 The update-leap script will verify and if necessary, update the 730 leap-second definition file. 731 It requires the following commands in order to work: 732 733 wget logger tr sed shasum 734 735 Some may choose to run this from cron. It needs more portability testing. 736 737 Bug Fixes and Improvements: 738 739 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003. 740 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument. 741 * [Bug 2346] "graceful termination" signals do not do peer cleanup. 742 * [Bug 2728] See if C99-style structure initialization works. 743 * [Bug 2747] Upgrade libevent to 2.1.5-beta. 744 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. . 745 * [Bug 2751] jitter.h has stale copies of l_fp macros. 746 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM. 747 * [Bug 2757] Quiet compiler warnings. 748 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq. 749 * [Bug 2763] Allow different thresholds for forward and backward steps. 750 * [Bug 2766] ntp-keygen output files should not be world-readable. 751 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys. 752 * [Bug 2771] nonvolatile value is documented in wrong units. 753 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt 754 * [Bug 2774] Unreasonably verbose printout - leap pending/warning 755 * [Bug 2775] ntp-keygen.c fails to compile under Windows. 756 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info. 757 Removed non-ASCII characters from some copyright comments. 758 Removed trailing whitespace. 759 Updated definitions for Meinberg clocks from current Meinberg header files. 760 Now use C99 fixed-width types and avoid non-ASCII characters in comments. 761 Account for updated definitions pulled from Meinberg header files. 762 Updated comments on Meinberg GPS receivers which are not only called GPS16x. 763 Replaced some constant numbers by defines from ntp_calendar.h 764 Modified creation of parse-specific variables for Meinberg devices 765 in gps16x_message(). 766 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates. 767 Modified mbg_tm_str() which now expexts an additional parameter controlling 768 if the time status shall be printed. 769 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 770 * [Sec 2781] Authentication doesn't protect symmetric associations against 771 DoS attacks. 772 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE. 773 * [Bug 2789] Quiet compiler warnings from libevent. 774 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution 775 pause briefly before measuring system clock precision to yield 776 correct results. 777 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer. 778 * Use predefined function types for parse driver functions 779 used to set up function pointers. 780 Account for changed prototype of parse_inp_fnc_t functions. 781 Cast parse conversion results to appropriate types to avoid 782 compiler warnings. 783 Let ioctl() for Windows accept a (void *) to avoid compiler warnings 784 when called with pointers to different types. 785 786 --- 787 NTP 4.2.8p1 (Harlan Stenn <stenn (a] ntp.org>, 2015/02/04) 788 789 Focus: Security and Bug fixes, enhancements. 790 791 Severity: HIGH 792 793 In addition to bug fixes and enhancements, this release fixes the 794 following high-severity vulnerabilities: 795 796 * vallen is not validated in several places in ntp_crypto.c, leading 797 to a potential information leak or possibly a crash 798 799 References: Sec 2671 / CVE-2014-9297 / VU#852879 800 Affects: All NTP4 releases before 4.2.8p1 that are running autokey. 801 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 802 Date Resolved: Stable (4.2.8p1) 04 Feb 2015 803 Summary: The vallen packet value is not validated in several code 804 paths in ntp_crypto.c which can lead to information leakage 805 or perhaps a crash of the ntpd process. 806 Mitigation - any of: 807 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 808 or the NTP Public Services Project Download Page. 809 Disable Autokey Authentication by removing, or commenting out, 810 all configuration directives beginning with the "crypto" 811 keyword in your ntp.conf file. 812 Credit: This vulnerability was discovered by Stephen Roettger of the 813 Google Security Team, with additional cases found by Sebastian 814 Krahmer of the SUSE Security Team and Harlan Stenn of Network 815 Time Foundation. 816 817 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses 818 can be bypassed. 819 820 References: Sec 2672 / CVE-2014-9298 / VU#852879 821 Affects: All NTP4 releases before 4.2.8p1, under at least some 822 versions of MacOS and Linux. *BSD has not been seen to be vulnerable. 823 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9 824 Date Resolved: Stable (4.2.8p1) 04 Feb 2014 825 Summary: While available kernels will prevent 127.0.0.1 addresses 826 from "appearing" on non-localhost IPv4 interfaces, some kernels 827 do not offer the same protection for ::1 source addresses on 828 IPv6 interfaces. Since NTP's access control is based on source 829 address and localhost addresses generally have no restrictions, 830 an attacker can send malicious control and configuration packets 831 by spoofing ::1 addresses from the outside. Note Well: This is 832 not really a bug in NTP, it's a problem with some OSes. If you 833 have one of these OSes where ::1 can be spoofed, ALL ::1 -based 834 ACL restrictions on any application can be bypassed! 835 Mitigation: 836 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 837 or the NTP Public Services Project Download Page 838 Install firewall rules to block packets claiming to come from 839 ::1 from inappropriate network interfaces. 840 Credit: This vulnerability was discovered by Stephen Roettger of 841 the Google Security Team. 842 843 Additionally, over 30 bugfixes and improvements were made to the codebase. 844 See the ChangeLog for more information. 845 846 --- 847 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 848 849 Focus: Security and Bug fixes, enhancements. 850 851 Severity: HIGH 852 853 In addition to bug fixes and enhancements, this release fixes the 854 following high-severity vulnerabilities: 855 856 ************************** vv NOTE WELL vv ***************************** 857 858 The vulnerabilities listed below can be significantly mitigated by 859 following the BCP of putting 860 861 restrict default ... noquery 862 863 in the ntp.conf file. With the exception of: 864 865 receive(): missing return on error 866 References: Sec 2670 / CVE-2014-9296 / VU#852879 867 868 below (which is a limited-risk vulnerability), none of the recent 869 vulnerabilities listed below can be exploited if the source IP is 870 restricted from sending a 'query'-class packet by your ntp.conf file. 871 872 ************************** ^^ NOTE WELL ^^ ***************************** 873 874 * Weak default key in config_auth(). 875 876 References: [Sec 2665] / CVE-2014-9293 / VU#852879 877 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 878 Vulnerable Versions: all releases prior to 4.2.7p11 879 Date Resolved: 28 Jan 2010 880 881 Summary: If no 'auth' key is set in the configuration file, ntpd 882 would generate a random key on the fly. There were two 883 problems with this: 1) the generated key was 31 bits in size, 884 and 2) it used the (now weak) ntp_random() function, which was 885 seeded with a 32-bit value and could only provide 32 bits of 886 entropy. This was sufficient back in the late 1990s when the 887 code was written. Not today. 888 889 Mitigation - any of: 890 - Upgrade to 4.2.7p11 or later. 891 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 892 893 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta 894 of the Google Security Team. 895 896 * Non-cryptographic random number generator with weak seed used by 897 ntp-keygen to generate symmetric keys. 898 899 References: [Sec 2666] / CVE-2014-9294 / VU#852879 900 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 901 Vulnerable Versions: All NTP4 releases before 4.2.7p230 902 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 903 904 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to 905 prepare a random number generator that was of good quality back 906 in the late 1990s. The random numbers produced was then used to 907 generate symmetric keys. In ntp-4.2.8 we use a current-technology 908 cryptographic random number generator, either RAND_bytes from 909 OpenSSL, or arc4random(). 910 911 Mitigation - any of: 912 - Upgrade to 4.2.7p230 or later. 913 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 914 915 Credit: This vulnerability was discovered in ntp-4.2.6 by 916 Stephen Roettger of the Google Security Team. 917 918 * Buffer overflow in crypto_recv() 919 920 References: Sec 2667 / CVE-2014-9295 / VU#852879 921 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 922 Versions: All releases before 4.2.8 923 Date Resolved: Stable (4.2.8) 18 Dec 2014 924 925 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf 926 file contains a 'crypto pw ...' directive) a remote attacker 927 can send a carefully crafted packet that can overflow a stack 928 buffer and potentially allow malicious code to be executed 929 with the privilege level of the ntpd process. 930 931 Mitigation - any of: 932 - Upgrade to 4.2.8, or later, or 933 - Disable Autokey Authentication by removing, or commenting out, 934 all configuration directives beginning with the crypto keyword 935 in your ntp.conf file. 936 937 Credit: This vulnerability was discovered by Stephen Roettger of the 938 Google Security Team. 939 940 * Buffer overflow in ctl_putdata() 941 942 References: Sec 2668 / CVE-2014-9295 / VU#852879 943 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 944 Versions: All NTP4 releases before 4.2.8 945 Date Resolved: Stable (4.2.8) 18 Dec 2014 946 947 Summary: A remote attacker can send a carefully crafted packet that 948 can overflow a stack buffer and potentially allow malicious 949 code to be executed with the privilege level of the ntpd process. 950 951 Mitigation - any of: 952 - Upgrade to 4.2.8, or later. 953 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 954 955 Credit: This vulnerability was discovered by Stephen Roettger of the 956 Google Security Team. 957 958 * Buffer overflow in configure() 959 960 References: Sec 2669 / CVE-2014-9295 / VU#852879 961 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 962 Versions: All NTP4 releases before 4.2.8 963 Date Resolved: Stable (4.2.8) 18 Dec 2014 964 965 Summary: A remote attacker can send a carefully crafted packet that 966 can overflow a stack buffer and potentially allow malicious 967 code to be executed with the privilege level of the ntpd process. 968 969 Mitigation - any of: 970 - Upgrade to 4.2.8, or later. 971 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 972 973 Credit: This vulnerability was discovered by Stephen Roettger of the 974 Google Security Team. 975 976 * receive(): missing return on error 977 978 References: Sec 2670 / CVE-2014-9296 / VU#852879 979 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 980 Versions: All NTP4 releases before 4.2.8 981 Date Resolved: Stable (4.2.8) 18 Dec 2014 982 983 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in 984 the code path where an error was detected, which meant 985 processing did not stop when a specific rare error occurred. 986 We haven't found a way for this bug to affect system integrity. 987 If there is no way to affect system integrity the base CVSS 988 score for this bug is 0. If there is one avenue through which 989 system integrity can be partially affected, the base score 990 becomes a 5. If system integrity can be partially affected 991 via all three integrity metrics, the CVSS base score become 7.5. 992 993 Mitigation - any of: 994 - Upgrade to 4.2.8, or later, 995 - Remove or comment out all configuration directives 996 beginning with the crypto keyword in your ntp.conf file. 997 998 Credit: This vulnerability was discovered by Stephen Roettger of the 999 Google Security Team. 1000 1001 See http://support.ntp.org/security for more information. 1002 1003 New features / changes in this release: 1004 1005 Important Changes 1006 1007 * Internal NTP Era counters 1008 1009 The internal counters that track the "era" (range of years) we are in 1010 rolls over every 136 years'. The current "era" started at the stroke of 1011 midnight on 1 Jan 1900, and ends just before the stroke of midnight on 1012 1 Jan 2036. 1013 In the past, we have used the "midpoint" of the range to decide which 1014 era we were in. Given the longevity of some products, it became clear 1015 that it would be more functional to "look back" less, and "look forward" 1016 more. We now compile a timestamp into the ntpd executable and when we 1017 get a timestamp we us the "built-on" to tell us what era we are in. 1018 This check "looks back" 10 years, and "looks forward" 126 years. 1019 1020 * ntpdc responses disabled by default 1021 1022 Dave Hart writes: 1023 1024 For a long time, ntpq and its mostly text-based mode 6 (control) 1025 protocol have been preferred over ntpdc and its mode 7 (private 1026 request) protocol for runtime queries and configuration. There has 1027 been a goal of deprecating ntpdc, previously held back by numerous 1028 capabilities exposed by ntpdc with no ntpq equivalent. I have been 1029 adding commands to ntpq to cover these cases, and I believe I've 1030 covered them all, though I've not compared command-by-command 1031 recently. 1032 1033 As I've said previously, the binary mode 7 protocol involves a lot of 1034 hand-rolled structure layout and byte-swapping code in both ntpd and 1035 ntpdc which is hard to get right. As ntpd grows and changes, the 1036 changes are difficult to expose via ntpdc while maintaining forward 1037 and backward compatibility between ntpdc and ntpd. In contrast, 1038 ntpq's text-based, label=value approach involves more code reuse and 1039 allows compatible changes without extra work in most cases. 1040 1041 Mode 7 has always been defined as vendor/implementation-specific while 1042 mode 6 is described in RFC 1305 and intended to be open to interoperate 1043 with other implementations. There is an early draft of an updated 1044 mode 6 description that likely will join the other NTPv4 RFCs 1045 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01) 1046 1047 For these reasons, ntpd 4.2.7p230 by default disables processing of 1048 ntpdc queries, reducing ntpd's attack surface and functionally 1049 deprecating ntpdc. If you are in the habit of using ntpdc for certain 1050 operations, please try the ntpq equivalent. If there's no equivalent, 1051 please open a bug report at http://bugs.ntp.org./ 1052 1053 In addition to the above, over 1100 issues have been resolved between 1054 the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution 1055 lists these. 1056 1057 --- 1058 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 1059 1060 Focus: Bug fixes 1061 1062 Severity: Medium 1063 1064 This is a recommended upgrade. 1065 1066 This release updates sys_rootdisp and sys_jitter calculations to match the 1067 RFC specification, fixes a potential IPv6 address matching error for the 1068 "nic" and "interface" configuration directives, suppresses the creation of 1069 extraneous ephemeral associations for certain broadcastclient and 1070 multicastclient configurations, cleans up some ntpq display issues, and 1071 includes improvements to orphan mode, minor bugs fixes and code clean-ups. 1072 1073 New features / changes in this release: 1074 1075 ntpd 1076 1077 * Updated "nic" and "interface" IPv6 address handling to prevent 1078 mismatches with localhost [::1] and wildcard [::] which resulted from 1079 using the address/prefix format (e.g. fe80::/64) 1080 * Fix orphan mode stratum incorrectly counting to infinity 1081 * Orphan parent selection metric updated to includes missing ntohl() 1082 * Non-printable stratum 16 refid no longer sent to ntp 1083 * Duplicate ephemeral associations suppressed for broadcastclient and 1084 multicastclient without broadcastdelay 1085 * Exclude undetermined sys_refid from use in loopback TEST12 1086 * Exclude MODE_SERVER responses from KoD rate limiting 1087 * Include root delay in clock_update() sys_rootdisp calculations 1088 * get_systime() updated to exclude sys_residual offset (which only 1089 affected bits "below" sys_tick, the precision threshold) 1090 * sys.peer jitter weighting corrected in sys_jitter calculation 1091 1092 ntpq 1093 1094 * -n option extended to include the billboard "server" column 1095 * IPv6 addresses in the local column truncated to prevent overruns 1096 1097 --- 1098 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 1099 1100 Focus: Bug fixes and portability improvements 1101 1102 Severity: Medium 1103 1104 This is a recommended upgrade. 1105 1106 This release includes build infrastructure updates, code 1107 clean-ups, minor bug fixes, fixes for a number of minor 1108 ref-clock issues, and documentation revisions. 1109 1110 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 1111 1112 New features / changes in this release: 1113 1114 Build system 1115 1116 * Fix checking for struct rtattr 1117 * Update config.guess and config.sub for AIX 1118 * Upgrade required version of autogen and libopts for building 1119 from our source code repository 1120 1121 ntpd 1122 1123 * Back-ported several fixes for Coverity warnings from ntp-dev 1124 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 1125 * Allow "logconfig =allall" configuration directive 1126 * Bind tentative IPv6 addresses on Linux 1127 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 1128 * Improved tally bit handling to prevent incorrect ntpq peer status reports 1129 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 1130 candidate list unless they are designated a "prefer peer" 1131 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 1132 selection during the 'tos orphanwait' period 1133 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 1134 drivers 1135 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 1136 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 1137 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 1138 clock slew on Microsoft Windows 1139 * Code cleanup in libntpq 1140 1141 ntpdc 1142 1143 * Fix timerstats reporting 1144 1145 ntpdate 1146 1147 * Reduce time required to set clock 1148 * Allow a timeout greater than 2 seconds 1149 1150 sntp 1151 1152 * Backward incompatible command-line option change: 1153 -l/--filelog changed -l/--logfile (to be consistent with ntpd) 1154 1155 Documentation 1156 1157 * Update html2man. Fix some tags in the .html files 1158 * Distribute ntp-wait.html 1159 1160 --- 1161 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03) 1162 1163 Focus: Bug fixes and portability improvements 1164 1165 Severity: Medium 1166 1167 This is a recommended upgrade. 1168 1169 This release includes build infrastructure updates, code 1170 clean-ups, minor bug fixes, fixes for a number of minor 1171 ref-clock issues, and documentation revisions. 1172 1173 Portability improvements in this release affect AIX, Atari FreeMiNT, 1174 FreeBSD4, Linux and Microsoft Windows. 1175 1176 New features / changes in this release: 1177 1178 Build system 1179 * Use lsb_release to get information about Linux distributions. 1180 * 'test' is in /usr/bin (instead of /bin) on some systems. 1181 * Basic sanity checks for the ChangeLog file. 1182 * Source certain build files with ./filename for systems without . in PATH. 1183 * IRIX portability fix. 1184 * Use a single copy of the "libopts" code. 1185 * autogen/libopts upgrade. 1186 * configure.ac m4 quoting cleanup. 1187 1188 ntpd 1189 * Do not bind to IN6_IFF_ANYCAST addresses. 1190 * Log the reason for exiting under Windows. 1191 * Multicast fixes for Windows. 1192 * Interpolation fixes for Windows. 1193 * IPv4 and IPv6 Multicast fixes. 1194 * Manycast solicitation fixes and general repairs. 1195 * JJY refclock cleanup. 1196 * NMEA refclock improvements. 1197 * Oncore debug message cleanup. 1198 * Palisade refclock now builds under Linux. 1199 * Give RAWDCF more baud rates. 1200 * Support Truetime Satellite clocks under Windows. 1201 * Support Arbiter 1093C Satellite clocks under Windows. 1202 * Make sure that the "filegen" configuration command defaults to "enable". 1203 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver. 1204 * Prohibit 'includefile' directive in remote configuration command. 1205 * Fix 'nic' interface bindings. 1206 * Fix the way we link with openssl if openssl is installed in the base 1207 system. 1208 1209 ntp-keygen 1210 * Fix -V coredump. 1211 * OpenSSL version display cleanup. 1212 1213 ntpdc 1214 * Many counters should be treated as unsigned. 1215 1216 ntpdate 1217 * Do not ignore replies with equal receive and transmit timestamps. 1218 1219 ntpq 1220 * libntpq warning cleanup. 1221 1222 ntpsnmpd 1223 * Correct SNMP type for "precision" and "resolution". 1224 * Update the MIB from the draft version to RFC-5907. 1225 1226 sntp 1227 * Display timezone offset when showing time for sntp in the local 1228 timezone. 1229 * Pay proper attention to RATE KoD packets. 1230 * Fix a miscalculation of the offset. 1231 * Properly parse empty lines in the key file. 1232 * Logging cleanup. 1233 * Use tv_usec correctly in set_time(). 1234 * Documentation cleanup. 1235 1236 --- 1237 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08) 1238 1239 Focus: Bug fixes and portability improvements 1240 1241 Severity: Medium 1242 1243 This is a recommended upgrade. 1244 1245 This release includes build infrastructure updates, code 1246 clean-ups, minor bug fixes, fixes for a number of minor 1247 ref-clock issues, improved KOD handling, OpenSSL related 1248 updates and documentation revisions. 1249 1250 Portability improvements in this release affect Irix, Linux, 1251 Mac OS, Microsoft Windows, OpenBSD and QNX6 1252 1253 New features / changes in this release: 1254 1255 ntpd 1256 * Range syntax for the trustedkey configuration directive 1257 * Unified IPv4 and IPv6 restrict lists 1258 1259 ntpdate 1260 * Rate limiting and KOD handling 1261 1262 ntpsnmpd 1263 * default connection to net-snmpd via a unix-domain socket 1264 * command-line 'socket name' option 1265 1266 ntpq / ntpdc 1267 * support for the "passwd ..." syntax 1268 * key-type specific password prompts 1269 1270 sntp 1271 * MD5 authentication of an ntpd 1272 * Broadcast and crypto 1273 * OpenSSL support 1274 1275 --- 1276 NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09) 1277 1278 Focus: Bug fixes, portability fixes, and documentation improvements 1279 1280 Severity: Medium 1281 1282 This is a recommended upgrade. 1283 1284 --- 1285 NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08) 1286 1287 Focus: enhancements and bug fixes. 1288 1289 --- 1290 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08) 1291 1292 Focus: Security Fixes 1293 1294 Severity: HIGH 1295 1296 This release fixes the following high-severity vulnerability: 1297 1298 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. 1299 1300 See http://support.ntp.org/security for more information. 1301 1302 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. 1303 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time 1304 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 1305 request or a mode 7 error response from an address which is not listed 1306 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will 1307 reply with a mode 7 error response (and log a message). In this case: 1308 1309 * If an attacker spoofs the source address of ntpd host A in a 1310 mode 7 response packet sent to ntpd host B, both A and B will 1311 continuously send each other error responses, for as long as 1312 those packets get through. 1313 1314 * If an attacker spoofs an address of ntpd host A in a mode 7 1315 response packet sent to ntpd host A, A will respond to itself 1316 endlessly, consuming CPU and logging excessively. 1317 1318 Credit for finding this vulnerability goes to Robin Park and Dmitri 1319 Vinokurov of Alcatel-Lucent. 1320 1321 THIS IS A STRONGLY RECOMMENDED UPGRADE. 1322 1323 --- 1324 ntpd now syncs to refclocks right away. 1325 1326 Backward-Incompatible changes: 1327 1328 ntpd no longer accepts '-v name' or '-V name' to define internal variables. 1329 Use '--var name' or '--dvar name' instead. (Bug 817) 1330 1331 --- 1332 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04) 1333 1334 Focus: Security and Bug Fixes 1335 1336 Severity: HIGH 1337 1338 This release fixes the following high-severity vulnerability: 1339 1340 * [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 1341 1342 See http://support.ntp.org/security for more information. 1343 1344 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 1345 line) then a carefully crafted packet sent to the machine will cause 1346 a buffer overflow and possible execution of injected code, running 1347 with the privileges of the ntpd process (often root). 1348 1349 Credit for finding this vulnerability goes to Chris Ries of CMU. 1350 1351 This release fixes the following low-severity vulnerabilities: 1352 1353 * [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 1354 Credit for finding this vulnerability goes to Geoff Keating of Apple. 1355 1356 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 1357 Credit for finding this issue goes to Dave Hart. 1358 1359 This release fixes a number of bugs and adds some improvements: 1360 1361 * Improved logging 1362 * Fix many compiler warnings 1363 * Many fixes and improvements for Windows 1364 * Adds support for AIX 6.1 1365 * Resolves some issues under MacOS X and Solaris 1366 1367 THIS IS A STRONGLY RECOMMENDED UPGRADE. 1368 1369 --- 1370 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07) 1371 1372 Focus: Security Fix 1373 1374 Severity: Low 1375 1376 This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 1377 the OpenSSL library relating to the incorrect checking of the return 1378 value of EVP_VerifyFinal function. 1379 1380 Credit for finding this issue goes to the Google Security Team for 1381 finding the original issue with OpenSSL, and to ocert.org for finding 1382 the problem in NTP and telling us about it. 1383 1384 This is a recommended upgrade. 1385 --- 1386 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17) 1387 1388 Focus: Minor Bugfixes 1389 1390 This release fixes a number of Windows-specific ntpd bugs and 1391 platform-independent ntpdate bugs. A logging bugfix has been applied 1392 to the ONCORE driver. 1393 1394 The "dynamic" keyword and is now obsolete and deferred binding to local 1395 interfaces is the new default. The minimum time restriction for the 1396 interface update interval has been dropped. 1397 1398 A number of minor build system and documentation fixes are included. 1399 1400 This is a recommended upgrade for Windows. 1401 1402 --- 1403 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10) 1404 1405 Focus: Minor Bugfixes 1406 1407 This release updates certain copyright information, fixes several display 1408 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 1409 shutdown in the parse refclock driver, removes some lint from the code, 1410 stops accessing certain buffers immediately after they were freed, fixes 1411 a problem with non-command-line specification of -6, and allows the loopback 1412 interface to share addresses with other interfaces. 1413 1414 --- 1415 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29) 1416 1417 Focus: Minor Bugfixes 1418 1419 This release fixes a bug in Windows that made it difficult to 1420 terminate ntpd under windows. 1421 This is a recommended upgrade for Windows. 1422 1423 --- 1424 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19) 1425 1426 Focus: Minor Bugfixes 1427 1428 This release fixes a multicast mode authentication problem, 1429 an error in NTP packet handling on Windows that could lead to 1430 ntpd crashing, and several other minor bugs. Handling of 1431 multicast interfaces and logging configuration were improved. 1432 The required versions of autogen and libopts were incremented. 1433 This is a recommended upgrade for Windows and multicast users. 1434 1435 --- 1436 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31) 1437 1438 Focus: enhancements and bug fixes. 1439 1440 Dynamic interface rescanning was added to simplify the use of ntpd in 1441 conjunction with DHCP. GNU AutoGen is used for its command-line options 1442 processing. Separate PPS devices are supported for PARSE refclocks, MD5 1443 signatures are now provided for the release files. Drivers have been 1444 added for some new ref-clocks and have been removed for some older 1445 ref-clocks. This release also includes other improvements, documentation 1446 and bug fixes. 1447 1448 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 1449 C support. 1450 1451 --- 1452 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15) 1453 1454 Focus: enhancements and bug fixes. 1455
Indexes created Mon Apr 20 00:23:12 UTC 2026