NEWS revision 1.1.1.3.4.2.2.5
--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3389 / CVE-2017-6464 / VU#325339
   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	A vulnerability found in the NTP server makes it possible for an
	authenticated remote user to crash ntpd via a malformed mode
	configuration directive.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
	    the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3388 / CVE-2017-6462 / VU#325339
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	There is a potential for a buffer overflow in the legacy Datum
	Programmable Time Server refclock driver.  Here the packets are
	processed from the /dev/datum device and handled in
	datum_pts_receive().  Since an attacker would be required to
	somehow control a malicious /dev/datum device, this does not
	appear to be a practical attack and renders this issue "Low" in
	terms of severity.
   Mitigation:
	If you have a Datum reference clock installed and think somebody
	    may maliciously change the device, upgrade to 4.2.8p10, or
	    later, from the NTP Project Download Page or the NTP Public
	    Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3387 / CVE-2017-6463 / VU#325339
   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	A vulnerability found in the NTP server allows an authenticated
	remote attacker to crash the daemon by sending an invalid setting
	via the :config directive.  The unpeer option expects a number or
	an address as an argument.  In case the value is "0", a
	segmentation fault occurs.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
   Date Resolved: 21 Mar 2017
   References: Sec 3386
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
   Summary:
	The NTP Mode 6 monitoring and control client, ntpq, uses the
	function ntpq_stripquotes() to remove quotes and escape characters
	from a given string.  According to the documentation, the function
	is supposed to return the number of copied bytes but due to
	incorrect pointer usage this value is always zero.  Although the
	return value of this function is never used in the code, this
	flaw could lead to a vulnerability in the future.  Since relying
	on wrong return values when performing memory operations is a
	dangerous practice, it is recommended to return the correct value
	in accordance with the documentation pertinent to the code.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

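Added example, not ntpq's ntpq_stripquotes() (whose internals are not shown here): a quote/escape stripper in C whose return value is derived from the write cursor, so it reports the bytes actually copied. The quote and escape semantics and the format_stripped() caller are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (at most dstsize-1 bytes plus a NUL), dropping unescaped
 * double quotes and taking the byte after a backslash literally.  These are
 * assumed semantics for the demo.  Returns the number of bytes written to
 * dst, not counting the NUL.  The count is taken from the write cursor
 * (wp - dst), so it cannot silently be zero the way a count computed from a
 * pointer that is never advanced would be. */
size_t strip_quotes(char *dst, size_t dstsize, const char *src)
{
    char *wp, *end;
    const char *rp = src;

    if (dstsize == 0)
        return 0;
    wp = dst;
    end = dst + dstsize - 1;           /* reserve room for the NUL */
    while (*rp != '\0' && wp < end) {
        char c = *rp++;
        if (c == '"')
            continue;                  /* quote characters are not copied */
        if (c == '\\') {
            if (*rp == '\0')
                break;                 /* dangling escape at end of input */
            c = *rp++;                 /* escaped byte is copied literally */
        }
        *wp++ = c;
    }
    *wp = '\0';
    return (size_t)(wp - dst);
}

/* A caller that depends on the count, as the advisory warns future code
 * might: writes "name=" followed by the stripped value and returns the total
 * length, or -1 if even the prefix does not fit.  Hypothetical helper. */
int format_stripped(char *out, size_t outsize, const char *name, const char *quoted)
{
    size_t nlen = strlen(name);
    size_t copied;

    if (nlen + 1 >= outsize)           /* room for name, '=' and a NUL */
        return -1;
    memcpy(out, name, nlen);
    out[nlen] = '=';
    copied = strip_quotes(out + nlen + 1, outsize - nlen - 1, quoted);
    return (int)(nlen + 1 + copied);
}

int main(void)
{
    char buf[64];
    /* constructed input: "say \"hi\"" with the outer quotes included */
    size_t n = strip_quotes(buf, sizeof buf, "\"say \\\"hi\\\"\"");

    printf("%zu bytes copied: [%s]\n", n, buf);   /* 8 bytes copied: [say "hi"] */
    return 0;
}
```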
* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
   Date Resolved: 21 Mar 2017
   References: Sec 3385
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   Summary:
	NTP makes use of several wrappers around the standard heap memory
	allocation functions that are provided by libc.  This is mainly
	done to introduce additional safety checks concentrated on
	several goals.  First, they seek to ensure that memory is not
	accidentally freed, secondly they verify that a correct amount
	is always allocated and, thirdly, that allocation failures are
	correctly handled.  There is an additional implementation for
	scenarios where memory for a specific amount of items of the
	same size needs to be allocated.  The handling can be found in
	the oreallocarray() function for which a further number-of-elements
	parameter needs to be provided.  Although no considerable threat
	was identified as tied to a lack of use of this function, it is
	recommended to correctly apply oreallocarray() as a preferred
	option across all of the locations where it is possible.
   Mitigation:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
   Credit:
	This weakness was discovered by Cure53.

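Added example, not NTP's oreallocarray(): an overflow-checked array allocation wrapper in C of the kind the advisory recommends, under the hypothetical names xreallocarray(), xallocarray() and exallocarray(). It rejects an element count whose product with the element size would wrap, which is the failure a bare realloc(p, nmemb * size) cannot see.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Non-zero if nmemb * size would not fit in a size_t.  The division form
 * avoids performing the multiplication that could wrap. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* realloc() for nmemb items of size bytes each.  Fails with NULL and
 * errno = ENOMEM instead of silently allocating a wrapped, too-small block. */
void *xreallocarray(void *p, size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, nmemb * size);
}

/* Fresh allocation of an array, same checking. */
void *xallocarray(size_t nmemb, size_t size)
{
    return xreallocarray(NULL, nmemb, size);
}

/* NTP's "e" wrappers terminate on failure so callers never test for NULL;
 * this hypothetical variant does the same, logging the request first. */
void *exallocarray(size_t nmemb, size_t size)
{
    void *p = xallocarray(nmemb, size);

    if (p == NULL) {
        fprintf(stderr, "allocation of %zu x %zu bytes failed: %s\n",
                nmemb, size, strerror(errno));
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Demonstration: a request whose byte count wraps to a small value.
 * (SIZE_MAX / 4 + 1) * 8 overflows on both 32- and 64-bit size_t.
 * Returns 1 if the wrapper refused it, 0 otherwise. */
int overflow_request_rejected(void)
{
    size_t nmemb = SIZE_MAX / 4 + 1;
    void *p = xallocarray(nmemb, 8);
    int rejected = (p == NULL && errno == ENOMEM);

    free(p);
    return rejected;
}

int main(void)
{
    uint32_t *tab = exallocarray(16, sizeof *tab);   /* 64 bytes, checked */

    memset(tab, 0, 16 * sizeof *tab);
    printf("table allocated; wrapped request rejected: %d\n",
           overflow_request_rejected());
    free(tab);
    return 0;
}
```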
* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
	PPSAPI ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3384 / CVE-2017-6455 / VU#325339
   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
	including ntp-4.3.94.
   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	The Windows NT port has the added capability to preload DLLs
	defined in the inherited global local environment variable
	PPSAPI_DLLS.  The code contained within those libraries is then
	called from the NTPD service, usually running with elevated
	privileges.  Depending on how securely the machine is set up and
	configured, if ntpd is configured to use the PPSAPI under Windows
	this can easily lead to a code injection.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
	installer ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3383 / CVE-2017-6452 / VU#325339
   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
	to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	The Windows installer for NTP calls strcat(), blindly appending
	the string passed to the stack buffer in the addSourceToRegistry()
	function.  The stack buffer is 70 bytes smaller than the buffer
	in the calling main() function.  Together with the initially
	copied Registry path, the combination causes a stack buffer
	overflow and effectively overwrites the stack frame.  The
	passed application path is actually limited to 256 bytes by the
	operating system, but this is not sufficient to assure that the
	affected stack buffer is consistently protected against
	overflowing at all times.
   Mitigation:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
	installer ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3382 / CVE-2017-6459 / VU#325339
   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
	up to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	The Windows installer for NTP calls strcpy() with an argument
	that specifically contains multiple null bytes.  strcpy() only
	copies a single terminating null character into the target
	buffer instead of copying the required double null bytes in the
	addKeysToRegistry() function.  As a consequence, a garbage
	registry entry can be created.  The additional arsize parameter
	is erroneously set to contain two null bytes and the following
	call to RegSetValueEx() claims to be passing in a multi-string
	value, though this may not be true.
   Mitigation:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
   Credit:
	This weakness was discovered by Cure53.

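Added example, not the NTP Windows installer's code, covering both NTP-01-008 and NTP-01-007: a bounded append in place of strcat() for the registry key path, and a REG_MULTI_SZ builder that produces the double-NUL terminator strcpy() cannot and returns the byte count that belongs with it. Buffer sizes, the key path, the item list and the function names are constructed for the demo; no Windows API is called, so it runs anywhere.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NTP-01-008: strcat() appends blindly.  This replacement refuses to append
 * when the result would not fit, so a long application path cannot run past
 * the end of the key buffer.  Returns 0, or -1 with dst left unchanged. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *nul = memchr(dst, '\0', dstsize);
    size_t dlen, slen;

    if (nul == NULL)
        return -1;                     /* dst is not even terminated */
    dlen = (size_t)(nul - dst);
    slen = strlen(src);
    if (slen >= dstsize - dlen)        /* no room for src plus its NUL */
        return -1;
    memcpy(dst + dlen, src, slen + 1);
    return 0;
}

/* Build "<base>\<app>" in a fixed-size key buffer.  Hypothetical helper. */
int build_key_path(char *key, size_t keysize, const char *base, const char *app)
{
    if (keysize == 0)
        return -1;
    key[0] = '\0';
    if (append_bounded(key, keysize, base) < 0) return -1;
    if (append_bounded(key, keysize, "\\") < 0) return -1;
    return append_bounded(key, keysize, app);
}

/* NTP-01-007: a REG_MULTI_SZ value is a run of NUL-terminated strings closed
 * by one extra NUL.  strcpy() stops at the first NUL, so it can never build
 * one; assemble it with memcpy and return the exact byte count that has to
 * be passed alongside the value (0 if it does not fit).  Requires n >= 1. */
size_t build_multi_sz(char *out, size_t outsize, const char **items, size_t n)
{
    size_t pos = 0, i;

    if (outsize == 0 || n == 0)
        return 0;
    for (i = 0; i < n; i++) {
        size_t len = strlen(items[i]) + 1;    /* this string plus its NUL */
        if (len > outsize - pos - 1)          /* keep a byte for the final NUL */
            return 0;
        memcpy(out + pos, items[i], len);
        pos += len;
    }
    out[pos++] = '\0';                        /* second NUL closes the list */
    return pos;
}

int main(void)
{
    char key[64], value[32];
    const char *items[] = { "ntpd", "eventlog" };   /* constructed list */
    size_t len;

    build_key_path(key, sizeof key, "SYSTEM\\CurrentControlSet\\Services", "ntpd");
    len = build_multi_sz(value, sizeof value, items, 2);
    printf("key: %s\nmulti-sz bytes: %zu, double-NUL terminated: %d\n",
           key, len, len >= 2 && value[len - 1] == 0 && value[len - 2] == 0);
    return 0;
}
```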
* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
   References: Sec 3381
   Summary:
	The report says: Statically included external projects
	potentially introduce several problems and the issue of having
	extensive amounts of code that is "dead" in the resulting binary
	must clearly be pointed out.  The unnecessary unused code may or
	may not contain bugs and, quite possibly, might be leveraged for
	code-gadget-based branch-flow redirection exploits.  Analogically,
	having source trees statically included as well means a failure
	in taking advantage of the free feature for periodical updates.
	This solution is offered by the system's Package Manager.  The
	three libraries identified are libisc, libevent, and libopts.
   Resolution:
	For libisc, we already only use a portion of the original library.
	We've found and fixed bugs in the original implementation (and
	offered the patches to ISC), and plan to see what has changed
	since we last upgraded the code.  libisc is generally not
	installed, and when it is, we usually only see the static libisc.a
	file installed.  Until we know for sure that the bugs we've found
	and fixed are fixed upstream, we're better off with the copy we
	are using.

	Version 1 of libevent was the only production version available
	until recently, and we've been requiring version 2 for a long time.
	But if the build system has at least version 2 of libevent
	installed, we'll use the version that is installed on the system.
	Otherwise, we provide a copy of libevent that we know works.

	libopts is provided by GNU AutoGen, and that library and package
	undergoes frequent API version updates.  The version of autogen
	used to generate the tables for the code must match the API
	version in libopts.  AutoGen can be ... difficult to build and
	install, and very few developers really need it.  So we have it
	on our build and development machines, and we provide the
	specific version of the libopts code in the distribution to make
	sure that the proper API version of libopts is available.

	As for the point about there being code in these libraries that
	NTP doesn't use, OK.  But other packages use these libraries as
	well, and it is reasonable to assume that other people are paying
	attention to security and code quality issues for the overall
	libraries.  It takes significant resources to analyze and
	customize these libraries to only include what we need, and to
	date we believe the cost of this effort does not justify the benefit.
   Credit:
	This issue was discovered by Cure53.

* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3380
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
   Summary:
	There is a fencepost error in a "recovery branch" of the code for
	the Oncore GPS receiver if the communication link to the ONCORE
	is weak / distorted and the decoding doesn't work.
   Mitigation:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
	    the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3379 / CVE-2017-6458 / VU#325339
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	ntpd makes use of different wrappers around ctl_putdata() to
	create name/value ntpq (mode 6) response strings.  For example,
	ctl_putstr() is usually used to send string data (variable names
	or string data).  The formatting code was missing a length check
	for variable names.  If somebody explicitly created any unusually
	long variable names in ntpd (longer than 200-512 bytes, depending
	on the type of variable), then if any of these variables are
	added to the response list it would overflow a buffer.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you don't want to upgrade, then don't setvar variable names
	    longer than 200-512 bytes in your ntp.conf file.
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3378 / CVE-2017-6451 / VU#325339
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
   Summary:
	The legacy MX4200 refclock is only built if it is specifically
	enabled, and furthermore additional code changes are required to
	compile and use it.  But it uses the libc functions snprintf()
	and vsnprintf() incorrectly, which can lead to an out-of-bounds
	memory write due to an improper handling of the return value of
	snprintf()/vsnprintf().  Since the return value is used as an
	iterator and it can be larger than the buffer's size, it is
	possible for the iterator to point somewhere outside of the
	allocated buffer space.  This results in an out-of-bound memory
	write.  This behavior can be leveraged to overwrite a saved
	instruction pointer on the stack and gain control over the
	execution flow.  During testing it was not possible to identify
	any malicious usage for this vulnerability.  Specifically, no
	way for an attacker to exploit this vulnerability was ultimately
	unveiled.  However, it has the potential to be exploited, so the
	code should be fixed.
   Mitigation, if you have a Magnavox MX4200 refclock:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Cure53.

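Added example, not the MX4200 driver's mx4200_send(): the snprintf()/vsnprintf() return-value pitfall in C. An unchecked append is kept only to show how the returned cursor overshoots the buffer (the demo never writes through it); the checked append compares the return value with the space that was actually available, clamps the cursor and reports truncation. The buffer size, the build_cmd() helper and the sample command fields are constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUTBUF_SIZE 32     /* constructed size of the fixed output line */

/* The unsafe pattern: vsnprintf() returns the length the output WOULD have
 * had, not what it wrote, so once a field does not fit the returned cursor
 * points past the end of the buffer.  A later write through that cursor is
 * the out-of-bounds write the advisory describes.  Caller must keep
 * pos < OUTBUF_SIZE; shown for contrast, the demo never chains it. */
size_t append_unchecked(char *buf, size_t pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf + pos, OUTBUF_SIZE - pos, fmt, ap);
    va_end(ap);
    return pos + (size_t)n;            /* may exceed OUTBUF_SIZE */
}

/* The checked pattern: test the return value against the remaining space,
 * never advance the cursor past the terminator, and tell the caller when
 * truncation happened.  Returns 0, or -1 with buf still NUL-terminated. */
int append_checked(char *buf, size_t bufsize, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= bufsize)
        return -1;                     /* cursor already at or past the end */
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, bufsize - *pos, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                     /* encoding error */
    if ((size_t)n >= bufsize - *pos) {
        *pos = bufsize - 1;            /* output was cut at the terminator */
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Assemble a receiver command from its pieces with the checked append; the
 * line is rejected if any piece would overflow.  Hypothetical helper with
 * constructed field names.  Returns the line length, or -1. */
int build_cmd(char *line, size_t size, const char *name, int value, const char *tail)
{
    size_t pos = 0;

    if (size == 0)
        return -1;
    line[0] = '\0';
    if (append_checked(line, size, &pos, "$%s,", name) < 0) return -1;
    if (append_checked(line, size, &pos, "%d", value) < 0) return -1;
    if (append_checked(line, size, &pos, ",%s", tail) < 0) return -1;
    return (int)pos;
}

int main(void)
{
    char line[OUTBUF_SIZE], small[8];
    int len = build_cmd(line, sizeof line, "PMVXG", 18, "0");

    printf("built [%s] (%d bytes)\n", line, len);
    printf("into an 8-byte buffer: %d\n", build_cmd(small, sizeof small, "PMVXG", 18, "0"));
    printf("unchecked cursor after a 40-char field into %d bytes: %zu\n",
           OUTBUF_SIZE, append_unchecked(line, 0, "%40s", "x"));
    return 0;
}
```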
* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
	malicious ntpd (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3377 / CVE-2017-6460 / VU#325339
   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	A stack buffer overflow in ntpq can be triggered by a malicious
	ntpd server when ntpq requests the restriction list from the server.
	This is due to a missing length check in the reslist() function.
	It occurs whenever the function parses the server's response and
	encounters a flagstr variable of an excessive length.  The string
	will be copied into a fixed-size buffer, leading to an overflow on
	the function's stack-frame.  Note well that this problem requires
	a malicious server, and affects ntpq, not ntpd.
   Mitigation:
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you can't upgrade your version of ntpq then if you want to know
	    the reslist of an instance of ntpd that you do not control,
	    know that if the target ntpd is malicious that it can send back
	    a response that intends to crash your ntpq process.
   Credit:
	This weakness was discovered by Cure53.

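Added example serving both NTP-01-004 and NTP-01-002, not NTP's ctl_putstr() or ntpq's reslist(): one bounded-copy helper applied on the server side, where an overlong variable name is refused before name="value" is formatted into the response, and on the client side, where an overlong flags value in a response is refused instead of being copied into the fixed-size buffer. The limits, the response format and the function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_VAR_NAME 64     /* constructed limit on a variable name */
#define FLAGSTR_SIZE 32     /* constructed size of the client's fixed flag buffer */

/* Copy exactly srclen bytes plus a NUL into dst, or copy nothing and return
 * -1 when they would not fit.  dst is never partially written. */
int copy_bounded(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dstsize == 0 || srclen >= dstsize)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Server side (NTP-01-004): append name="value" to the response being built.
 * The check the advisory found missing is the one on the NAME length; here
 * an overlong name is refused before anything is written.  Returns the
 * number of bytes appended, or -1 with resp and *used unchanged. */
int put_var(char *resp, size_t respsize, size_t *used,
            const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value);
    size_t need = nlen + vlen + 3;     /* name, '=', '"', value, '"' */
    char *p;

    if (nlen > MAX_VAR_NAME)
        return -1;
    if (*used >= respsize || need + 1 > respsize - *used)
        return -1;                     /* +1 for the terminating NUL */
    p = resp + *used;
    memcpy(p, name, nlen);   p += nlen;
    *p++ = '=';  *p++ = '"';
    memcpy(p, value, vlen);  p += vlen;
    *p++ = '"';  *p = '\0';
    *used += need;
    return (int)need;
}

/* Client side (NTP-01-002): extract the value of "flags=..." from a server
 * response into a fixed-size buffer.  A value longer than the buffer is
 * reported rather than copied.  Returns 0 on success, 1 if the field is
 * absent, -1 if it is too long.  The row format is constructed. */
int parse_flagstr(const char *response, char flagstr[FLAGSTR_SIZE])
{
    const char *key = strstr(response, "flags=");
    const char *start, *end;
    size_t len;

    if (key == NULL)
        return 1;
    start = key + strlen("flags=");
    end = strchr(start, ',');
    len = end ? (size_t)(end - start) : strlen(start);
    return copy_bounded(flagstr, FLAGSTR_SIZE, start, len);
}

int main(void)
{
    char resp[128], flagstr[FLAGSTR_SIZE];
    size_t used = 0;
    /* constructed response row in the spirit of a reslist entry */
    const char *row = "addr=192.0.2.1, mask=255.255.255.255, flags=noquery nopeer, mru=0";

    put_var(resp, sizeof resp, &used, "version", "ntpd 4.2.8p10");
    printf("response: %s (%zu bytes)\n", resp, used);
    printf("parse: %d, flags=[%s]\n", parse_flagstr(row, flagstr), flagstr);
    return 0;
}
```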
* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
   Date Resolved: 21 Mar 2017
   References: Sec 3376
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: N/A
   CVSS3: N/A
   Summary:
	The build process for NTP has not, by default, provided compile
	or link flags to offer "hardened" security options.  Package
	maintainers have always been able to provide hardening security
	flags for their builds.  As of ntp-4.2.8p10, the NTP build
	system has a way to provide OS-specific hardening flags.  Please
	note that this is still not a really great solution because it
	is specific to NTP builds.  It's inefficient to have every
	package supply, track and maintain this information for every
	target build.  It would be much better if there was a common way
	for OSes to provide this information in a way that arbitrary
	packages could benefit from it.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was reported by Cure53.

* 0rigin DoS (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3361 / CVE-2016-9042 / VU#325339
   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
   Summary:
	An exploitable denial of service vulnerability exists in the
	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
	crafted unauthenticated network packet can be used to reset the
	expected origin timestamp for target peers.  Legitimate replies
	from targeted peers will fail the origin timestamp check (TEST2)
	causing the reply to be dropped and creating a denial of service
	condition.  This vulnerability can only be exploited if the
	attacker can spoof all of the servers.
   Mitigation:
	Implement BCP-38.
	Configure enough servers/peers that an attacker cannot target
	    all of your time sources.
	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart
	    ntpd (without -g) if it stops running.
   Credit:
	This weakness was discovered by Matthew Van Gundy of Cisco.

Other fixes:

* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
  - original patch by Majdi S. Abbas
* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
  - initial patch by Christos Zoulas
* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
  - move loader API from 'inline' to proper source
  - augment pathless dlls with absolute path to NTPD
  - use 'msyslog()' instead of 'printf()' for reporting trouble
* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
  - applied patch by Matthew Van Gundy
* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
  - applied some of the patches provided by Havard. Not all of them
    still match the current code base, and I did not touch libopt.
* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
  - applied patch by Reinhard Max. See bugzilla for limitations.
* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
  - fixed dependency inversion from [Bug 2837]
* [Bug 2896] Nothing happens if minsane < maxclock < minclock
  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger@ntp.org>
* Update copyright year.

    446 --
    447 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn (a] ntp.org>
    448 
    449 * [Bug 3144] NTP does not build without openSSL. <perlinger (a] ntp.org>
    450   - added missed changeset for automatic openssl lib detection
    451   - fixed some minor warning issues
    452 * [Bug 3095]  More compatibility with openssl 1.1. <perlinger (a] ntp.org>
    453 * configure.ac cleanup.  stenn (a] ntp.org
    454 * openssl configure cleanup.  stenn (a] ntp.org
    455 
    456 --
    457 NTP 4.2.8p9 (Harlan Stenn <stenn (a] ntp.org>, 2016/11/21) 
    458 
    459 Focus: Security, Bug fixes, enhancements.
    460 
    461 Severity: HIGH
    462 
    463 In addition to bug fixes and enhancements, this release fixes the
    464 following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
    465 5 low-severity vulnerabilities, and provides 28 other non-security
    466 fixes and improvements:
    467 
    468 * Trap crash
    469    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    470    References: Sec 3119 / CVE-2016-9311 / VU#633847
    471    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    472    	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
    473    CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
    474    CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
    475    Summary: 
    476 	ntpd does not enable trap service by default. If trap service
    477 	has been explicitly enabled, an attacker can send a specially
    478 	crafted packet to cause a null pointer dereference that will
    479 	crash ntpd, resulting in a denial of service. 
    480    Mitigation:
    481         Implement BCP-38.
    482 	Use "restrict default noquery ..." in your ntp.conf file. Only
    483 	    allow mode 6 queries from trusted networks and hosts. 
    484         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    485 	    or the NTP Public Services Project Download Page
    486         Properly monitor your ntpd instances, and auto-restart ntpd
    487 	    (without -g) if it stops running. 
    488    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
    489 
    490 * Mode 6 information disclosure and DDoS vector
    491    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    492    References: Sec 3118 / CVE-2016-9310 / VU#633847
    493    Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    494 	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
    495    CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
    496    CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    497    Summary: 
    498 	An exploitable configuration modification vulnerability exists
    499 	in the control mode (mode 6) functionality of ntpd. If, against
    500 	long-standing BCP recommendations, "restrict default noquery ..."
    501 	is not specified, a specially crafted control mode packet can set
    502 	ntpd traps, providing information disclosure and DDoS
    503 	amplification, and unset ntpd traps, disabling legitimate
    504 	monitoring. A remote, unauthenticated, network attacker can
    505 	trigger this vulnerability. 
    506    Mitigation:
    507         Implement BCP-38.
    508 	Use "restrict default noquery ..." in your ntp.conf file.
    509         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    510 	    or the NTP Public Services Project Download Page
    511         Properly monitor your ntpd instances, and auto-restart ntpd
    512 	    (without -g) if it stops running. 
    513    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
    514 
    515 * Broadcast Mode Replay Prevention DoS
    516    Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
    517    References: Sec 3114 / CVE-2016-7427 / VU#633847
    518    Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 
    519 	ntp-4.3.90 up to, but not including ntp-4.3.94.
    520    CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
    521    CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    522    Summary: 
    523 	The broadcast mode of NTP is expected to only be used in a
    524 	trusted network. If the broadcast network is accessible to an
    525 	attacker, a potentially exploitable denial of service
    526 	vulnerability in ntpd's broadcast mode replay prevention
    527 	functionality can be abused. An attacker with access to the NTP
    528 	broadcast domain can periodically inject specially crafted
    529 	broadcast mode NTP packets into the broadcast domain which,
    530 	while being logged by ntpd, can cause ntpd to reject broadcast
    531 	mode packets from legitimate NTP broadcast servers. 
    532    Mitigation:
    533         Implement BCP-38.
    534         Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    535 	    or the NTP Public Services Project Download Page
    536         Properly monitor your ntpd instances, and auto-restart ntpd
    537 	    (without -g) if it stops running. 
    538    Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
    539 
* Broadcast Mode Poll Interval Enforcement DoS
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3113 / CVE-2016-7428 / VU#633847
   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
	ntp-4.3.90 up to, but not including ntp-4.3.94
   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary:
	The broadcast mode of NTP is expected to only be used in a
	trusted network. If the broadcast network is accessible to an
	attacker, a potentially exploitable denial of service
	vulnerability in ntpd's broadcast mode poll interval enforcement
	functionality can be abused. To limit abuse, ntpd restricts the
	rate at which each broadcast association will process incoming
	packets. ntpd will reject broadcast mode packets that arrive
	before the poll interval specified in the preceding broadcast
	packet expires. An attacker with access to the NTP broadcast
	domain can send specially crafted broadcast mode NTP packets to
	the broadcast domain which, while being logged by ntpd, will
	cause ntpd to reject broadcast mode packets from legitimate NTP
	broadcast servers.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3110 / CVE-2016-9312 / VU#633847
   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
	and ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   Summary:
	If a vulnerable instance of ntpd on Windows receives a crafted
	malicious packet that is "too big", ntpd will stop working.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3102 / CVE-2016-7431 / VU#633847
   Affects: ntp-4.2.8p8, and ntp-4.3.93.
   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
   Summary:
	Zero Origin timestamp problems were fixed by Bug 2945 in
	ntp-4.2.8p6. However, subsequent timestamp validation checks
	introduced a regression in the handling of some Zero origin
	timestamp checks.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
	Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3082 / CVE-2016-7434 / VU#633847
   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	If ntpd is configured to allow mrulist query requests from a
	server that sends a crafted malicious packet, ntpd will crash
	on receipt of that crafted malicious mrulist query packet.
   Mitigation:
	Only allow mrulist query packets from trusted hosts.
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Magnus Stubman.

* Attack on interface selection
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3072 / CVE-2016-7429 / VU#633847
   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94
   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	When ntpd receives a server response on a socket that corresponds
	to a different interface than was used for the request, the peer
	structure is updated to use that interface for new requests. If
	ntpd is running on a host with multiple interfaces in separate
	networks and the operating system doesn't check the source address
	of received packets (e.g. rp_filter on Linux is set to 0), an
	attacker who knows the address of the source can send a packet
	with a spoofed source address which will cause ntpd to select the
	wrong interface for the source and prevent it from sending new
	requests until the list of interfaces is refreshed, which happens
	on routing changes or every 5 minutes by default. If the attack is
	repeated often enough (once per second), ntpd will not be able to
	synchronize with the source.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you are going to configure your OS to disable source address
	    checks, also configure your firewall to control which
	    interfaces may receive packets from which networks.
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3071 / CVE-2016-7426 / VU#633847
   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94
   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	When ntpd is configured with rate limiting for all associations
	(restrict default limited in ntp.conf), the limits are applied
	also to responses received from its configured sources. An
	attacker who knows the sources (e.g., from an IPv4 refid in a
	server response) and knows the system is (mis)configured in this
	way can periodically send packets with a spoofed source address to
	keep the rate limiting activated and prevent ntpd from accepting
	valid responses from its sources.

	While this blanket rate limiting can be useful to prevent
	brute-force attacks on the origin timestamp, it allows this DoS
	attack. Similarly, it allows the attacker to prevent mobilization
	of ephemeral associations.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3067 / CVE-2016-7433 / VU#633847
   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
	root-distance calculation in general is incorrect in all versions
	of ntp-4 until this release.
   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
   Summary:
	Bug 2085 described a condition where the root delay was included
	twice, causing the jitter value to be higher than expected. Due
	to a misinterpretation of a small-print variable in The Book, the
	fix for this problem was incorrect, resulting in a root distance
	that did not include the peer dispersion. The calculations and
	formulae have been reviewed and reconciled, and the code has been
	updated accordingly.
   Mitigation:
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered independently by Brian Utterback of
	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

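The entry above says the root distance lost its peer-dispersion term and that the formulae were reconciled, but does not show the formula. The block below is an added example, not ntpd code: it computes the root synchronization distance as RFC 5905 defines it (Section 11.2.1; root_dist() in Appendix A), then computes the same sum with the peer dispersion omitted so the size of the error can be seen. The struct, helper names and sample values are constructed for the illustration.

```c
#include <stdio.h>

/* Added example (not ntpd code): the root synchronization distance as
 * RFC 5905 defines it.  The struct, the helper names and the sample
 * values are constructed here for illustration. */

#define PHI     15e-6   /* frequency tolerance, 15 PPM (RFC 5905) */
#define MINDISP 0.01    /* minimum dispersion, seconds (RFC 5905) */

struct peer_vars {
    double rootdelay;   /* root delay the server advertises */
    double rootdisp;    /* root dispersion the server advertises */
    double delay;       /* round-trip delay to the server measured locally */
    double disp;        /* peer dispersion accumulated locally */
    double jitter;      /* peer jitter */
    double t_update;    /* time of the last clock-filter update, seconds */
};

/* RFC 5905 root distance: half the total round-trip delay, plus the
 * server's root dispersion, plus the local peer dispersion, plus the
 * dispersion accrued since the last update, plus peer jitter.  Each
 * term appears exactly once. */
double root_distance(const struct peer_vars *p, double now)
{
    double total_delay = p->rootdelay + p->delay;
    if (total_delay < MINDISP)
        total_delay = MINDISP;
    return total_delay / 2 + p->rootdisp + p->disp
           + PHI * (now - p->t_update) + p->jitter;
}

/* The same sum with the peer dispersion term left out, modelled on the
 * advisory's description of the regression, so the two can be compared. */
double root_distance_missing_disp(const struct peer_vars *p, double now)
{
    double total_delay = p->rootdelay + p->delay;
    if (total_delay < MINDISP)
        total_delay = MINDISP;
    return total_delay / 2 + p->rootdisp
           + PHI * (now - p->t_update) + p->jitter;
}

/* Constructed sample: 20 ms root delay, 4 ms local delay, 1 ms root
 * dispersion, 2 ms peer dispersion, 0.5 ms jitter, updated 16 s ago. */
struct peer_vars sample_peer(double now)
{
    struct peer_vars p;
    p.rootdelay = 0.020;
    p.rootdisp  = 0.001;
    p.delay     = 0.004;
    p.disp      = 0.002;
    p.jitter    = 0.0005;
    p.t_update  = now - 16.0;
    return p;
}

double sample_root_distance(void)
{
    struct peer_vars p = sample_peer(100.0);
    return root_distance(&p, 100.0);                /* 0.01574 s */
}

double sample_root_distance_missing_disp(void)
{
    struct peer_vars p = sample_peer(100.0);
    return root_distance_missing_disp(&p, 100.0);   /* 0.01374 s */
}

/* Same peer with no delay at all: the MINDISP floor applies. */
double sample_root_distance_zero_delay(void)
{
    struct peer_vars p = sample_peer(100.0);
    p.rootdelay = 0.0;
    p.delay = 0.0;
    return root_distance(&p, 100.0);                /* 0.00874 s */
}

/* Absolute value without <math.h>, for tolerance comparisons. */
double absd(double x) { return x < 0 ? -x : x; }

int main(void)
{
    printf("root distance: %.5f s (without peer dispersion: %.5f s)\n",
           sample_root_distance(), sample_root_distance_missing_disp());
    printf("with zero delay (MINDISP floor): %.5f s\n",
           sample_root_distance_zero_delay());
    return 0;
}
```

With these sample values the missing term understates the root distance by exactly the 2 ms of peer dispersion, which matters because the root distance feeds the clock selection and the "distance threshold" check; an understated value makes a poor source look better than it is.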
Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement.  HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
             even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3046 / CVE-2016-4957 / VU#321640
   Affects: ntp-4.2.8p7, and ntp-4.3.92.
   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
	could cause ntpd to crash.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you cannot upgrade from 4.2.8p7, the only other alternatives
	    are to patch your code or filter CRYPTO_NAK packets.
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3045 / CVE-2016-4953 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who knows the origin timestamp and can send a
	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
	target before any other response is sent can demobilize that
	association.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3044 / CVE-2016-4954 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who is able to spoof packets with correct origin
	timestamps from enough servers before the expected response
	packets arrive at the target machine can affect some peer
	variables and, for example, cause a false leap indication to be set.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3043 / CVE-2016-4955 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who is able to spoof a packet with a correct
	origin timestamp before the expected response packet arrives at
	the target machine can send a CRYPTO_NAK or a bad MAC and cause
	the association's peer variables to be cleared. If this can be
	done often enough, it will prevent that association from working.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3042 / CVE-2016-4956 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: The fix for NtpBug2978 does not cover broadcast associations,
	so broadcast clients can be triggered to flip into interleave mode.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file.  Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary.  HStenn.
* Make sure we have an "author" file for git imports.  HStenn.
* Update the sntp problem tests for MacOS.  HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave.  More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp.  These events have almost certainly happened in the
past, it's just that they were silently counted and not logged.  With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior.  This increased
logging can also help detect other problems, too.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2879 / CVE-2016-1550
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   Summary: Packet authentication tests have been performed using
	memcmp() or possibly bcmp(), and it is potentially possible
	for a local or perhaps LAN-based attacker to send a packet with
	an authentication payload and indirectly observe how much of
	the digest has matched.
   Mitigation:
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered independently by Loganaden
	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

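The entry above names the defect (an early-exit memcmp()/bcmp() on the authentication digest) without showing it. The block below is an added example, not ntpd's authdecrypt() or its fix: it puts the early-exit comparison beside a constant-time one and counts how many bytes each examines for two forged MACs, one wrong from the first byte and one that matches the first 15 bytes. The digest length, the function names and the sample digests are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not ntpd code): comparing a received MAC against the
 * locally computed digest.  The names, the 16-byte digest length and
 * the sample digests are constructed for illustration. */

#define DIGEST_LEN 16

/* Early-exit comparison, the behaviour a typical memcmp()/bcmp() has:
 * it stops at the first differing byte, so its running time grows with
 * the length of the matching prefix.  'examined' reports how many bytes
 * were looked at, standing in for the timing an observer would measure. */
int digest_equal_leaky(const uint8_t *a, const uint8_t *b, size_t len,
                       size_t *examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            if (examined) *examined = i + 1;
            return 0;
        }
    }
    if (examined) *examined = len;
    return 1;
}

/* Constant-time comparison: XOR each byte pair and OR the results into an
 * accumulator.  Every byte is visited, there is no data-dependent branch,
 * and the accumulator is folded to 0/1 arithmetically at the end. */
int digest_equal_ct(const uint8_t *a, const uint8_t *b, size_t len,
                    size_t *examined)
{
    unsigned int diff = 0;          /* stays within 0..255 */
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    if (examined) *examined = len;
    /* diff == 0: (0 - 1) >> 8 has bit 0 set, result 1; diff in 1..255: 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Constructed sample digests: the expected MAC, a forgery wrong from the
 * first byte, and a forgery that matches the first 15 bytes. */
const uint8_t EXPECTED[DIGEST_LEN] = {
    0x8f,0x3a,0xc1,0x07,0x5e,0x92,0xd4,0x6b,0x10,0xaa,0x33,0xf0,0x41,0x9c,0x2d,0x77 };
const uint8_t WRONG_AT_0[DIGEST_LEN] = {
    0x00,0x3a,0xc1,0x07,0x5e,0x92,0xd4,0x6b,0x10,0xaa,0x33,0xf0,0x41,0x9c,0x2d,0x77 };
const uint8_t WRONG_AT_15[DIGEST_LEN] = {
    0x8f,0x3a,0xc1,0x07,0x5e,0x92,0xd4,0x6b,0x10,0xaa,0x33,0xf0,0x41,0x9c,0x2d,0x00 };

/* Bytes examined by each comparison for a given forged candidate. */
size_t leaky_work(const uint8_t *cand)
{
    size_t n = 0;
    digest_equal_leaky(EXPECTED, cand, DIGEST_LEN, &n);
    return n;
}

size_t ct_work(const uint8_t *cand)
{
    size_t n = 0;
    digest_equal_ct(EXPECTED, cand, DIGEST_LEN, &n);
    return n;
}

int main(void)
{
    printf("leaky: wrong@0 examines %zu bytes, wrong@15 examines %zu bytes\n",
           leaky_work(WRONG_AT_0), leaky_work(WRONG_AT_15));
    printf("ct:    wrong@0 examines %zu bytes, wrong@15 examines %zu bytes\n",
           ct_work(WRONG_AT_0), ct_work(WRONG_AT_15));
    return 0;
}
```

The leaky variant examines 1 byte for the first forgery and 16 for the second, which is the per-byte signal the advisory describes; the constant-time variant examines all 16 in both cases and returns the same verdict. In production code the comparison should also be done on a fixed-length digest, so the length itself does not vary with the input.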
* Zero origin timestamp bypass: Additional KoD checks.
   References: Sec 2945 / Sec 2901 / CVE-2015-8138
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2952 / CVE-2015-7704
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
	associations did not address all of the issues.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you can't upgrade, use "server" associations instead of
	    "peer" associations.
	Monitor your ntpd instances.
   Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3007 / CVE-2016-1547 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
	off-path attacker can cause a preemptable client association to
	be demobilized by sending a crypto NAK packet to a victim client
	with a spoofed source address of an existing associated peer.
	This is true even if authentication is enabled.

	Furthermore, if the attacker keeps sending crypto NAK packets,
	for example one every second, the victim never has a chance to
	reestablish the association and synchronize time with that
	legitimate server.

	For ntp-4.2.8 through ntp-4.2.8p6 there is less risk because more
	stringent checks are performed on incoming packets, but there
	are still ways to exploit this vulnerability in versions before
	ntp-4.2.8p7.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Stephen Gray and
	Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3008 / CVE-2016-2519
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: ntpq and ntpdc can be used to store and retrieve information
	in ntpd. It is possible to store a data value that is larger
	than the size of the buffer that the ctl_getitem() function of
	ntpd uses to report the return value. If the length of the
	requested data value returned by ctl_getitem() is too large,
	the value NULL is returned instead. There are 2 cases where the
	return value from ctl_getitem() was not directly checked to make
	sure it's not NULL, but there are subsequent INSIST() checks
	that make sure the return value is not NULL. There are no data
	values ordinarily stored in ntpd that would exceed this buffer
	length. But if one has permission to store values and one stores
	a value that is "too large", then ntpd will abort if an attempt
	is made to read that oversized value.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

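The failure pattern in the entry above (a bounded lookup that signals "does not fit" with NULL, and callers that leave the NULL to a later INSIST() abort) is easier to see in code. The block below is an added example and not ntpd's ctl_getitem(): get_item() models the lookup, report_item() is the caller that checks the NULL and reports a failure instead of aborting. The variable table, buffer size and names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not ntpd code): the lookup/caller pattern the advisory
 * describes.  get_item() reports a variable's value through a fixed-size
 * buffer and returns NULL when the value does not fit; report_item() is
 * the caller that must check that NULL rather than leave it to a later
 * assertion.  Names, buffer size and table are constructed. */

#define VALBUF_LEN 32

struct var {
    const char *name;
    const char *value;
};

/* Constructed variable table: one ordinary value and one that has been
 * stored "too large" for the report buffer. */
static const struct var VARS[] = {
    { "version",   "ntpd 4.2.8p7" },
    { "oversized", "this stored value is far longer than the report buffer" },
};

/* Copy the named value into buf and return buf, or return NULL when the
 * name is unknown or the value (plus NUL) would not fit in buflen. */
const char *get_item(const char *name, char *buf, size_t buflen)
{
    size_t i;
    for (i = 0; i < sizeof VARS / sizeof VARS[0]; i++) {
        if (strcmp(VARS[i].name, name) == 0) {
            size_t n = strlen(VARS[i].value);
            if (n + 1 > buflen)
                return NULL;        /* too large: refuse, don't truncate */
            memcpy(buf, VARS[i].value, n + 1);
            return buf;
        }
    }
    return NULL;
}

/* Format "name=value" into out.  Returns 0 on success and -1 when the
 * lookup fails; the failure is reported and the daemon keeps running. */
int report_item(const char *name, char *out, size_t outlen)
{
    char buf[VALBUF_LEN];
    const char *v = get_item(name, buf, sizeof buf);
    if (v == NULL) {
        snprintf(out, outlen, "%s: unavailable", name);
        return -1;
    }
    snprintf(out, outlen, "%s=%s", name, v);
    return 0;
}

/* Convenience wrappers returning the status and the text for a name. */
int sample_report_status(const char *name)
{
    char out[128];
    return report_item(name, out, sizeof out);
}

const char *sample_report_text(const char *name)
{
    static char out[128];
    report_item(name, out, sizeof out);
    return out;
}

int main(void)
{
    printf("%s (status %d)\n", sample_report_text("version"),
           sample_report_status("version"));
    printf("%s (status %d)\n", sample_report_text("oversized"),
           sample_report_status("oversized"));
    return 0;
}
```

The oversized entry is exactly the case the advisory describes: the lookup itself is safe because it refuses rather than overruns, so the only way it turns into a crash is a caller that dereferences the NULL or hands it to an assertion. Checking at the call site turns a remote-triggerable abort into a logged, non-fatal error.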
* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3009 / CVE-2016-2518 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary: Using a crafted packet to create a peer association with
	hmode > 7 causes the MATCH_ASSOC() lookup to make an
	out-of-bounds reference.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
	properly validated
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3010 / CVE-2016-2517 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: If ntpd was expressly configured to allow for remote
	configuration, a malicious user who knows the controlkey for
	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
	can create a session with ntpd and then send a crafted packet to
	ntpd that will change the value of the trustedkey, controlkey,
	or requestkey to a value that will prevent any subsequent
	authentication with ntpd until ntpd is restarted.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3011 / CVE-2016-2516 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: If ntpd was expressly configured to allow for remote
	configuration, a malicious user who knows the controlkey for
	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
	can create a session with ntpd and if an existing association is
	unconfigured using the same IP twice on the unconfig directive
	line, ntpd will abort.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

* Refclock impersonation vulnerability
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3020 / CVE-2016-1551
   Affects: On a very limited number of OSes, all NTP releases up to but
	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
	By "very limited number of OSes" we mean no general-purpose OSes
	have yet been identified that have this vulnerability.
   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
   Summary: While most OSes implement martian packet filtering in their
	network stack, at least regarding 127.0.0.0/8, some will allow
	packets claiming to be from 127.0.0.0/8 that arrive over a
	physical network. On these OSes, if ntpd is configured to use a
	reference clock an attacker can inject packets over the network
	that look like they are coming from that reference clock.
   Mitigation:
	Implement martian packet filtering and BCP-38.
	Configure ntpd to use an adequate number of time sources.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you are unable to upgrade and if you are running an OS that
	    has this vulnerability, implement martian packet filters and
	    lobby your OS vendor to fix this problem, or run your
	    refclocks on computers that use OSes that are not vulnerable
	    to these attacks and have your vulnerable machines get their
	    time from protected resources.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Matt Street and others of
	Cisco ASIG.

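The mitigation above asks for martian packet filtering where the OS does not provide it. The block below is an added example, not ntpd's own input validation: a receive-side check that drops a packet whose source lies in 127.0.0.0/8 unless it arrived on the loopback interface, which is the condition that lets a network host pose as a reference clock (ntpd addresses refclocks as 127.127.t.u). It goes slightly beyond the advisory by also rejecting multicast sources, which can never be a legitimate unicast sender. The interface enum, helper names and sample addresses are constructed; 192.0.2.0/24 is the RFC 5737 documentation range.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not ntpd code): a receive-side martian check for the
 * case the advisory describes.  A 127.0.0.0/8 source is only plausible
 * on the loopback interface; accepting it from a physical interface lets
 * a host on the network pose as a local reference clock.  The enum, the
 * helper names and the sample addresses are constructed. */

enum iface_kind { IFACE_LOOPBACK, IFACE_PHYSICAL };

/* Build a host-order IPv4 address from its dotted-quad components. */
uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16)
         | ((uint32_t)c << 8)  | (uint32_t)d;
}

/* True if the address is one ntpd would use for a reference clock,
 * i.e. it lies in 127.127.0.0/16 (127.127.t.u). */
int is_refclock_address(uint32_t src)
{
    return (src >> 16) == ((127u << 8) | 127u);
}

/* Returns 1 if a packet with this source address, arriving on this kind
 * of interface, should be dropped as martian:
 *   - any multicast source (224.0.0.0/4) is never a valid unicast sender;
 *   - a loopback-range source (127.0.0.0/8) is only acceptable when the
 *     packet actually came in on the loopback interface. */
int is_martian_source(uint32_t src, enum iface_kind arrived_on)
{
    unsigned first_octet = src >> 24;
    if ((first_octet & 0xF0u) == 0xE0u)             /* 224.0.0.0/4 */
        return 1;
    if (first_octet == 127u && arrived_on != IFACE_LOOPBACK)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: a source that looks like refclock type 20 (NMEA). */
    uint32_t nmea = ipv4(127, 127, 20, 0);
    printf("127.127.20.0 via physical NIC: %s (refclock address: %s)\n",
           is_martian_source(nmea, IFACE_PHYSICAL) ? "drop" : "accept",
           is_refclock_address(nmea) ? "yes" : "no");
    printf("127.127.20.0 via loopback:     %s\n",
           is_martian_source(nmea, IFACE_LOOPBACK) ? "drop" : "accept");
    printf("192.0.2.1 via physical NIC:    %s\n",
           is_martian_source(ipv4(192, 0, 2, 1), IFACE_PHYSICAL) ? "drop" : "accept");
    printf("224.0.1.1 via physical NIC:    %s\n",
           is_martian_source(ipv4(224, 0, 1, 1), IFACE_PHYSICAL) ? "drop" : "accept");
    return 0;
}
```

The same rule is what a host firewall should express on affected systems: 127.0.0.0/8 sources are dropped on every interface except loopback. Pairing it with BCP-38 filtering at the network edge covers the spoofed-source case the advisory's other mitigations rely on.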
The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
   References: Sec 2936 / CVE-2015-7974
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2978 / CVE-2016-1548
   Affects: All ntp-4 releases.
   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
   Summary: It is possible to change the time of an ntpd client or deny
	service to an ntpd client by forcing it to change from basic
	client/server mode to interleaved symmetric mode. An attacker
	can spoof a packet from a legitimate ntpd server with an origin
	timestamp that matches the peer->dst timestamp recorded for that
	server. After making this switch, the client will reject all
	future legitimate server responses. It is possible to force the
	victim client to move time after the mode has been changed.
	ntpq gives no indication that the mode has been switched.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.  These
	    versions will not dynamically "flip" into interleave mode
	    unless configured to do so.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
	and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3012 / CVE-2016-1549
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
	field in the ntp.keys file to specify which IPs can serve time,
	a malicious authenticated peer can create arbitrarily many
	ephemeral associations in order to win the clock selection of
	ntpd and modify a victim's clock.
   Mitigation:
	Implement BCP-38.
	Use the 4th field in the ntp.keys file to specify which IPs
	    can be time servers.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
   1147 
   1148 Other fixes:
   1149 
   1150 * [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger (a] ntp.org
   1151   - fixed yet another race condition in the threaded resolver code.
   1152 * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
   1153 * [Bug 2879] Improve NTP security against timing attacks. perlinger (a] ntp.org
   1154   - integrated patches by Loganaden Velvidron <logan (a] ntp.org>
   1155     with some modifications & unit tests
   1156 * [Bug 2960] async name resolution fixes for chroot() environments.
   1157   Reinhard Max.
   1158 * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger (a] ntp.org
   1159 * [Bug 2995] Fixes to compile on Windows
   1160 * [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger (a] ntp.org
   1161 * [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger (a] ntp.org
   1162   - Patch provided by Ch. Weisgerber
   1163 * [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
   1164   - A change related to [Bug 2853] forbids trailing white space in
   1165     remote config commands. perlinger (a] ntp.org
   1166 * [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
   1167   - report and patch from Aleksandr Kostikov.
   1168   - Overhaul of Windows IO completion port handling. perlinger (a] ntp.org
   1169 * [Bug 3022] authkeys.c should be refactored. perlinger (a] ntp.org
   1170   - fixed memory leak in access list (auth[read]keys.c)
   1171   - refactored handling of key access lists (auth[read]keys.c)
   1172   - reduced number of error branches (authreadkeys.c)
   1173 * [Bug 3023] ntpdate cannot correct dates in the future. perlinger (a] ntp.org
   1174 * [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
   1175 * [Bug 3031] ntp broadcastclient unable to synchronize to an server
   1176              when the time of server changed. perlinger (a] ntp.org
   1177   - Check the initial delay calculation and reject/unpeer the broadcast
   1178     server if the delay exceeds 50ms. Retry again after the next
   1179     broadcast packet.
   1180 * [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
   1181 * Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
   1182 * Update html/xleave.html documentation.  Harlan Stenn.
   1183 * Update ntp.conf documentation.  Harlan Stenn.
   1184 * Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
   1185 * Fix typo in html/monopt.html.  Harlan Stenn.
   1186 * Add README.pullrequests.  Harlan Stenn.
   1187 * Cleanup to include/ntp.h.  Harlan Stenn.
   1188 
   1189 New option to 'configure':
   1190 
   1191 While looking in to the issues around Bug 2978, the "interleave pivot"
   1192 issue, it became clear that there are some intricate and unresolved
   1193 issues with interleave operations.  We also realized that the interleave
   1194 protocol was never added to the NTPv4 Standard, and it should have been.
   1195 
   1196 Interleave mode was first released in July of 2008, and can be engaged
   1197 in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
   1198 contain the 'xleave' option, which will expressly enable interlave mode
   1199 for that association.  Additionally, if a time packet arrives and is
   1200 found inconsistent with normal protocol behavior but has certain
   1201 characteristics that are compatible with interleave mode, NTP will
   1202 dynamically switch to interleave mode.  With sufficient knowledge, an
   1203 attacker can send a crafted forged packet to an NTP instance that
   1204 triggers only one side to enter interleaved mode.
   1205 
   1206 To prevent this attack until we can thoroughly document, describe,
   1207 fix, and test the dynamic interleave mode, we've added a new
   1208 'configure' option to the build process:
   1209 
   1210  --enable-dynamic-interleave
   1211 
   1212 This option controls whether or not NTP will, if conditions are right,
   1213 engage dynamic interleave mode.  Dynamic interleave mode is disabled by
   1214 default in ntp-4.2.8p7.
   1215 
   1216 ---
   1217 NTP 4.2.8p6 (Harlan Stenn <stenn (a] ntp.org>, 2016/01/20) 
   1218 
   1219 Focus: Security, Bug fixes, enhancements.
   1220 
   1221 Severity: MEDIUM
   1222 
   1223 In addition to bug fixes and enhancements, this release fixes the
   1224 following 1 low- and 8 medium-severity vulnerabilities:
   1225 
   1226 * Potential Infinite Loop in 'ntpq'
   1227    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1228    References: Sec 2548 / CVE-2015-8158
   1229    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1230 	4.3.0 up to, but not including 4.3.90
   1231    CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1232    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   1233    Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
   1234 	The loop's only stopping conditions are receiving a complete and
   1235 	correct response or hitting a small number of error conditions.
   1236 	If the packet contains incorrect values that don't trigger one of
   1237 	the error conditions, the loop continues to receive new packets.
   1238 	Note well, this is an attack against an instance of 'ntpq', not
   1239 	'ntpd', and this attack requires the attacker to do one of the
   1240 	following:
   1241 	* Own a malicious NTP server that the client trusts
   1242 	* Prevent a legitimate NTP server from sending packets to
   1243 	    the 'ntpq' client
   1244 	* MITM the 'ntpq' communications between the 'ntpq' client
   1245 	    and the NTP server
   1246    Mitigation:
   1247 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1248 	or the NTP Public Services Project Download Page
   1249    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
   1250 
   1251 * 0rigin: Zero Origin Timestamp Bypass
   1252    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1253    References: Sec 2945 / CVE-2015-8138
   1254    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1255 	4.3.0 up to, but not including 4.3.90
   1256    CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
   1257    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   1258 	(3.7 - LOW if you score AC:L)
   1259    Summary: To distinguish legitimate peer responses from forgeries, a
   1260 	client attempts to verify a response packet by ensuring that the
   1261 	origin timestamp in the packet matches the origin timestamp it
   1262 	transmitted in its last request.  A logic error exists that
   1263 	allows packets with an origin timestamp of zero to bypass this
   1264 	check whenever there is not an outstanding request to the server.
   1265    Mitigation:
   1266 	Configure 'ntpd' to get time from multiple sources.
   1267 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1268 	    or the NTP Public Services Project Download Page.
   1269 	Monitor your 'ntpd= instances.
   1270    Credit: This weakness was discovered by Matthey Van Gundy and
   1271 	Jonathan Gardner of Cisco ASIG.
   1272 
   1273 * Stack exhaustion in recursive traversal of restriction list
   1274    Date Resolved: Stable (4.2.8p6) 19 Jan 2016
   1275    References: Sec 2940 / CVE-2015-7978
   1276    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1277 	4.3.0 up to, but not including 4.3.90
   1278    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1279    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   1280    	segmentation fault in ntpd by exhausting the call stack.
   1281    Mitigation:
   1282 	Implement BCP-38.
   1283 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1284 	    or the NTP Public Services Project Download Page.
   1285 	If you are unable to upgrade:
   1286             In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   1287 	    If you must enable mode 7:
   1288 		configure the use of a 'requestkey' to control who can
   1289 		    issue mode 7 requests.
   1290 		configure 'restrict noquery' to further limit mode 7
   1291 		    requests to trusted sources.
   1292 		Monitor your ntpd instances.
   1293    Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
   1294 
   1295 * Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
   1296    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1297    References: Sec 2942 / CVE-2015-7979
   1298    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1299 	4.3.0 up to, but not including 4.3.90
   1300    CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
   1301    Summary: An off-path attacker can send broadcast packets with bad
   1302 	authentication (wrong key, mismatched key, incorrect MAC, etc)
   1303 	to broadcast clients. It is observed that the broadcast client
   1304 	tears down the association with the broadcast server upon
   1305 	receiving just one bad packet.
   1306    Mitigation:
   1307 	Implement BCP-38.
   1308 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
   1309 	or the NTP Public Services Project Download Page.
   1310 	Monitor your 'ntpd' instances.
   1311 	If this sort of attack is an active problem for you, you have
   1312 	    deeper problems to investigate.  In this case also consider
   1313 	    having smaller NTP broadcast domains.
   1314    Credit: This weakness was discovered by Aanchal Malhotra of Boston
   1315    	University.
   1316 
   1317 * reslist NULL pointer dereference
   1318    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1319    References: Sec 2939 / CVE-2015-7977
   1320    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1321 	4.3.0 up to, but not including 4.3.90
   1322    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   1323    Summary: An unauthenticated 'ntpdc reslist' command can cause a
   1324 	segmentation fault in ntpd by causing a NULL pointer dereference.
   1325    Mitigation:
   1326 	Implement BCP-38.
   1327 	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
   1328 	the NTP Public Services Project Download Page.
   1329 	If you are unable to upgrade:
   1330 	    mode 7 is disabled by default.  Don't enable it.
   1331 	    If you must enable mode 7:
   1332 		configure the use of a 'requestkey' to control who can
   1333 		    issue mode 7 requests.
   1334 		configure 'restrict noquery' to further limit mode 7
   1335 		    requests to trusted sources. 
   1336 	Monitor your ntpd instances.
   1337    Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
   1338 
   1339 * 'ntpq saveconfig' command allows dangerous characters in filenames.
   1340    Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   1341    References: Sec 2938 / CVE-2015-7976
   1342    Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
   1343 	4.3.0 up to, but not including 4.3.90
   1344    CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
   1345    Summary: The ntpq saveconfig command does not do adequate filtering
   1346    	of special characters from the supplied filename.
   1347 	Note well: The ability to use the saveconfig command is controlled
   1348 	by the 'restrict nomodify' directive, and the recommended default
   1349 	configuration is to disable this capability.  If the ability to
   1350 	execute a 'saveconfig' is required, it can easily (and should) be
   1351 	limited and restricted to a known small number of IP addresses.
   1352    Mitigation:
   1353 	Implement BCP-38.
   1354 	use 'restrict default nomodify' in your 'ntp.conf' file.
   1355 	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
   1356 	If you are unable to upgrade:
   1357 	    build NTP with 'configure --disable-saveconfig' if you will
   1358 	    	never need this capability, or
   1359 	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
   1360 		careful about what IPs have the ability to send 'modify'
   1361 		requests to 'ntpd'.
   1362 	Monitor your ntpd instances.
   1363 	'saveconfig' requests are logged to syslog - monitor your syslog files.
   1364    Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
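
   As an added illustration of the filtering this entry calls for, the C
   below is example code written for these notes, not ntpd's own
   is_safe_filename(): an allowlist that accepts only a plain basename
   before a saved-config path is built, so the name cannot escape the
   directory or carry shell-significant characters. The directory name
   and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Allowlist check for a filename received over the control channel.
 * Only a plain basename is accepted: letters, digits, '.', '_' and '-',
 * not starting with '.' or '-', and no path separators at all, so the
 * file can only land inside the directory chosen for saved configs.
 */
static int saveconfig_filename_ok(const char *name)
{
    size_t len = strlen(name);
    size_t i;

    if (len == 0 || len > 64)               /* empty, or implausibly long */
        return 0;
    if (name[0] == '.' || name[0] == '-')   /* no dot-files, "..", or option-looking names */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;                       /* rejects '/', '\\', ';', '|', controls, ... */
    }
    return 1;
}

/*
 * Build "<dir>/<name>" only after the name passed the allowlist, and only
 * if the result fits. Returns 1 and fills 'out' on success, 0 otherwise.
 */
static int build_save_path(const char *dir, const char *name, char *out, size_t outlen)
{
    int n;

    if (!saveconfig_filename_ok(name))
        return 0;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    return n > 0 && (size_t)n < outlen;
}

/* Classify a name without the caller managing a buffer; the directory is a constructed example. */
static int classify_name(const char *name)
{
    char path[128];
    return build_save_path("/var/lib/ntp/saved", name, path, sizeof path);
}

int main(void)
{
    /* constructed sample inputs, including the shapes the advisory warns about */
    const char *names[] = { "ntp.conf.2016-01-19", "good_name-1", "../outside",
                            "sub/dir", "a;b", "-rf", ".hidden" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s %s\n", names[i], classify_name(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

   An allowlist is deliberately used instead of stripping known-bad
   characters: the rejected set never needs updating when a new
   separator or metacharacter turns out to matter.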

* nextvar() missing length check in ntpq
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2937 / CVE-2015-7975
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
        4.3.0 up to, but not including 4.3.90
   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
        If you score A:C, this becomes 4.0.
   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
   Summary: ntpq may call nextvar() which executes a memcpy() into the
        name buffer without a proper length check against its maximum
        length of 256 bytes. Note well that we're talking about ntpq here.
        The usual worst-case effect of this vulnerability is that the
        specific instance of ntpq will crash and the person or process
        that did this will have stopped themselves.
   Mitigation:
        Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
            If you have scripts that feed input to ntpq make sure there are
                some sanity checks on the input received from the "outside".
            This is potentially more dangerous if ntpq is run as root.
   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
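
   An added example, not ntpq's code: a bounded version of the
   name=value scanner described above, with the length check applied
   before each memcpy() into a 256-byte buffer, so an oversized field is
   reported instead of overrunning the buffer. The response body and the
   oversized names are constructed inputs; nextvar_bounded(), count_vars()
   and the other function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

#define MAXVARLEN 256   /* size of ntpq's name and value buffers, per the advisory */

/*
 * Pull the next "name=value" pair out of a mode 6 response body.
 * Returns 1 and advances *datap/*datalen on success, 0 when the data is
 * exhausted, -1 when a name or value would not fit its buffer. That -1
 * path is the length check the advisory says was missing before the
 * memcpy() into the 256-byte name buffer.
 */
static int nextvar_bounded(const char **datap, size_t *datalen,
                           char name[MAXVARLEN], char value[MAXVARLEN])
{
    const char *cp = *datap, *end = cp + *datalen, *np, *vp;
    size_t nlen, vlen;

    while (cp < end && (*cp == ',' || *cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n'))
        cp++;                                   /* skip separators between pairs */
    if (cp >= end)
        return 0;

    np = cp;
    while (cp < end && *cp != '=' && *cp != ',')
        cp++;                                   /* name runs up to '=' or ',' */
    nlen = (size_t)(cp - np);
    while (nlen > 0 && np[nlen - 1] == ' ')
        nlen--;                                 /* trim trailing blanks */
    if (nlen == 0 || nlen >= MAXVARLEN)         /* must leave room for the NUL */
        return -1;
    memcpy(name, np, nlen);
    name[nlen] = '\0';

    value[0] = '\0';
    if (cp < end && *cp == '=') {
        cp++;
        if (cp < end && *cp == '"') {           /* quoted values may contain commas */
            vp = ++cp;
            while (cp < end && *cp != '"')
                cp++;
            vlen = (size_t)(cp - vp);
            if (cp < end)
                cp++;                           /* consume the closing quote */
        } else {
            vp = cp;
            while (cp < end && *cp != ',')
                cp++;
            vlen = (size_t)(cp - vp);
        }
        if (vlen >= MAXVARLEN)
            return -1;
        memcpy(value, vp, vlen);
        value[vlen] = '\0';
    }
    *datalen = (size_t)(end - cp);
    *datap = cp;
    return 1;
}

/* Number of pairs in a response body, or -1 if any field is oversized. */
static int count_vars(const char *data)
{
    const char *p = data;
    size_t left = strlen(data);
    char name[MAXVARLEN], value[MAXVARLEN];
    int n = 0, rc;

    while ((rc = nextvar_bounded(&p, &left, name, value)) == 1)
        n++;
    return rc < 0 ? -1 : n;
}

/* 1 if variable 'want' is present with exactly the value 'expect'. */
static int var_equals(const char *data, const char *want, const char *expect)
{
    const char *p = data;
    size_t left = strlen(data);
    char name[MAXVARLEN], value[MAXVARLEN];

    while (nextvar_bounded(&p, &left, name, value) == 1)
        if (strcmp(name, want) == 0)
            return strcmp(value, expect) == 0;
    return 0;
}

/* Feed a name of n letters to the parser, modelling an oversized field. */
static int parse_name_of_length(size_t n)
{
    static char buf[1024];
    const char *p = buf;
    size_t left;
    char name[MAXVARLEN], value[MAXVARLEN];

    if (n > sizeof buf - 3)
        return -1;
    memset(buf, 'A', n);
    memcpy(buf + n, "=1", 3);
    left = strlen(buf);
    return nextvar_bounded(&p, &left, name, value);
}
```

   With a constructed body such as
   srcadr=192.0.2.1, stratum=2, refid="GPS", rootdelay=0.0 the scanner
   yields four pairs; a 255-character name is the longest that still fits
   with its terminator, and a 256-character name is refused.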

* Skeleton Key: Any trusted key system can serve time
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2936 / CVE-2015-7974
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
        4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
   Summary: Symmetric key encryption uses a shared trusted key. The
        reported title for this issue was "Missing key check allows
        impersonation between authenticated peers" and the report claimed
        "A key specified only for one server should only work to
        authenticate that server, other trusted keys should be refused."
        Except there has never been any correlation between this trusted
        key and server vs. client machines and there has never been any
        way to specify a key only for one server. We have treated this as
        an enhancement request, and ntp-4.2.8p6 includes other checks and
        tests to strengthen clients against attacks coming from broadcast
        servers.
   Mitigation:
        Implement BCP-38.
        If this scenario represents a real or a potential issue for you,
            upgrade to 4.2.8p6, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page, and
            use the new field in the ntp.keys file that specifies the list
            of IPs that are allowed to serve time. Note that this alone
            will not protect against time packets with forged source IP
            addresses, however other changes in ntp-4.2.8p6 provide
            significant mitigation against broadcast attacks. MITM attacks
            are a different story.
        If you are unable to upgrade:
            Don't use broadcast mode if you cannot monitor your client
                servers.
            If you choose to use symmetric keys to authenticate time
                packets in a hostile environment where ephemeral time
                servers can be created, or if it is expected that malicious
                time servers will participate in an NTP broadcast domain,
                limit the number of systems that participate in the
                shared-key group.
        Monitor your ntpd instances.
   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
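
   The mitigations that rely on the optional 4th field of ntp.keys (this
   entry and the Sybil entry under 4.2.8p7 above) come down to one check:
   is the source of an authenticated packet on the IP list attached to the
   key it used? The C below is an added example written for these notes,
   not ntpd's authreadkeys.c or authistrustedip(); it assumes the 4th
   field is a comma-separated list of IPv4 addresses or prefixes in
   a.b.c.d/bits form, and the key file contents and secrets are
   constructed placeholders.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IPS 8

/* One ntp.keys line: "keyid type secret [ip[/bits],ip[/bits],...]" (assumed format). */
struct keyent {
    unsigned long keyid;
    char type[16];
    char secret[64];
    int nips;               /* 0: no 4th field, i.e. legacy unrestricted behaviour */
    uint32_t net[MAX_IPS];  /* host byte order, already masked */
    uint32_t mask[MAX_IPS];
};

/* Parse "a.b.c.d" or "a.b.c.d/bits" into net/mask; returns 1 on success. */
static int parse_ip_entry(const char *s, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long bits = 32;

    if (strlen(s) >= sizeof buf)
        return 0;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (*end != '\0' || bits < 0 || bits > 32)
            return 0;
    }
    if (inet_pton(AF_INET, buf, &a) != 1)
        return 0;
    *mask = (bits == 0) ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - bits));
    *net = ntohl(a.s_addr) & *mask;
    return 1;
}

/* Parse one line. Returns 1 for a usable key; 0 for comments, blank lines and
 * malformed entries. A bad IP list rejects the whole key rather than silently
 * dropping the restriction. */
static int parse_keys_line(const char *line, struct keyent *k)
{
    char buf[256], *save, *tok, *end;

    memset(k, 0, sizeof *k);
    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);
    tok = strtok_r(buf, " \t\r\n", &save);
    if (tok == NULL || *tok == '#')
        return 0;
    k->keyid = strtoul(tok, &end, 10);
    if (*end != '\0' || k->keyid == 0 || k->keyid > 65535)
        return 0;
    if ((tok = strtok_r(NULL, " \t\r\n", &save)) == NULL || strlen(tok) >= sizeof k->type)
        return 0;
    strcpy(k->type, tok);
    if ((tok = strtok_r(NULL, " \t\r\n", &save)) == NULL || strlen(tok) >= sizeof k->secret)
        return 0;
    strcpy(k->secret, tok);
    if ((tok = strtok_r(NULL, " \t\r\n", &save)) != NULL) {    /* optional 4th field */
        char *ip, *isave;
        for (ip = strtok_r(tok, ",", &isave); ip != NULL; ip = strtok_r(NULL, ",", &isave)) {
            if (k->nips >= MAX_IPS || !parse_ip_entry(ip, &k->net[k->nips], &k->mask[k->nips]))
                return 0;
            k->nips++;
        }
        if (k->nips == 0)
            return 0;
    }
    return 1;
}

/* May a packet from 'src' that authenticates with key 'k' be used as a time source? */
static int key_allows_source(const struct keyent *k, const char *src)
{
    struct in_addr a;
    uint32_t ip;
    int i;

    if (k->nips == 0)               /* legacy line: any holder of the key may serve time */
        return 1;
    if (inet_pton(AF_INET, src, &a) != 1)
        return 0;
    ip = ntohl(a.s_addr);
    for (i = 0; i < k->nips; i++)
        if ((ip & k->mask[i]) == k->net[i])
            return 1;
    return 0;
}

/* Constructed sample key file; the secrets are placeholders, not real keys. */
static const char *sample_keys[] = {
    "# keyid type secret [ip list]",
    "1 MD5 legacysecret",                         /* no list: pre-4.2.8p6 semantics */
    "2 SHA1 placeholder2 192.0.2.10,192.0.2.11",  /* only these two servers may use key 2 */
    "3 MD5 placeholder3 198.51.100.0/24",         /* one whole subnet */
};

/* Look up keyid in the sample file and decide for the given source address. */
static int sample_allows(unsigned long keyid, const char *src)
{
    struct keyent k;
    size_t i;

    for (i = 0; i < sizeof sample_keys / sizeof sample_keys[0]; i++)
        if (parse_keys_line(sample_keys[i], &k) && k.keyid == keyid)
            return key_allows_source(&k, src);
    return 0;                       /* unknown key id: never trusted */
}

int main(void)
{
    printf("key 2 from 192.0.2.10: %d, from 203.0.113.5: %d\n",
           sample_allows(2, "192.0.2.10"), sample_allows(2, "203.0.113.5"));
    return 0;
}
```

   Key 1 keeps the old semantics (anyone holding it may serve time), key 2
   is usable only from the two listed servers, and key 3 from one /24. As
   the entry says, this limits which addresses a key is honoured from; it
   does nothing against a forged source address, which is why BCP-38 is
   listed alongside it.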

* Deja Vu: Replay attack on authenticated broadcast mode
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2935 / CVE-2015-7973
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
        4.3.0 up to, but not including 4.3.90
   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
   Summary: If an NTP network is configured for broadcast operations then
        either a man-in-the-middle attacker or a malicious participant
        that has the same trusted keys as the victim can replay time packets.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
            Don't use broadcast mode if you cannot monitor your client servers.
        Monitor your ntpd instances.
   Credit: This weakness was discovered by Aanchal Malhotra of Boston
        University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
             IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose.  Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step.  Close the panic gate earlier.
    References: Sec 2956, CVE-2015-5300
    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
        4.3.0 up to, but not including 4.3.78
    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
    Summary: If ntpd is always started with the -g option, which is
        common and against long-standing recommendation, and if at the
        moment ntpd is restarted an attacker can immediately respond to
        enough requests from enough sources trusted by the target, which
        is difficult and not common, there is a window of opportunity
        where the attacker can cause ntpd to set the time to an
        arbitrary value. Similarly, if an attacker is able to respond
        to enough requests from enough sources trusted by the target,
        the attacker can cause ntpd to abort and restart, at which
        point it can tell the target to set the time to an arbitrary
        value if and only if ntpd was re-started against long-standing
        recommendation with the -g flag. If ntpd was not given the
        -g flag, the attacker can move the target system's time by at
        most 900 seconds per attack.
    Mitigation:
        Configure ntpd to get time from multiple sources.
        Upgrade to 4.2.8p5, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page
        As we've long documented, only use the -g option to ntpd in
            cold-start situations.
        Monitor your ntpd instances.
    Credit: This weakness was discovered by Aanchal Malhotra,
        Isaac E. Cohen, and Sharon Goldberg at Boston University.

    NOTE WELL: The -g flag disables the limit check on the panic_gate
        in ntpd, which is 900 seconds by default. The bug identified by
        the researchers at Boston University is that the panic_gate
        check was only re-enabled after the first change to the system
        clock that was greater than 128 milliseconds, by default. The
        correct behavior is that the panic_gate check should be
        re-enabled after any initial time correction.

        If an attacker is able to inject consistent but erroneous time
        responses to your systems via the network or "over the air",
        perhaps by spoofing radio, cellphone, or navigation satellite
        transmissions, they are in a great position to affect your
        system's clock. There comes a point where your very best
        defenses include:

            Configure ntpd to get time from multiple sources.
            Monitor your ntpd instances.
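
    An added example (not ntpd code) modelling the NOTE WELL above: a
    small clock-state simulation in C in which apply_offset() closes the
    -g exemption either only after a step larger than 128 ms (the
    pre-4.2.8p5 logic) or after any first correction (the corrected
    logic), and replays the small-step/big-step sequence against both.
    The thresholds are the defaults quoted in the entry; the scenario
    functions, the struct and the offsets are constructed for this
    illustration.

```c
#include <stdio.h>

#define PANIC_GATE     900.0   /* seconds: ntpd's default panic threshold */
#define STEP_THRESHOLD 0.128   /* seconds: larger offsets are stepped, smaller slewed */

enum { ADJ_SLEW, ADJ_STEP, ADJ_PANIC };

struct clockstate {
    int allow_panic;   /* 1 while the -g exemption from the panic gate is in force */
    int corrections;   /* number of adjustments applied so far */
    double applied;    /* simulated net offset applied to the system clock, seconds */
};

static double absd(double x) { return x < 0 ? -x : x; }

/*
 * Apply one measured offset. With fixed == 0 the gate is closed again only
 * after a step (> 128 ms), as before 4.2.8p5; with fixed == 1 it is closed
 * after any initial correction, as the advisory says it should be.
 */
static int apply_offset(struct clockstate *s, double offset, int fixed)
{
    int result;

    if (absd(offset) > PANIC_GATE && !s->allow_panic)
        return ADJ_PANIC;                     /* ntpd exits rather than apply it */

    s->applied += offset;
    s->corrections++;
    result = absd(offset) > STEP_THRESHOLD ? ADJ_STEP : ADJ_SLEW;

    if (fixed)
        s->allow_panic = 0;                   /* first correction of any size closes the gate */
    else if (result == ADJ_STEP)
        s->allow_panic = 0;                   /* bug: a small first correction leaves it open */
    return result;
}

/*
 * The window the advisory describes: ntpd started with -g, honest sources
 * supply a 10 ms correction first, then a set of responses claims the clock
 * is an hour off. Returns the fate of that second adjustment.
 */
static int scenario_with_g(int fixed)
{
    struct clockstate s = { 1, 0, 0.0 };

    apply_offset(&s, 0.010, fixed);
    return apply_offset(&s, 3600.0, fixed);
}

/* Same sequence without -g: the gate is in force from the start. */
static int scenario_without_g(double second_offset)
{
    struct clockstate s = { 0, 0, 0.0 };

    apply_offset(&s, 0.010, 1);
    return apply_offset(&s, second_offset, 1);
}

int main(void)
{
    printf("with -g, old logic:   %s\n", scenario_with_g(0) == ADJ_STEP ? "hour step accepted" : "panic");
    printf("with -g, fixed logic: %s\n", scenario_with_g(1) == ADJ_PANIC ? "panic" : "step accepted");
    printf("without -g, 899 s:    %s\n", scenario_without_g(899.0) == ADJ_STEP ? "stepped" : "panic");
    return 0;
}
```

    Without -g the 900-second gate bounds a single attack, which is the
    "at most 900 seconds" figure in the entry; with -g and the old logic
    a tiny first correction leaves the gate open for an arbitrary step.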

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006.  As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs.  These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas.  perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
             lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
* Unity test cleanup.  Harlan Stenn.
* Libevent autoconf pthread fix for FreeBSD-10.  Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
* Quiet a warning from clang.  Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
    Summary: The fix for CVE-2014-9750 was incomplete in that there were
        certain code paths where a packet with particular autokey operations
        that contained malicious data was not always being completely
        validated. Receipt of these packets can cause ntpd to crash.
    Mitigation:
        Don't use autokey.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page
        Monitor your ntpd instances.
    Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
    Summary: An ntpd client that honors Kiss-of-Death responses will honor
        KoD messages that have been forged by an attacker, causing it to
        delay or stop querying its servers for time updates. Also, an
        attacker can forge packets that claim to be from the target and
        send them to servers often enough that a server that implements
        KoD rate limiting will send the target machine a KoD response to
        attempt to reduce the rate of incoming packets, or it may also
        trigger a firewall block at the server for packets from the target
        machine. For either of these attacks to succeed, the attacker must
        know what servers the target is communicating with. An attacker
        can be anywhere on the Internet and can frequently learn the
        identity of the target's time source by sending the target a
        time query.
    Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        If you can't upgrade, restrict who can query ntpd to learn who
            its servers are, and what IPs are allowed to ask your system
            for the time. This mitigation is heavy-handed.
        Monitor your ntpd instances.
    Note:
        4.2.8p4 protects against the first attack. For the second attack,
        all we can do is warn when it is happening, which we do in 4.2.8p4.
    Credit: This weakness was discovered by Aanchal Malhotra,
        Isaac E. Cohen, and Sharon Goldberg of Boston University.
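
    Both this entry and the 0rigin entry under 4.2.8p6 above turn on the
    same origin-timestamp test. The C below is an added example rather
    than ntpd's code: it contrasts the pre-fix logic as the two advisories
    describe it (a KoD honoured without any origin test; a zero origin
    matching an idle client's zero aorg) with a hardened check. The
    timestamps and the struct and function names are constructed, and the
    step that consumes the outstanding request after a match is this
    example's own choice, not quoted from ntpd.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t l_fp;         /* NTP 64-bit timestamp; only equality matters here */

struct peer {
    l_fp aorg;                 /* xmt of our last request; 0 when nothing is outstanding */
};

struct pkt {
    int is_kod;                /* stratum-0 kiss-of-death packet (e.g. RATE) */
    l_fp org;                  /* origin timestamp the server echoes back */
};

enum { PKT_ACCEPT, PKT_BOGUS };

/*
 * Pre-fix behaviour as the two advisories describe it: KoD packets are
 * honoured without any origin test (the 4.2.8p4 issue), and with no
 * request outstanding aorg == 0, so a forged packet carrying org == 0
 * compares equal and passes (the 4.2.8p6 issue).
 */
static int check_origin_old(struct peer *p, const struct pkt *r)
{
    if (r->is_kod)
        return PKT_ACCEPT;
    return r->org == p->aorg ? PKT_ACCEPT : PKT_BOGUS;
}

/*
 * Hardened check: a reply is accepted only while a request is outstanding,
 * a zero origin never matches, KoD packets get the same test, and a match
 * consumes the outstanding request so a replayed copy cannot match again
 * (the consume step is this example's choice).
 */
static int check_origin_new(struct peer *p, const struct pkt *r)
{
    if (p->aorg == 0 || r->org == 0 || r->org != p->aorg)
        return PKT_BOGUS;
    p->aorg = 0;
    return PKT_ACCEPT;
}

static int check(struct peer *p, const struct pkt *r, int fixed)
{
    return fixed ? check_origin_new(p, r) : check_origin_old(p, r);
}

/* Idle client (no outstanding request) receives a forged packet with org == 0. */
static int scenario_zero_origin(int fixed)
{
    struct peer p = { 0 };
    struct pkt r = { 0, 0 };
    return check(&p, &r, fixed);
}

/* Client awaiting a reply receives a forged KoD whose origin does not match. */
static int scenario_forged_kod(int fixed)
{
    struct peer p = { 0xD9A1B2C300000001ULL };   /* constructed request timestamp */
    struct pkt r = { 1, 0xD9A1B2C3DEADBEEFULL };
    return check(&p, &r, fixed);
}

/* Genuine reply echoing exactly the timestamp of our request. */
static int scenario_genuine(int fixed)
{
    struct peer p = { 0xD9A1B2C300000001ULL };
    struct pkt r = { 0, 0xD9A1B2C300000001ULL };
    return check(&p, &r, fixed);
}

/* The same genuine reply delivered twice; the second copy must not pass. */
static int scenario_replay(int fixed)
{
    struct peer p = { 0xD9A1B2C300000001ULL };
    struct pkt r = { 0, 0xD9A1B2C300000001ULL };
    check(&p, &r, fixed);
    return check(&p, &r, fixed);
}

int main(void)
{
    printf("zero origin, old/new: %d/%d\n", scenario_zero_origin(0), scenario_zero_origin(1));
    printf("forged KoD, old/new:  %d/%d\n", scenario_forged_kod(0), scenario_forged_kod(1));
    printf("genuine, old/new:     %d/%d\n", scenario_genuine(0), scenario_genuine(1));
    printf("replay, old/new:      %d/%d\n", scenario_replay(0), scenario_replay(1));
    return 0;
}
```

    The second attack in this entry (provoking a server into rate-limiting
    the target) is not addressed by any client-side test, which is why the
    Note above says 4.2.8p4 can only warn about it.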
   1629 
   1630 * configuration directives to change "pidfile" and "driftfile" should
   1631   only be allowed locally. 
   1632 
   1633   References: Sec 2902 / CVE-2015-5196
   1634   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   1635 	and 4.3.0 up to, but not including 4.3.77
   1636    CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
   1637    Summary: If ntpd is configured to allow for remote configuration,
   1638 	and if the (possibly spoofed) source IP address is allowed to
   1639 	send remote configuration requests, and if the attacker knows
   1640 	the remote configuration password, it's possible for an attacker
   1641 	to use the "pidfile" or "driftfile" directives to potentially
   1642 	overwrite other files.
   1643    Mitigation:
   1644 	Implement BCP-38.
   1645 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1646 	    Page or the NTP Public Services Project Download Page
   1647 	If you cannot upgrade, don't enable remote configuration.
   1648 	If you must enable remote configuration and cannot upgrade,
   1649 	    remote configuration of NTF's ntpd requires:
   1650 	    - an explicitly configured trustedkey, and you should also
   1651 	    	configure a controlkey.
   1652 	    - access from a permitted IP. You choose the IPs.
   1653 	    - authentication. Don't disable it. Practice secure key safety. 
   1654 	Monitor your ntpd instances. 
   1655    Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
   1656 
   1657 * Slow memory leak in CRYPTO_ASSOC 
   1658 
   1659   References: Sec 2909 / CVE-2015-7701
   1660   Affects: All ntp-4 releases that use autokey up to, but not
   1661     including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   1662   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
   1663   	4.6 otherwise
   1664   Summary: If ntpd is configured to use autokey, then an attacker can
   1665 	send packets to ntpd that will, after several days of ongoing
   1666 	attack, cause it to run out of memory.
   1667   Mitigation:
   1668 	Don't use autokey.
   1669 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1670 	    Page or the NTP Public Services Project Download Page
   1671 	Monitor your ntpd instances. 
   1672   Credit: This weakness was discovered by Tenable Network Security. 
   1673 
   1674 * mode 7 loop counter underrun
   1675 
   1676   References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
   1677   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   1678   	and 4.3.0 up to, but not including 4.3.77
   1679   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
   1680   Summary: If ntpd is configured to enable mode 7 packets, and if the
   1681 	use of mode 7 packets is not properly protected through the use of
   1682 	the available mode 7 authentication and restriction mechanisms,
   1683 	and if the (possibly spoofed) source IP address is allowed to
   1684 	send mode 7 queries, then an attacker can send a crafted packet
   1685 	to ntpd that will cause it to crash.
   1686   Mitigation:
   1687 	Implement BCP-38.
   1688 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1689 	    Page or the NTP Public Services Project Download Page.
   1690 	If you are unable to upgrade:
   1691 	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
   1692 	If you must enable mode 7:
   1693 	    configure the use of a requestkey to control who can issue
   1694 		mode 7 requests.
   1695 	    configure restrict noquery to further limit mode 7 requests
   1696 		to trusted sources. 
   1697 	Monitor your ntpd instances. 
   1698   Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
   1699 
   1700 * memory corruption in password store
   1701 
   1702   References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
   1703   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   1704   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
   1705   Summary: If ntpd is configured to allow remote configuration, and if
   1706 	the (possibly spoofed) source IP address is allowed to send
   1707 	remote configuration requests, and if the attacker knows the
   1708 	remote configuration password or if ntpd was configured to
   1709 	disable authentication, then an attacker can send a set of
   1710 	packets to ntpd that may cause a crash or theoretically
   1711 	perform a code injection attack.
   1712   Mitigation:
   1713 	Implement BCP-38.
   1714 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1715 	    Page or the NTP Public Services Project Download Page.
   1716 	If you are unable to upgrade, remote configuration of NTF's
   1717 	    ntpd requires:
   1718 		an explicitly configured "trusted" key. Only configure
   1719 			this if you need it.
   1720 		access from a permitted IP address. You choose the IPs.
   1721 		authentication. Don't disable it. Practice secure key safety. 
   1722 	Monitor your ntpd instances. 
   1723   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   1724 
   1725 * Infinite loop if extended logging enabled and the logfile and
   1726   keyfile are the same.
   1727 
   1728     References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
   1729     Affects: All ntp-4 releases up to, but not including 4.2.8p4,
   1730 	and 4.3.0 up to, but not including 4.3.77
   1731     CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   1732     Summary: If ntpd is configured to allow remote configuration, and if
   1733 	the (possibly spoofed) source IP address is allowed to send
   1734 	remote configuration requests, and if the attacker knows the
   1735 	remote configuration password or if ntpd was configured to
   1736 	disable authentication, then an attacker can send a set of
   1737 	packets to ntpd that will cause it to crash and/or create a
   1738 	potentially huge log file. Specifically, the attacker could
   1739 	enable extended logging, point the key file at the log file,
   1740 	and cause what amounts to an infinite loop.
   1741     Mitigation:
   1742 	Implement BCP-38.
   1743 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1744 	    Page or the NTP Public Services Project Download Page.
   1745 	If you are unable to upgrade, remote configuration of NTF's ntpd
   1746 	  requires:
   1747             an explicitly configured "trusted" key. Only configure this
   1748 	    	if you need it.
   1749             access from a permitted IP address. You choose the IPs.
   1750             authentication. Don't disable it. Practice secure key safety. 
   1751         Monitor your ntpd instances. 
   1752     Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   1753 
   1754 * Potential path traversal vulnerability in the config file saving of
   1755   ntpd on VMS.
   1756 
   1757   References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
   1758   Affects: All ntp-4 releases running under VMS up to, but not
   1759 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   1760   CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
   1761   Summary: If ntpd is configured to allow remote configuration, and if
   1762 	the (possibly spoofed) IP address is allowed to send remote
   1763 	configuration requests, and if the attacker knows the remote
   1764 	configuration password or if ntpd was configured to disable
   1765 	authentication, then an attacker can send a set of packets to
   1766 	ntpd that may cause ntpd to overwrite files.
   1767   Mitigation:
   1768 	Implement BCP-38.
   1769 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1770 	    Page or the NTP Public Services Project Download Page.
   1771 	If you are unable to upgrade, remote configuration of NTF's ntpd
   1772 	    requires:
   1773 		an explicitly configured "trusted" key. Only configure
   1774 			this if you need it.
   1775 		access from permitted IP addresses. You choose the IPs.
   1776 		authentication. Don't disable it. Practice secure key safety.
   1777         Monitor your ntpd instances. 
   1778     Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   1779 
   1780 * ntpq atoascii() potential memory corruption
   1781 
   1782   References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
   1783   Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
   1784 	and 4.3.0 up to, but not including 4.3.77
   1785   CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
   1786   Summary: If an attacker can figure out the precise moment that ntpq
   1787 	is listening for data and the port number it is listening on or
   1788 	if the attacker can provide a malicious instance of ntpd that
   1789 	victims will connect to, then an attacker can send a set of
   1790 	crafted mode 6 response packets that, if received by ntpq,
   1791 	can cause ntpq to crash.
   1792   Mitigation:
   1793 	Implement BCP-38.
   1794 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1795 	    Page or the NTP Public Services Project Download Page.
   1796 	If you are unable to upgrade and you run ntpq against a server
   1797 	    and ntpq crashes, try again using raw mode. Build or get a
   1798 	    patched ntpq and see if that fixes the problem. Report new
   1799 	    bugs in ntpq or abusive servers appropriately.
   1800 	If you use ntpq in scripts, make sure ntpq does what you expect
   1801 	    in your scripts. 
   1802   Credit: This weakness was discovered by Yves Younan and
   1803   	Aleksandar Nikolic of Cisco Talos.
   1804 
   1805 * Invalid length data provided by a custom refclock driver could cause
   1806   a buffer overflow. 
   1807 
   1808   References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
   1809   Affects: Potentially all ntp-4 releases running up to, but not
   1810 	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
   1811 	that have custom refclocks
   1812   CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
   1813 	5.9 unusual worst case
   1814   Summary: A negative value for the datalen parameter will overflow a
   1815 	data buffer. NTF's ntpd driver implementations always set this
   1816 	value to 0 and are therefore not vulnerable to this weakness.
   1817 	If you are running a custom refclock driver in ntpd and that
   1818 	driver supplies a negative value for datalen (no custom driver
   1819 	of even minimal competence would do this) then ntpd would
   1820 	overflow a data buffer. It is even hypothetically possible
   1821 	in this case that instead of simply crashing ntpd the attacker
   1822 	could effect a code injection attack.
   1823   Mitigation:
   1824 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1825 	    Page or the NTP Public Services Project Download Page.
   1826 	If you are unable to upgrade:
   1827 		If you are running custom refclock drivers, make sure
   1828 			the signed datalen value is either zero or positive. 
   1829 	Monitor your ntpd instances. 
   1830   Credit: This weakness was discovered by Yves Younan of Cisco Talos. 
   1831 
   1832 * Password Length Memory Corruption Vulnerability
   1833 
   1834   References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
   1835   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   1836   	4.3.0 up to, but not including 4.3.77
   1837   CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
   1838   	1.7 usual case, 6.8, worst case
   1839   Summary: If ntpd is configured to allow remote configuration, and if
   1840 	the (possibly spoofed) source IP address is allowed to send
   1841 	remote configuration requests, and if the attacker knows the
   1842 	remote configuration password or if ntpd was (foolishly)
   1843 	configured to disable authentication, then an attacker can
   1844 	send a set of packets to ntpd that may cause it to crash,
   1845 	with the hypothetical possibility of a small code injection.
   1846   Mitigation:
   1847 	Implement BCP-38.
   1848 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1849 	    Page or the NTP Public Services Project Download Page.
   1850 	If you are unable to upgrade, remote configuration of NTF's
   1851 	    ntpd requires:
   1852 		an explicitly configured "trusted" key. Only configure
   1853 			this if you need it.
   1854 		access from a permitted IP address. You choose the IPs.
   1855 		authentication. Don't disable it. Practice secure key safety. 
   1856 	Monitor your ntpd instances. 
   1857   Credit: This weakness was discovered by Yves Younan and
   1858   	Aleksandar Nikolic of Cisco Talos.
   1859 
   1860 * decodenetnum() will ASSERT botch instead of returning FAIL on some
   1861   bogus values.
   1862 
   1863   References: Sec 2922 / CVE-2015-7855
   1864   Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
   1865 	4.3.0 up to, but not including 4.3.77
   1866   CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
   1867   Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
   1868 	an unusually long data value where a network address is expected,
   1869 	the decodenetnum() function will abort with an assertion failure
   1870 	instead of simply returning a failure condition.
   1871   Mitigation:
   1872 	Implement BCP-38.
   1873 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1874 	    Page or the NTP Public Services Project Download Page.
   1875 	If you are unable to upgrade:
   1876 		mode 7 is disabled by default. Don't enable it.
   1877 		Use restrict noquery to limit who can send mode 6
   1878 			and mode 7 requests.
   1879 		Configure and use the controlkey and requestkey
   1880 			authentication directives to limit who can
   1881 			send mode 6 and mode 7 requests. 
   1882 	Monitor your ntpd instances. 
   1883   Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 
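
The remote-configuration and mode 7 mitigations repeated in the entries above (restrict noquery, an explicit trustedkey plus controlkey, a requestkey and leaving mode 7 disabled) gathered into one ntp.conf fragment, as an added example rather than the NTP project's own sample configuration; the key file path and key id 1 are placeholders.

```conf
# Added example ntp.conf fragment (not from the NTP project); the keys
# path and the key id are placeholders.

# Refuse mode 6/7 queries and runtime modification from everyone by default.
# Leaving "noquery" off this line is the weak setting the entries above warn
# about: any (possibly spoofed) source could then send mode 6/7 requests.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

# Only the local host may query status (ntpq); modification requests from it
# still have to be authenticated with the control key below.
restrict 127.0.0.1
restrict ::1

# Remote configuration is opt-in and needs an explicitly trusted key plus a
# control key.  Omit these three lines if you do not need remote configuration.
keys /etc/ntp.keys          # placeholder path; one key per line, e.g. "1 MD5 <secret>"
trustedkey 1                # placeholder key id
controlkey 1                # authenticates mode 6 configuration requests

# Mode 7 (ntpdc) stays disabled unless enabled explicitly; if you must use it,
# also require a request key so only key holders can issue mode 7 requests:
# enable mode7
# requestkey 1
```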
   1884 
   1885 * NAK to the Future: Symmetric association authentication bypass via
   1886   crypto-NAK.
   1887 
   1888   References: Sec 2941 / CVE-2015-7871
   1889   Affects: All ntp-4 releases between 4.2.5p186 up to but not including
   1890   	4.2.8p4, and 4.3.0 up to but not including 4.3.77
   1891   CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
   1892   Summary: Crypto-NAK packets can be used to cause ntpd to accept time
   1893 	from unauthenticated ephemeral symmetric peers by bypassing the
   1894 	authentication required to mobilize peer associations. This
   1895 	vulnerability appears to have been introduced in ntp-4.2.5p186
   1896 	when the code handling mobilization of new passive symmetric
   1897 	associations (lines 1103-1165) was refactored.
   1898   Mitigation:
   1899 	Implement BCP-38.
   1900 	Upgrade to 4.2.8p4, or later, from the NTP Project Download
   1901 	    Page or the NTP Public Services Project Download Page.
   1902 	If you are unable to upgrade:
   1903 		Apply the patch to the bottom of the "authentic" check
   1904 			block around line 1136 of ntp_proto.c. 
   1905 	Monitor your ntpd instances. 
   1906   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 
   1907 
   1908 Backward-Incompatible changes:
   1909 * [Bug 2817] Default on Linux is now "rlimit memlock -1".
   1910   While the general default of 32M is still the case, under Linux
   1911   the default value has been changed to -1 (do not lock ntpd into
   1912   memory).  A value of 0 means "lock ntpd into memory with whatever
   1913   memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
   1914   value in it, that value will continue to be used.
   1915 
   1916 * [Bug 2886] Misspelling: "outlyer" should be "outlier".
   1917   If you've written a script that looks for this case in, say, the
   1918   output of ntpq, you probably want to change your regex matches
   1919   from 'outlyer' to 'outl[iy]er'.
   1920 
   1921 New features in this release:
   1922 * 'rlimit memlock' now has finer-grained control.  A value of -1 means
   1923   "don't lock ntpd into memory".  This is the default for Linux boxes.
   1924   A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
   1925   the value is the number of megabytes of memory to lock.  The default
   1926   is 32 megabytes.
   1927 
   1928 * The old Google Test framework has been replaced with a new framework,
   1929   based on http://www.throwtheswitch.org/unity/ .
   1930 
   1931 Bug Fixes and Improvements:
   1932 * [Bug 2332] (reopened) Exercising thread cancellation once before dropping
   1933   privileges and limiting resources in NTPD removes the need to link
   1934   forcefully against 'libgcc_s', which does not always work. J.Perlinger
   1935 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
   1936 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
   1937 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
   1938 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger (a] ntp.org
   1939 * [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
   1940 * [Bug 2849] Systems with more than one default route may never
   1941   synchronize.  Brian Utterback.  Note that this patch might need to
   1942   be reverted once Bug 2043 has been fixed.
   1943 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
   1944 * [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
   1945 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
   1946 * [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
   1947 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
   1948 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
   1949   be configured for the distribution targets.  Harlan Stenn.
   1950 * [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
   1951 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave (a] horsfall.org
   1952 * [Bug 2888] streamline calendar functions.  perlinger (a] ntp.org
   1953 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger (a] ntp.org
   1954 * [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
   1955 * [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
   1956 * [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
   1957 * [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
   1958 * libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
   1959 * Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
   1960 * tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
   1961 * Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
   1962 * On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
   1963 * top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
   1964 * sntp/tests/ function parameter list cleanup.  Damir Tomic.
   1965 * tests/libntp/ function parameter list cleanup.  Damir Tomic.
   1966 * tests/ntpd/ function parameter list cleanup.  Damir Tomic.
   1967 * sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
   1968 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
   1969 * tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomic.
   1970 * tests/libntp/ improvements in code and fixed error printing.  Damir Tomic.
   1971 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   1972   caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
   1973   formatting; first declaration, then code (C90); deleted unnecessary comments;
   1974   changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
   1975 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
   1976   fix formatting, cleanup. Tomasz Flendrich
   1977 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
   1978   Tomasz Flendrich
   1979 * tests/libntp/statestr.c remove empty functions, remove unnecessary include,
   1980   fix formatting. Tomasz Flendrich
   1981 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
   1982 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
   1983 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
   1984   Tomasz Flendrich
   1985 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
   1986 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
   1987 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
   1988 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
   1989 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
   1990 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
   1991 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
   1992   fixed formatting. Tomasz Flendrich
   1993 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
   1994   removed unnecessary comments, cleanup. Tomasz Flendrich
   1995 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
   1996   comments, cleanup. Tomasz Flendrich
   1997 * tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
   1998   Tomasz Flendrich
   1999 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich
   2000 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
   2001 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
   2002   Tomasz Flendrich
   2003 * sntp/tests/kodDatabase.c added consts, deleted empty function,
   2004   fixed formatting. Tomasz Flendrich
   2005 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
   2006 * sntp/tests/packetHandling.c is now using proper Unity's assertions,
   2007   fixed formatting, deleted unused variable. Tomasz Flendrich
   2008 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
   2009   Tomasz Flendrich
   2010 * sntp/tests/packetProcessing.c changed from sprintf to snprintf,
   2011   fixed formatting. Tomasz Flendrich
   2012 * sntp/tests/utilities.c is now using proper Unity's assertions, changed
   2013   the order of includes, fixed formatting, removed unnecessary comments.
   2014   Tomasz Flendrich
   2015 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
   2016 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
   2017   made one function do its job, deleted unnecessary prints, fixed formatting.
   2018   Tomasz Flendrich
   2019 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
   2020 * sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
   2021 * sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
   2022 * sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
   2023 * sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
   2024 * Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
   2025 * Don't build sntp/libevent/sample/.  Harlan Stenn.
   2026 * tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
   2027 * br-flock: --enable-local-libevent.  Harlan Stenn.
   2028 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
   2029 * scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
   2030 * Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
   2031 * Code cleanup.  Harlan Stenn.
   2032 * libntp/icom.c: Typo fix.  Harlan Stenn.
   2033 * util/ntptime.c: initialization nit.  Harlan Stenn.
   2034 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
   2035 * Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
   2036 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
   2037   Tomasz Flendrich
   2038 * Changed progname to be const in many files - now it's consistent. Tomasz
   2039   Flendrich
   2040 * Typo fix for GCC warning suppression.  Harlan Stenn.
   2041 * Added tests/ntpd/ntp_scanner.c test. Damir Tomic.
   2042 * Added declarations to all Unity tests, and did minor fixes to them.
   2043   Reduced the number of warnings by half. Damir Tomic.
   2044 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory
   2045   with the latest Unity updates from Mark. Damir Tomic.
   2046 * Retire google test - phase I.  Harlan Stenn.
   2047 * Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
   2048 * Update the NEWS file.  Harlan Stenn.
   2049 * Autoconf cleanup.  Harlan Stenn.
   2050 * Unit test dist cleanup. Harlan Stenn.
   2051 * Cleanup various test Makefile.am files.  Harlan Stenn.
   2052 * Pthread autoconf macro cleanup.  Harlan Stenn.
   2053 * Fix progname definition in unity runner scripts.  Harlan Stenn.
   2054 * Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
   2055 * Update the patch for bug 2817.  Harlan Stenn.
   2056 * More updates for bug 2817.  Harlan Stenn.
   2057 * Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
   2058 * gcc on older HPUX may need +allowdups.  Harlan Stenn.
   2059 * Adding missing MCAST protection.  Harlan Stenn.
   2060 * Disable certain test programs on certain platforms.  Harlan Stenn.
   2061 * Implement --enable-problem-tests (on by default).  Harlan Stenn.
   2062 * build system tweaks.  Harlan Stenn.
   2063 
   2064 ---
   2065 NTP 4.2.8p3 (Harlan Stenn <stenn (a] ntp.org>, 2015/06/29) 
   2066 
   2067 Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
   2068 
   2069 Severity: MEDIUM
   2070 
   2071 Security Fix:
   2072 
   2073 * [Sec 2853] Crafted remote config packet can crash some versions of
   2074   ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
   2075 
   2076 Under specific circumstances an attacker can send a crafted packet to
   2077 cause a vulnerable ntpd instance to crash. This requires each of the
   2078 following to be true:
   2079 
   2080 1) ntpd set up to allow remote configuration (not allowed by default), and
   2081 2) knowledge of the configuration password, and
   2082 3) access to a computer entrusted to perform remote configuration. 
   2083 
   2084 This vulnerability is considered low-risk.
   2085 
   2086 New features in this release:
   2087 
   2088 Optional (disabled by default) support to have ntpd provide smeared
   2089 leap second time.  A specially built and configured ntpd will only
   2090 offer smeared time in response to client packets.  These response
   2091 packets will also contain a "refid" of 254.a.b.c, where the 24 bits
   2092 of a, b, and c encode the amount of smear in a 2:22 integer:fraction 
   2093 format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
   2094 information.
   2095 
   2096    *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   2097    *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
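
The 254.a.b.c smear REFID format described above, decoded in an added example that is not ntpd's own code: the 24 bits of a, b and c are split into 2 integer bits and 22 fraction bits, and reading the 2 integer bits as two's complement (so the smear can be negative) is this example's assumption.

```c
/* Added example, not code from ntpd: decode the leap-smear REFID
 * 254.a.b.c into a smear amount in seconds.  The 24 bits of a, b and c
 * are treated as a 2:22 fixed-point number: 2 integer bits and 22
 * fraction bits.  Reading the 2 integer bits as two's complement is
 * this example's assumption; check README.leapsmear for the build you run. */
#include <math.h>
#include <stdint.h>
#include <stdio.h>

#define SMEAR_REFID_PREFIX 254u  /* first octet announced by a smearing server */

/* Parse "254.a.b.c" into a host-order 32-bit value.  Returns 1 on
 * success, 0 if the string is not a dotted quad starting with 254. */
int parse_smear_refid(const char *s, uint32_t *out)
{
	unsigned a, b, c, d;
	char trailing;

	/* the extra %c catches trailing garbage such as "254.1.2.3x" */
	if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
		return 0;
	if (a != SMEAR_REFID_PREFIX || b > 255 || c > 255 || d > 255)
		return 0;
	*out = (a << 24) | (b << 16) | (c << 8) | d;
	return 1;
}

/* Convert the low 24 bits of a smear refid to seconds. */
double smear_seconds(uint32_t refid)
{
	uint32_t raw   = refid & 0x00FFFFFFu;    /* the a.b.c bits */
	int32_t  ipart = (int32_t)(raw >> 22);   /* top 2 bits: integer part */
	uint32_t fpart = raw & 0x003FFFFFu;      /* low 22 bits: fraction */

	if (ipart & 0x2)                         /* sign bit set: two's complement (assumption) */
		ipart -= 4;
	return (double)ipart + (double)fpart / 4194304.0;  /* 2^22 */
}

/* Convenience: dotted refid string -> seconds, or NAN if it is not a
 * smear refid (e.g. the ordinary "127.127.1.0" of a local clock). */
double decode_smear_refid(const char *s)
{
	uint32_t refid;

	if (!parse_smear_refid(s, &refid))
		return NAN;
	return smear_seconds(refid);
}

int main(void)
{
	/* constructed sample refids, in the dotted form ntpq prints */
	const char *samples[] = {
		"254.0.0.0", "254.32.0.0", "254.192.0.0",
		"254.255.255.255", "127.127.1.0",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		double sec = decode_smear_refid(samples[i]);
		if (isnan(sec))
			printf("%-16s not a leap-smear refid\n", samples[i]);
		else
			printf("%-16s smear %+.9f s\n", samples[i], sec);
	}
	return 0;
}
```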
   2098 
   2099 We've imported the Unity test framework, and have begun converting
   2100 the existing google-test items to this new framework.  If you want
   2101 to write new tests or change old ones, you'll need to have ruby
   2102 installed.  You don't need ruby to run the test suite.
   2103 
   2104 Bug Fixes and Improvements:
   2105 
   2106 * CID 739725: Fix a rare resource leak in libevent/listener.c.
   2107 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
   2108 * CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html.
   2109 * CID 1269537: Clean up a line of dead code in getShmTime().
   2110 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
   2111 * [Bug 2590] autogen-5.18.5.
   2112 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
   2113   of 'limited'.
   2114 * [Bug 2650] fix includefile processing.
   2115 * [Bug 2745] ntpd -x steps clock on leap second
   2116    Fixed an initial-value problem that caused misbehaviour in the absence of
   2117    any leap second information.
   2118    Do leap second stepping only if the step adjustment is beyond the
   2119    proper jump distance limit and step correction is allowed at all.
   2120 * [Bug 2750] build for Win64
   2121   Building the loopback ppsapi for 32 bits needs a def file.
   2122 * [Bug 2776] Improve ntpq's 'help keytype'.
   2123 * [Bug 2778] Implement "apeers"  ntpq command to include associd.
   2124 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
   2125 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an
   2126   interface is ignored as long as this flag is not set since the
   2127   interface is not usable (e.g., no link).
   2128 * [Bug 2794] Clean up kernel clock status reports.
   2129 * [Bug 2800] refclock_true.c true_debug() can't open debug log because
   2130   of incompatible open/fdopen parameters.
   2131 * [Bug 2804] install-local-data assumes GNU 'find' semantics.
   2132 * [Bug 2805] ntpd fails to join multicast group.
   2133 * [Bug 2806] refclock_jjy.c supports the Telephone JJY.
   2134 * [Bug 2808] GPSD_JSON driver enhancements, step 1.
   2135   Fix crash during cleanup if GPS device not present and char device.
   2136   Increase internal token buffer to parse all JSON data, even SKY.
   2137   Defer logging of errors during driver init until the first unit is
   2138   started, so the syslog is not cluttered when the driver is not used.
   2139   Various improvements, see http://bugs.ntp.org/2808 for details.
   2140   Changed libjsmn to a more recent version.
   2141 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
   2142 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
   2143 * [Bug 2815] net-snmp before v5.4 has circular library dependencies.
   2144 * [Bug 2821] Add a missing NTP_PRINTF and a missing const.
   2145 * [Bug 2822] New leap column in sntp broke NTP::Util.pm.
   2146 * [Bug 2824] Convert update-leap to perl. (also see 2769)
   2147 * [Bug 2825] Quiet file installation in html/ .
   2148 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   2149    NTPD transfers the current TAI (instead of an announcement) now.
   2150    This might still need improvement.
   2151    Update autokey data ASAP when 'sys_tai' changes.
   2152    Fix unit test that was broken by changes for autokey update.
   2153    Avoid potential signature length issue and use DPRINTF where possible
   2154      in ntp_crypto.c.
   2155 * [Bug 2832] refclock_jjy.c supports the TDC-300.
   2156 * [Bug 2834] Correct a broken html tag in html/refclock.html
   2157 * [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
   2158   robust, and require 2 consecutive timestamps to be consistent.
   2159 * [Bug 2837] Allow a configurable DSCP value.
   2160 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in
   2161 * [Bug 2842] Glitch in ntp.conf.def documentation stanza.
   2162 * [Bug 2842] Bug in mdoc2man.
   2163 * [Bug 2843] make check fails on 4.3.36
   2164    Fixed compiler warnings about numeric range overflow
   2165    (The original topic was fixed in a byplay to bug#2830)
   2166 * [Bug 2845] Harden memory allocation in ntpd.
   2167 * [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
   2168 * [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
   2169 * [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
   2170 * [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
   2171 * [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
   2172 * [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
   2173 * [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
   2174 * [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
   2175 * [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
   2176 * html/drivers/driver22.html: typo fix.  Harlan Stenn.
   2177 * refidsmear test cleanup.  Tomasz Flendrich.
   2178 * refidsmear function support and tests.  Harlan Stenn.
   2179 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
   2180   something that was only in the 4.2.6 sntp.  Harlan Stenn.
   2181 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
   2182   Damir Tomic
   2183 * Modified tests/libntp/Makefile.am so it builds Unity framework tests.
   2184   Damir Tomic
   2185 * Modified sntp/tests/Makefile.am so it builds Unity framework tests.
   2186   Damir Tomic
   2187 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
   2188 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomic
   2189 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
   2190   atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
   2191   calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
   2192   numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
   2193   timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
   2194   Damir Tomic
   2195 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
   2196   networking.c, keyFile.c, utilities.cpp, sntptest.h,
   2197   fileHandlingTest.h. Damir Tomi
   2198 * Initial support for experimental leap smear code.  Harlan Stenn.
   2199 * Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
   2200 * Report select() debug messages at debug level 3 now.
   2201 * sntp/scripts/genLocInfo: treat raspbian as debian.
   2202 * Unity test framework fixes.
   2203   ** Requires ruby for changes to tests.
   2204 * Initial support for PACKAGE_VERSION tests.
   2205 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
   2206 * tests/bug-2803/Makefile.am must distribute bug-2803.h.
   2207 * Add an assert to the ntpq ifstats code.
   2208 * Clean up the RLIMIT_STACK code.
   2209 * Improve the ntpq documentation around the controlkey keyid.
   2210 * ntpq.c cleanup.
   2211 * Windows port build cleanup.
   2212 
   2213 ---
   2214 NTP 4.2.8p2 (Harlan Stenn <stenn (a] ntp.org>, 2015/04/07) 
   2215 
   2216 Focus: Security and Bug fixes, enhancements.
   2217 
   2218 Severity: MEDIUM
   2219  
   2220 In addition to bug fixes and enhancements, this release fixes the
   2221 following medium-severity vulnerabilities involving private key
   2222 authentication:
   2223 
   2224 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   2225 
   2226     References: Sec 2779 / CVE-2015-1798 / VU#374268
   2227     Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
   2228 	including ntp-4.2.8p2 where the installation uses symmetric keys
   2229 	to authenticate remote associations.
   2230     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   2231     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   2232     Summary: When ntpd is configured to use a symmetric key to authenticate
   2233 	a remote NTP server/peer, it checks if the NTP message
   2234 	authentication code (MAC) in received packets is valid, but not if
   2235 	there actually is any MAC included. Packets without a MAC are
   2236 	accepted as if they had a valid MAC. This allows a MITM attacker to
   2237 	send false packets that are accepted by the client/peer without
   2238 	having to know the symmetric key. The attacker needs to know the
   2239 	transmit timestamp of the client to match it in the forged reply
   2240 	and the false reply needs to reach the client before the genuine
   2241 	reply from the server. The attacker doesn't necessarily need to be
   2242 	relaying the packets between the client and the server.
   2243 
   2244 	Authentication using autokey doesn't have this problem as there is
   2245 	a check that requires the key ID to be larger than NTP_MAXKEY,
   2246 	which fails for packets without a MAC.
   2247     Mitigation:
   2248         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   2249 	or the NTP Public Services Project Download Page
   2250         Configure ntpd with enough time sources and monitor it properly. 
   2251     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
   2252 
   2253 * [Sec 2781] Authentication doesn't protect symmetric associations against
   2254   DoS attacks.
   2255 
   2256     References: Sec 2781 / CVE-2015-1799 / VU#374268
   2257     Affects: All NTP releases starting with at least xntp3.3wy up to but
   2258 	not including ntp-4.2.8p2 where the installation uses symmetric
   2259 	key authentication.
   2260     CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
   2261     Note: the CVSS base Score for this issue could be 4.3 or lower, and
   2262 	it could be higher than 5.4.
   2263     Date Resolved: Stable (4.2.8p2) 07 Apr 2015
   2264     Summary: An attacker knowing that NTP hosts A and B are peering with
   2265 	each other (symmetric association) can send a packet to host A
   2266 	with source address of B which will set the NTP state variables
   2267 	on A to the values sent by the attacker. Host A will then send
   2268 	on its next poll to B a packet with originate timestamp that
   2269 	doesn't match the transmit timestamp of B and the packet will
   2270 	be dropped. If the attacker does this periodically for both
   2271 	hosts, they won't be able to synchronize to each other. This is
   2272 	a known denial-of-service attack, described at
   2273 	https://www.eecis.udel.edu/~mills/onwire.html .
   2274 
   2275 	According to the document the NTP authentication is supposed to
   2276 	protect symmetric associations against this attack, but that
   2277 	doesn't seem to be the case. The state variables are updated even
   2278 	when authentication fails and the peers are sending packets with
   2279 	originate timestamps that don't match the transmit timestamps on
   2280 	the receiving side.
   2281 
   2282 	This seems to be a very old problem, dating back to at least
   2283 	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
   2284 	specifications, so other NTP implementations with support for
   2285 	symmetric associations and authentication may be vulnerable too.
   2286 	An update to the NTP RFC to correct this error is in-process.
   2287     Mitigation:
   2288         Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
   2289 	or the NTP Public Services Project Download Page
   2290         Note that for users of autokey, this specific style of MITM attack
   2291 	is simply a long-known potential problem.
   2292         Configure ntpd with appropriate time sources and monitor ntpd.
   2293 	Alert your staff if problems are detected. 
   2294     Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 
   2295 
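A receive-path check covering both issues above: for Sec 2779 a packet carrying no MAC must be rejected rather than treated as authenticated, and for Sec 2781 the peer's state variables must stay untouched whenever authentication fails. This is an added illustration, not ntpd's own code; the digest is a constructed FNV-1a stand-in for the keyed MD5 digest real NTP uses, the key table, packet contents and the simplified peer structure are constructed samples, and the unauthenticated-association path is left out.

```c
/* Added example, not ntpd code: gate peer-state updates on MAC presence and
 * validity (Sec 2779 / Sec 2781).  The digest is a constructed FNV-1a stand-in
 * for NTP's keyed MD5; only the control flow around it is the point. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NTP_HDR_LEN 48                    /* fixed NTPv4 header (RFC 5905) */
#define KEYID_LEN    4                    /* key id that precedes the digest */
#define DIGEST_LEN   8                    /* stand-in digest (real MD5: 16) */
#define MAC_LEN     (KEYID_LEN + DIGEST_LEN)
#define XMT_OFFSET  40                    /* transmit timestamp in the header */

enum auth_result { AUTH_OK, AUTH_NONE, AUTH_CRYPTO, AUTH_ERROR };

struct peer {                 /* simplified: the state a packet may change */
    uint32_t keyid;           /* 0 means the association is unauthenticated */
    uint64_t org;             /* mirror of the server's transmit timestamp */
    unsigned bad_auth;        /* packets rejected for authentication reasons */
};

static uint64_t be_read(const uint8_t *p, int n)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

static void be_write(uint8_t *p, uint64_t v, int n)
{
    for (int i = n - 1; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Stand-in keyed digest: 64-bit FNV-1a over secret || message (NOT MD5). */
static uint64_t keyed_digest(const char *secret, const uint8_t *msg, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *secret; secret++)        { h ^= (uint8_t)*secret; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < len; i++) { h ^= msg[i];           h *= 0x100000001b3ULL; }
    return h;
}

/* Classify the trailer of a received datagram of 'len' bytes. */
enum auth_result check_mac(const uint8_t *pkt, size_t len, uint32_t want_keyid)
{
    if (len < NTP_HDR_LEN)            return AUTH_ERROR;   /* runt packet */
    if (len == NTP_HDR_LEN)           return AUTH_NONE;    /* no MAC present */
    if (len != NTP_HDR_LEN + MAC_LEN) return AUTH_ERROR;   /* odd trailer size */
    uint32_t keyid = (uint32_t)be_read(pkt + NTP_HDR_LEN, KEYID_LEN);
    /* Constructed one-entry key table: key id 1 -> shared secret. */
    const char *secret = (keyid == 1) ? "constructed-shared-secret" : NULL;
    if (keyid != want_keyid || secret == NULL) return AUTH_CRYPTO;
    uint8_t expect[DIGEST_LEN], diff = 0;
    be_write(expect, keyed_digest(secret, pkt, NTP_HDR_LEN), DIGEST_LEN);
    for (int i = 0; i < DIGEST_LEN; i++)               /* constant-time compare */
        diff |= expect[i] ^ pkt[NTP_HDR_LEN + KEYID_LEN + i];
    return diff ? AUTH_CRYPTO : AUTH_OK;
}

/* Receive path: 1 = accepted and state updated, 0 = dropped, state untouched. */
int receive_symmetric(struct peer *p, const uint8_t *pkt, size_t len)
{
    if (p->keyid != 0 && check_mac(pkt, len, p->keyid) != AUTH_OK) {
        p->bad_auth++;     /* Sec 2779: AUTH_NONE is a failure, not "valid" */
        return 0;          /* Sec 2781: no state variable changes on failure */
    }
    p->org = be_read(pkt + XMT_OFFSET, 8);
    return 1;
}

/* Build a constructed sample server packet; secret == NULL means "no MAC". */
size_t build_packet(uint8_t *buf, uint64_t xmt, uint32_t keyid, const char *secret)
{
    memset(buf, 0, NTP_HDR_LEN + MAC_LEN);
    buf[0] = 0x24;                                   /* LI 0, VN 4, mode 4 */
    be_write(buf + XMT_OFFSET, xmt, 8);
    if (secret == NULL) return NTP_HDR_LEN;
    be_write(buf + NTP_HDR_LEN, keyid, KEYID_LEN);
    be_write(buf + NTP_HDR_LEN + KEYID_LEN,
             keyed_digest(secret, buf, NTP_HDR_LEN), DIGEST_LEN);
    return NTP_HDR_LEN + MAC_LEN;
}

/* Valid MAC, missing MAC, wrong secret: bit set = case handled correctly. */
int self_check(void)
{
    uint8_t buf[NTP_HDR_LEN + MAC_LEN];
    struct peer p = { 1, 0, 0 };
    int ok = 0;
    size_t n = build_packet(buf, 0x1122334455667788ULL, 1, "constructed-shared-secret");
    if (receive_symmetric(&p, buf, n) == 1 && p.org == 0x1122334455667788ULL) ok |= 1;
    n = build_packet(buf, 0xdeadbeefULL, 0, NULL);           /* no MAC at all */
    if (receive_symmetric(&p, buf, n) == 0 && p.org == 0x1122334455667788ULL) ok |= 2;
    n = build_packet(buf, 0xdeadbeefULL, 1, "wrong-secret"); /* forged digest */
    if (receive_symmetric(&p, buf, n) == 0 && p.bad_auth == 2) ok |= 4;
    return ok;
}

int main(void)
{
    printf("self_check = %d (7 means all three cases behaved)\n", self_check());
    return 0;
}
```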
   2296 * New script: update-leap
    2297 The update-leap script will verify and, if necessary, update the
    2298 leap-second definition file.
   2299 It requires the following commands in order to work:
   2300 
   2301 	wget logger tr sed shasum
   2302 
   2303 Some may choose to run this from cron.  It needs more portability testing.
   2304 
   2305 Bug Fixes and Improvements:
   2306 
   2307 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
   2308 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
   2309 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
   2310 * [Bug 2728] See if C99-style structure initialization works.
   2311 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
   2312 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
   2313 * [Bug 2751] jitter.h has stale copies of l_fp macros.
   2314 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
   2315 * [Bug 2757] Quiet compiler warnings.
   2316 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
   2317 * [Bug 2763] Allow different thresholds for forward and backward steps.
   2318 * [Bug 2766] ntp-keygen output files should not be world-readable.
   2319 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
   2320 * [Bug 2771] nonvolatile value is documented in wrong units.
   2321 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
   2322 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
   2323 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
   2324 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
   2325   Removed non-ASCII characters from some copyright comments.
   2326   Removed trailing whitespace.
   2327   Updated definitions for Meinberg clocks from current Meinberg header files.
   2328   Now use C99 fixed-width types and avoid non-ASCII characters in comments.
   2329   Account for updated definitions pulled from Meinberg header files.
   2330   Updated comments on Meinberg GPS receivers which are not only called GPS16x.
   2331   Replaced some constant numbers by defines from ntp_calendar.h
   2332   Modified creation of parse-specific variables for Meinberg devices
   2333   in gps16x_message().
   2334   Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
    2335   Modified mbg_tm_str() which now expects an additional parameter controlling
   2336   if the time status shall be printed.
   2337 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
   2338 * [Sec 2781] Authentication doesn't protect symmetric associations against
   2339   DoS attacks.
   2340 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
   2341 * [Bug 2789] Quiet compiler warnings from libevent.
   2342 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
   2343   pause briefly before measuring system clock precision to yield
   2344   correct results.
   2345 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
   2346 * Use predefined function types for parse driver functions
   2347   used to set up function pointers.
   2348   Account for changed prototype of parse_inp_fnc_t functions.
   2349   Cast parse conversion results to appropriate types to avoid
   2350   compiler warnings.
   2351   Let ioctl() for Windows accept a (void *) to avoid compiler warnings
   2352   when called with pointers to different types.
   2353 
   2354 ---
   2355 NTP 4.2.8p1 (Harlan Stenn <stenn (a] ntp.org>, 2015/02/04) 
   2356 
   2357 Focus: Security and Bug fixes, enhancements.
   2358 
   2359 Severity: HIGH
   2360  
   2361 In addition to bug fixes and enhancements, this release fixes the
   2362 following high-severity vulnerabilities:
   2363 
   2364 * vallen is not validated in several places in ntp_crypto.c, leading
   2365   to a potential information leak or possibly a crash
   2366 
   2367     References: Sec 2671 / CVE-2014-9297 / VU#852879
   2368     Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
   2369     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2370     Date Resolved: Stable (4.2.8p1) 04 Feb 2015
   2371     Summary: The vallen packet value is not validated in several code
   2372              paths in ntp_crypto.c which can lead to information leakage
   2373 	     or perhaps a crash of the ntpd process.
   2374     Mitigation - any of:
   2375 	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   2376 		or the NTP Public Services Project Download Page.
   2377 	Disable Autokey Authentication by removing, or commenting out,
   2378 		all configuration directives beginning with the "crypto"
   2379 		keyword in your ntp.conf file. 
   2380     Credit: This vulnerability was discovered by Stephen Roettger of the
   2381     	Google Security Team, with additional cases found by Sebastian
   2382 	Krahmer of the SUSE Security Team and Harlan Stenn of Network
   2383 	Time Foundation. 
   2384 
   2385 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
   2386   can be bypassed.
   2387 
   2388     References: Sec 2672 / CVE-2014-9298 / VU#852879
   2389     Affects: All NTP4 releases before 4.2.8p1, under at least some
   2390 	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
   2391     CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
   2392     Date Resolved: Stable (4.2.8p1) 04 Feb 2014
   2393     Summary: While available kernels will prevent 127.0.0.1 addresses
   2394 	from "appearing" on non-localhost IPv4 interfaces, some kernels
   2395 	do not offer the same protection for ::1 source addresses on
   2396 	IPv6 interfaces. Since NTP's access control is based on source
   2397 	address and localhost addresses generally have no restrictions,
   2398 	an attacker can send malicious control and configuration packets
   2399 	by spoofing ::1 addresses from the outside. Note Well: This is
   2400 	not really a bug in NTP, it's a problem with some OSes. If you
   2401 	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
   2402 	ACL restrictions on any application can be bypassed!
   2403     Mitigation:
   2404         Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
   2405 	or the NTP Public Services Project Download Page
   2406         Install firewall rules to block packets claiming to come from
   2407 	::1 from inappropriate network interfaces. 
   2408     Credit: This vulnerability was discovered by Stephen Roettger of
   2409 	the Google Security Team. 
   2410 
   2411 Additionally, over 30 bugfixes and improvements were made to the codebase.
   2412 See the ChangeLog for more information.
   2413 
   2414 ---
   2415 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 
   2416  
   2417 Focus: Security and Bug fixes, enhancements.
   2418  
   2419 Severity: HIGH
   2420  
   2421 In addition to bug fixes and enhancements, this release fixes the
   2422 following high-severity vulnerabilities:
   2423 
   2424 ************************** vv NOTE WELL vv *****************************
   2425 
   2426 The vulnerabilities listed below can be significantly mitigated by
   2427 following the BCP of putting
   2428 
   2429  restrict default ... noquery
   2430 
   2431 in the ntp.conf file.  With the exception of:
   2432 
   2433    receive(): missing return on error
   2434    References: Sec 2670 / CVE-2014-9296 / VU#852879
   2435 
   2436 below (which is a limited-risk vulnerability), none of the recent
   2437 vulnerabilities listed below can be exploited if the source IP is
   2438 restricted from sending a 'query'-class packet by your ntp.conf file.
   2439 
   2440 ************************** ^^ NOTE WELL ^^ *****************************
   2441 
   2442 * Weak default key in config_auth().
   2443 
   2444   References: [Sec 2665] / CVE-2014-9293 / VU#852879
   2445   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   2446   Vulnerable Versions: all releases prior to 4.2.7p11
   2447   Date Resolved: 28 Jan 2010
   2448 
   2449   Summary: If no 'auth' key is set in the configuration file, ntpd
   2450 	would generate a random key on the fly.  There were two
   2451 	problems with this: 1) the generated key was 31 bits in size,
   2452 	and 2) it used the (now weak) ntp_random() function, which was
   2453 	seeded with a 32-bit value and could only provide 32 bits of
   2454 	entropy.  This was sufficient back in the late 1990s when the
   2455 	code was written.  Not today.
   2456 
   2457   Mitigation - any of:
   2458 	- Upgrade to 4.2.7p11 or later.
   2459 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2460 
   2461   Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
   2462   	of the Google Security Team.
   2463 
   2464 * Non-cryptographic random number generator with weak seed used by
   2465   ntp-keygen to generate symmetric keys.
   2466 
   2467   References: [Sec 2666] / CVE-2014-9294 / VU#852879
   2468   CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
   2469   Vulnerable Versions: All NTP4 releases before 4.2.7p230
   2470   Date Resolved: Dev (4.2.7p230) 01 Nov 2011
   2471 
   2472   Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
   2473   	prepare a random number generator that was of good quality back
    2474 	in the late 1990s. The random numbers produced were then used to
   2475 	generate symmetric keys. In ntp-4.2.8 we use a current-technology
   2476 	cryptographic random number generator, either RAND_bytes from
   2477 	OpenSSL, or arc4random(). 
   2478 
   2479   Mitigation - any of:
   2480   	- Upgrade to 4.2.7p230 or later.
   2481 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2482 
   2483   Credit:  This vulnerability was discovered in ntp-4.2.6 by
   2484   	Stephen Roettger of the Google Security Team.
   2485 
   2486 * Buffer overflow in crypto_recv()
   2487 
   2488   References: Sec 2667 / CVE-2014-9295 / VU#852879
   2489   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2490   Versions: All releases before 4.2.8
   2491   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2492 
   2493   Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
   2494   	file contains a 'crypto pw ...' directive) a remote attacker
   2495 	can send a carefully crafted packet that can overflow a stack
   2496 	buffer and potentially allow malicious code to be executed
   2497 	with the privilege level of the ntpd process.
   2498 
   2499   Mitigation - any of:
   2500   	- Upgrade to 4.2.8, or later, or
   2501 	- Disable Autokey Authentication by removing, or commenting out,
   2502 	  all configuration directives beginning with the crypto keyword
   2503 	  in your ntp.conf file. 
   2504 
   2505   Credit: This vulnerability was discovered by Stephen Roettger of the
   2506   	Google Security Team. 
   2507 
   2508 * Buffer overflow in ctl_putdata()
   2509 
   2510   References: Sec 2668 / CVE-2014-9295 / VU#852879
   2511   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2512   Versions: All NTP4 releases before 4.2.8
   2513   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2514 
   2515   Summary: A remote attacker can send a carefully crafted packet that
   2516   	can overflow a stack buffer and potentially allow malicious
   2517 	code to be executed with the privilege level of the ntpd process.
   2518 
   2519   Mitigation - any of:
   2520   	- Upgrade to 4.2.8, or later.
   2521 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2522 
   2523   Credit: This vulnerability was discovered by Stephen Roettger of the
   2524   	Google Security Team. 
   2525 
   2526 * Buffer overflow in configure()
   2527 
   2528   References: Sec 2669 / CVE-2014-9295 / VU#852879
   2529   CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
   2530   Versions: All NTP4 releases before 4.2.8
   2531   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2532 
   2533   Summary: A remote attacker can send a carefully crafted packet that
   2534 	can overflow a stack buffer and potentially allow malicious
   2535 	code to be executed with the privilege level of the ntpd process.
   2536 
   2537   Mitigation - any of:
   2538   	- Upgrade to 4.2.8, or later.
   2539 	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
   2540 
   2541   Credit: This vulnerability was discovered by Stephen Roettger of the
   2542 	Google Security Team. 
   2543 
   2544 * receive(): missing return on error
   2545 
   2546   References: Sec 2670 / CVE-2014-9296 / VU#852879
   2547   CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
   2548   Versions: All NTP4 releases before 4.2.8
   2549   Date Resolved: Stable (4.2.8) 18 Dec 2014
   2550 
   2551   Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
   2552   	the code path where an error was detected, which meant
   2553 	processing did not stop when a specific rare error occurred.
   2554 	We haven't found a way for this bug to affect system integrity.
   2555 	If there is no way to affect system integrity the base CVSS
   2556 	score for this bug is 0. If there is one avenue through which
   2557 	system integrity can be partially affected, the base score
   2558 	becomes a 5. If system integrity can be partially affected
    2559 	via all three integrity metrics, the CVSS base score becomes 7.5.
   2560 
   2561   Mitigation - any of:
   2562         - Upgrade to 4.2.8, or later,
   2563         - Remove or comment out all configuration directives
   2564 	  beginning with the crypto keyword in your ntp.conf file. 
   2565 
   2566   Credit: This vulnerability was discovered by Stephen Roettger of the
   2567   	Google Security Team. 
   2568 
   2569 See http://support.ntp.org/security for more information.
   2570 
   2571 New features / changes in this release:
   2572 
   2573 Important Changes
   2574 
   2575 * Internal NTP Era counters
   2576 
    2577 The internal counters that track the "era" (range of years) we are in
    2578 roll over every 136 years.  The current "era" started at the stroke of
    2579 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
    2580 1 Jan 2036.
    2581 In the past, we have used the "midpoint" of the range to decide which
    2582 era we were in.  Given the longevity of some products, it became clear
    2583 that it would be more functional to "look back" less, and "look forward"
    2584 more.  We now compile a timestamp into the ntpd executable and when we
    2585 get a timestamp we use the "built-on" to tell us what era we are in.
    2586 This check "looks back" 10 years, and "looks forward" 126 years.
   2587 
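The era selection described above as an added worked example, not ntpd's own code: the "built-on" timestamp becomes a pivot 10 years in the past, and each 32-bit timestamp is placed in the unique 136-year window that starts at the pivot. The year length used for the 10-year look-back is an assumption (the mean Gregorian year), the build date is a constructed sample, and the old midpoint rule is included only for contrast.

```c
/* Added example, not ntpd code: place a 32-bit NTP timestamp in the right
 * era using a pivot derived from the build ("built-on") time. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NTP_ERA_SECS   (1ULL << 32)      /* one era is 2^32 s, about 136 years */
#define UNIX_EPOCH_NTP 2208988800ULL     /* 1970-01-01 expressed in NTP seconds */
#define YEAR_SECS      31556952ULL       /* mean Gregorian year; an assumption */
#define LOOK_BACK      (10 * YEAR_SECS)  /* the check "looks back" 10 years */

/* NTP seconds since 1 Jan 1900 for a Unix time value. */
uint64_t unix_to_ntp(uint64_t unix_secs) { return unix_secs + UNIX_EPOCH_NTP; }

/* The unique 64-bit value v with (v mod 2^32) == ts32 and
 * pivot <= v < pivot + 2^32.  Anything that would fall before the pivot
 * is taken to be one era later instead. */
uint64_t ntp32_resolve(uint32_t ts32, uint64_t pivot)
{
    uint32_t delta = ts32 - (uint32_t)pivot;   /* wraps mod 2^32 on purpose */
    return pivot + delta;
}

/* New rule: build time minus 10 years, so the window runs 10 years back
 * and about 126 years forward. */
uint64_t pivot_from_build(uint64_t build_ntp) { return build_ntp - LOOK_BACK; }

/* Old "midpoint" rule for contrast: 68 years either side of now. */
uint64_t pivot_midpoint(uint64_t now_ntp) { return now_ntp - NTP_ERA_SECS / 2; }

uint64_t ntp_era(uint64_t full_ntp) { return full_ntp / NTP_ERA_SECS; }

int main(void)
{
    uint64_t build = unix_to_ntp(1490054400ULL);   /* 2017-03-21 00:00:00 UTC, constructed */
    uint64_t pivot = pivot_from_build(build);
    uint32_t samples[3] = {
        (uint32_t)build,                            /* the build time itself */
        (uint32_t)unix_to_ntp(2208988800ULL),       /* 2040-01-01: after the 2036 rollover */
        (uint32_t)unix_to_ntp(946684800ULL),        /* 2000-01-01: older than the look-back */
    };
    for (size_t i = 0; i < 3; i++) {
        uint64_t v = ntp32_resolve(samples[i], pivot);
        printf("ts32=%10u -> era %llu, unix %llu\n", (unsigned)samples[i],
               (unsigned long long)ntp_era(v), (unsigned long long)(v - UNIX_EPOCH_NTP));
    }
    return 0;
}
```

With the build-time pivot the year-2000 sample lands in era 1 (the year 2136) because it is older than the 10-year look-back, whereas the old midpoint rule keeps it in era 0.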
   2588 * ntpdc responses disabled by default
   2589 
   2590 Dave Hart writes:
   2591 
   2592 For a long time, ntpq and its mostly text-based mode 6 (control) 
   2593 protocol have been preferred over ntpdc and its mode 7 (private 
   2594 request) protocol for runtime queries and configuration.  There has 
   2595 been a goal of deprecating ntpdc, previously held back by numerous 
   2596 capabilities exposed by ntpdc with no ntpq equivalent.  I have been 
   2597 adding commands to ntpq to cover these cases, and I believe I've 
   2598 covered them all, though I've not compared command-by-command 
   2599 recently. 
   2600 
   2601 As I've said previously, the binary mode 7 protocol involves a lot of 
   2602 hand-rolled structure layout and byte-swapping code in both ntpd and 
   2603 ntpdc which is hard to get right.  As ntpd grows and changes, the 
   2604 changes are difficult to expose via ntpdc while maintaining forward 
   2605 and backward compatibility between ntpdc and ntpd.  In contrast, 
   2606 ntpq's text-based, label=value approach involves more code reuse and 
   2607 allows compatible changes without extra work in most cases. 
   2608 
   2609 Mode 7 has always been defined as vendor/implementation-specific while 
   2610 mode 6 is described in RFC 1305 and intended to be open to interoperate 
   2611 with other implementations.  There is an early draft of an updated 
   2612 mode 6 description that likely will join the other NTPv4 RFCs 
   2613 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
   2614 
   2615 For these reasons, ntpd 4.2.7p230 by default disables processing of 
   2616 ntpdc queries, reducing ntpd's attack surface and functionally 
   2617 deprecating ntpdc.  If you are in the habit of using ntpdc for certain 
   2618 operations, please try the ntpq equivalent.  If there's no equivalent, 
   2619 please open a bug report at http://bugs.ntp.org./
   2620 
   2621 In addition to the above, over 1100 issues have been resolved between
   2622 the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
   2623 lists these.
   2624 
   2625 --- 
   2626 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 
   2627  
   2628 Focus: Bug fixes
   2629  
   2630 Severity: Medium 
   2631  
   2632 This is a recommended upgrade. 
   2633 
   2634 This release updates sys_rootdisp and sys_jitter calculations to match the
   2635 RFC specification, fixes a potential IPv6 address matching error for the
   2636 "nic" and "interface" configuration directives, suppresses the creation of
   2637 extraneous ephemeral associations for certain broadcastclient and
   2638 multicastclient configurations, cleans up some ntpq display issues, and
   2639 includes improvements to orphan mode, minor bugs fixes and code clean-ups.
   2640 
   2641 New features / changes in this release:
   2642 
   2643 ntpd
   2644 
   2645  * Updated "nic" and "interface" IPv6 address handling to prevent 
   2646    mismatches with localhost [::1] and wildcard [::] which resulted from
   2647    using the address/prefix format (e.g. fe80::/64)
   2648  * Fix orphan mode stratum incorrectly counting to infinity
    2649  * Orphan parent selection metric updated to include missing ntohl()
   2650  * Non-printable stratum 16 refid no longer sent to ntp
   2651  * Duplicate ephemeral associations suppressed for broadcastclient and
   2652    multicastclient without broadcastdelay
   2653  * Exclude undetermined sys_refid from use in loopback TEST12
   2654  * Exclude MODE_SERVER responses from KoD rate limiting
   2655  * Include root delay in clock_update() sys_rootdisp calculations
   2656  * get_systime() updated to exclude sys_residual offset (which only
   2657    affected bits "below" sys_tick, the precision threshold)
   2658  * sys.peer jitter weighting corrected in sys_jitter calculation
   2659 
   2660 ntpq
   2661 
   2662  * -n option extended to include the billboard "server" column
   2663  * IPv6 addresses in the local column truncated to prevent overruns
   2664 
   2665 --- 
   2666 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 
   2667  
   2668 Focus: Bug fixes and portability improvements 
   2669  
   2670 Severity: Medium 
   2671  
   2672 This is a recommended upgrade. 
   2673  
   2674 This release includes build infrastructure updates, code 
   2675 clean-ups, minor bug fixes, fixes for a number of minor 
   2676 ref-clock issues, and documentation revisions. 
   2677  
   2678 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 
   2679  
   2680 New features / changes in this release: 
   2681  
   2682 Build system 
   2683  
   2684 * Fix checking for struct rtattr 
   2685 * Update config.guess and config.sub for AIX 
   2686 * Upgrade required version of autogen and libopts for building 
   2687   from our source code repository 
   2688  
   2689 ntpd 
   2690  
   2691 * Back-ported several fixes for Coverity warnings from ntp-dev 
   2692 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 
   2693 * Allow "logconfig =allall" configuration directive 
   2694 * Bind tentative IPv6 addresses on Linux 
   2695 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 
   2696 * Improved tally bit handling to prevent incorrect ntpq peer status reports 
   2697 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 
   2698   candidate list unless they are designated a "prefer peer" 
   2699 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 
   2700   selection during the 'tos orphanwait' period 
   2701 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 
   2702   drivers 
   2703 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 
   2704 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 
   2705 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 
   2706   clock slew on Microsoft Windows 
   2707 * Code cleanup in libntpq 
   2708  
   2709 ntpdc 
   2710  
   2711 * Fix timerstats reporting 
   2712  
   2713 ntpdate 
   2714  
   2715 * Reduce time required to set clock 
   2716 * Allow a timeout greater than 2 seconds 
   2717  
   2718 sntp 
   2719  
    2720 * Backward incompatible command-line option change: 
    2721   -l/--filelog changed to -l/--logfile (to be consistent with ntpd) 
   2722  
   2723 Documentation 
   2724  
   2725 * Update html2man. Fix some tags in the .html files 
   2726 * Distribute ntp-wait.html 
   2727 
   2728 ---
   2729 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03)
   2730 
   2731 Focus: Bug fixes and portability improvements
   2732 
   2733 Severity: Medium
   2734 
   2735 This is a recommended upgrade.
   2736 
   2737 This release includes build infrastructure updates, code
   2738 clean-ups, minor bug fixes, fixes for a number of minor
   2739 ref-clock issues, and documentation revisions.
   2740 
   2741 Portability improvements in this release affect AIX, Atari FreeMiNT,
   2742 FreeBSD4, Linux and Microsoft Windows.
   2743 
   2744 New features / changes in this release:
   2745 
   2746 Build system
   2747 * Use lsb_release to get information about Linux distributions.
   2748 * 'test' is in /usr/bin (instead of /bin) on some systems.
   2749 * Basic sanity checks for the ChangeLog file.
   2750 * Source certain build files with ./filename for systems without . in PATH.
   2751 * IRIX portability fix.
   2752 * Use a single copy of the "libopts" code.
   2753 * autogen/libopts upgrade.
   2754 * configure.ac m4 quoting cleanup.
   2755 
   2756 ntpd
   2757 * Do not bind to IN6_IFF_ANYCAST addresses.
   2758 * Log the reason for exiting under Windows.
   2759 * Multicast fixes for Windows.
   2760 * Interpolation fixes for Windows.
   2761 * IPv4 and IPv6 Multicast fixes.
   2762 * Manycast solicitation fixes and general repairs.
   2763 * JJY refclock cleanup.
   2764 * NMEA refclock improvements.
   2765 * Oncore debug message cleanup.
   2766 * Palisade refclock now builds under Linux.
   2767 * Give RAWDCF more baud rates.
   2768 * Support Truetime Satellite clocks under Windows.
   2769 * Support Arbiter 1093C Satellite clocks under Windows.
   2770 * Make sure that the "filegen" configuration command defaults to "enable".
   2771 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
   2772 * Prohibit 'includefile' directive in remote configuration command.
   2773 * Fix 'nic' interface bindings.
   2774 * Fix the way we link with openssl if openssl is installed in the base
   2775   system.
   2776 
   2777 ntp-keygen
   2778 * Fix -V coredump.
   2779 * OpenSSL version display cleanup.
   2780 
   2781 ntpdc
   2782 * Many counters should be treated as unsigned.
   2783 
   2784 ntpdate
   2785 * Do not ignore replies with equal receive and transmit timestamps.
   2786 
   2787 ntpq
   2788 * libntpq warning cleanup.
   2789 
   2790 ntpsnmpd
   2791 * Correct SNMP type for "precision" and "resolution".
   2792 * Update the MIB from the draft version to RFC-5907.
   2793 
   2794 sntp
   2795 * Display timezone offset when showing time for sntp in the local
   2796   timezone.
   2797 * Pay proper attention to RATE KoD packets.
   2798 * Fix a miscalculation of the offset.
   2799 * Properly parse empty lines in the key file.
   2800 * Logging cleanup.
   2801 * Use tv_usec correctly in set_time().
   2802 * Documentation cleanup.
   2803 
   2804 ---
   2805 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08)
   2806 
   2807 Focus: Bug fixes and portability improvements
   2808 
   2809 Severity: Medium
   2810 
   2811 This is a recommended upgrade.
   2812 
   2813 This release includes build infrastructure updates, code
   2814 clean-ups, minor bug fixes, fixes for a number of minor
   2815 ref-clock issues, improved KOD handling, OpenSSL related
   2816 updates and documentation revisions.
   2817 
   2818 Portability improvements in this release affect Irix, Linux,
   2819 Mac OS, Microsoft Windows, OpenBSD and QNX6
   2820 
   2821 New features / changes in this release:
   2822 
   2823 ntpd
   2824 * Range syntax for the trustedkey configuration directive
   2825 * Unified IPv4 and IPv6 restrict lists
   2826 
   2827 ntpdate
   2828 * Rate limiting and KOD handling
   2829 
   2830 ntpsnmpd
   2831 * default connection to net-snmpd via a unix-domain socket
   2832 * command-line 'socket name' option
   2833 
   2834 ntpq / ntpdc
   2835 * support for the "passwd ..." syntax
   2836 * key-type specific password prompts
   2837 
   2838 sntp
   2839 * MD5 authentication of an ntpd
   2840 * Broadcast and crypto
   2841 * OpenSSL support
   2842 
---
NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message).  In this case:

	* If an attacker spoofs the source address of ntpd host A in a
	  mode 7 response packet sent to ntpd host B, both A and B will
	  continuously send each other error responses, for as long as
	  those packets get through.

	* If an attacker spoofs an address of ntpd host A in a mode 7
	  response packet sent to ntpd host A, A will respond to itself
	  endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.
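An added detection example, not part of this NEWS file or of the NTP project's code, that applies the description above to captured traffic: it parses the mode 7 fixed header as laid out in ntp_request.h's struct req_pkt and flags the two looping patterns the text names, A and B exchanging error responses and A answering itself. The sample packets, the addresses and the reporting threshold are constructed assumptions.

```python
"""Flag the mode 7 error-response ping-pong described for CVE-2009-3563."""
from collections import Counter

MODE_PRIVATE = 7  # ntpdc's mode; ntpq uses mode 6, time transfer uses modes 1-5
RESP_BIT = 0x80   # "response" flag in byte 0 of a mode 7 packet

def parse_mode7(raw: bytes):
    """Parse the mode 7 fixed header (layout per struct req_pkt in ntp_request.h:
    byte 0 = response|more|version(3)|mode(3), byte 3 = request code,
    bytes 4-5 = err(4 bits)|nitems(12 bits)). Returns None if not mode 7."""
    if len(raw) < 8 or (raw[0] & 0x07) != MODE_PRIVATE:
        return None
    err_nitems = int.from_bytes(raw[4:6], "big")
    return {"response": bool(raw[0] & RESP_BIT), "version": (raw[0] >> 3) & 0x07,
            "request": raw[3], "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF}

def mode7_error(err=3, version=2):
    """Build a minimal mode 7 error response; constructed sample, not captured."""
    first = RESP_BIT | (version << 3) | MODE_PRIVATE
    return bytes([first, 0, 3, 0]) + (err << 12).to_bytes(2, "big") + b"\x00\x00"

def find_loops(packets, threshold=3):
    """Return host pairs exchanging mode 7 error responses in both directions,
    or hosts sending them to themselves, at least `threshold` times in total.
    packets: iterable of (src_ip, dst_ip, raw_bytes)."""
    counts = Counter()
    for src, dst, raw in packets:
        hdr = parse_mode7(raw)
        if hdr and hdr["response"] and hdr["err"] != 0:
            counts[(src, dst)] += 1
    flagged = set()
    for (src, dst), n in counts.items():
        rev = counts.get((dst, src), 0)
        if src == dst and n >= threshold:
            flagged.add((src, dst))                 # A answering itself
        elif src != dst and rev and n + rev >= threshold:
            flagged.add(tuple(sorted((src, dst))))  # A <-> B ping-pong
    return sorted(flagged)

# Constructed sample traffic (assumed addresses): a spoofed A<->B loop, a
# self-loop on C, and one mode 6 (ntpq) packet that must be ignored.
A, B, C = "192.0.2.10", "192.0.2.20", "192.0.2.30"
SAMPLE_TRAFFIC = (
    [(A, B, mode7_error()), (B, A, mode7_error())] * 3
    + [(C, C, mode7_error())] * 3
    + [(A, B, bytes([0x16]) + b"\x00" * 11)]
)
```

Since ntpd only answers sources not covered by "restrict ... noquery" or "restrict ... ignore", a flagged pair also identifies which ntpd instance still lacks that restriction.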

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.

---
NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to terminate ntpd
under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.
