NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:
* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3389 / CVE-2017-6464 / VU#325339
Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

A vulnerability found in the NTP server makes it possible for an
authenticated remote user to crash ntpd via a malformed mode
configuration directive.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Cure53.
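Every entry in this announcement carries a CVSS v2 vector next to its score. The following calculator is an added example (not part of the NTP release notes or the NTP code base) that derives the v2 base score from such a vector using the published CVSS v2 base-metric weights, so a reader can check a vendor-stated score against its vector. The vectors in main() are copied from entries on this page; the severity bands are NVD's.

```c
#include <stdio.h>
#include <string.h>

/* Weight of one CVSS v2 base metric, or -1.0 for an unknown metric/value. */
static double cvss2_weight(const char *metric, char val)
{
    if (strcmp(metric, "AV") == 0)   /* Access Vector */
        return val == 'L' ? 0.395 : val == 'A' ? 0.646 : val == 'N' ? 1.0 : -1.0;
    if (strcmp(metric, "AC") == 0)   /* Access Complexity */
        return val == 'H' ? 0.35 : val == 'M' ? 0.61 : val == 'L' ? 0.71 : -1.0;
    if (strcmp(metric, "Au") == 0)   /* Authentication */
        return val == 'M' ? 0.45 : val == 'S' ? 0.56 : val == 'N' ? 0.704 : -1.0;
    if (strcmp(metric, "C") == 0 || strcmp(metric, "I") == 0 || strcmp(metric, "A") == 0)
        return val == 'N' ? 0.0 : val == 'P' ? 0.275 : val == 'C' ? 0.660 : -1.0;
    return -1.0;
}

/*
 * Parse a vector such as "AV:N/AC:H/Au:M/C:N/I:N/A:C" and return the CVSS v2
 * base score in tenths (46 means 4.6), or -1 if the vector is malformed,
 * repeats a metric, or omits one of the six base metrics.
 */
int cvss2_base_tenths(const char *vec)
{
    static const char *const names[6] = { "AV", "AC", "Au", "C", "I", "A" };
    double w[6] = { 0 };
    unsigned seen = 0;
    const char *p = vec;

    while (*p != '\0') {
        char name[3], val;
        int used = 0, idx;

        if (sscanf(p, "%2[A-Za-z]:%c%n", name, &val, &used) != 2)
            return -1;
        for (idx = 0; idx < 6; idx++)
            if (strcmp(name, names[idx]) == 0)
                break;
        if (idx == 6 || (seen & (1u << idx)))
            return -1;                       /* unknown or duplicated metric */
        w[idx] = cvss2_weight(name, val);
        if (w[idx] < 0.0)
            return -1;                       /* unknown value letter */
        seen |= 1u << idx;
        p += used;
        if (*p == '/')
            p++;
        else if (*p != '\0')
            return -1;
    }
    if (seen != 0x3fu)
        return -1;                           /* a base metric is missing */

    {
        double impact = 10.41 * (1.0 - (1.0 - w[3]) * (1.0 - w[4]) * (1.0 - w[5]));
        double exploitability = 20.0 * w[0] * w[1] * w[2];
        double f_impact = (impact == 0.0) ? 0.0 : 1.176;
        double base = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact;
        return (int)(base * 10.0 + 0.5);     /* round half up to one decimal */
    }
}

/* NVD's CVSS v2 severity bands for a score given in tenths. */
const char *cvss2_severity(int tenths)
{
    if (tenths < 0)  return "invalid";
    if (tenths == 0) return "None";
    if (tenths < 40) return "Low";
    if (tenths < 70) return "Medium";
    return "High";
}

int main(void)
{
    /* Vectors copied from entries in this release announcement. */
    const char *vectors[] = {
        "AV:N/AC:H/Au:M/C:N/I:N/A:C",   /* NTP-01-016, stated 4.6 */
        "AV:L/AC:H/Au:S/C:N/I:N/A:P",   /* NTP-01-014, stated 1.0 */
        "AV:N/AC:L/Au:N/C:N/I:N/A:C",   /* Windows oversized UDP packet, stated 7.8 */
        "AV:N/AC:H/Au:N/C:N/I:N/A:N",   /* NTP-01-011, stated 0.0 */
        "AV:N/AC:H",                     /* malformed: four metrics missing */
    };
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        int t = cvss2_base_tenths(vectors[i]);
        if (t < 0)
            printf("%-30s -> invalid vector\n", vectors[i]);
        else
            printf("%-30s -> %d.%d (%s)\n", vectors[i], t / 10, t % 10, cvss2_severity(t));
    }
    return 0;
}
```

The score is returned in tenths rather than as a double so that callers (and tests) compare exact integers instead of rounded floating-point values.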
* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
Date Resolved: 21 Mar 2017
References: Sec 3388 / CVE-2017-6462 / VU#325339
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

There is a potential for a buffer overflow in the legacy Datum
Programmable Time Server refclock driver. Here the packets are
processed from the /dev/datum device and handled in
datum_pts_receive(). Since an attacker would be required to
somehow control a malicious /dev/datum device, this does not
appear to be a practical attack and renders this issue "Low" in

Mitigation:
If you have a Datum reference clock installed and think somebody
may maliciously change the device, upgrade to 4.2.8p10, or
later, from the NTP Project Download Page or the NTP Public
Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Cure53.
* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3387 / CVE-2017-6463 / VU#325339
Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

A vulnerability found in the NTP server allows an authenticated
remote attacker to crash the daemon by sending an invalid setting
via the :config directive. The unpeer option expects a number or
an address as an argument. In case the value is "0", a
segmentation fault occurs.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Cure53.
* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
Date Resolved: 21 Mar 2017
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N

The NTP Mode 6 monitoring and control client, ntpq, uses the
function ntpq_stripquotes() to remove quotes and escape characters
from a given string. According to the documentation, the function
is supposed to return the number of copied bytes but due to
incorrect pointer usage this value is always zero. Although the
return value of this function is never used in the code, this
flaw could lead to a vulnerability in the future. Since relying
on wrong return values when performing memory operations is a
dangerous practice, it is recommended to return the correct value
in accordance with the documentation pertinent to the code.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Cure53.
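To make concrete why a wrong "bytes copied" return value is dangerous even when nobody reads it today, here is an added example (not the ntpq code): a hypothetical strip_quotes() with the contract the advisory describes, returning the number of bytes stored, plus a caller that uses that count as its write offset for appending more data. The inputs in main() are constructed; how ntpq's real function treats escapes is not specified here, so this version simply drops unescaped double quotes and keeps the byte after a backslash literally.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the behaviour the advisory describes for
 * ntpq_stripquotes() (this is not the ntpq code): copy src into dst
 * (capacity cap), dropping unescaped double quotes and replacing a
 * backslash escape "\x" by the literal character x.  Returns the number of
 * bytes stored in dst, excluding the terminating NUL, or (size_t)-1 when
 * the result does not fit; dst is always NUL-terminated when cap > 0.
 */
size_t strip_quotes(char *dst, size_t cap, const char *src)
{
    size_t n = 0;

    if (cap == 0)
        return (size_t)-1;
    for (const char *p = src; *p != '\0'; p++) {
        char c = *p;

        if (c == '"')
            continue;                    /* unescaped quote: dropped */
        if (c == '\\' && p[1] != '\0')
            c = *++p;                    /* escape: keep the next byte literally */
        if (n + 1 >= cap) {              /* no room for c plus the NUL */
            dst[0] = '\0';
            return (size_t)-1;
        }
        dst[n++] = c;
    }
    dst[n] = '\0';
    return n;                            /* the count callers rely on */
}

/*
 * Why the return value matters: a caller that appends to the stripped text
 * uses the count as its write offset.  With a count that is always zero
 * (the bug described above) the suffix would overwrite the stripped data.
 * Returns the final length, or (size_t)-1 on overflow.
 */
size_t strip_and_append(char *dst, size_t cap, const char *quoted, const char *suffix)
{
    size_t n = strip_quotes(dst, cap, quoted);
    size_t slen = strlen(suffix);

    if (n == (size_t)-1 || slen >= cap - n)
        return (size_t)-1;
    memcpy(dst + n, suffix, slen + 1);   /* includes the suffix's NUL */
    return n + slen;
}

int main(void)
{
    char buf[32];
    /* constructed inputs in the shape of quoted variable values */
    size_t n = strip_quotes(buf, sizeof buf, "\"refid=\\\"GPS\\\"\"");
    printf("%zu bytes: %s\n", n, buf);
    n = strip_and_append(buf, sizeof buf, "\"leap=00\"", ",stratum=1");
    printf("%zu bytes: %s\n", n, buf);
    return 0;
}
```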
* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
Date Resolved: 21 Mar 2017
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.

NTP makes use of several wrappers around the standard heap memory
allocation functions that are provided by libc. This is mainly
done to introduce additional safety checks concentrated on
several goals. First, they seek to ensure that memory is not
accidentally freed, secondly they verify that a correct amount
is always allocated and, thirdly, that allocation failures are
correctly handled. There is an additional implementation for
scenarios where memory for a specific amount of items of the
same size needs to be allocated. The handling can be found in
the oreallocarray() function for which a further number-of-elements
parameter needs to be provided. Although no considerable threat
was identified as tied to a lack of use of this function, it is
recommended to correctly apply oreallocarray() as a preferred
option across all of the locations where it is possible.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.

This weakness was discovered by Cure53.
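The reason an array-allocation wrapper exists at all is the multiplication: realloc(p, n * size) silently wraps when the product exceeds SIZE_MAX, handing the allocator a tiny block that the caller then fills with n elements. The following is an added, stand-alone equivalent of that idea (it is not NTP's oreallocarray()/ereallocarray() implementation): a checked product, a reallocarray-style wrapper that refuses a wrapping product, and an "e" flavour that treats allocation failure as fatal, next to the naive computation for comparison.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Set *out = a * b and return 1, or return 0 if the product would wrap. */
int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return 0;
    *out = a * b;
    return 1;
}

/* The unchecked computation many call sites do inline: realloc(p, n * sz).
   Returns the wrapped byte count the allocator would actually be asked for. */
size_t naive_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;     /* silently wraps modulo SIZE_MAX + 1 */
}

/* reallocarray-style wrapper: refuses a wrapping product instead of handing
   the allocator a tiny size that later element writes would overrun. */
void *xreallocarray(void *ptr, size_t nmemb, size_t size)
{
    size_t bytes;

    if (!mul_size_checked(nmemb, size, &bytes)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, bytes);
}

/* "e" flavour (hypothetical name): allocation failure is fatal, the way the
   advisory describes NTP's error-handling wrappers. */
void *ereallocarray_demo(void *ptr, size_t nmemb, size_t size)
{
    void *p = xreallocarray(ptr, nmemb, size);

    if (p == NULL && nmemb != 0 && size != 0) {
        perror("ereallocarray");
        exit(EXIT_FAILURE);
    }
    return p;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;      /* 2^(bits-1): doubling it wraps to 0 */
    size_t bytes;
    int *table;

    printf("naive: %zu * 2 = %zu bytes\n", huge, naive_bytes(huge, 2));
    printf("checked: %s\n", mul_size_checked(huge, 2, &bytes) ? "ok" : "overflow refused");

    table = ereallocarray_demo(NULL, 16, sizeof *table);
    table[15] = 42;                      /* in bounds: 16 elements were really allocated */
    printf("table[15] = %d\n", table[15]);
    free(table);
    return 0;
}
```

The wrap case in main() is chosen so it is independent of the width of size_t: SIZE_MAX / 2 + 1 is a power of two, and doubling it always produces zero.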
* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
Date Resolved: 21 Mar 2017
References: Sec 3384 / CVE-2017-6455 / VU#325339
Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
including ntp-4.3.94.
CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

The Windows NT port has the added capability to preload DLLs
defined in the inherited global local environment variable
PPSAPI_DLLS. The code contained within those libraries is then
called from the NTPD service, usually running with elevated
privileges. Depending on how securely the machine is set up and
configured, if ntpd is configured to use the PPSAPI under Windows
this can easily lead to a code injection.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.

This weakness was discovered by Cure53.
* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
installer ONLY) (Low)
Date Resolved: 21 Mar 2017
References: Sec 3383 / CVE-2017-6452 / VU#325339
Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
to, but not including ntp-4.3.94.
CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

The Windows installer for NTP calls strcat(), blindly appending
the string passed to the stack buffer in the addSourceToRegistry()
function. The stack buffer is 70 bytes smaller than the buffer
in the calling main() function. Together with the initially
copied Registry path, the combination causes a stack buffer
overflow and effectively overwrites the stack frame. The
passed application path is actually limited to 256 bytes by the
operating system, but this is not sufficient to assure that the
affected stack buffer is consistently protected against
overflowing at all times.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.

This weakness was discovered by Cure53.
* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
installer ONLY) (Low)
Date Resolved: 21 Mar 2017
References: Sec 3382 / CVE-2017-6459 / VU#325339
Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
up to, but not including ntp-4.3.94.
CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

The Windows installer for NTP calls strcpy() with an argument
that specifically contains multiple null bytes. strcpy() only
copies a single terminating null character into the target
buffer instead of copying the required double null bytes in the
addKeysToRegistry() function. As a consequence, a garbage
registry entry can be created. The additional arsize parameter
is erroneously set to contain two null bytes and the following
call to RegSetValueEx() claims to be passing in a multi-string
value, though this may not be true.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.

This weakness was discovered by Cure53.
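A multi-string registry value is a sequence of NUL-terminated strings followed by one extra NUL, so it must be built and sized with length-aware copies rather than strcpy(), which stops at the first NUL. The following added example (portable C, not the NTP installer code and not calling the Windows registry API) models that layout: a builder that uses memcpy() and computes the exact byte count a registry write would need, a walker that re-derives that size from the data, and the strcpy() pattern beside them to show how much of the value it actually stores. The element names in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size in bytes of a well-formed multi-string ("s1\0s2\0...\0"), including
   both terminators.  This is the byte count a registry write must be given. */
size_t multi_sz_size(const char *ms)
{
    const char *p = ms;

    while (*p != '\0')
        p += strlen(p) + 1;          /* skip one element and its NUL */
    return (size_t)(p - ms) + 1;     /* +1 for the terminating empty string */
}

/* Build a multi-string from n C strings into dst[cap] with memcpy(), which
   does not stop at NUL.  Returns the total size, or 0 if an element is empty
   (that would end the list early) or the data does not fit. */
size_t multi_sz_build(char *dst, size_t cap, const char *const *items, size_t n)
{
    size_t pos = 0;

    if (cap == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(items[i]) + 1;   /* element plus its own NUL */

        if (items[i][0] == '\0' || len > cap - pos - 1)
            return 0;                        /* keep one byte for the final NUL */
        memcpy(dst + pos, items[i], len);
        pos += len;
    }
    dst[pos++] = '\0';                       /* second terminator */
    return pos;
}

/* The buggy pattern: strcpy() copies up to the first NUL only, so every
   element after the first is lost and only one terminator is written.
   Returns the number of bytes strcpy() actually stored. */
size_t multi_sz_copy_with_strcpy(char *dst, const char *ms)
{
    strcpy(dst, ms);
    return strlen(dst) + 1;
}

int main(void)
{
    /* constructed example: two event-source names an installer might register */
    const char *const items[] = { "ntpd", "ntpd-messages" };
    char value[64];
    char copy[64];
    size_t size = multi_sz_build(value, sizeof value, items, 2);
    size_t copied = multi_sz_copy_with_strcpy(copy, value);

    printf("correct MULTI_SZ size: %zu bytes (re-derived by walking: %zu)\n",
           size, multi_sz_size(value));
    printf("strcpy() stored only %zu bytes: \"%s\", with no second terminator\n",
           copied, copy);
    return 0;
}
```

If the size passed to the registry write is larger than what strcpy() stored, the tail of the value is whatever happened to be in the buffer, which is the "garbage registry entry" the advisory describes.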
* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)

The report says: Statically included external projects
potentially introduce several problems and the issue of having
extensive amounts of code that is "dead" in the resulting binary
must clearly be pointed out. The unnecessary unused code may or
may not contain bugs and, quite possibly, might be leveraged for
code-gadget-based branch-flow redirection exploits. Analogically,
having source trees statically included as well means a failure
in taking advantage of the free feature for periodical updates.
This solution is offered by the system's Package Manager. The
three libraries identified are libisc, libevent, and libopts.

For libisc, we already only use a portion of the original library.
We've found and fixed bugs in the original implementation (and
offered the patches to ISC), and plan to see what has changed
since we last upgraded the code. libisc is generally not
installed, and when it is, we usually only see the static libisc.a
file installed. Until we know for sure that the bugs we've found
and fixed are fixed upstream, we're better off with the copy we

Version 1 of libevent was the only production version available
until recently, and we've been requiring version 2 for a long time.
But if the build system has at least version 2 of libevent
installed, we'll use the version that is installed on the system.
Otherwise, we provide a copy of libevent that we know works.

libopts is provided by GNU AutoGen, and that library and package
undergoes frequent API version updates. The version of autogen
used to generate the tables for the code must match the API
version in libopts. AutoGen can be ... difficult to build and
install, and very few developers really need it. So we have it
on our build and development machines, and we provide the
specific version of the libopts code in the distribution to make
sure that the proper API version of libopts is available.

As for the point about there being code in these libraries that
NTP doesn't use, OK. But other packages used these libraries as
well, and it is reasonable to assume that other people are paying
attention to security and code quality issues for the overall
libraries. It takes significant resources to analyze and
customize these libraries to only include what we need, and to
date we believe the cost of this effort does not justify the benefit.

This issue was discovered by Cure53.
* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
Date Resolved: 21 Mar 2017
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N

There is a fencepost error in a "recovery branch" of the code for
the Oncore GPS receiver if the communication link to the ONCORE
is weak / distorted and the decoding doesn't work.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Cure53.
* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3379 / CVE-2017-6458 / VU#325339
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

ntpd makes use of different wrappers around ctl_putdata() to
create name/value ntpq (mode 6) response strings. For example,
ctl_putstr() is usually used to send string data (variable names
or string data). The formatting code was missing a length check
for variable names. If somebody explicitly created any unusually
long variable names in ntpd (longer than 200-512 bytes, depending
on the type of variable), then if any of these variables are
added to the response list it would overflow a buffer.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you don't want to upgrade, then don't setvar variable names
longer than 200-512 bytes in your ntp.conf file.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Cure53.
* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
Date Resolved: 21 Mar 2017
References: Sec 3378 / CVE-2017-6451 / VU#325339
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

The legacy MX4200 refclock is only built if it is specifically
enabled, and furthermore additional code changes are required to
compile and use it. But it uses the libc functions snprintf()
and vsnprintf() incorrectly, which can lead to an out-of-bounds
memory write due to an improper handling of the return value of
snprintf()/vsnprintf(). Since the return value is used as an
iterator and it can be larger than the buffer's size, it is
possible for the iterator to point somewhere outside of the
allocated buffer space. This results in an out-of-bound memory
write. This behavior can be leveraged to overwrite a saved
instruction pointer on the stack and gain control over the
execution flow. During testing it was not possible to identify
any malicious usage for this vulnerability. Specifically, no
way for an attacker to exploit this vulnerability was ultimately
unveiled. However, it has the potential to be exploited, so the
code should be fixed.

Mitigation, if you have a Magnavox MX4200 refclock:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Cure53.
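NTP-01-008 (strcat() onto a smaller stack buffer) and NTP-01-003 (advancing a cursor by snprintf()'s return value) are the same defect seen from two sides: the write position into a fixed buffer is allowed to move past the buffer's end. The following added example (not NTP or installer code) shows the snprintf() return-value trap in isolation and a bounded append helper that rolls a truncated write back, used to do the kind of path join the installer does with strcat(). The buffer sizes, strings and the registry-path shape in main() are constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at *pos within buf[cap].  On success advance *pos
   and return 1.  If the text does not fit, discard it, leave *pos where it
   was, keep buf NUL-terminated and return 0. */
int buf_appendf(char *buf, size_t cap, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0 || *pos >= cap)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    /* vsnprintf() returns the length the text WOULD have had, so a value of
       cap - *pos or more means it was truncated: roll the partial write back. */
    if (n < 0 || (size_t)n >= cap - *pos) {
        buf[*pos] = '\0';
        return 0;
    }
    *pos += (size_t)n;
    return 1;
}

/* The NTP-01-003 pattern: advancing by snprintf()'s return value unchecked.
   This only reports where the cursor lands; a caller that then writes
   through buf + cursor writes past the end whenever the result exceeds cap. */
size_t cursor_unchecked(char *buf, size_t cap, const char *text)
{
    size_t cursor = 0;
    int n = snprintf(buf, cap, "%s", text);

    if (n > 0)
        cursor += (size_t)n;      /* n is the full length, not the bytes stored */
    return cursor;
}

/* The NTP-01-008 situation: joining a base path and a leaf into a fixed
   buffer.  Done with bounded appends; returns 1 on success, 0 if it does
   not fit (the buffer then holds only the part that did fit). */
int build_registry_path(char *out, size_t cap, const char *base, const char *leaf)
{
    size_t pos = 0;

    return buf_appendf(out, cap, &pos, "%s", base)
        && buf_appendf(out, cap, &pos, "\\%s", leaf);
}

int main(void)
{
    char small[16];
    /* constructed: a 20-byte string aimed at a 16-byte buffer */
    const char *long_text = "0123456789ABCDEFGHIJ";

    printf("unchecked cursor lands at %zu, buffer holds %zu\n",
           cursor_unchecked(small, sizeof small, long_text), sizeof small);
    printf("bounded join: %s -> \"%s\"\n",
           build_registry_path(small, sizeof small, "Services", "ntpd") ? "ok" : "rejected",
           small);
    printf("bounded join: %s -> \"%s\"\n",
           build_registry_path(small, sizeof small, "Services", "a-much-longer-name") ? "ok" : "rejected",
           small);
    return 0;
}
```

The advisory's note that the OS limits the application path to 256 bytes is exactly the kind of external assumption buf_appendf() removes: the check is made against the buffer that is actually being written, not against what a caller is believed to pass.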
* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
malicious ntpd (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3377 / CVE-2017-6460 / VU#325339
Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

A stack buffer overflow in ntpq can be triggered by a malicious
ntpd server when ntpq requests the restriction list from the server.
This is due to a missing length check in the reslist() function.
It occurs whenever the function parses the server's response and
encounters a flagstr variable of an excessive length. The string
will be copied into a fixed-size buffer, leading to an overflow on
the function's stack frame. Note well that this problem requires
a malicious server, and affects ntpq, not ntpd.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you can't upgrade your version of ntpq and you want to know
the reslist of an instance of ntpd that you do not control, be
aware that a malicious target ntpd can send back a response
intended to crash your ntpq process.

This weakness was discovered by Cure53.
* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
Date Resolved: 21 Mar 2017
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.

The build process for NTP has not, by default, provided compile
or link flags to offer "hardened" security options. Package
maintainers have always been able to provide hardening security
flags for their builds. As of ntp-4.2.8p10, the NTP build
system has a way to provide OS-specific hardening flags. Please
note that this is still not a really great solution because it
is specific to NTP builds. It's inefficient to have every
package supply, track and maintain this information for every
target build. It would be much better if there was a common way
for OSes to provide this information in a way that arbitrary
packages could benefit from it.

Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was reported by Cure53.
* 0rigin DoS (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3361 / CVE-2016-9042 / VU#325339
Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)

An exploitable denial of service vulnerability exists in the
origin timestamp check functionality of ntpd 4.2.8p9. A specially
crafted unauthenticated network packet can be used to reset the
expected origin timestamp for target peers. Legitimate replies
from targeted peers will fail the origin timestamp check (TEST2)
causing the reply to be dropped and creating a denial of service
condition. This vulnerability can only be exploited if the
attacker can spoof all of the servers.

Mitigation:
Configure enough servers/peers that an attacker cannot target
all of your time sources.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.

This weakness was discovered by Matthew Van Gundy of Cisco.
* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
- rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
- original patch by Majdi S. Abbas
* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
- initial patch by Christos Zoulas
* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
- move loader API from 'inline' to proper source
- augment pathless dlls with absolute path to NTPD
- use 'msyslog()' instead of 'printf()' for reporting trouble
* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
- applied patch by Matthew Van Gundy
* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
- applied some of the patches provided by Havard. Not all of them
still match the current code base, and I did not touch libopt.
* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
- applied patch by Reinhard Max. See bugzilla for limitations.
* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
- fixed dependency inversion from [Bug 2837]
* [Bug 2896] Nothing happens if minsane < maxclock < minclock
- produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
- applied patch by Miroslav Lichvar for ntp4.2.6 compat
* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
- Fixed these and some more locations of this pattern.
Probably didn't get them all, though. <perlinger@ntp.org>
* Update copyright year.

(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
- added missed changeset for automatic openssl lib detection
- fixed some minor warning issues
* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
* configure.ac cleanup. stenn@ntp.org
* openssl configure cleanup. stenn@ntp.org
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3119 / CVE-2016-9311 / VU#633847
Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

ntpd does not enable trap service by default. If trap service
has been explicitly enabled, an attacker can send a specially
crafted packet to cause a null pointer dereference that will
crash ntpd, resulting in a denial of service.

Mitigation:
Use "restrict default noquery ..." in your ntp.conf file. Only
allow mode 6 queries from trusted networks and hosts.
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
* Mode 6 information disclosure and DDoS vector
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3118 / CVE-2016-9310 / VU#633847
Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

An exploitable configuration modification vulnerability exists
in the control mode (mode 6) functionality of ntpd. If, against
long-standing BCP recommendations, "restrict default noquery ..."
is not specified, a specially crafted control mode packet can set
ntpd traps, providing information disclosure and DDoS
amplification, and unset ntpd traps, disabling legitimate
monitoring. A remote, unauthenticated, network attacker can
trigger this vulnerability.

Mitigation:
Use "restrict default noquery ..." in your ntp.conf file.
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
* Broadcast Mode Replay Prevention DoS
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3114 / CVE-2016-7427 / VU#633847
Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
ntp-4.3.90 up to, but not including ntp-4.3.94.
CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

The broadcast mode of NTP is expected to only be used in a
trusted network. If the broadcast network is accessible to an
attacker, a potentially exploitable denial of service
vulnerability in ntpd's broadcast mode replay prevention
functionality can be abused. An attacker with access to the NTP
broadcast domain can periodically inject specially crafted
broadcast mode NTP packets into the broadcast domain which,
while being logged by ntpd, can cause ntpd to reject broadcast
mode packets from legitimate NTP broadcast servers.

Mitigation:
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
* Broadcast Mode Poll Interval Enforcement DoS
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3113 / CVE-2016-7428 / VU#633847
Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
ntp-4.3.90 up to, but not including ntp-4.3.94
CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

The broadcast mode of NTP is expected to only be used in a
trusted network. If the broadcast network is accessible to an
attacker, a potentially exploitable denial of service
vulnerability in ntpd's broadcast mode poll interval enforcement
functionality can be abused. To limit abuse, ntpd restricts the
rate at which each broadcast association will process incoming
packets. ntpd will reject broadcast mode packets that arrive
before the poll interval specified in the preceding broadcast
packet expires. An attacker with access to the NTP broadcast
domain can send specially crafted broadcast mode NTP packets to
the broadcast domain which, while being logged by ntpd, will
cause ntpd to reject broadcast mode packets from legitimate NTP

Mitigation:
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
* Windows: ntpd DoS by oversized UDP packet
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3110 / CVE-2016-9312 / VU#633847
Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
and ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

If a vulnerable instance of ntpd on Windows receives a crafted
malicious packet that is "too big", ntpd will stop working.

Mitigation:
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Robert Pajak of ABB.
* 0rigin (zero origin) issues
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3102 / CVE-2016-7431 / VU#633847
Affects: ntp-4.2.8p8, and ntp-4.3.93.
CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Zero Origin timestamp problems were fixed by Bug 2945 in
ntp-4.2.8p6. However, subsequent timestamp validation checks
introduced a regression in the handling of some Zero origin

Mitigation:
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Sharon Goldberg and Aanchal
Malhotra of Boston University.
* read_mru_list() does inadequate incoming packet checks
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3082 / CVE-2016-7434 / VU#633847
Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

If ntpd is configured to allow mrulist query requests from a
server that sends a crafted malicious packet, ntpd will crash
on receipt of that crafted malicious mrulist query packet.

Mitigation:
Only allow mrulist query packets from trusted hosts.
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Magnus Stubman.
* Attack on interface selection
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3072 / CVE-2016-7429 / VU#633847
Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
ntp-4.3.0 up to, but not including ntp-4.3.94
CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

When ntpd receives a server response on a socket that corresponds
to a different interface than was used for the request, the peer
structure is updated to use the interface for new requests. If
ntpd is running on a host with multiple interfaces in separate
networks and the operating system doesn't check the source address
in received packets (e.g. rp_filter on Linux is set to 0), an
attacker who knows the address of the source can send a packet
with a spoofed source address which will cause ntpd to select the
wrong interface for the source and prevent it from sending new
requests until the list of interfaces is refreshed, which happens
on routing changes or every 5 minutes by default. If the attack is
repeated often enough (once per second), ntpd will not be able to
synchronize with the source.

Mitigation:
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are going to configure your OS to disable source address
checks, also configure your firewall configuration to control
what interfaces can receive packets from what networks.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
* Client rate limiting and server responses
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3071 / CVE-2016-7426 / VU#633847
Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
ntp-4.3.0 up to, but not including ntp-4.3.94
CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

When ntpd is configured with rate limiting for all associations
(restrict default limited in ntp.conf), the limits are applied
also to responses received from its configured sources. An
attacker who knows the sources (e.g., from an IPv4 refid in
server response) and knows the system is (mis)configured in this
way can periodically send packets with spoofed source address to
keep the rate limiting activated and prevent ntpd from accepting
valid responses from its sources.

While this blanket rate limiting can be useful to prevent
brute-force attacks on the origin timestamp, it allows this DoS
attack. Similarly, it allows the attacker to prevent mobilization
of ephemeral associations.

Mitigation:
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
References: Sec 3067 / CVE-2016-7433 / VU#633847
Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
ntp-4.3.0 up to, but not including ntp-4.3.94. But the
root-distance calculation in general is incorrect in all versions
of ntp-4 until this release.
CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
Bug 2085 described a condition where the root delay was included
twice, causing the jitter value to be higher than expected. Due
to a misinterpretation of a small-print variable in The Book, the
fix for this problem was incorrect, resulting in a root distance
that did not include the peer dispersion. The calculations and
formulae have been reviewed and reconciled, and the code has been
Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered independently by Brian Utterback of
Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
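
The root-distance expression the entry above refers to, as an added example that is not ntpd's code: it implements the formula from RFC 5905 (the root_dist() routine of the RFC's reference implementation) beside a variant that omits the peer dispersion term, and ranks two constructed candidate sources with each. The peer statistics are constructed values; MINDISP and PHI are the RFC's constants. Nothing here is the project's corrected code.

```c
/* Added example (not ntpd code): RFC 5905 root distance, with and without
 * the peer dispersion term, applied to two constructed candidate peers. */
#include <stdio.h>

#define MINDISP 0.01   /* minimum dispersion increment, seconds (RFC 5905) */
#define PHI     15e-6  /* frequency tolerance, s/s (RFC 5905) */

struct peer_stats {
    double rootdelay;  /* root delay advertised by the server */
    double rootdisp;   /* root dispersion advertised by the server */
    double delay;      /* round-trip delay measured to this peer */
    double disp;       /* peer dispersion from the clock filter */
    double jitter;     /* peer jitter */
    double age;        /* seconds since the peer's last update */
};

static double dmax(double a, double b) { return a > b ? a : b; }

/* Root distance as RFC 5905's root_dist() defines it. */
double root_distance(const struct peer_stats *p)
{
    return dmax(MINDISP, p->rootdelay + p->delay) / 2
         + p->rootdisp + p->disp + PHI * p->age + p->jitter;
}

/* The same expression with the peer dispersion term dropped, which is the
 * effect the entry above attributes to the earlier bug 2085 fix. */
double root_distance_missing_disp(const struct peer_stats *p)
{
    return dmax(MINDISP, p->rootdelay + p->delay) / 2
         + p->rootdisp + PHI * p->age + p->jitter;
}

/* Two constructed candidates. A is a steady source with a full clock
 * filter; B has slightly lower delay but only a couple of samples so far,
 * so its dispersion is still large. All values in seconds. */
const struct peer_stats peer_a = { 0.010, 0.005, 0.020, 0.002, 0.001, 64 };
const struct peer_stats peer_b = { 0.008, 0.004, 0.016, 0.150, 0.001, 64 };

/* 'A' or 'B': the peer the given distance function ranks as closer.
 * Smaller root distance is preferred when selecting the system peer. */
char closer_peer(double (*dist)(const struct peer_stats *))
{
    return dist(&peer_a) <= dist(&peer_b) ? 'A' : 'B';
}

int main(void)
{
    printf("RFC 5905 formula:    A=%.5f B=%.5f -> prefers %c\n",
           root_distance(&peer_a), root_distance(&peer_b),
           closer_peer(root_distance));
    printf("missing dispersion:  A=%.5f B=%.5f -> prefers %c\n",
           root_distance_missing_disp(&peer_a),
           root_distance_missing_disp(&peer_b),
           closer_peer(root_distance_missing_disp));
    return 0;
}
```

With the dispersion term present, B's distance is about 0.168 s against A's 0.024 s; without it, B drops to about 0.018 s and would be chosen over A, which is how an under-sampled source can win the selection when the formula is wrong.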

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3046 / CVE-2016-4957 / VU#321640
Affects: ntp-4.2.8p7, and ntp-4.3.92.
CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
could cause ntpd to crash.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you cannot upgrade from 4.2.8p7, the only other alternatives
are to patch your code or filter CRYPTO_NAK packets.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3045 / CVE-2016-4953 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: An attacker who knows the origin timestamp and can send a
spoofed packet containing a CRYPTO-NAK to an ephemeral peer
target before any other response is sent can demobilize that
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3044 / CVE-2016-4954 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: An attacker who is able to spoof packets with correct origin
timestamps from enough servers before the expected response
packets arrive at the target machine can affect some peer
variables and, for example, cause a false leap indication to be set.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3043 / CVE-2016-4955 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: An attacker who is able to spoof a packet with a correct
origin timestamp before the expected response packet arrives at
the target machine can send a CRYPTO_NAK or a bad MAC and cause
the association's peer variables to be cleared. If this can be
done often enough, it will prevent that association from working.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3042 / CVE-2016-4956 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: The fix for NtpBug2978 does not cover broadcast associations,
so broadcast clients can be triggered to flip into interleave mode.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the Allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past; it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2879 / CVE-2016-1550
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary: Packet authentication tests have been performed using
memcmp() or possibly bcmp(), and it is potentially possible
for a local or perhaps LAN-based attacker to send a packet with
an authentication payload and indirectly observe how much of
the digest has matched.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances.
Credit: This weakness was discovered independently by Loganaden
Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
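
What a memcmp()-style digest check gives away and how a constant-time comparison avoids it, as an added example rather than code from ntpd or from the Sec 2879 patch: an early-exit comparison reports how many bytes it read before stopping, which is the quantity response timing exposes, while the constant-time version always reads the whole digest and decides at the end. The two 16-byte digests are constructed values.

```c
/* Added example (not ntpd code): early-exit vs constant-time MAC comparison. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIGEST_LEN 16  /* an MD5-sized MAC digest, the common NTP case */

/* Early-exit comparison, the behaviour memcmp()/bcmp() are free to have.
 * Returns 1 on match. *examined receives how many bytes were read before
 * the function stopped: that count is what timing leaks to the sender. */
int mac_equal_early_exit(const uint8_t *expected, const uint8_t *received,
                         size_t n, size_t *examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (expected[i] != received[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: OR together the XOR of every byte pair and
 * decide only at the end. The work done does not depend on where the
 * first mismatch is, so *examined is always n. 'volatile' keeps the
 * compiler from turning the loop back into an early exit. */
int mac_equal_ct(const uint8_t *expected, const uint8_t *received,
                 size_t n, size_t *examined)
{
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= expected[i] ^ received[i];
    *examined = n;
    return diff == 0;
}

/* Constructed digests: the forged MAC matches the first five bytes of
 * the genuine one and then diverges. */
const uint8_t genuine_mac[DIGEST_LEN] = {
    0x5d, 0x41, 0x40, 0x2a, 0xbc, 0x4b, 0x2a, 0x76,
    0xb9, 0x71, 0x9d, 0x91, 0x10, 0x17, 0xc5, 0x92 };
const uint8_t forged_mac[DIGEST_LEN] = {
    0x5d, 0x41, 0x40, 0x2a, 0xbc, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* How many bytes the early-exit compare reads on the forged MAC: one past
 * the matching prefix, which tells the sender how long that prefix is. */
size_t leaked_prefix_length(void)
{
    size_t examined = 0;
    (void)mac_equal_early_exit(genuine_mac, forged_mac, DIGEST_LEN, &examined);
    return examined;
}

/* 1 if the constant-time compare rejects the forgery only after reading
 * all DIGEST_LEN bytes. */
int ct_rejects_forgery_without_leak(void)
{
    size_t examined = 0;
    int match = mac_equal_ct(genuine_mac, forged_mac, DIGEST_LEN, &examined);
    return match == 0 && examined == DIGEST_LEN;
}

/* 1 if the constant-time compare still accepts the genuine digest. */
int ct_accepts_genuine(void)
{
    size_t examined = 0;
    return mac_equal_ct(genuine_mac, genuine_mac, DIGEST_LEN, &examined) == 1;
}

int main(void)
{
    printf("early-exit compare read %zu of %d bytes of the forged MAC\n",
           leaked_prefix_length(), DIGEST_LEN);
    printf("constant-time compare: rejects forgery=%d, accepts genuine=%d\n",
           ct_rejects_forgery_without_leak(), ct_accepts_genuine());
    return 0;
}
```

The byte count stands in for elapsed time here because a unit test cannot measure nanoseconds reliably; on real hardware the early-exit variant's running time grows with the matched prefix in the same way, which is the signal the entry above describes.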

* Zero origin timestamp bypass: Additional KoD checks.
References: Sec 2945 / Sec 2901 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2952 / CVE-2015-7704
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
associations did not address all of the issues.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you can't upgrade, use "server" associations instead of
Monitor your ntpd instances.
Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3007 / CVE-2016-1547 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
off-path attacker can cause a preemptable client association to
be demobilized by sending a crypto NAK packet to a victim client
with a spoofed source address of an existing associated peer.
This is true even if authentication is enabled.

Furthermore, if the attacker keeps sending crypto NAK packets,
for example one every second, the victim never has a chance to
reestablish the association and synchronize time with that

For ntp-4.2.8 through ntp-4.2.8p6 there is less risk because more
stringent checks are performed on incoming packets, but there
are still ways to exploit this vulnerability in versions before
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Stephen Gray and
Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3008 / CVE-2016-2519
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: ntpq and ntpdc can be used to store and retrieve information
in ntpd. It is possible to store a data value that is larger
than the size of the buffer that the ctl_getitem() function of
ntpd uses to report the return value. If the length of the
requested data value returned by ctl_getitem() is too large,
the value NULL is returned instead. There are 2 cases where the
return value from ctl_getitem() was not directly checked to make
sure it's not NULL, but there are subsequent INSIST() checks
that make sure the return value is not NULL. There are no data
values ordinarily stored in ntpd that would exceed this buffer
length. But if one has permission to store values and one stores
a value that is "too large", then ntpd will abort if an attempt
is made to read that oversized value.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3009 / CVE-2016-2518 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
Summary: Using a crafted packet to create a peer association with
hmode > 7 causes the MATCH_ASSOC() lookup to make an
out-of-bounds reference.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3010 / CVE-2016-2517 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: If ntpd was expressly configured to allow for remote
configuration, a malicious user who knows the controlkey for
ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
can create a session with ntpd and then send a crafted packet to
ntpd that will change the value of the trustedkey, controlkey,
or requestkey to a value that will prevent any subsequent
authentication with ntpd until ntpd is restarted.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3011 / CVE-2016-2516 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: If ntpd was expressly configured to allow for remote
configuration, a malicious user who knows the controlkey for
ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
can create a session with ntpd and if an existing association is
unconfigured using the same IP twice on the unconfig directive
line, ntpd will abort.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* Refclock impersonation vulnerability
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3020 / CVE-2016-1551
Affects: On a very limited number of OSes, all NTP releases up to but
not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
By "very limited number of OSes" we mean no general-purpose OSes
have yet been identified that have this vulnerability.
CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary: While most OSes implement martian packet filtering in their
network stack, at least regarding 127.0.0.0/8, some will allow
packets claiming to be from 127.0.0.0/8 that arrive over a
physical network. On these OSes, if ntpd is configured to use a
reference clock an attacker can inject packets over the network
that look like they are coming from that reference clock.
Implement martian packet filtering and BCP-38.
Configure ntpd to use an adequate number of time sources.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you are unable to upgrade and if you are running an OS that
has this vulnerability, implement martian packet filters and
lobby your OS vendor to fix this problem, or run your
refclocks on computers that use OSes that are not vulnerable
to these attacks and have your vulnerable machines get their
time from protected resources.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Matt Street and others of
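
The source-address checks that two of the mitigations in this file rely on, as an added example in C that is neither ntpd nor kernel code: the reverse-path check the OS provides (what rp_filter does on Linux, referred to under Sec 3072 above, where a response arriving on the wrong interface makes ntpd switch interfaces) and the martian filtering of 127.0.0.0/8 that the Sec 3020 entry asks for. It models a host with a loopback and two physical interfaces, a small routing table, and a classifier that rejects loopback sources arriving over a physical interface and sources whose reverse path is a different interface from the one they arrived on. Interfaces, routes and addresses are constructed (RFC 5737 documentation prefixes); IPv4 only.

```c
/* Added example (not ntpd or kernel code): martian and strict reverse-path
 * filtering of inbound packets on a constructed multi-homed host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct iface { const char *name; int loopback; };

/* Constructed host: loopback plus two physical interfaces on separate
 * networks. The index into this array is the ifindex used below. */
const struct iface ifaces[] = {
    { "lo",   1 },
    { "eth0", 0 },   /* 192.0.2.10/24, carries the default route */
    { "eth1", 0 },   /* 198.51.100.10/24, management network */
};

struct route { uint32_t prefix; uint32_t mask; int ifindex; };

/* Constructed routing table. Masks are contiguous, so a numerically larger
 * mask is a longer prefix. */
#define NROUTES 4
const struct route routes[NROUTES] = {
    { 0x7f000000u, 0xff000000u, 0 },   /* 127.0.0.0/8     via lo   */
    { 0xc0000200u, 0xffffff00u, 1 },   /* 192.0.2.0/24    via eth0 */
    { 0xc6336400u, 0xffffff00u, 2 },   /* 198.51.100.0/24 via eth1 */
    { 0x00000000u, 0x00000000u, 1 },   /* default         via eth0 */
};

uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Longest-prefix match: the interface this host would send to 'dst'
 * through, or -1 if there is no route. */
int route_lookup(uint32_t dst)
{
    int best = -1;
    uint32_t best_mask = 0;
    size_t i;
    for (i = 0; i < NROUTES; i++) {
        if ((dst & routes[i].mask) != routes[i].prefix)
            continue;
        if (best < 0 || routes[i].mask > best_mask) {
            best = routes[i].ifindex;
            best_mask = routes[i].mask;
        }
    }
    return best;
}

enum verdict { SRC_OK = 0, SRC_BOGON, SRC_MARTIAN_LOOPBACK, SRC_WRONG_INTERFACE };

/* Source addresses that are never a plausible unicast NTP peer. */
int is_bogon_source(uint32_t src)
{
    if ((src & 0xff000000u) == 0x00000000u) return 1;  /* 0.0.0.0/8 */
    if ((src & 0xf0000000u) == 0xe0000000u) return 1;  /* 224.0.0.0/4 multicast */
    if ((src & 0xf0000000u) == 0xf0000000u) return 1;  /* 240.0.0.0/4, incl. broadcast */
    return 0;
}

/* Classify a packet by its source address and the interface it arrived on. */
enum verdict check_source(uint32_t src, int in_if)
{
    if (is_bogon_source(src))
        return SRC_BOGON;
    /* 127.0.0.0/8 is plausible only on the loopback interface itself. */
    if ((src & 0xff000000u) == 0x7f000000u)
        return ifaces[in_if].loopback ? SRC_OK : SRC_MARTIAN_LOOPBACK;
    /* Strict reverse-path check (what Linux rp_filter=1 does): the interface
     * a reply to 'src' would leave through must be the one it arrived on. */
    if (route_lookup(src) != in_if)
        return SRC_WRONG_INTERFACE;
    return SRC_OK;
}

const char *verdict_name(enum verdict v)
{
    switch (v) {
    case SRC_OK:               return "ok";
    case SRC_BOGON:            return "bogon source";
    case SRC_MARTIAN_LOOPBACK: return "127/8 over a physical interface";
    case SRC_WRONG_INTERFACE:  return "fails reverse-path check";
    }
    return "?";
}

int main(void)
{
    /* Constructed arrivals: (source address, arriving interface). */
    struct { uint32_t src; int in_if; } pkts[] = {
        { ip4(203, 0, 113, 5), 1 },   /* upstream server reply on eth0 */
        { ip4(203, 0, 113, 5), 2 },   /* same source, arriving on eth1 */
        { ip4(127, 0, 0, 1),   1 },   /* claims to be local, came over the wire */
        { ip4(127, 0, 0, 1),   0 },
    };
    size_t i;
    for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("src %u.%u.%u.%u on %s: %s\n",
               (unsigned)(pkts[i].src >> 24), (unsigned)(pkts[i].src >> 16) & 0xffu,
               (unsigned)(pkts[i].src >> 8) & 0xffu, (unsigned)pkts[i].src & 0xffu,
               ifaces[pkts[i].in_if].name,
               verdict_name(check_source(pkts[i].src, pkts[i].in_if)));
    return 0;
}
```

The second constructed arrival is the Sec 3072 situation: a packet claiming to be the upstream server but entering through the management interface is exactly what a strict reverse-path check drops before ntpd ever sees it, and the third is the loopback spoof the Sec 3020 entry describes.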

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
References: Sec 2936 / CVE-2015-7974
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2978 / CVE-2016-1548
Affects: All ntp-4 releases.
CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Summary: It is possible to change the time of an ntpd client or deny
service to an ntpd client by forcing it to change from basic
client/server mode to interleaved symmetric mode. An attacker
can spoof a packet from a legitimate ntpd server with an origin
timestamp that matches the peer->dst timestamp recorded for that
server. After making this switch, the client will reject all
future legitimate server responses. It is possible to force the
victim client to move time after the mode has been changed.
ntpq gives no indication that the mode has been switched.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page. These
versions will not dynamically "flip" into interleave mode
unless configured to do so.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3012 / CVE-2016-1549
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
the feature introduced in ntp-4.2.8p6 allowing an optional 4th
field in the ntp.keys file to specify which IPs can serve time,
a malicious authenticated peer can create arbitrarily-many
ephemeral associations in order to win the clock selection of
ntpd and modify a victim's clock.
Use the 4th field in the ntp.keys file to specify which IPs
can be time servers.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

    --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2548 / CVE-2015-8158
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
The loop's only stopping conditions are receiving a complete and
correct response or hitting a small number of error conditions.
If the packet contains incorrect values that don't trigger one of
the error conditions, the loop continues to receive new packets.
Note well, this is an attack against an instance of 'ntpq', not
'ntpd', and this attack requires the attacker to do one of the
    * Own a malicious NTP server that the client trusts
    * Prevent a legitimate NTP server from sending packets to
    * MITM the 'ntpq' communications between the 'ntpq' client
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2945 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
(3.7 - LOW if you score AC:L)
Summary: To distinguish legitimate peer responses from forgeries, a
client attempts to verify a response packet by ensuring that the
origin timestamp in the packet matches the origin timestamp it
transmitted in its last request. A logic error exists that
allows packets with an origin timestamp of zero to bypass this
check whenever there is not an outstanding request to the server.
Configure 'ntpd' to get time from multiple sources.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd' instances.
Credit: This weakness was discovered by Matthew Van Gundy and
Jonathan Gardner of Cisco ASIG.
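
A model of the origin-timestamp test described above, and of the crypto-NAK validation that the Sec 3007 entry ("Validate crypto-NAKs") in the 4.2.8p7 section calls for, written as an added example and not taken from ntpd: the vulnerable predicate compares the packet's origin with the last transmit timestamp, so a zero origin matches whenever no request is outstanding; the fixed predicate rejects a zero origin and rejects everything when nothing is outstanding, and the matched timestamp is cleared so a replay cannot match twice. A crypto-NAK is acted on only once the origin test passes. Structures, field names and timestamps are simplified constructions.

```c
/* Added example (not ntpd code): origin-timestamp validation of replies,
 * before and after the zero-origin fix, with crypto-NAK handling gated
 * on it. */
#include <stdint.h>
#include <stdio.h>

/* NTP 64-bit timestamp: seconds << 32 | fraction. Zero means "unset". */
typedef uint64_t l_fp;

struct assoc {
    l_fp xmt;        /* transmit timestamp of our outstanding request, 0 if none */
    int  reach;      /* reachability register; 0 means the association is down */
};

struct reply {
    l_fp org;        /* origin timestamp the server echoed back */
    int  crypto_nak; /* 1 if the packet carries a crypto-NAK instead of a MAC */
};

/* Before the fix: "does org equal our last xmt?"  With no request
 * outstanding xmt is 0, so a forged reply with org == 0 matches. */
int origin_ok_vulnerable(const struct assoc *a, const struct reply *r)
{
    return r->org == a->xmt;
}

/* After the fix: an origin of zero never matches, and nothing matches
 * while no request is outstanding. */
int origin_ok_fixed(const struct assoc *a, const struct reply *r)
{
    if (r->org == 0 || a->xmt == 0)
        return 0;
    return r->org == a->xmt;
}

/* Process one reply. Returns 1 if accepted, 0 if dropped as bogus. A
 * crypto-NAK that passes the origin test clears reachability (the
 * association is demobilized); one that fails it is simply dropped. The
 * matched xmt is cleared so a replay of the same reply cannot match. */
int process_reply(struct assoc *a, const struct reply *r,
                  int (*origin_ok)(const struct assoc *, const struct reply *))
{
    if (!origin_ok(a, r))
        return 0;
    a->xmt = 0;
    if (r->crypto_nak)
        a->reach = 0;
    return 1;
}

/* Scenario: no request outstanding; an off-path sender delivers a
 * crypto-NAK with origin timestamp zero under the server's address.
 * Returns the association's reach register afterwards. */
int reach_after_forged_nak(int (*origin_ok)(const struct assoc *, const struct reply *))
{
    struct assoc a = { 0, 0xff };
    struct reply forged = { 0, 1 };
    process_reply(&a, &forged, origin_ok);
    return a.reach;
}

/* Scenario: a genuine reply to an outstanding request. Returns 1 if it is
 * accepted and a replay of the same packet is then rejected. */
int genuine_reply_accepted_once(int (*origin_ok)(const struct assoc *, const struct reply *))
{
    struct assoc a = { 0xE3A1B2C400000000ULL, 0xff };   /* constructed xmt */
    struct reply good = { 0xE3A1B2C400000000ULL, 0 };
    int first = process_reply(&a, &good, origin_ok);
    int replay = process_reply(&a, &good, origin_ok);
    return first == 1 && replay == 0;
}

int main(void)
{
    printf("forged zero-origin crypto-NAK, vulnerable check: reach=0x%02x\n",
           reach_after_forged_nak(origin_ok_vulnerable));
    printf("forged zero-origin crypto-NAK, fixed check:      reach=0x%02x\n",
           reach_after_forged_nak(origin_ok_fixed));
    printf("genuine reply accepted once, replay rejected:    %d\n",
           genuine_reply_accepted_once(origin_ok_fixed));
    return 0;
}
```

Monitoring follows from the same model: a reply that fails the origin test is the "bogus" event ntpd counts, and the 4.2.8p7 notes above say such events are now logged rather than silently counted, so a steady stream of them from one source address is the signal to look for.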

* Stack exhaustion in recursive traversal of restriction list
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2940 / CVE-2015-7978
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by exhausting the call stack.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
    In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
    If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2942 / CVE-2015-7979
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
Summary: An off-path attacker can send broadcast packets with bad
authentication (wrong key, mismatched key, incorrect MAC, etc.)
to broadcast clients. It is observed that the broadcast client
tears down the association with the broadcast server upon
receiving just one bad packet.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd' instances.
If this sort of attack is an active problem for you, you have
deeper problems to investigate. In this case also consider
having smaller NTP broadcast domains.
Credit: This weakness was discovered by Aanchal Malhotra of Boston
1317 * reslist NULL pointer dereference
1318 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1319 References: Sec 2939 / CVE-2015-7977
1320 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1321 4.3.0 up to, but not including 4.3.90
1322 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1323 Summary: An unauthenticated 'ntpdc reslist' command can cause a
1324 segmentation fault in ntpd by causing a NULL pointer dereference.
1327 Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
1328 the NTP Public Services Project Download Page.
1329 If you are unable to upgrade:
1330 mode 7 is disabled by default. Don't enable it.
1331 If you must enable mode 7:
1332 configure the use of a 'requestkey' to control who can
1333 issue mode 7 requests.
1334 configure 'restrict noquery' to further limit mode 7
1335 requests to trusted sources.
1336 Monitor your ntpd instances.
1337 Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
1339 * 'ntpq saveconfig' command allows dangerous characters in filenames.
1340 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1341 References: Sec 2938 / CVE-2015-7976
1342 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1343 4.3.0 up to, but not including 4.3.90
1344 CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
1345 Summary: The ntpq saveconfig command does not do adequate filtering
1346 of special characters from the supplied filename.
1347 Note well: The ability to use the saveconfig command is controlled
1348 by the 'restrict nomodify' directive, and the recommended default
1349 configuration is to disable this capability. If the ability to
1350 execute a 'saveconfig' is required, it can easily (and should) be
1351 limited and restricted to a known small number of IP addresses.
1354 use 'restrict default nomodify' in your 'ntp.conf' file.
1355 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
1356 If you are unable to upgrade:
1357 build NTP with 'configure --disable-saveconfig' if you will
1358 never need this capability, or
1359 use 'restrict default nomodify' in your 'ntp.conf' file. Be
1360 careful about what IPs have the ability to send 'modify'
1362 Monitor your ntpd instances.
1363 'saveconfig' requests are logged to syslog - monitor your syslog files.
1364 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1366 * nextvar() missing length check in ntpq
1367 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1368 References: Sec 2937 / CVE-2015-7975
1369 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1370 4.3.0 up to, but not including 4.3.90
1371 CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
1372 If you score A:C, this becomes 4.0.
1373 CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
1374 Summary: ntpq may call nextvar() which executes a memcpy() into the
1375 name buffer without a proper length check against its maximum
1376 length of 256 bytes. Note well that we're talking about ntpq here.
1377 The usual worst-case effect of this vulnerability is that the
1378 specific instance of ntpq will crash and the person or process
1379 that did this will have stopped themselves.
1381 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1382 or the NTP Public Services Project Download Page.
1383 If you are unable to upgrade:
1384 If you have scripts that feed input to ntpq make sure there are
1385 some sanity checks on the input received from the "outside".
1386 This is potentially more dangerous if ntpq is run as root.
1387 Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
1389 * Skeleton Key: Any trusted key system can serve time
1390 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1391 References: Sec 2936 / CVE-2015-7974
1392 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1393 4.3.0 up to, but not including 4.3.90
1394 CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
1395 Summary: Symmetric key encryption uses a shared trusted key. The
1396 reported title for this issue was "Missing key check allows
1397 impersonation between authenticated peers" and the report claimed
1398 "A key specified only for one server should only work to
1399 authenticate that server, other trusted keys should be refused."
1400 Except there has never been any correlation between this trusted
1401 key and server v. clients machines and there has never been any
1402 way to specify a key only for one server. We have treated this as
1403 an enhancement request, and ntp-4.2.8p6 includes other checks and
1404 tests to strengthen clients against attacks coming from broadcast
1408 If this scenario represents a real or a potential issue for you,
1409 upgrade to 4.2.8p6, or later, from the NTP Project Download
1410 Page or the NTP Public Services Project Download Page, and
1411 use the new field in the ntp.keys file that specifies the list
1412 of IPs that are allowed to serve time. Note that this alone
1413 will not protect against time packets with forged source IP
1414 addresses, however other changes in ntp-4.2.8p6 provide
1415 significant mitigation against broadcast attacks. MITM attacks
1416 are a different story.
1417 If you are unable to upgrade:
1418 Don't use broadcast mode if you cannot monitor your client
1420 If you choose to use symmetric keys to authenticate time
1421 packets in a hostile environment where ephemeral time
1422 servers can be created, or if it is expected that malicious
1423 time servers will participate in an NTP broadcast domain,
1424 limit the number of systems that participate in the
1425 shared-key group.
1426 Monitor your ntpd instances.
1427 Credit: This weakness was discovered by Matt Street of Cisco ASIG.
1429 * Deja Vu: Replay attack on authenticated broadcast mode
1430 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1431 References: Sec 2935 / CVE-2015-7973
1432 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1433 4.3.0 up to, but not including 4.3.90
1434 CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
1435 Summary: If an NTP network is configured for broadcast operations then
1436 either a man-in-the-middle attacker or a malicious participant
1437 that has the same trusted keys as the victim can replay time packets.
1440 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1441 or the NTP Public Services Project Download Page.
1442 If you are unable to upgrade:
1443 Don't use broadcast mode if you cannot monitor your client servers.
1444 Monitor your ntpd instances.
1445 Credit: This weakness was discovered by Aanchal Malhotra of Boston
1450 * [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
1451 * [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
1452 - applied patch by shenpeng11@huawei.com with minor adjustments
1453 * [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
1454 * [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
1455 * [Bug 2892] Several test cases assume IPv6 capabilities even when
1456 IPv6 is disabled in the build. perlinger@ntp.org
1457 - Found this already fixed, but validation led to cleanup actions.
1458 * [Bug 2905] DNS lookups broken. perlinger@ntp.org
1459 - added limits to stack consumption, fixed some return code handling
1460 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1461 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1462 - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
1463 * [Bug 2980] reduce number of warnings. perlinger@ntp.org
1464 - integrated several patches from Havard Eidnes (he@uninett.no)
1465 * [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
1466 - implement 'auth_log2()' using integer bithack instead of float calculation
1467 * Make leapsec_query debug messages less verbose. Harlan Stenn.
1470 NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
1472 Focus: Security, Bug fixes, enhancements.
1476 In addition to bug fixes and enhancements, this release fixes the
1477 following medium-severity vulnerability:
1479 * Small-step/big-step. Close the panic gate earlier.
1480 References: Sec 2956, CVE-2015-5300
1481 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
1482 4.3.0 up to, but not including 4.3.78
1483 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
1484 Summary: If ntpd is always started with the -g option, which is
1485 common and against long-standing recommendation, and if at the
1486 moment ntpd is restarted an attacker can immediately respond to
1487 enough requests from enough sources trusted by the target, which
1488 is difficult and not common, there is a window of opportunity
1489 where the attacker can cause ntpd to set the time to an
1490 arbitrary value. Similarly, if an attacker is able to respond
1491 to enough requests from enough sources trusted by the target,
1492 the attacker can cause ntpd to abort and restart, at which
1493 point it can tell the target to set the time to an arbitrary
1494 value if and only if ntpd was re-started against long-standing
1495 recommendation with the -g flag, or if ntpd was not given the
1496 -g flag, the attacker can move the target system's time by at
1497 most 900 seconds' time per attack.
1499 Configure ntpd to get time from multiple sources.
1500 Upgrade to 4.2.8p5, or later, from the NTP Project Download
1501 Page or the NTP Public Services Project Download Page
1502 As we've long documented, only use the -g option to ntpd in
1503 cold-start situations.
1504 Monitor your ntpd instances.
1505 Credit: This weakness was discovered by Aanchal Malhotra,
1506 Isaac E. Cohen, and Sharon Goldberg at Boston University.
1508 NOTE WELL: The -g flag disables the limit check on the panic_gate
1509 in ntpd, which is 900 seconds by default. The bug identified by
1510 the researchers at Boston University is that the panic_gate
1511 check was only re-enabled after the first change to the system
1512 clock that was greater than 128 milliseconds, by default. The
1513 correct behavior is that the panic_gate check should be
1514 re-enabled after any initial time correction.
1516 If an attacker is able to inject consistent but erroneous time
1517 responses to your systems via the network or "over the air",
1518 perhaps by spoofing radio, cellphone, or navigation satellite
1519 transmissions, they are in a great position to affect your
1520 system's clock. There comes a point where your very best
1523 Configure ntpd to get time from multiple sources.
1524 Monitor your ntpd instances.
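A compact model of the panic gate behaviour the note above describes, written for this entry and not taken from ntpd: with -g the 900-second gate is lifted for the initial correction, and the 4.2.8p5 fix re-arms it after any initial correction instead of only after a step larger than 128 ms. The offset sequences are constructed, and the slew/step/panic outcomes are a simplification of ntpd's clock discipline.

```python
PANIC_GATE = 900.0       # seconds; ntpd's default panic threshold
STEP_THRESHOLD = 0.128   # seconds; offsets above this are stepped, below are slewed


class PanicGate:
    """Tracks whether the panic gate is armed, as the note above describes it."""

    def __init__(self, started_with_g, fixed=True):
        self.gate_disabled = started_with_g   # -g lifts the limit for the first correction
        self.fixed = fixed                    # True: 4.2.8p5 behaviour; False: the bug

    def apply(self, offset):
        """Apply one measured offset (seconds); return 'slew', 'step' or 'panic'."""
        magnitude = abs(offset)
        if magnitude > PANIC_GATE and not self.gate_disabled:
            return "panic"          # ntpd logs the offset and exits
        action = "step" if magnitude > STEP_THRESHOLD else "slew"
        if self.gate_disabled:
            # Bug: the gate was only re-armed after the first step, so a small
            # first correction left it open.  Fix: re-arm after any initial correction.
            if self.fixed or action == "step":
                self.gate_disabled = False
        return action


def simulate(offsets, started_with_g, fixed=True):
    """Feed a sequence of offsets to a fresh ntpd model; stop at the first panic."""
    gate = PanicGate(started_with_g, fixed)
    actions = []
    for off in offsets:
        action = gate.apply(off)
        actions.append(action)
        if action == "panic":
            break
    return actions


# Constructed sequence: a small first answer (50 ms), then an enormous one.
ATTACK = [0.050, 100_000.0]

if __name__ == "__main__":
    print("buggy, -g   :", simulate(ATTACK, started_with_g=True, fixed=False))
    print("fixed, -g   :", simulate(ATTACK, started_with_g=True, fixed=True))
    print("fixed, no -g:", simulate(ATTACK, started_with_g=False, fixed=True))
```

Without -g the model never accepts more than the 900-second gate in one correction, which is the "at most 900 seconds per attack" bound the summary gives.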
1528 * Coverity submission process updated from Coverity 5 to Coverity 7.
1529 The NTP codebase has been undergoing regular Coverity scans on an
1530 ongoing basis since 2006. As part of our recent upgrade from
1531 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
1532 the newly-written Unity test programs. These were fixed.
1533 * [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
1534 * [Bug 2887] stratum -1 config results as showing value 99
1535 - fudge stratum should only accept values [0..16]. perlinger@ntp.org
1536 * [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
1537 * [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
1538 * [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
1539 - applied patch by Christos Zoulas. perlinger@ntp.org
1540 * [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
1541 * [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
1542 - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
1543 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
1544 * [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
1545 - accept key file only if there are no parsing errors
1546 - fixed size_t/u_int format clash
1547 - fixed wrong use of 'strlcpy'
1548 * [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
1549 * [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
1550 - fixed several other warnings (cast-alignment, missing const, missing prototypes)
1551 - promote use of 'size_t' for values that express a size
1552 - use ptr-to-const for read-only arguments
1553 - make sure SOCKET values are not truncated (win32-specific)
1554 - format string fixes
1555 * [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
1556 * [Bug 2967] ntpdate command suffers an assertion failure
1557 - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
1558 * [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
1559 lots of clients. perlinger@ntp.org
1560 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1561 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1562 * Unity cleanup for FreeBSD-6.4. Harlan Stenn.
1563 * Unity test cleanup. Harlan Stenn.
1564 * Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
1565 * Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
1566 * Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
1567 * Quiet a warning from clang. Harlan Stenn.
1570 NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
1572 Focus: Security, Bug fixes, enhancements.
1576 In addition to bug fixes and enhancements, this release fixes the
1577 following 13 low- and medium-severity vulnerabilities:
1579 * Incomplete vallen (value length) checks in ntp_crypto.c, leading
1580 to potential crashes or potential code injection/information leakage.
1582 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
1583 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1584 and 4.3.0 up to, but not including 4.3.77
1585 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1586 Summary: The fix for CVE-2014-9750 was incomplete in that there were
1587 certain code paths where a packet with particular autokey operations
1588 that contained malicious data was not always being completely
1589 validated. Receipt of these packets can cause ntpd to crash.
1592 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1593 Page or the NTP Public Services Project Download Page
1594 Monitor your ntpd instances.
1595 Credit: This weakness was discovered by Tenable Network Security.
1597 * Clients that receive a KoD should validate the origin timestamp field.
1599 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1600 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1601 and 4.3.0 up to, but not including 4.3.77
1602 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
1603 Summary: An ntpd client that honors Kiss-of-Death responses will honor
1604 KoD messages that have been forged by an attacker, causing it to
1605 delay or stop querying its servers for time updates. Also, an
1606 attacker can forge packets that claim to be from the target and
1607 send them to servers often enough that a server that implements
1608 KoD rate limiting will send the target machine a KoD response to
1609 attempt to reduce the rate of incoming packets, or it may also
1610 trigger a firewall block at the server for packets from the target
1611 machine. For either of these attacks to succeed, the attacker must
1612 know what servers the target is communicating with. An attacker
1613 can be anywhere on the Internet and can frequently learn the
1614 identity of the target's time source by sending the target a
1618 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
1619 or the NTP Public Services Project Download Page
1620 If you can't upgrade, restrict who can query ntpd to learn who
1621 its servers are, and what IPs are allowed to ask your system
1622 for the time. This mitigation is heavy-handed.
1623 Monitor your ntpd instances.
1625 4.2.8p4 protects against the first attack. For the second attack,
1626 all we can do is warn when it is happening, which we do in 4.2.8p4.
1627 Credit: This weakness was discovered by Aanchal Malhotra,
1628 Isaac E. Cohen, and Sharon Goldberg of Boston University.
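As an added example, not code from the NTP project, the origin-timestamp check that 4.2.8p4 applies to Kiss-of-Death packets, in Python: a KoD is honored only when its origin timestamp echoes the transmit timestamp of the request the client still has outstanding, which a blind off-path forger does not know. The packet builder, field layout and sample timestamps are constructed for the example; the kiss codes are those of RFC 5905.

```python
import struct

# LI/VN/mode, stratum, poll, precision, root delay, root dispersion, refid,
# then reference/origin/receive/transmit timestamps: the 48-byte NTPv4 header.
NTP_HDR = "!BBbbII4sQQQQ"
MODE_SERVER = 4
KISS_CODES = {b"RATE", b"DENY", b"RSTR"}   # kiss-o'-death codes a client acts on


def build_ntp_packet(mode, stratum, refid, org_ts, xmt_ts):
    """Constructed NTPv4 header; timestamps are 64-bit NTP values (secs<<32 | frac)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack(NTP_HDR, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       0, org_ts, 0, xmt_ts)


def parse_ntp_packet(pkt):
    """Unpack the fields the KoD check needs; rejects truncated packets."""
    size = struct.calcsize(NTP_HDR)
    if len(pkt) < size:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_HDR, pkt[:size])
    return {"mode": f[0] & 0x7, "stratum": f[1], "refid": f[6],
            "org": f[8], "xmt": f[10]}


def classify_kod(pkt, outstanding_xmt, check_origin=True):
    """Decide whether a client should honor a received KoD.

    outstanding_xmt: transmit timestamp of the request still awaiting a reply,
                     or None when nothing is outstanding.
    check_origin:    False reproduces the pre-4.2.8p4 behaviour (honor any KoD).
    Returns (honor, reason)."""
    p = parse_ntp_packet(pkt)
    if p["mode"] != MODE_SERVER or p["stratum"] != 0 or p["refid"] not in KISS_CODES:
        return False, "not a KoD packet"
    if not check_origin:
        return True, "KoD honored without origin check (vulnerable)"
    if outstanding_xmt is None:
        return False, "no request outstanding, unsolicited reply dropped"
    if p["org"] != outstanding_xmt:
        return False, "origin timestamp mismatch, forged KoD dropped"
    return True, "origin matches outstanding request"


# Constructed scenario: the client sent a request at NTP time 0x5A4C0000.12345678.
CLIENT_XMT = (0x5A4C0000 << 32) | 0x12345678
SERVER_XMT = (0x5A4C0001 << 32)
LEGIT_KOD = build_ntp_packet(MODE_SERVER, 0, b"RATE", CLIENT_XMT, SERVER_XMT)
# An off-path forger knows the server address but not the client's transmit timestamp.
FORGED_KOD = build_ntp_packet(MODE_SERVER, 0, b"RATE", 0, SERVER_XMT)

if __name__ == "__main__":
    print("legit :", classify_kod(LEGIT_KOD, CLIENT_XMT))
    print("forged:", classify_kod(FORGED_KOD, CLIENT_XMT))
    print("forged, old client:", classify_kod(FORGED_KOD, CLIENT_XMT, check_origin=False))
```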
1630 * configuration directives to change "pidfile" and "driftfile" should
1631 only be allowed locally.
1633 References: Sec 2902 / CVE-2015-5196
1634 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1635 and 4.3.0 up to, but not including 4.3.77
1636 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
1637 Summary: If ntpd is configured to allow for remote configuration,
1638 and if the (possibly spoofed) source IP address is allowed to
1639 send remote configuration requests, and if the attacker knows
1640 the remote configuration password, it's possible for an attacker
1641 to use the "pidfile" or "driftfile" directives to potentially
1642 overwrite other files.
1645 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1646 Page or the NTP Public Services Project Download Page
1647 If you cannot upgrade, don't enable remote configuration.
1648 If you must enable remote configuration and cannot upgrade,
1649 remote configuration of NTF's ntpd requires:
1650 - an explicitly configured trustedkey, and you should also
1651 configure a controlkey.
1652 - access from a permitted IP. You choose the IPs.
1653 - authentication. Don't disable it. Practice secure key safety.
1654 Monitor your ntpd instances.
1655 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1657 * Slow memory leak in CRYPTO_ASSOC
1659 References: Sec 2909 / CVE-2015-7701
1660 Affects: All ntp-4 releases that use autokey up to, but not
1661 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1662 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
1664 Summary: If ntpd is configured to use autokey, then an attacker can
1665 send packets to ntpd that will, after several days of ongoing
1666 attack, cause it to run out of memory.
1669 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1670 Page or the NTP Public Services Project Download Page
1671 Monitor your ntpd instances.
1672 Credit: This weakness was discovered by Tenable Network Security.
1674 * mode 7 loop counter underrun
1676 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
1677 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1678 and 4.3.0 up to, but not including 4.3.77
1679 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1680 Summary: If ntpd is configured to enable mode 7 packets, and if the
1681 use of mode 7 packets is not properly protected through the use of
1682 the available mode 7 authentication and restriction mechanisms,
1683 and if the (possibly spoofed) source IP address is allowed to
1684 send mode 7 queries, then an attacker can send a crafted packet
1685 to ntpd that will cause it to crash.
1688 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1689 Page or the NTP Public Services Project Download Page.
1690 If you are unable to upgrade:
1691 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1692 If you must enable mode 7:
1693 configure the use of a requestkey to control who can issue
1695 configure restrict noquery to further limit mode 7 requests
1697 Monitor your ntpd instances.
1698 Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
1700 * memory corruption in password store
1702 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
1703 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1704 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
1705 Summary: If ntpd is configured to allow remote configuration, and if
1706 the (possibly spoofed) source IP address is allowed to send
1707 remote configuration requests, and if the attacker knows the
1708 remote configuration password or if ntpd was configured to
1709 disable authentication, then an attacker can send a set of
1710 packets to ntpd that may cause a crash or theoretically
1711 perform a code injection attack.
1714 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1715 Page or the NTP Public Services Project Download Page.
1716 If you are unable to upgrade, remote configuration of NTF's
1718 an explicitly configured "trusted" key. Only configure
1719 this if you need it.
1720 access from a permitted IP address. You choose the IPs.
1721 authentication. Don't disable it. Practice secure key safety.
1722 Monitor your ntpd instances.
1723 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1725 * Infinite loop if extended logging enabled and the logfile and
1726 keyfile are the same.
1728 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
1729 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1730 and 4.3.0 up to, but not including 4.3.77
1731 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1732 Summary: If ntpd is configured to allow remote configuration, and if
1733 the (possibly spoofed) source IP address is allowed to send
1734 remote configuration requests, and if the attacker knows the
1735 remote configuration password or if ntpd was configured to
1736 disable authentication, then an attacker can send a set of
1737 packets to ntpd that will cause it to crash and/or create a
1738 potentially huge log file. Specifically, the attacker could
1739 enable extended logging, point the key file at the log file,
1740 and cause what amounts to an infinite loop.
1743 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1744 Page or the NTP Public Services Project Download Page.
1745 If you are unable to upgrade, remote configuration of NTF's ntpd
1747 an explicitly configured "trusted" key. Only configure this
1749 access from a permitted IP address. You choose the IPs.
1750 authentication. Don't disable it. Practice secure key safety.
1751 Monitor your ntpd instances.
1752 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1754 * Potential path traversal vulnerability in the config file saving of
1757 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
1758 Affects: All ntp-4 releases running under VMS up to, but not
1759 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1760 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
1761 Summary: If ntpd is configured to allow remote configuration, and if
1762 the (possibly spoofed) IP address is allowed to send remote
1763 configuration requests, and if the attacker knows the remote
1764 configuration password or if ntpd was configured to disable
1765 authentication, then an attacker can send a set of packets to
1766 ntpd that may cause ntpd to overwrite files.
1769 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1770 Page or the NTP Public Services Project Download Page.
1771 If you are unable to upgrade, remote configuration of NTF's ntpd
1773 an explicitly configured "trusted" key. Only configure
1774 this if you need it.
1775 access from permitted IP addresses. You choose the IPs.
1776 authentication. Don't disable it. Practice secure key safety.
1777 Monitor your ntpd instances.
1778 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1780 * ntpq atoascii() potential memory corruption
1782 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
1783 Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
1784 and 4.3.0 up to, but not including 4.3.77
1785 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
1786 Summary: If an attacker can figure out the precise moment that ntpq
1787 is listening for data and the port number it is listening on or
1788 if the attacker can provide a malicious instance ntpd that
1789 victims will connect to then an attacker can send a set of
1790 crafted mode 6 response packets that, if received by ntpq,
1791 can cause ntpq to crash.
1794 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1795 Page or the NTP Public Services Project Download Page.
1796 If you are unable to upgrade and you run ntpq against a server
1797 and ntpq crashes, try again using raw mode. Build or get a
1798 patched ntpq and see if that fixes the problem. Report new
1799 bugs in ntpq or abusive servers appropriately.
1800 If you use ntpq in scripts, make sure ntpq does what you expect
1802 Credit: This weakness was discovered by Yves Younan and
1803 Aleksandar Nikolic of Cisco Talos.
1805 * Invalid length data provided by a custom refclock driver could cause
1808 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
1809 Affects: Potentially all ntp-4 releases running up to, but not
1810 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1811 that have custom refclocks
1812 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
1813 5.9 unusual worst case
1814 Summary: A negative value for the datalen parameter will overflow a
1815 data buffer. NTF's ntpd driver implementations always set this
1816 value to 0 and are therefore not vulnerable to this weakness.
1817 If you are running a custom refclock driver in ntpd and that
1818 driver supplies a negative value for datalen (no custom driver
1819 of even minimal competence would do this) then ntpd would
1820 overflow a data buffer. It is even hypothetically possible
1821 in this case that instead of simply crashing ntpd the attacker
1822 could effect a code injection attack.
1824 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1825 Page or the NTP Public Services Project Download Page.
1826 If you are unable to upgrade:
1827 If you are running custom refclock drivers, make sure
1828 the signed datalen value is either zero or positive.
1829 Monitor your ntpd instances.
1830 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1832 * Password Length Memory Corruption Vulnerability
1834 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
1835 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1836 4.3.0 up to, but not including 4.3.77
1837 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
1838 1.7 usual case, 6.8, worst case
1839 Summary: If ntpd is configured to allow remote configuration, and if
1840 the (possibly spoofed) source IP address is allowed to send
1841 remote configuration requests, and if the attacker knows the
1842 remote configuration password or if ntpd was (foolishly)
1843 configured to disable authentication, then an attacker can
1844 send a set of packets to ntpd that may cause it to crash,
1845 with the hypothetical possibility of a small code injection.
1848 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1849 Page or the NTP Public Services Project Download Page.
1850 If you are unable to upgrade, remote configuration of NTF's
1852 an explicitly configured "trusted" key. Only configure
1853 this if you need it.
1854 access from a permitted IP address. You choose the IPs.
1855 authentication. Don't disable it. Practice secure key safety.
1856 Monitor your ntpd instances.
1857 Credit: This weakness was discovered by Yves Younan and
1858 Aleksandar Nikolic of Cisco Talos.
1860 * decodenetnum() will ASSERT botch instead of returning FAIL on some
1863 References: Sec 2922 / CVE-2015-7855
1864 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1865 4.3.0 up to, but not including 4.3.77
1866 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1867 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
1868 an unusually long data value where a network address is expected,
1869 the decodenetnum() function will abort with an assertion failure
1870 instead of simply returning a failure condition.
1873 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1874 Page or the NTP Public Services Project Download Page.
1875 If you are unable to upgrade:
1876 mode 7 is disabled by default. Don't enable it.
1877 Use restrict noquery to limit who can send mode 6
1878 and mode 7 requests.
1879 Configure and use the controlkey and requestkey
1880 authentication directives to limit who can
1881 send mode 6 and mode 7 requests.
1882 Monitor your ntpd instances.
1883 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
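The "if you are unable to upgrade" mitigations repeated in the mode 6/7 and remote-configuration entries above (restrict default nomodify and noquery, leave mode 7 disabled, requestkey and controlkey backed by a trustedkey, never disable authentication) as an audit over an ntp.conf, written here as an added example and not part of the NTP distribution. Both sample configurations are constructed, the finding codes are this example's own, and the "enable mode7" and "disable auth" spellings are the ntp.conf directives as I know them.

```python
def audit_ntp_conf(text):
    """Audit ntp.conf text for the exposures the advisories above describe.
    Returns the list of finding codes in the order found (empty = nothing flagged)."""
    default_flags = None
    mode7_enabled = auth_disabled = False
    keys = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]   # address-family selectors
            if args and args[0] == "default":
                default_flags = set(args[1:])
        elif directive == "enable" and "mode7" in args:
            mode7_enabled = True
        elif directive == "disable" and "auth" in args:
            auth_disabled = True
        elif directive in ("requestkey", "controlkey", "trustedkey"):
            keys.add(directive)

    findings = []
    if default_flags is None:
        findings.append("NO_DEFAULT_RESTRICT")          # every source may query and modify
    else:
        if "nomodify" not in default_flags:
            findings.append("DEFAULT_ALLOWS_MODIFY")    # saveconfig, pidfile/driftfile reachable
        if "noquery" not in default_flags:
            findings.append("DEFAULT_ALLOWS_QUERY")     # mode 6/7 queries from anywhere
    if mode7_enabled:
        findings.append("MODE7_ENABLED")                # off by default in ntp-4.2.8
        if "requestkey" not in keys:
            findings.append("MODE7_WITHOUT_REQUESTKEY")
    if "controlkey" in keys and "trustedkey" not in keys:
        findings.append("CONTROLKEY_NOT_TRUSTED")       # controlkey must name a trusted key
    if auth_disabled:
        findings.append("AUTH_DISABLED")
    return findings


# Constructed example of a weak configuration.
WEAK_CONF = """\
server time.example.net
enable mode7          # turns mode 7 back on
disable auth          # no authentication of control/config requests
restrict default kod  # neither nomodify nor noquery
controlkey 1          # controlkey without a matching trustedkey
"""

# Constructed example following the mitigations in the advisories.
HARDENED_CONF = """\
server time.example.net
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
keys /etc/ntp.keys
trustedkey 1
controlkey 1
"""

if __name__ == "__main__":
    print("weak    :", audit_ntp_conf(WEAK_CONF))
    print("hardened:", audit_ntp_conf(HARDENED_CONF))
```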
1885 * NAK to the Future: Symmetric association authentication bypass via
1888 References: Sec 2941 / CVE-2015-7871
1889 Affects: All ntp-4 releases between 4.2.5p186 up to but not including
1890 4.2.8p4, and 4.3.0 up to but not including 4.3.77
1891 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
1892 Summary: Crypto-NAK packets can be used to cause ntpd to accept time
1893 from unauthenticated ephemeral symmetric peers by bypassing the
1894 authentication required to mobilize peer associations. This
1895 vulnerability appears to have been introduced in ntp-4.2.5p186
1896 when the code handling mobilization of new passive symmetric
1897 associations (lines 1103-1165) was refactored.
1900 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1901 Page or the NTP Public Services Project Download Page.
1902 If you are unable to upgrade:
1903 Apply the patch to the bottom of the "authentic" check
1904 block around line 1136 of ntp_proto.c.
1905 Monitor your ntpd instances.
1906 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1908 Backward-Incompatible changes:
1909 * [Bug 2817] Default on Linux is now "rlimit memlock -1".
1910 While the general default of 32M is still the case, under Linux
1911 the default value has been changed to -1 (do not lock ntpd into
1912 memory). A value of 0 means "lock ntpd into memory with whatever
1913 memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
1914 value in it, that value will continue to be used.
1916 * [Bug 2886] Misspelling: "outlyer" should be "outlier".
1917 If you've written a script that looks for this case in, say, the
1918 output of ntpq, you probably want to change your regex matches
1919 from 'outlyer' to 'outl[iy]er'.
1921 New features in this release:
1922 * 'rlimit memlock' now has finer-grained control. A value of -1 means
1923 "don't lock ntpd into memory". This is the default for Linux boxes.
1924 A value of 0 means "lock ntpd into memory" with no limits. Otherwise
1925 the value is the number of megabytes of memory to lock. The default
1928 * The old Google Test framework has been replaced with a new framework,
1929 based on http://www.throwtheswitch.org/unity/ .
1931 Bug Fixes and Improvements:
1932 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping
1933 privileges and limiting resources in NTPD removes the need to link
1934 forcefully against 'libgcc_s' which does not always work. J.Perlinger
1935 * [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
1936 * [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
1937 * [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
1938 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
1939 * [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
1940 * [Bug 2849] Systems with more than one default route may never
1941 synchronize. Brian Utterback. Note that this patch might need to
1942 be reverted once Bug 2043 has been fixed.
1943 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
1944 * [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
1945 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
1946 * [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
1947 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
1948 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
1949 be configured for the distribution targets. Harlan Stenn.
1950 * [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
1951 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
1952 * [Bug 2888] streamline calendar functions. perlinger@ntp.org
1953 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
1954 * [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
1955 * [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
1956 * [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
1957 * [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
1958 * libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
1959 * Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
1960 * tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
1961 * Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
1962 * On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
1963 * top_srcdir can change based on ntp v. sntp. Harlan Stenn.
1964 * sntp/tests/ function parameter list cleanup. Damir Tomić.
1965 * tests/libntp/ function parameter list cleanup. Damir Tomić.
1966 * tests/ntpd/ function parameter list cleanup. Damir Tomić.
1967 * sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
1968 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
1969 * tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
1970 * tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
1971 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1972 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
1973 formatting; first declaration, then code (C90); deleted unnecessary comments;
1974 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
1975 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
1976 fix formatting, cleanup. Tomasz Flendrich
1977 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
1979 * tests/libntp/statestr.c remove empty functions, remove unnecessary include,
1980 fix formatting. Tomasz Flendrich
1981 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
1982 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
1983 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
1985 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
1986 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
1987 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
1988 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
1989 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
1990 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
1991 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
1992 fixed formatting. Tomasz Flendrich
1993 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
1994 removed unnecessary comments, cleanup. Tomasz Flendrich
1995 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
1996 comments, cleanup. Tomasz Flendrich
1997 * tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
1999 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2000 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2001 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2003 * sntp/tests/kodDatabase.c added consts, deleted empty function,
2004 fixed formatting. Tomasz Flendrich
2005 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2006 * sntp/tests/packetHandling.c is now using proper Unity's assertions,
2007 fixed formatting, deleted unused variable. Tomasz Flendrich
2008 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2010 * sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2011 fixed formatting. Tomasz Flendrich
2012 * sntp/tests/utilities.c is now using proper Unity's assertions, changed
2013 the order of includes, fixed formatting, removed unnecessary comments.
2015 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2016 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2017 made one function do its job, deleted unnecessary prints, fixed formatting.
2019 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2020 * sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
2021 * sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
2022 * sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
2023 * sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
2024 * Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
2025 * Don't build sntp/libevent/sample/. Harlan Stenn.
2026 * tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
2027 * br-flock: --enable-local-libevent. Harlan Stenn.
2028 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2029 * scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
2030 * Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
2031 * Code cleanup. Harlan Stenn.
2032 * libntp/icom.c: Typo fix. Harlan Stenn.
2033 * util/ntptime.c: initialization nit. Harlan Stenn.
2034 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
2035 * Add std_unity_tests to various Makefile.am files. Harlan Stenn.
2036 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2038 * Changed progname to be const in many files - now it's consistent. Tomasz
2040 * Typo fix for GCC warning suppression. Harlan Stenn.
2041 * Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2042 * Added declarations to all Unity tests, and did minor fixes to them.
2043 Reduced the number of warnings by half. Damir Tomić.
2044 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2045 with the latest Unity updates from Mark. Damir Tomić.
2046 * Retire google test - phase I. Harlan Stenn.
2047 * Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
2048 * Update the NEWS file. Harlan Stenn.
2049 * Autoconf cleanup. Harlan Stenn.
2050 * Unit test dist cleanup. Harlan Stenn.
2051 * Cleanup various test Makefile.am files. Harlan Stenn.
2052 * Pthread autoconf macro cleanup. Harlan Stenn.
2053 * Fix progname definition in unity runner scripts. Harlan Stenn.
2054 * Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
2055 * Update the patch for bug 2817. Harlan Stenn.
2056 * More updates for bug 2817. Harlan Stenn.
2057 * Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
2058 * gcc on older HPUX may need +allowdups. Harlan Stenn.
2059 * Adding missing MCAST protection. Harlan Stenn.
2060 * Disable certain test programs on certain platforms. Harlan Stenn.
2061 * Implement --enable-problem-tests (on by default). Harlan Stenn.
2062 * build system tweaks. Harlan Stenn.
2065 NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2067 Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.
2073 * [Sec 2853] Crafted remote config packet can crash some versions of
2074 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2076 Under specific circumstances an attacker can send a crafted packet to
2077 cause a vulnerable ntpd instance to crash. This requires each of the
2078 following to be true:
2080 1) ntpd set up to allow remote configuration (not allowed by default), and
2081 2) knowledge of the configuration password, and
2082 3) access to a computer entrusted to perform remote configuration.
2084 This vulnerability is considered low-risk.
2086 New features in this release:
2088 Optional (disabled by default) support to have ntpd provide smeared
2089 leap second time. A specially built and configured ntpd will only
2090 offer smeared time in response to client packets. These response
2091 packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2092 of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2093 format. See README.leapsmear and http://bugs.ntp.org/2855 for more
2096 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2097 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
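An added illustration of the REFID encoding just described (example code written for this page, not the project's refidsmear code): the 24 bits of a.b.c are assumed to be a signed two's-complement 2:22 fixed-point value, so the representable smear runs from -2 s up to but not including +2 s. The rounding, the range check and the smear_refids() helper are this example's own choices.

```python
"""Encode/decode the 254.a.b.c leap-smear REFID (added example, not ntpd code).
Assumption: the 24 bits a.b.c hold a signed two's-complement fixed-point
value with 2 integer bits and 22 fraction bits, i.e. -2 s <= smear < +2 s."""

SMEAR_PREFIX = 254
FRAC_BITS = 22
ONE = 1 << FRAC_BITS          # fixed-point representation of 1.0 s
RAW_MASK = (1 << 24) - 1


def smear_to_refid(seconds: float) -> str:
    """Seconds of smear -> dotted-quad REFID as ntpq would print it."""
    if not -2.0 <= seconds < 2.0:
        raise ValueError("smear %r outside the 2:22 range [-2, 2)" % seconds)
    # round to the nearest 2^-22 s, clamp just below +2, keep 24 bits (two's complement)
    raw = min(round(seconds * ONE), 2 * ONE - 1) & RAW_MASK
    return "%d.%d.%d.%d" % (SMEAR_PREFIX, raw >> 16, (raw >> 8) & 0xFF, raw & 0xFF)


def refid_to_smear(refid: str):
    """Dotted-quad REFID -> seconds of smear, or None if not a smear REFID."""
    parts = refid.split(".")
    if len(parts) != 4:
        return None                       # e.g. ".GPS." or ".PPS."
    try:
        a, b, c, d = (int(p) for p in parts)
    except ValueError:
        return None
    if a != SMEAR_PREFIX or not all(0 <= x <= 255 for x in (b, c, d)):
        return None
    raw = (b << 16) | (c << 8) | d
    if raw & (1 << 23):                   # sign bit of the 24-bit field
        raw -= 1 << 24
    return raw / ONE


def smear_refids(peers: list) -> list:
    """From constructed (peer, refid) pairs, return the peers whose REFID says
    they are handing out smeared time: the check a client operator can run
    over 'ntpq -pn' output before trusting a server during a leap second."""
    found = []
    for peer, refid in peers:
        smear = refid_to_smear(refid)
        if smear is not None:
            found.append((peer, smear))
    return found


if __name__ == "__main__":
    for s in (0.0, 0.25, -1.0, 1.999):
        r = smear_to_refid(s)
        print("%+.6f s -> %s -> %+.6f s" % (s, r, refid_to_smear(r)))
```

A value of 254.192.0.0 therefore means the server is currently one full second behind the true time on its way through the smear; any non-smear REFID decodes to None.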
2099 We've imported the Unity test framework, and have begun converting
2100 the existing google-test items to this new framework. If you want
2101 to write new tests or change old ones, you'll need to have ruby
2102 installed. You don't need ruby to run the test suite.
2104 Bug Fixes and Improvements:
2106 * CID 739725: Fix a rare resource leak in libevent/listener.c.
2107 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2108 * CID 1296235: Fix refclock_jjy.c and correct the type in driver40-ja.html
2109 * CID 1269537: Clean up a line of dead code in getShmTime().
2110 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
2111 * [Bug 2590] autogen-5.18.5.
2112 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2114 * [Bug 2650] fix includefile processing.
2115 * [Bug 2745] ntpd -x steps clock on leap second
2116 Fixed an initial-value problem that caused misbehaviour in absence of
2117 any leapsecond information.
2118 Do leap second stepping only if the step adjustment is beyond the
2119 proper jump distance limit and step correction is allowed at all.
2120 * [Bug 2750] build for Win64
2121 Building the 32-bit loopback ppsapi needs a .def file.
2122 * [Bug 2776] Improve ntpq's 'help keytype'.
2123 * [Bug 2778] Implement "apeers" ntpq command to include associd.
2124 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
2125 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an
2126 interface is ignored as long as this flag is not set since the
2127 interface is not usable (e.g., no link).
2128 * [Bug 2794] Clean up kernel clock status reports.
2129 * [Bug 2800] refclock_true.c true_debug() can't open debug log because
2130 of incompatible open/fdopen parameters.
2131 * [Bug 2804] install-local-data assumes GNU 'find' semantics.
2132 * [Bug 2805] ntpd fails to join multicast group.
2133 * [Bug 2806] refclock_jjy.c supports the Telephone JJY.
2134 * [Bug 2808] GPSD_JSON driver enhancements, step 1.
2135 Fix crash during cleanup if GPS device not present and char device.
2136 Increase internal token buffer to parse all JSON data, even SKY.
2137 Defer logging of errors during driver init until the first unit is
2138 started, so the syslog is not cluttered when the driver is not used.
2139 Various improvements, see http://bugs.ntp.org/2808 for details.
2140 Changed libjsmn to a more recent version.
2141 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
2142 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
2143 * [Bug 2815] net-snmp before v5.4 has circular library dependencies.
2144 * [Bug 2821] Add a missing NTP_PRINTF and a missing const.
2145 * [Bug 2822] New leap column in sntp broke NTP::Util.pm.
2146 * [Bug 2824] Convert update-leap to perl. (also see 2769)
2147 * [Bug 2825] Quiet file installation in html/ .
2148 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
2149 NTPD transfers the current TAI (instead of an announcement) now.
2150 This might still need improvement.
2151 Update autokey data ASAP when 'sys_tai' changes.
2152 Fix unit test that was broken by changes for autokey update.
2153 Avoid potential signature length issue and use DPRINTF where possible
2155 * [Bug 2832] refclock_jjy.c supports the TDC-300.
2156 * [Bug 2834] Correct a broken html tag in html/refclock.html
2157 * [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
2158 robust, and require 2 consecutive timestamps to be consistent.
2159 * [Bug 2837] Allow a configurable DSCP value.
2160 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in
2161 * [Bug 2842] Glitch in ntp.conf.def documentation stanza.
2162 * [Bug 2842] Bug in mdoc2man.
2163 * [Bug 2843] make check fails on 4.3.36
2164 Fixed compiler warnings about numeric range overflow
2165 (The original topic was fixed in a byplay to bug#2830)
2166 * [Bug 2845] Harden memory allocation in ntpd.
2167 * [Bug 2852] 'make check' can't find unity.h. Hal Murray.
2168 * [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
2169 * [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
2170 * [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
2171 * [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
2172 * [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
2173 * [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
2174 * [Bug 2859] Improve raw DCF77 robustness decoding. Frank Kardel.
2175 * [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
2176 * html/drivers/driver22.html: typo fix. Harlan Stenn.
2177 * refidsmear test cleanup. Tomasz Flendrich.
2178 * refidsmear function support and tests. Harlan Stenn.
2179 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
2180 something that was only in the 4.2.6 sntp. Harlan Stenn.
2181 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
2183 * Modified tests/libntp/Makefile.am so it builds Unity framework tests.
2185 * Modified sntp/tests/Makefile.am so it builds Unity framework tests.
2187 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
2188 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
2189 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
2190 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2191 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
2192 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
2193 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
2195 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
2196 networking.c, keyFile.c, utilities.cpp, sntptest.h,
2197 fileHandlingTest.h. Damir Tomić
2198 * Initial support for experimental leap smear code. Harlan Stenn.
2199 * Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
2200 * Report select() debug messages at debug level 3 now.
2201 * sntp/scripts/genLocInfo: treat raspbian as debian.
2202 * Unity test framework fixes.
2203 ** Requires ruby for changes to tests.
2204 * Initial support for PACKAGE_VERSION tests.
2205 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
2206 * tests/bug-2803/Makefile.am must distribute bug-2803.h.
2207 * Add an assert to the ntpq ifstats code.
2208 * Clean up the RLIMIT_STACK code.
2209 * Improve the ntpq documentation around the controlkey keyid.
2211 * Windows port build cleanup.
2214 NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
2216 Focus: Security and Bug fixes, enhancements.
2220 In addition to bug fixes and enhancements, this release fixes the
2221 following medium-severity vulnerabilities involving private key
2224 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2226 References: Sec 2779 / CVE-2015-1798 / VU#374268
2227 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
2228 including ntp-4.2.8p2 where the installation uses symmetric keys
2229 to authenticate remote associations.
2230 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2231 Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2232 Summary: When ntpd is configured to use a symmetric key to authenticate
2233 a remote NTP server/peer, it checks if the NTP message
2234 authentication code (MAC) in received packets is valid, but not if
2235 there actually is any MAC included. Packets without a MAC are
2236 accepted as if they had a valid MAC. This allows a MITM attacker to
2237 send false packets that are accepted by the client/peer without
2238 having to know the symmetric key. The attacker needs to know the
2239 transmit timestamp of the client to match it in the forged reply
2240 and the false reply needs to reach the client before the genuine
2241 reply from the server. The attacker doesn't necessarily need to be
2242 relaying the packets between the client and the server.
2244 Authentication using autokey doesn't have this problem as there is
2245 a check that requires the key ID to be larger than NTP_MAXKEY,
2246 which fails for packets without a MAC.
2248 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2249 or the NTP Public Services Project Download Page
2250 Configure ntpd with enough time sources and monitor it properly.
2251 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2253 * [Sec 2781] Authentication doesn't protect symmetric associations against
2256 References: Sec 2781 / CVE-2015-1799 / VU#374268
2257 Affects: All NTP releases starting with at least xntp3.3wy up to but
2258 not including ntp-4.2.8p2 where the installation uses symmetric
2260 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2261 Note: the CVSS base Score for this issue could be 4.3 or lower, and
2262 it could be higher than 5.4.
2263 Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2264 Summary: An attacker knowing that NTP hosts A and B are peering with
2265 each other (symmetric association) can send a packet to host A
2266 with source address of B which will set the NTP state variables
2267 on A to the values sent by the attacker. Host A will then send
2268 on its next poll to B a packet with originate timestamp that
2269 doesn't match the transmit timestamp of B and the packet will
2270 be dropped. If the attacker does this periodically for both
2271 hosts, they won't be able to synchronize to each other. This is
2272 a known denial-of-service attack, described at
2273 https://www.eecis.udel.edu/~mills/onwire.html .
2275 According to the document the NTP authentication is supposed to
2276 protect symmetric associations against this attack, but that
2277 doesn't seem to be the case. The state variables are updated even
2278 when authentication fails and the peers are sending packets with
2279 originate timestamps that don't match the transmit timestamps on
2282 This seems to be a very old problem, dating back to at least
2283 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
2284 specifications, so other NTP implementations with support for
2285 symmetric associations and authentication may be vulnerable too.
2286 An update to the NTP RFC to correct this error is in-process.
2288 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2289 or the NTP Public Services Project Download Page
2290 Note that for users of autokey, this specific style of MITM attack
2291 is simply a long-known potential problem.
2292 Configure ntpd with appropriate time sources and monitor ntpd.
2293 Alert your staff if problems are detected.
2294 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
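The two symmetric-key problems described in Sec 2779 and Sec 2781 above, as an added Python model written for this page (it is not ntpd's code). It assumes the RFC 5905 symmetric-key MAC layout, a 4-byte key ID followed by MD5 over key || 48-byte header, plain integer timestamps, a constructed shared key, and no crypto-NAK handling; Host, receive() and simulate() are illustrative names. mac_ok_pre_p2() shows the Sec 2779 check, which only verifies a MAC that is present, and receive() with auth_before_state=False shows the Sec 2781 ordering, where the originate state is updated before authentication is known, so one spoofed unauthenticated packet makes the peer drop the next genuine poll on the originate-timestamp test.

```python
"""Model of the two 4.2.8p2 symmetric-key fixes (added example, not ntpd code).
Assumptions: RFC 5905 MAC layout keyid || MD5(key || header); integer
timestamps; a constructed shared key; no crypto-NAK handling."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

HEADER_LEN = 48           # NTPv4 header
MAC_LEN = 4 + 16          # key ID + MD5 digest


def build_header(org: int, xmt: int, mode: int = 1) -> bytes:
    """Pack a minimal NTPv4 header (mode 1 = symmetric active).
    Only the originate and transmit timestamps matter for this model."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    fixed = struct.pack("!BBbb", li_vn_mode, 2, 6, -20) + b"\x00" * 12
    return fixed + struct.pack("!QQQQ", 0, org, 0, xmt)   # ref, org, rec, xmt


def append_mac(header: bytes, keyid: int, key: bytes) -> bytes:
    """Symmetric-key MAC: keyid || MD5(key || header)."""
    return header + struct.pack("!I", keyid) + hashlib.md5(key + header).digest()


def split(packet: bytes):
    """Return (header, keyid, digest); keyid and digest are None without a MAC."""
    if len(packet) == HEADER_LEN:
        return packet, None, None
    if len(packet) == HEADER_LEN + MAC_LEN:
        (keyid,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
        return packet[:HEADER_LEN], keyid, packet[HEADER_LEN + 4:]
    raise ValueError("unsupported packet length %d" % len(packet))


def digest_matches(header, keyid, digest, expected_keyid, key) -> bool:
    expected = hashlib.md5(key + header).digest()
    return keyid == expected_keyid and hmac.compare_digest(digest, expected)


def mac_ok_pre_p2(packet, expected_keyid, key) -> bool:
    """Sec 2779 behaviour: only a MAC that is present gets checked."""
    header, keyid, digest = split(packet)
    if digest is None:
        return True                     # BUG: an absent MAC passes as valid
    return digest_matches(header, keyid, digest, expected_keyid, key)


def mac_ok_fixed(packet, expected_keyid, key) -> bool:
    """A keyed association requires a MAC, and the MAC must verify."""
    header, keyid, digest = split(packet)
    if digest is None:
        return False
    return digest_matches(header, keyid, digest, expected_keyid, key)


@dataclass
class Host:
    keyid: int
    key: bytes
    org: int = 0   # transmit timestamp last seen in a packet "from" the peer
    xmt: int = 0   # transmit timestamp of our own last packet to the peer


def receive(host: Host, packet: bytes, auth_before_state: bool) -> str:
    """Process one packet from the peer. auth_before_state=False reproduces
    the Sec 2781 ordering: org state is updated even when the MAC fails."""
    header, _, _ = split(packet)
    _, org, _, xmt = struct.unpack("!QQQQ", header[16:])
    authentic = mac_ok_fixed(packet, host.keyid, host.key)
    if auth_before_state and not authentic:
        return "dropped: authentication failed, state untouched"
    if org != host.xmt:
        verdict = "dropped: originate timestamp does not match our transmit"
    elif not authentic:
        verdict = "dropped: authentication failed"
    else:
        verdict = "accepted"
    host.org = xmt     # the state update the fix moves behind the auth check
    return verdict


def simulate(auth_before_state: bool) -> list:
    """Constructed round: B polls A, an attacker spoofs B towards A with no
    MAC, then A polls B. Returns the three verdicts in that order."""
    key = b"constructed-shared-key"
    a, b = Host(1, key), Host(1, key)
    log = []
    b.xmt = 100                                   # 1. genuine B -> A
    log.append(receive(a, append_mac(build_header(b.org, b.xmt), 1, key),
                       auth_before_state))
    spoof = build_header(org=0, xmt=999)          # 2. attacker -> A, no MAC
    log.append(receive(a, spoof, auth_before_state))
    a.xmt = 200                                   # 3. genuine A -> B
    log.append(receive(b, append_mac(build_header(a.org, a.xmt), 1, key),
                       auth_before_state))
    return log


if __name__ == "__main__":
    for label, flag in (("pre-4.2.8p2", False), ("fixed", True)):
        print(label, simulate(flag))
```

With the pre-4.2.8p2 ordering the third verdict is a drop: A's genuine poll carries the attacker's transmit timestamp as its originate, so B rejects it, and repeating the spoof each poll interval keeps the peers apart. With the authentication check ahead of the state update the spoofed packet changes nothing and the exchange survives.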
2296 * New script: update-leap
2297 The update-leap script will verify and if necessary, update the
2298 leap-second definition file.
2299 It requires the following commands in order to work:
2301 wget logger tr sed shasum
2303 Some may choose to run this from cron. It needs more portability testing.
2305 Bug Fixes and Improvements:
2307 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
2308 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
2309 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
2310 * [Bug 2728] See if C99-style structure initialization works.
2311 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
2312 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
2313 * [Bug 2751] jitter.h has stale copies of l_fp macros.
2314 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
2315 * [Bug 2757] Quiet compiler warnings.
2316 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
2317 * [Bug 2763] Allow different thresholds for forward and backward steps.
2318 * [Bug 2766] ntp-keygen output files should not be world-readable.
2319 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
2320 * [Bug 2771] nonvolatile value is documented in wrong units.
2321 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
2322 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
2323 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
2324 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
2325 Removed non-ASCII characters from some copyright comments.
2326 Removed trailing whitespace.
2327 Updated definitions for Meinberg clocks from current Meinberg header files.
2328 Now use C99 fixed-width types and avoid non-ASCII characters in comments.
2329 Account for updated definitions pulled from Meinberg header files.
2330 Updated comments on Meinberg GPS receivers which are not only called GPS16x.
2331 Replaced some constant numbers by defines from ntp_calendar.h
2332 Modified creation of parse-specific variables for Meinberg devices
2333 in gps16x_message().
2334 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
2335 Modified mbg_tm_str() which now expects an additional parameter controlling
2336 if the time status shall be printed.
2337 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2338 * [Sec 2781] Authentication doesn't protect symmetric associations against
2340 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
2341 * [Bug 2789] Quiet compiler warnings from libevent.
2342 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
2343 pause briefly before measuring system clock precision to yield
2345 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
2346 * Use predefined function types for parse driver functions
2347 used to set up function pointers.
2348 Account for changed prototype of parse_inp_fnc_t functions.
2349 Cast parse conversion results to appropriate types to avoid
2351 Let ioctl() for Windows accept a (void *) to avoid compiler warnings
2352 when called with pointers to different types.
2355 NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
2357 Focus: Security and Bug fixes, enhancements.
2361 In addition to bug fixes and enhancements, this release fixes the
2362 following high-severity vulnerabilities:
2364 * vallen is not validated in several places in ntp_crypto.c, leading
2365 to a potential information leak or possibly a crash
2367 References: Sec 2671 / CVE-2014-9297 / VU#852879
2368 Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
2369 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2370 Date Resolved: Stable (4.2.8p1) 04 Feb 2015
2371 Summary: The vallen packet value is not validated in several code
2372 paths in ntp_crypto.c which can lead to information leakage
2373 or perhaps a crash of the ntpd process.
2374 Mitigation - any of:
2375 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2376 or the NTP Public Services Project Download Page.
2377 Disable Autokey Authentication by removing, or commenting out,
2378 all configuration directives beginning with the "crypto"
2379 keyword in your ntp.conf file.
2380 Credit: This vulnerability was discovered by Stephen Roettger of the
2381 Google Security Team, with additional cases found by Sebastian
2382 Krahmer of the SUSE Security Team and Harlan Stenn of Network
2385 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
2388 References: Sec 2672 / CVE-2014-9298 / VU#852879
2389 Affects: All NTP4 releases before 4.2.8p1, under at least some
2390 versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
2391 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
2392 Date Resolved: Stable (4.2.8p1) 04 Feb 2015
2393 Summary: While available kernels will prevent 127.0.0.1 addresses
2394 from "appearing" on non-localhost IPv4 interfaces, some kernels
2395 do not offer the same protection for ::1 source addresses on
2396 IPv6 interfaces. Since NTP's access control is based on source
2397 address and localhost addresses generally have no restrictions,
2398 an attacker can send malicious control and configuration packets
2399 by spoofing ::1 addresses from the outside. Note Well: This is
2400 not really a bug in NTP, it's a problem with some OSes. If you
2401 have one of these OSes where ::1 can be spoofed, ALL ::1 -based
2402 ACL restrictions on any application can be bypassed!
2404 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2405 or the NTP Public Services Project Download Page
2406 Install firewall rules to block packets claiming to come from
2407 ::1 from inappropriate network interfaces.
2408 Credit: This vulnerability was discovered by Stephen Roettger of
2409 the Google Security Team.
2411 Additionally, over 30 bugfixes and improvements were made to the codebase.
2412 See the ChangeLog for more information.
2415 NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
2417 Focus: Security and Bug fixes, enhancements.
2421 In addition to bug fixes and enhancements, this release fixes the
2422 following high-severity vulnerabilities:
2424 ************************** vv NOTE WELL vv *****************************
2426 The vulnerabilities listed below can be significantly mitigated by
2427 following the BCP of putting
2429 restrict default ... noquery
2431 in the ntp.conf file. With the exception of:
2433 receive(): missing return on error
2434 References: Sec 2670 / CVE-2014-9296 / VU#852879
2436 below (which is a limited-risk vulnerability), none of the recent
2437 vulnerabilities listed below can be exploited if the source IP is
2438 restricted from sending a 'query'-class packet by your ntp.conf file.
2440 ************************** ^^ NOTE WELL ^^ *****************************
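A simplified model of the restrict matching behind the NOTE WELL above and the ::1 spoofing issue (Sec 2672) in the 4.2.8p1 notes, added for this page and not ntpd's code. It assumes most-specific-match semantics, that noquery refuses mode 6/7 (ntpq/ntpdc) requests only, and that ignore refuses everything; the configurations, addresses and interface names below are constructed. drop_spoofed_loopback() models the firewall mitigation: ntpd cannot tell a spoofed ::1 from the real one, so the drop has to happen before the packet reaches it.

```python
"""Simplified model of ntpd's restrict list (added example, not ntpd's code).
Assumptions: entries are CIDR networks plus flag words, the most specific
matching entry wins, 'noquery' refuses mode 6/7 (ntpq/ntpdc) requests but
not ordinary time requests, and 'ignore' refuses everything. The sample
configurations and addresses below are constructed."""
import ipaddress

ANY = {"-4": ["0.0.0.0/0"], "-6": ["::/0"], None: ["0.0.0.0/0", "::/0"]}


def parse_restrict(conf: str) -> list:
    """Turn 'restrict ...' lines into (network, flags) pairs."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        family = None
        if parts[1] in ("-4", "-6"):
            family, parts = parts[1], parts[:1] + parts[2:]
        if parts[1] == "default":
            nets, flags = ANY[family], set(parts[2:])
        elif len(parts) > 3 and parts[2] == "mask":
            nets, flags = ["%s/%s" % (parts[1], parts[3])], set(parts[4:])
        else:
            nets, flags = [parts[1]], set(parts[2:])
        rules += [(ipaddress.ip_network(n, strict=False), flags) for n in nets]
    return rules


def decide(rules: list, src: str, request: str) -> str:
    """request is 'time' (client mode 3) or 'query' (mode 6/7)."""
    addr = ipaddress.ip_address(src)
    matches = [(net, flags) for net, flags in rules if addr in net]
    if not matches:
        return "allow"                       # nothing restricts this source
    net, flags = max(matches, key=lambda m: m[0].prefixlen)
    if "ignore" in flags:
        return "deny: ignore"
    if request == "query" and "noquery" in flags:
        return "deny: noquery"
    return "allow"


def drop_spoofed_loopback(src: str, iface: str) -> bool:
    """Host-level rule from the Sec 2672 mitigation: a loopback source address
    arriving on anything but the loopback interface is a spoof; drop it before
    ntpd, whose ACL trusts 127.0.0.1 and ::1, ever sees it."""
    return iface != "lo" and ipaddress.ip_address(src).is_loopback


BCP_CONF = """
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
OPEN_CONF = "restrict default kod nomodify notrap nopeer\n"   # no noquery


if __name__ == "__main__":
    for name, conf in (("BCP", BCP_CONF), ("open", OPEN_CONF)):
        rules = parse_restrict(conf)
        for src in ("203.0.113.5", "2001:db8::1", "::1"):
            print(name, src, decide(rules, src, "time"), decide(rules, src, "query"))
```

Under BCP_CONF an outside host still gets time but its mode 6/7 queries are refused, which is why the query-driven issues above cannot be reached; under OPEN_CONF the same host's queries go through. A packet claiming to be from ::1 is allowed by both, which is the point of filtering it at the interface.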
2442 * Weak default key in config_auth().
2444 References: [Sec 2665] / CVE-2014-9293 / VU#852879
2445 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2446 Vulnerable Versions: all releases prior to 4.2.7p11
2447 Date Resolved: 28 Jan 2010
2449 Summary: If no 'auth' key is set in the configuration file, ntpd
2450 would generate a random key on the fly. There were two
2451 problems with this: 1) the generated key was 31 bits in size,
2452 and 2) it used the (now weak) ntp_random() function, which was
2453 seeded with a 32-bit value and could only provide 32 bits of
2454 entropy. This was sufficient back in the late 1990s when the
2455 code was written. Not today.
2457 Mitigation - any of:
2458 - Upgrade to 4.2.7p11 or later.
2459 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2461 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
2462 of the Google Security Team.
2464 * Non-cryptographic random number generator with weak seed used by
2465 ntp-keygen to generate symmetric keys.
2467 References: [Sec 2666] / CVE-2014-9294 / VU#852879
2468 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2469 Vulnerable Versions: All NTP4 releases before 4.2.7p230
2470 Date Resolved: Dev (4.2.7p230) 01 Nov 2011
2472 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
2473 prepare a random number generator that was of good quality back
2474 in the late 1990s. The random numbers produced were then used to
2475 generate symmetric keys. In ntp-4.2.8 we use a current-technology
2476 cryptographic random number generator, either RAND_bytes from
2477 OpenSSL, or arc4random().
2479 Mitigation - any of:
2480 - Upgrade to 4.2.7p230 or later.
2481 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2483 Credit: This vulnerability was discovered in ntp-4.2.6 by
2484 Stephen Roettger of the Google Security Team.
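An added example of what the advisory says 4.2.8 does instead, drawing symmetric keys from a cryptographic RNG; it is not ntp-keygen's code. It assumes the ntp.keys line format "<keyid> <type> <key>" with MD5 keys of 20 printable ASCII characters (no '#') and SHA1 keys of 40 hex digits, and writes the file mode 0600, the point of Bug 2766 in the 4.2.8p2 notes above. weak_md5_key() shows the shape of the old problem, a 32-bit seed driving a non-cryptographic generator, using Python's random module as a stand-in for ntp_random().

```python
"""ntp.keys generation with a cryptographic RNG (added example, not ntp-keygen).
Assumptions not in the release notes: lines are "<keyid> <type> <key>", MD5
keys are 20 printable ASCII characters excluding '#', SHA1 keys are 40 hex
digits, and the file is written mode 0600 (cf. Bug 2766)."""
import math
import os
import random
import secrets
import tempfile

# printable ASCII 0x21..0x7e minus '#', which starts a comment in ntp.keys
MD5_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F) if chr(c) != "#")


def md5_key() -> str:
    """20 characters chosen with the OS CSPRNG (secrets -> os.urandom)."""
    return "".join(secrets.choice(MD5_ALPHABET) for _ in range(20))


def sha1_key() -> str:
    """40 hex digits, i.e. 160 bits from the OS CSPRNG."""
    return secrets.token_hex(20)


def weak_md5_key(seed32: int) -> str:
    """Shape of the pre-4.2.7p230 problem: a non-cryptographic generator fed a
    32-bit seed can yield at most 2**32 distinct keys, whatever their length,
    and the same seed always reproduces the same key."""
    rng = random.Random(seed32 & 0xFFFFFFFF)
    return "".join(rng.choice(MD5_ALPHABET) for _ in range(20))


def key_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a key drawn uniformly from alphabet_size**length choices."""
    return length * math.log2(alphabet_size)


def keys_file(n_md5: int = 5, n_sha1: int = 5) -> str:
    """Render a constructed ntp.keys file with sequential key IDs."""
    lines = ["# constructed ntp.keys; reference it with 'keys' and list IDs in 'trustedkey'"]
    keyid = 1
    for _ in range(n_md5):
        lines.append("%d MD5 %s" % (keyid, md5_key()))
        keyid += 1
    for _ in range(n_sha1):
        lines.append("%d SHA1 %s" % (keyid, sha1_key()))
        keyid += 1
    return "\n".join(lines) + "\n"


def write_keys(path: str, text: str) -> int:
    """Create the file 0600, refuse to clobber an existing one; return its mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    """Write a constructed keys file to a temp dir; report mode and entry count."""
    path = os.path.join(tempfile.mkdtemp(), "ntp.keys")
    mode = write_keys(path, keys_file())
    with open(path) as f:
        entries = [l for l in f if l.strip() and not l.startswith("#")]
    return {"path": path, "mode": mode, "entries": len(entries),
            "md5_bits": key_bits(len(MD5_ALPHABET), 20), "weak_bits": 32.0}


if __name__ == "__main__":
    r = demo()
    print("wrote %s mode %o, %d keys; ~%.0f bits per MD5 key vs %.0f for a 32-bit seed"
          % (r["path"], r["mode"], r["entries"], r["md5_bits"], r["weak_bits"]))
```

The entropy figure is the point: a 20-character key over a 93-symbol alphabet has about 131 bits of choice only if every character is drawn from a CSPRNG; driven from a 32-bit seed it has 32, however long it looks.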
2486 * Buffer overflow in crypto_recv()
2488 References: Sec 2667 / CVE-2014-9295 / VU#852879
2489 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2490 Versions: All releases before 4.2.8
2491 Date Resolved: Stable (4.2.8) 18 Dec 2014
2493 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
2494 file contains a 'crypto pw ...' directive) a remote attacker
2495 can send a carefully crafted packet that can overflow a stack
2496 buffer and potentially allow malicious code to be executed
2497 with the privilege level of the ntpd process.
2499 Mitigation - any of:
2500 - Upgrade to 4.2.8, or later, or
2501 - Disable Autokey Authentication by removing, or commenting out,
2502 all configuration directives beginning with the crypto keyword
2503 in your ntp.conf file.
2505 Credit: This vulnerability was discovered by Stephen Roettger of the
2506 Google Security Team.
2508 * Buffer overflow in ctl_putdata()
2510 References: Sec 2668 / CVE-2014-9295 / VU#852879
2511 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2512 Versions: All NTP4 releases before 4.2.8
2513 Date Resolved: Stable (4.2.8) 18 Dec 2014
2515 Summary: A remote attacker can send a carefully crafted packet that
2516 can overflow a stack buffer and potentially allow malicious
2517 code to be executed with the privilege level of the ntpd process.
2519 Mitigation - any of:
2520 - Upgrade to 4.2.8, or later.
2521 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2523 Credit: This vulnerability was discovered by Stephen Roettger of the
2524 Google Security Team.
2526 * Buffer overflow in configure()
2528 References: Sec 2669 / CVE-2014-9295 / VU#852879
2529 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2530 Versions: All NTP4 releases before 4.2.8
2531 Date Resolved: Stable (4.2.8) 18 Dec 2014
2533 Summary: A remote attacker can send a carefully crafted packet that
2534 can overflow a stack buffer and potentially allow malicious
2535 code to be executed with the privilege level of the ntpd process.
2537 Mitigation - any of:
2538 - Upgrade to 4.2.8, or later.
2539 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2541 Credit: This vulnerability was discovered by Stephen Roettger of the
2542 Google Security Team.
2544 * receive(): missing return on error
2546 References: Sec 2670 / CVE-2014-9296 / VU#852879
2547 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
2548 Versions: All NTP4 releases before 4.2.8
2549 Date Resolved: Stable (4.2.8) 18 Dec 2014
2551 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
2552 the code path where an error was detected, which meant
2553 processing did not stop when a specific rare error occurred.
2554 We haven't found a way for this bug to affect system integrity.
2555 If there is no way to affect system integrity the base CVSS
2556 score for this bug is 0. If there is one avenue through which
2557 system integrity can be partially affected, the base score
2558 becomes a 5. If system integrity can be partially affected
2559 via all three integrity metrics, the CVSS base score becomes 7.5.
2561 Mitigation - any of:
2562 - Upgrade to 4.2.8, or later,
2563 - Remove or comment out all configuration directives
2564 beginning with the crypto keyword in your ntp.conf file.
2566 Credit: This vulnerability was discovered by Stephen Roettger of the
2567 Google Security Team.
2569 See http://support.ntp.org/security for more information.
2571 New features / changes in this release:
2575 * Internal NTP Era counters
2577 The internal counters that track the "era" (range of years) we are in
2578 roll over every 136 years. The current "era" started at the stroke of
2579 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
2581 In the past, we have used the "midpoint" of the range to decide which
2582 era we were in. Given the longevity of some products, it became clear
2583 that it would be more functional to "look back" less, and "look forward"
2584 more. We now compile a timestamp into the ntpd executable and when we
2585 get a timestamp we us the "built-on" to tell us what era we are in.
2586 This check "looks back" 10 years, and "looks forward" 126 years.
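The era selection described above, as an added example that is not ntpd's own code: a 32-bit NTP seconds field is placed in the era that makes it fall between 10 years before a build-time pivot and about 126 years after it. Function names, the 365.25-day year and the sample timestamps are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not ntpd's code): resolve a 32-bit NTP seconds field,
 * which wraps every 2^32 s (about 136 years), into an unambiguous 64-bit
 * second count using a "built-on" pivot: accept instants from 10 years
 * before the pivot to roughly 126 years after it. Names are assumed. */

#define NTP_ERA_SECONDS  (1ULL << 32)
#define YEAR_SECONDS     (365ULL * 86400ULL + 86400ULL / 4)  /* 365.25 days */
#define LOOKBACK_SECONDS (10ULL * YEAR_SECONDS)
/* Seconds from 1900-01-01 to 1970-01-01 (Unix time -> NTP time). */
#define UNIX_TO_NTP_OFFSET 2208988800ULL

/* Unambiguous 64-bit NTP seconds from a 32-bit field and a build-time pivot
 * (64-bit NTP seconds). Result lies in [pivot - 10y, pivot - 10y + 2^32). */
uint64_t ntp_resolve_era(uint32_t ts32, uint64_t pivot)
{
    uint64_t window_start = pivot > LOOKBACK_SECONDS ? pivot - LOOKBACK_SECONDS : 0;
    /* Start of the era (a multiple of 2^32) that contains window_start. */
    uint64_t era_base = window_start & ~(NTP_ERA_SECONDS - 1);
    uint64_t candidate = era_base + ts32;
    /* Earlier than the window allows: the field belongs to the next era. */
    if (candidate < window_start)
        candidate += NTP_ERA_SECONDS;
    return candidate;
}

/* Era number (0 = 1900..2036, 1 = 2036..2172, ...) of a resolved value. */
unsigned ntp_era_number(uint64_t ntp_seconds)
{
    return (unsigned)(ntp_seconds >> 32);
}

int main(void)
{
    /* Constructed pivot: 2017-03-21 00:00:00 UTC (Unix 1490054400) as NTP. */
    uint64_t pivot = 1490054400ULL + UNIX_TO_NTP_OFFSET;
    /* Constructed sample: 2040-01-01 00:00:00 UTC = 4417977600 NTP seconds,
     * past the 2036 wrap, so on the wire only the low 32 bits survive. */
    uint32_t after_wrap = (uint32_t)4417977600ULL;  /* 123010304 */
    /* Constructed sample from about 1931, more than 10 years before the
     * pivot: it cannot be represented and is placed in the next era. */
    uint32_t too_old = 1000000000u;
    uint64_t r;
    r = ntp_resolve_era(after_wrap, pivot);
    printf("2040 sample -> %llu (era %u)\n", (unsigned long long)r, ntp_era_number(r));
    r = ntp_resolve_era(too_old, pivot);
    printf("1931 sample -> %llu (era %u, misplaced)\n", (unsigned long long)r, ntp_era_number(r));
    return 0;
}
```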
2588 * ntpdc responses disabled by default
2592 For a long time, ntpq and its mostly text-based mode 6 (control)
2593 protocol have been preferred over ntpdc and its mode 7 (private
2594 request) protocol for runtime queries and configuration. There has
2595 been a goal of deprecating ntpdc, previously held back by numerous
2596 capabilities exposed by ntpdc with no ntpq equivalent. I have been
2597 adding commands to ntpq to cover these cases, and I believe I've
2598 covered them all, though I've not compared command-by-command
2601 As I've said previously, the binary mode 7 protocol involves a lot of
2602 hand-rolled structure layout and byte-swapping code in both ntpd and
2603 ntpdc which is hard to get right. As ntpd grows and changes, the
2604 changes are difficult to expose via ntpdc while maintaining forward
2605 and backward compatibility between ntpdc and ntpd. In contrast,
2606 ntpq's text-based, label=value approach involves more code reuse and
2607 allows compatible changes without extra work in most cases.
2609 Mode 7 has always been defined as vendor/implementation-specific while
2610 mode 6 is described in RFC 1305 and intended to be open to interoperate
2611 with other implementations. There is an early draft of an updated
2612 mode 6 description that likely will join the other NTPv4 RFCs
2613 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
2615 For these reasons, ntpd 4.2.7p230 by default disables processing of
2616 ntpdc queries, reducing ntpd's attack surface and functionally
2617 deprecating ntpdc. If you are in the habit of using ntpdc for certain
2618 operations, please try the ntpq equivalent. If there's no equivalent,
2619 please open a bug report at http://bugs.ntp.org./
2621 In addition to the above, over 1100 issues have been resolved between
2622 the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

* Updated "nic" and "interface" IPv6 address handling to prevent
mismatches with localhost [::1] and wildcard [::] which resulted from
using the address/prefix format (e.g. fe80::/64)
* Fix orphan mode stratum incorrectly counting to infinity
* Orphan parent selection metric updated to include missing ntohl()
* Non-printable stratum 16 refid no longer sent to ntp
* Duplicate ephemeral associations suppressed for broadcastclient and
multicastclient without broadcastdelay
* Exclude undetermined sys_refid from use in loopback TEST12
* Exclude MODE_SERVER responses from KoD rate limiting
* Include root delay in clock_update() sys_rootdisp calculations
* get_systime() updated to exclude sys_residual offset (which only
affected bits "below" sys_tick, the precision threshold)
* sys.peer jitter weighting corrected in sys_jitter calculation

* -n option extended to include the billboard "server" column
* IPv6 addresses in the local column truncated to prevent overruns
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
from our source code repository

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
clock slew on Microsoft Windows
* Code cleanup in libntpq

* Fix timerstats reporting

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

* Backward incompatible command-line option change:
-l/--filelog changed to -l/--logfile (to be consistent with ntpd)

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
* OpenSSL version display cleanup.

* Many counters should be treated as unsigned.

* Do not ignore replies with equal receive and transmit timestamps.

* libntpq warning cleanup.

* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

* Display timezone offset when showing time for sntp in the local
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Use tv_usec correctly in set_time().
* Documentation cleanup.
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

* Rate limiting and KOD handling

* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

* support for the "passwd ..." syntax
* key-type specific password prompts

* MD5 authentication of an ntpd
* Broadcast and crypto

NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

This is a recommended upgrade.

NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

See http://support.ntp.org/security for more information.

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
request or a mode 7 error response from an address which is not listed
in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
reply with a mode 7 error response (and log a message). In this case:

* If an attacker spoofs the source address of ntpd host A in a
mode 7 response packet sent to ntpd host B, both A and B will
continuously send each other error responses, for as long as
those packets get through.

* If an attacker spoofs an address of ntpd host A in a mode 7
response packet sent to ntpd host A, A will respond to itself
endlessly, consuming CPU and logging excessively.
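The reply loop described above, modelled as an added example that is not ntpd's code: a server that answers every unusable mode 7 packet with an error response, including packets that are themselves responses, ping-pongs with its peer indefinitely, while a server that never answers a mode 7 response stops after zero replies. The header fields follow the mode 7 layout (byte 0 = response bit, more bit, version, mode; an err/nitems halfword); the function names and the error code value are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not ntpd's code: model of the CVE-2009-3563 reply loop.
 * Byte 0 of a mode 7 packet is R|M|VN(3)|Mode(3); err_nitems is err(4)|nitems(12).
 * The error code used below and all names are assumed for the demonstration. */
#define M7_RESP_BIT  0x80
#define M7_MODE_MASK 0x07
#define MODE_PRIVATE 7
#define M7_ERR_FMT   3          /* assumed "format error" code */

struct m7_pkt {
    uint8_t  rm_vn_mode;        /* response | more | version(3) | mode(3) */
    uint8_t  auth_seq;          /* auth bit | sequence number */
    uint16_t err_nitems;        /* err(4) | nitems(12) */
};

static bool m7_is_response(const struct m7_pkt *p) { return (p->rm_vn_mode & M7_RESP_BIT) != 0; }
static bool m7_is_mode7(const struct m7_pkt *p) { return (p->rm_vn_mode & M7_MODE_MASK) == MODE_PRIVATE; }

/* Turn an unusable packet into the error response ntpd would send back. */
static void m7_make_error(struct m7_pkt *p)
{
    p->rm_vn_mode |= M7_RESP_BIT;
    p->err_nitems = (uint16_t)(M7_ERR_FMT << 12);   /* error code, zero items */
}

/* Policy under test. Vulnerable (fixed == false): every unusable mode 7 packet
 * is answered with an error, even one that is itself a response. Fixed: a
 * mode 7 response is never answered, so a spoofed error cannot be bounced. */
bool m7_should_answer_with_error(const struct m7_pkt *in, bool fixed)
{
    if (!m7_is_mode7(in))
        return false;
    return !(fixed && m7_is_response(in));
}

/* Simulate hosts A and B after an attacker delivers one mode 7 error response
 * to B that carries A's address. Returns how many error responses the two
 * hosts send each other before the exchange stops, capped at `cap`. */
unsigned m7_simulate_loop(bool fixed, unsigned cap)
{
    /* Constructed spoofed packet: response bit set, version 3, mode 7. */
    struct m7_pkt pkt = { (uint8_t)(M7_RESP_BIT | (3 << 3) | MODE_PRIVATE), 0,
                          (uint16_t)(M7_ERR_FMT << 12) };
    unsigned sent = 0;
    while (sent < cap && m7_should_answer_with_error(&pkt, fixed)) {
        m7_make_error(&pkt);    /* the receiver's error reply becomes the next input */
        sent++;
    }
    return sent;
}
```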
Credit for finding this vulnerability goes to Robin Park and Dmitri
Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

See http://support.ntp.org/security for more information.

If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
line) then a carefully crafted packet sent to the machine will cause
a buffer overflow and possible execution of injected code, running
with the privileges of the ntpd process (often root).

Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI

NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.