NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past, it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
AKA: authdecrypt-timing
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2879 / CVE-2016-1550
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary: Packet authentication tests have been performed using
memcmp() or possibly bcmp(), and it is potentially possible
for a local or perhaps LAN-based attacker to send a packet with
an authentication payload and indirectly observe how much of
the digest has matched.

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances.
Credit: This weakness was discovered independently by Loganaden
Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
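
The leak and its fix side by side, as an added example that is not ntpd's own code: a MAC comparison that stops at the first differing byte, modelled on memcmp()/bcmp(), next to a constant-time replacement. The digest bytes and the forgery are constructed for the demonstration; a 20-byte (SHA-1 sized) MAC is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20  /* SHA-1 digest length, a common NTP MAC size */

/* Models memcmp()/bcmp(): returns at the first differing byte. *examined
 * records how many bytes were touched, which is what the response time
 * reveals: the longer the matching prefix, the longer the check runs. */
int mac_equal_leaky(const uint8_t *expected, const uint8_t *received,
                    size_t len, size_t *examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (expected[i] != received[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Constant-time replacement: visit every byte, OR the XOR differences
 * together, and turn the accumulator into a verdict without branching
 * on the data. Running time is independent of where the digests differ. */
int mac_equal_ct(const uint8_t *expected, const uint8_t *received,
                 size_t len, size_t *examined)
{
    uint32_t acc = 0;
    size_t i;
    for (i = 0; i < len; i++)
        acc |= (uint32_t)(expected[i] ^ received[i]);
    *examined = len;
    /* acc is 0 only if every byte matched; (acc - 1) >> 31 is 1 exactly then */
    return (int)((acc - 1u) >> 31);
}

/* Constructed digest (not a real MAC) and a forgery that agrees with it for
 * the first 'prefix' bytes. prefix >= MAC_LEN yields an identical copy. */
static void build_pair(size_t prefix, uint8_t *genuine, uint8_t *forged)
{
    size_t i;
    for (i = 0; i < MAC_LEN; i++)
        genuine[i] = (uint8_t)(0x5a + 7 * i);
    memcpy(forged, genuine, MAC_LEN);
    if (prefix < MAC_LEN)
        forged[prefix] ^= 0x01;
}

/* Bytes the leaky comparison examines before rejecting the forgery. */
size_t leaky_bytes_examined(size_t prefix)
{
    uint8_t g[MAC_LEN], f[MAC_LEN];
    size_t n;
    build_pair(prefix, g, f);
    (void)mac_equal_leaky(g, f, MAC_LEN, &n);
    return n;
}

/* Bytes the constant-time comparison examines: always MAC_LEN. */
size_t ct_bytes_examined(size_t prefix)
{
    uint8_t g[MAC_LEN], f[MAC_LEN];
    size_t n;
    build_pair(prefix, g, f);
    (void)mac_equal_ct(g, f, MAC_LEN, &n);
    return n;
}

/* Verdict of the constant-time comparison for the same pair (1 = equal). */
int ct_verdict(size_t prefix)
{
    uint8_t g[MAC_LEN], f[MAC_LEN];
    size_t n;
    build_pair(prefix, g, f);
    return mac_equal_ct(g, f, MAC_LEN, &n);
}

int main(void)
{
    size_t p;
    for (p = 0; p <= MAC_LEN; p += 5)
        printf("prefix %2zu: leaky examines %2zu bytes, constant-time %2zu, verdict %d\n",
               p, leaky_bytes_examined(p), ct_bytes_examined(p), ct_verdict(p));
    return 0;
}
```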
* Zero origin timestamp bypass: Additional KoD checks.
References: Sec 2945 / Sec 2901 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2952 / CVE-2015-7704
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
associations did not address all of the issues.

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you can't upgrade, use "server" associations instead of
Monitor your ntpd instances.
Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3007 / CVE-2016-1547 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSSv3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
off-path attacker can cause a preemptable client association to
be demobilized by sending a crypto NAK packet to a victim client
with a spoofed source address of an existing associated peer.
This is true even if authentication is enabled.

Furthermore, if the attacker keeps sending crypto NAK packets,
for example one every second, the victim never has a chance to
reestablish the association and synchronize time with that

For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
stringent checks are performed on incoming packets, but there
are still ways to exploit this vulnerability in versions before

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Stephen Gray and
Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3008 / CVE-2016-2519
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: ntpq and ntpdc can be used to store and retrieve information
in ntpd. It is possible to store a data value that is larger
than the size of the buffer that the ctl_getitem() function of
ntpd uses to report the return value. If the length of the
requested data value returned by ctl_getitem() is too large,
the value NULL is returned instead. There are 2 cases where the
return value from ctl_getitem() was not directly checked to make
sure it's not NULL, but there are subsequent INSIST() checks
that make sure the return value is not NULL. There are no data
values ordinarily stored in ntpd that would exceed this buffer
length. But if one has permission to store values and one stores
a value that is "too large", then ntpd will abort if an attempt
is made to read that oversized value.

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3009 / CVE-2016-2518 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
CVSSv3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
Summary: Using a crafted packet to create a peer association with
hmode > 7 causes the MATCH_ASSOC() lookup to make an
out-of-bounds reference.

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3010 / CVE-2016-2517 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: If ntpd was expressly configured to allow for remote
configuration, a malicious user who knows the controlkey for
ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
can create a session with ntpd and then send a crafted packet to
ntpd that will change the value of the trustedkey, controlkey,
or requestkey to a value that will prevent any subsequent
authentication with ntpd until ntpd is restarted.

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3011 / CVE-2016-2516 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: If ntpd was expressly configured to allow for remote
configuration, a malicious user who knows the controlkey for
ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
can create a session with ntpd and if an existing association is
unconfigured using the same IP twice on the unconfig directive
line, ntpd will abort.

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.

* Refclock impersonation vulnerability
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3020 / CVE-2016-1551
Affects: On a very limited number of OSes, all NTP releases up to but
not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
By "very limited number of OSes" we mean no general-purpose OSes
have yet been identified that have this vulnerability.
CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary: While most OSes implement martian packet filtering in their
network stack, at least regarding 127.0.0.0/8, some will allow
packets claiming to be from 127.0.0.0/8 that arrive over a
physical network. On these OSes, if ntpd is configured to use a
reference clock an attacker can inject packets over the network
that look like they are coming from that reference clock.

Implement martian packet filtering and BCP-38.
Configure ntpd to use an adequate number of time sources.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you are unable to upgrade and if you are running an OS that
has this vulnerability, implement martian packet filters and
lobby your OS vendor to fix this problem, or run your
refclocks on computers that use OSes that are not vulnerable
to these attacks and have your vulnerable machines get their
time from protected resources.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Matt Street and others of

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
References: Sec 2936 / CVE-2015-7974
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2978 / CVE-2016-1548
Affects: All ntp-4 releases.
CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Summary: It is possible to change the time of an ntpd client or deny
service to an ntpd client by forcing it to change from basic
client/server mode to interleaved symmetric mode. An attacker
can spoof a packet from a legitimate ntpd server with an origin
timestamp that matches the peer->dst timestamp recorded for that
server. After making this switch, the client will reject all
future legitimate server responses. It is possible to force the
victim client to move time after the mode has been changed.
ntpq gives no indication that the mode has been switched.

Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page. These
versions will not dynamically "flip" into interleave mode
unless configured to do so.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of RedHat
and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3012 / CVE-2016-1549
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
the feature introduced in ntp-4.2.8p6 allowing an optional 4th
field in the ntp.keys file to specify which IPs can serve time,
a malicious authenticated peer can create arbitrarily-many
ephemeral associations in order to win the clock selection of
ntpd and modify a victim's clock.

Use the 4th field in the ntp.keys file to specify which IPs
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
- fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
- integrated patches by Loganaden Velvindron <logan@ntp.org>
with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
- Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
- A change related to [Bug 2853] forbids trailing white space in
remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
- report and patch from Aleksandr Kostikov.
- Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
- fixed memory leak in access list (auth[read]keys.c)
- refactored handling of key access lists (auth[read]keys.c)
- reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
when the time of server changed. perlinger@ntp.org
- Check the initial delay calculation and reject/unpeer the broadcast
server if the delay exceeds 50ms. Retry again after the next
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

--enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2548 / CVE-2015-8158
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
The loop's only stopping conditions are receiving a complete and
correct response or hitting a small number of error conditions.
If the packet contains incorrect values that don't trigger one of
the error conditions, the loop continues to receive new packets.
Note well, this is an attack against an instance of 'ntpq', not
'ntpd', and this attack requires the attacker to do one of the
* Own a malicious NTP server that the client trusts
* Prevent a legitimate NTP server from sending packets to
* MITM the 'ntpq' communications between the 'ntpq' client

Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2945 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
(3.7 - LOW if you score AC:L)
Summary: To distinguish legitimate peer responses from forgeries, a
client attempts to verify a response packet by ensuring that the
origin timestamp in the packet matches the origin timestamp it
transmitted in its last request. A logic error exists that
allows packets with an origin timestamp of zero to bypass this
check whenever there is not an outstanding request to the server.

Configure 'ntpd' to get time from multiple sources.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd' instances.
Credit: This weakness was discovered by Matthew Van Gundy and
Jonathan Gardner of Cisco ASIG.
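
A model of the origin-timestamp check this entry describes (and that the 4.2.8p7 "Zero origin timestamp bypass" entry above improves further), added here as an example; it is not ntpd's own code. The vulnerable form compares the packet's origin against a remembered transmit timestamp that is cleared to zero once a reply has been consumed, so a forged packet with origin 0 matches whenever no request is outstanding; the hardened form rejects a zero origin and unsolicited packets before comparing. The timestamp value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NTP timestamp as a 64-bit fixed-point value (ntpd calls it l_fp);
 * zero means "no timestamp". */
typedef uint64_t l_fp_t;

struct assoc {
    l_fp_t   aorg;        /* transmit timestamp of our last request */
    bool     outstanding; /* a request has been sent and not yet answered */
    unsigned bogus;       /* packets rejected by the origin check; worth logging */
};

void assoc_init(struct assoc *a)
{
    a->aorg = 0;
    a->outstanding = false;
    a->bogus = 0;
}

/* The client transmits a request and remembers its transmit timestamp;
 * a genuine reply must echo it in the origin timestamp field. */
void client_send(struct assoc *a, l_fp_t xmt)
{
    a->aorg = xmt;
    a->outstanding = true;
}

/* Consume an accepted reply: clear the remembered timestamp so the same
 * reply cannot be replayed against this association. */
static void consume_reply(struct assoc *a)
{
    a->aorg = 0;
    a->outstanding = false;
}

/* Vulnerable model: the only test is org == aorg. Once a reply has been
 * consumed aorg is zero, so a forged packet whose origin timestamp is
 * zero compares equal whenever nothing is outstanding. */
bool client_accept_vulnerable(struct assoc *a, l_fp_t org)
{
    if (org != a->aorg) {
        a->bogus++;
        return false;
    }
    consume_reply(a);
    return true;
}

/* Hardened model: a zero origin is never valid, an unsolicited packet is
 * never valid, and only after those tests must the origin match. */
bool client_accept_fixed(struct assoc *a, l_fp_t org)
{
    if (org == 0 || !a->outstanding || org != a->aorg) {
        a->bogus++;
        return false;
    }
    consume_reply(a);
    return true;
}

/* Constructed transmit timestamp for the scenarios (seconds.fraction). */
static const l_fp_t SAMPLE_XMT = ((l_fp_t)0xDA8B7C6DULL << 32) | 0x12345678ULL;

static bool accept_reply(struct assoc *a, l_fp_t org, bool use_fixed)
{
    return use_fixed ? client_accept_fixed(a, org)
                     : client_accept_vulnerable(a, org);
}

/* A genuine reply to an outstanding request is accepted by both models. */
bool genuine_reply_accepted(bool use_fixed)
{
    struct assoc a;
    assoc_init(&a);
    client_send(&a, SAMPLE_XMT);
    return accept_reply(&a, SAMPLE_XMT, use_fixed);
}

/* After one legitimate exchange a forged packet with origin 0 arrives while
 * nothing is outstanding. Returns true if the forgery was accepted. */
bool forged_zero_origin_accepted(bool use_fixed)
{
    struct assoc a;
    assoc_init(&a);
    client_send(&a, SAMPLE_XMT);
    (void)accept_reply(&a, SAMPLE_XMT, use_fixed);
    return accept_reply(&a, 0, use_fixed);
}

int main(void)
{
    printf("vulnerable: genuine %d, forged zero-origin %d\n",
           genuine_reply_accepted(false), forged_zero_origin_accepted(false));
    printf("fixed:      genuine %d, forged zero-origin %d\n",
           genuine_reply_accepted(true), forged_zero_origin_accepted(true));
    return 0;
}
```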

* Stack exhaustion in recursive traversal of restriction list
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2940 / CVE-2015-7978
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by exhausting the call stack.

Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2942 / CVE-2015-7979
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
Summary: An off-path attacker can send broadcast packets with bad
authentication (wrong key, mismatched key, incorrect MAC, etc)
to broadcast clients. It is observed that the broadcast client
tears down the association with the broadcast server upon
receiving just one bad packet.

Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd' instances.
If this sort of attack is an active problem for you, you have
deeper problems to investigate. In this case also consider
having smaller NTP broadcast domains.
Credit: This weakness was discovered by Aanchal Malhotra of Boston

* reslist NULL pointer dereference
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2939 / CVE-2015-7977
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by causing a NULL pointer dereference.

Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
the NTP Public Services Project Download Page.
If you are unable to upgrade:
mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2938 / CVE-2015-7976
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
Summary: The ntpq saveconfig command does not do adequate filtering
of special characters from the supplied filename.
Note well: The ability to use the saveconfig command is controlled
by the 'restrict nomodify' directive, and the recommended default
configuration is to disable this capability. If the ability to
execute a 'saveconfig' is required, it can easily (and should) be
limited and restricted to a known small number of IP addresses.

use 'restrict default nomodify' in your 'ntp.conf' file.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
If you are unable to upgrade:
build NTP with 'configure --disable-saveconfig' if you will
never need this capability, or
use 'restrict default nomodify' in your 'ntp.conf' file. Be
careful about what IPs have the ability to send 'modify'
Monitor your ntpd instances.
'saveconfig' requests are logged to syslog - monitor your syslog files.
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2937 / CVE-2015-7975
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
If you score A:C, this becomes 4.0.
CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
Summary: ntpq may call nextvar() which executes a memcpy() into the
name buffer without a proper length check against its maximum
length of 256 bytes. Note well that we're talking about ntpq here.
The usual worst-case effect of this vulnerability is that the
specific instance of ntpq will crash and the person or process
that did this will have stopped themselves.

Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
If you have scripts that feed input to ntpq make sure there are
some sanity checks on the input received from the "outside".
This is potentially more dangerous if ntpq is run as root.
Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2936 / CVE-2015-7974
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
Summary: Symmetric key encryption uses a shared trusted key. The
reported title for this issue was "Missing key check allows
impersonation between authenticated peers" and the report claimed
"A key specified only for one server should only work to
authenticate that server, other trusted keys should be refused."
Except there has never been any correlation between this trusted
key and server vs. client machines and there has never been any
way to specify a key only for one server. We have treated this as
an enhancement request, and ntp-4.2.8p6 includes other checks and
tests to strengthen clients against attacks coming from broadcast

If this scenario represents a real or a potential issue for you,
upgrade to 4.2.8p6, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page, and
use the new field in the ntp.keys file that specifies the list
of IPs that are allowed to serve time. Note that this alone
will not protect against time packets with forged source IP
addresses, however other changes in ntp-4.2.8p6 provide
significant mitigation against broadcast attacks. MITM attacks
are a different story.
If you are unable to upgrade:
Don't use broadcast mode if you cannot monitor your client
If you choose to use symmetric keys to authenticate time
packets in a hostile environment where ephemeral time
servers can be created, or if it is expected that malicious
time servers will participate in an NTP broadcast domain,
limit the number of participating systems that participate
in the shared-key group.
Monitor your ntpd instances.
Credit: This weakness was discovered by Matt Street of Cisco ASIG.

* Deja Vu: Replay attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2935 / CVE-2015-7973
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
Summary: If an NTP network is configured for broadcast operations then
either a man-in-the-middle attacker or a malicious participant
that has the same trusted keys as the victim can replay time packets.

Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
Don't use broadcast mode if you cannot monitor your client servers.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra of Boston

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
- applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
IPv6 is disabled in the build. perlinger@ntp.org
- Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
- added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. perlinger@ntp.org
- make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
- integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
- implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
References: Sec 2956, CVE-2015-5300
Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
4.3.0 up to, but not including 4.3.78
CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
Summary: If ntpd is always started with the -g option, which is
common and against long-standing recommendation, and if at the
moment ntpd is restarted an attacker can immediately respond to
enough requests from enough sources trusted by the target, which
is difficult and not common, there is a window of opportunity
where the attacker can cause ntpd to set the time to an
arbitrary value. Similarly, if an attacker is able to respond
to enough requests from enough sources trusted by the target,
the attacker can cause ntpd to abort and restart, at which
point it can tell the target to set the time to an arbitrary
value if and only if ntpd was re-started against long-standing
recommendation with the -g flag, or if ntpd was not given the
-g flag, the attacker can move the target system's time by at
most 900 seconds' time per attack.

Configure ntpd to get time from multiple sources.
Upgrade to 4.2.8p5, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
As we've long documented, only use the -g option to ntpd in
cold-start situations.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra,
Isaac E. Cohen, and Sharon Goldberg at Boston University.

NOTE WELL: The -g flag disables the limit check on the panic_gate
in ntpd, which is 900 seconds by default. The bug identified by
the researchers at Boston University is that the panic_gate
check was only re-enabled after the first change to the system
clock that was greater than 128 milliseconds, by default. The
correct behavior is that the panic_gate check should be
re-enabled after any initial time correction.

If an attacker is able to inject consistent but erroneous time
responses to your systems via the network or "over the air",
perhaps by spoofing radio, cellphone, or navigation satellite
transmissions, they are in a great position to affect your
system's clock. There comes a point where your very best

Configure ntpd to get time from multiple sources.
Monitor your ntpd instances.
654 * Coverity submission process updated from Coverity 5 to Coverity 7.
655 The NTP codebase has been undergoing regular Coverity scans on an
656 ongoing basis since 2006. As part of our recent upgrade from
657 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
658 the newly-written Unity test programs. These were fixed.
659 * [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
660 * [Bug 2887] stratum -1 config results as showing value 99
661 - fudge stratum should only accept values [0..16]. perlinger@ntp.org
662 * [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
663 * [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
664 * [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
665 - applied patch by Christos Zoulas. perlinger@ntp.org
666 * [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
667 * [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
668 - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
669 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
670 * [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
671 - accept key file only if there are no parsing errors
672 - fixed size_t/u_int format clash
673 - fixed wrong use of 'strlcpy'
674 * [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
675 * [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
676 - fixed several other warnings (cast-alignment, missing const, missing prototypes)
677 - promote use of 'size_t' for values that express a size
678 - use ptr-to-const for read-only arguments
679 - make sure SOCKET values are not truncated (win32-specific)
680 - format string fixes
681 * [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
682 * [Bug 2967] ntpdate command suffers an assertion failure
683 - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
684 * [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
685 lots of clients. perlinger@ntp.org
686 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
687 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
688 * Unity cleanup for FreeBSD-6.4. Harlan Stenn.
689 * Unity test cleanup. Harlan Stenn.
690 * Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
691 * Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
692 * Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
693 * Quiet a warning from clang. Harlan Stenn.
696 NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
698 Focus: Security, Bug fixes, enhancements.
702 In addition to bug fixes and enhancements, this release fixes the
703 following 13 low- and medium-severity vulnerabilities:
705 * Incomplete vallen (value length) checks in ntp_crypto.c, leading
706 to potential crashes or potential code injection/information leakage.
708 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
709 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
710 and 4.3.0 up to, but not including 4.3.77
711 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
712 Summary: The fix for CVE-2014-9750 was incomplete in that there were
713 certain code paths where a packet with particular autokey operations
714 that contained malicious data was not always being completely
715 validated. Receipt of these packets can cause ntpd to crash.
718 Upgrade to 4.2.8p4, or later, from the NTP Project Download
719 Page or the NTP Public Services Project Download Page
720 Monitor your ntpd instances.
721 Credit: This weakness was discovered by Tenable Network Security.
723 * Clients that receive a KoD should validate the origin timestamp field.
725 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
726 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
727 and 4.3.0 up to, but not including 4.3.77
728 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
729 Summary: An ntpd client that honors Kiss-of-Death responses will honor
730 KoD messages that have been forged by an attacker, causing it to
731 delay or stop querying its servers for time updates. Also, an
732 attacker can forge packets that claim to be from the target and
733 send them to servers often enough that a server that implements
734 KoD rate limiting will send the target machine a KoD response to
735 attempt to reduce the rate of incoming packets, or it may also
736 trigger a firewall block at the server for packets from the target
737 machine. For either of these attacks to succeed, the attacker must
738 know what servers the target is communicating with. An attacker
739 can be anywhere on the Internet and can frequently learn the
740 identity of the target's time source by sending the target a
744 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
745 or the NTP Public Services Project Download Page
746 If you can't upgrade, restrict who can query ntpd to learn who
747 its servers are, and what IPs are allowed to ask your system
748 for the time. This mitigation is heavy-handed.
749 Monitor your ntpd instances.
751 4.2.8p4 protects against the first attack. For the second attack,
752 all we can do is warn when it is happening, which we do in 4.2.8p4.
753 Credit: This weakness was discovered by Aanchal Malhotra,
754 Isaac E. Cohen, and Sharon Goldberg of Boston University.
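The first attack above is defeated by the check named in the entry's title: a client must only honor a reply, KoD or otherwise, whose origin timestamp echoes the transmit timestamp of the request it still has outstanding. The following is an added example of that check, not ntpd's code: it parses the standard 48-byte NTP v4 header (RFC 5905 layout; the kiss codes RATE, DENY and RSTR are the standard ones) and classifies three constructed replies. Function names and the sample timestamp are the example's own.

```python
# Added example of the origin-timestamp check behind the 4.2.8p4 KoD fix.
# Illustrative code, not ntpd's. All packet contents are constructed.
import struct

NTP_HEADER = "!BBbbII4sQQQQ"          # 48-byte NTP v4 header, network order
FIELDS = ("li_vn_mode", "stratum", "poll", "precision", "root_delay",
          "root_disp", "refid", "reftime", "org", "rec", "xmt")
KOD_CODES = {b"RATE", b"DENY", b"RSTR"}  # kiss codes carried in the refid


def parse_packet(data: bytes) -> dict:
    """Split an NTP packet into named header fields (extensions ignored)."""
    if len(data) < struct.calcsize(NTP_HEADER):
        raise ValueError("short NTP packet")
    return dict(zip(FIELDS, struct.unpack(NTP_HEADER, data[:48])))


def build_packet(mode: int, stratum: int, refid: bytes, org: int, xmt: int) -> bytes:
    """Pack a minimal v4 packet; fields not under test are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode       # LI=0, VN=4, mode as given
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0,
                       refid, 0, org, 0, xmt)


def classify_reply(pending_xmt: int, data: bytes) -> str:
    """Decide what a client should do with a reply to request `pending_xmt`.

    The origin field must echo our transmit timestamp. A sender who never
    saw the request cannot fill it in, so a mismatch is dropped before the
    packet's KoD or time content is looked at.
    """
    pkt = parse_packet(data)
    if pkt["org"] != pending_xmt:
        return "drop: origin timestamp mismatch"
    if pkt["stratum"] == 0 and pkt["refid"] in KOD_CODES:
        return "kod: " + pkt["refid"].decode("ascii")
    return "time: accepted"


# Constructed transmit timestamp of the client's outstanding request.
SAMPLE_XMT = 0xE1F2A3B4C5D6E7F8
SERVER_XMT = 0xE1F2A3B500000000   # constructed server transmit timestamp


def sample_replies() -> dict:
    """Three constructed replies: a genuine KoD, a KoD that does not echo
    the request's transmit timestamp, and an ordinary time reply."""
    return {
        "genuine_kod": build_packet(4, 0, b"RATE", SAMPLE_XMT, SERVER_XMT),
        "unsolicited_kod": build_packet(4, 0, b"RATE", 0, SERVER_XMT),
        "time_reply": build_packet(4, 2, b"\x0a\x00\x00\x01", SAMPLE_XMT, SERVER_XMT),
    }


def demo() -> dict:
    """Classify each sample reply against the outstanding request."""
    return {name: classify_reply(SAMPLE_XMT, pkt)
            for name, pkt in sample_replies().items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The check is only as strong as the unpredictability of the client's transmit timestamp, which is why a mismatch is a drop and not merely a warning. It does nothing against the second attack in the entry, where the server itself is induced to send a genuine KoD; that one can only be detected, as the text says.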
756 * configuration directives to change "pidfile" and "driftfile" should
757 only be allowed locally.
759 References: Sec 2902 / CVE-2015-5196
760 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
761 and 4.3.0 up to, but not including 4.3.77
762 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
763 Summary: If ntpd is configured to allow for remote configuration,
764 and if the (possibly spoofed) source IP address is allowed to
765 send remote configuration requests, and if the attacker knows
766 the remote configuration password, it's possible for an attacker
767 to use the "pidfile" or "driftfile" directives to potentially
768 overwrite other files.
771 Upgrade to 4.2.8p4, or later, from the NTP Project Download
772 Page or the NTP Public Services Project Download Page
773 If you cannot upgrade, don't enable remote configuration.
774 If you must enable remote configuration and cannot upgrade,
775 remote configuration of NTF's ntpd requires:
776 - an explicitly configured trustedkey, and you should also
777 configure a controlkey.
778 - access from a permitted IP. You choose the IPs.
779 - authentication. Don't disable it. Practice secure key safety.
780 Monitor your ntpd instances.
781 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
783 * Slow memory leak in CRYPTO_ASSOC
785 References: Sec 2909 / CVE-2015-7701
786 Affects: All ntp-4 releases that use autokey up to, but not
787 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
788 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
790 Summary: If ntpd is configured to use autokey, then an attacker can
791 send packets to ntpd that will, after several days of ongoing
792 attack, cause it to run out of memory.
795 Upgrade to 4.2.8p4, or later, from the NTP Project Download
796 Page or the NTP Public Services Project Download Page
797 Monitor your ntpd instances.
798 Credit: This weakness was discovered by Tenable Network Security.
800 * mode 7 loop counter underrun
802 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
803 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
804 and 4.3.0 up to, but not including 4.3.77
805 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
806 Summary: If ntpd is configured to enable mode 7 packets, and if the
807 use of mode 7 packets is not properly protected through the use of
808 the available mode 7 authentication and restriction mechanisms,
809 and if the (possibly spoofed) source IP address is allowed to
810 send mode 7 queries, then an attacker can send a crafted packet
811 to ntpd that will cause it to crash.
814 Upgrade to 4.2.8p4, or later, from the NTP Project Download
815 Page or the NTP Public Services Project Download Page.
816 If you are unable to upgrade:
817 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
818 If you must enable mode 7:
819 configure the use of a requestkey to control who can issue
821 configure restrict noquery to further limit mode 7 requests
823 Monitor your ntpd instances.
824 Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
826 * memory corruption in password store
828 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
829 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
830 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
831 Summary: If ntpd is configured to allow remote configuration, and if
832 the (possibly spoofed) source IP address is allowed to send
833 remote configuration requests, and if the attacker knows the
834 remote configuration password or if ntpd was configured to
835 disable authentication, then an attacker can send a set of
836 packets to ntpd that may cause a crash or theoretically
837 perform a code injection attack.
840 Upgrade to 4.2.8p4, or later, from the NTP Project Download
841 Page or the NTP Public Services Project Download Page.
842 If you are unable to upgrade, remote configuration of NTF's
844 an explicitly configured "trusted" key. Only configure
846 access from a permitted IP address. You choose the IPs.
847 authentication. Don't disable it. Practice secure key safety.
848 Monitor your ntpd instances.
849 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
851 * Infinite loop if extended logging enabled and the logfile and
852 keyfile are the same.
854 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
855 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
856 and 4.3.0 up to, but not including 4.3.77
857 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
858 Summary: If ntpd is configured to allow remote configuration, and if
859 the (possibly spoofed) source IP address is allowed to send
860 remote configuration requests, and if the attacker knows the
861 remote configuration password or if ntpd was configured to
862 disable authentication, then an attacker can send a set of
863 packets to ntpd that will cause it to crash and/or create a
864 potentially huge log file. Specifically, the attacker could
865 enable extended logging, point the key file at the log file,
866 and cause what amounts to an infinite loop.
869 Upgrade to 4.2.8p4, or later, from the NTP Project Download
870 Page or the NTP Public Services Project Download Page.
871 If you are unable to upgrade, remote configuration of NTF's ntpd
873 an explicitly configured "trusted" key. Only configure this
875 access from a permitted IP address. You choose the IPs.
876 authentication. Don't disable it. Practice secure key safety.
877 Monitor your ntpd instances.
878 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
880 * Potential path traversal vulnerability in the config file saving of
883 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
884 Affects: All ntp-4 releases running under VMS up to, but not
885 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
886 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
887 Summary: If ntpd is configured to allow remote configuration, and if
888 the (possibly spoofed) IP address is allowed to send remote
889 configuration requests, and if the attacker knows the remote
890 configuration password or if ntpd was configured to disable
891 authentication, then an attacker can send a set of packets to
892 ntpd that may cause ntpd to overwrite files.
895 Upgrade to 4.2.8p4, or later, from the NTP Project Download
896 Page or the NTP Public Services Project Download Page.
897 If you are unable to upgrade, remote configuration of NTF's ntpd
899 an explicitly configured "trusted" key. Only configure
901 access from permitted IP addresses. You choose the IPs.
902 authentication. Don't disable it. Practice secure key safety.
903 Monitor your ntpd instances.
904 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
906 * ntpq atoascii() potential memory corruption
908 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
909 Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
910 and 4.3.0 up to, but not including 4.3.77
911 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
912 Summary: If an attacker can figure out the precise moment that ntpq
913 is listening for data and the port number it is listening on or
914 if the attacker can provide a malicious instance ntpd that
915 victims will connect to then an attacker can send a set of
916 crafted mode 6 response packets that, if received by ntpq,
917 can cause ntpq to crash.
920 Upgrade to 4.2.8p4, or later, from the NTP Project Download
921 Page or the NTP Public Services Project Download Page.
922 If you are unable to upgrade and you run ntpq against a server
923 and ntpq crashes, try again using raw mode. Build or get a
924 patched ntpq and see if that fixes the problem. Report new
925 bugs in ntpq or abusive servers appropriately.
926 If you use ntpq in scripts, make sure ntpq does what you expect
928 Credit: This weakness was discovered by Yves Younan and
929 Aleksander Nikolich of Cisco Talos.
931 * Invalid length data provided by a custom refclock driver could cause
934 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
935 Affects: Potentially all ntp-4 releases running up to, but not
936 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
937 that have custom refclocks
938 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
939 5.9 unusual worst case
940 Summary: A negative value for the datalen parameter will overflow a
941 data buffer. NTF's ntpd driver implementations always set this
942 value to 0 and are therefore not vulnerable to this weakness.
943 If you are running a custom refclock driver in ntpd and that
944 driver supplies a negative value for datalen (no custom driver
945 of even minimal competence would do this) then ntpd would
946 overflow a data buffer. It is even hypothetically possible
947 in this case that instead of simply crashing ntpd the attacker
948 could effect a code injection attack.
950 Upgrade to 4.2.8p4, or later, from the NTP Project Download
951 Page or the NTP Public Services Project Download Page.
952 If you are unable to upgrade:
953 If you are running custom refclock drivers, make sure
954 the signed datalen value is either zero or positive.
955 Monitor your ntpd instances.
956 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
958 * Password Length Memory Corruption Vulnerability
960 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
961 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
962 4.3.0 up to, but not including 4.3.77
963 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
964 1.7 usual case, 6.8, worst case
965 Summary: If ntpd is configured to allow remote configuration, and if
966 the (possibly spoofed) source IP address is allowed to send
967 remote configuration requests, and if the attacker knows the
968 remote configuration password or if ntpd was (foolishly)
969 configured to disable authentication, then an attacker can
970 send a set of packets to ntpd that may cause it to crash,
971 with the hypothetical possibility of a small code injection.
974 Upgrade to 4.2.8p4, or later, from the NTP Project Download
975 Page or the NTP Public Services Project Download Page.
976 If you are unable to upgrade, remote configuration of NTF's
978 an explicitly configured "trusted" key. Only configure
980 access from a permitted IP address. You choose the IPs.
981 authentication. Don't disable it. Practice secure key safety.
982 Monitor your ntpd instances.
983 Credit: This weakness was discovered by Yves Younan and
984 Aleksander Nikolich of Cisco Talos.
986 * decodenetnum() will ASSERT botch instead of returning FAIL on some
989 References: Sec 2922 / CVE-2015-7855
990 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
991 4.3.0 up to, but not including 4.3.77
992 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
993 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
994 an unusually long data value where a network address is expected,
995 the decodenetnum() function will abort with an assertion failure
996 instead of simply returning a failure condition.
999 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1000 Page or the NTP Public Services Project Download Page.
1001 If you are unable to upgrade:
1002 mode 7 is disabled by default. Don't enable it.
1003 Use restrict noquery to limit who can send mode 6
1004 and mode 7 requests.
1005 Configure and use the controlkey and requestkey
1006 authentication directives to limit who can
1007 send mode 6 and mode 7 requests.
1008 Monitor your ntpd instances.
1009 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
1011 * NAK to the Future: Symmetric association authentication bypass via
1014 References: Sec 2941 / CVE-2015-7871
1015 Affects: All ntp-4 releases between 4.2.5p186 up to but not including
1016 4.2.8p4, and 4.3.0 up to but not including 4.3.77
1017 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
1018 Summary: Crypto-NAK packets can be used to cause ntpd to accept time
1019 from unauthenticated ephemeral symmetric peers by bypassing the
1020 authentication required to mobilize peer associations. This
1021 vulnerability appears to have been introduced in ntp-4.2.5p186
1022 when the code handling mobilization of new passive symmetric
1023 associations (lines 1103-1165) was refactored.
1026 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1027 Page or the NTP Public Services Project Download Page.
1028 If you are unable to upgrade:
1029 Apply the patch to the bottom of the "authentic" check
1030 block around line 1136 of ntp_proto.c.
1031 Monitor your ntpd instances.
1032 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1034 Backward-Incompatible changes:
1035 * [Bug 2817] Default on Linux is now "rlimit memlock -1".
1036 While the general default of 32M is still the case, under Linux
1037 the default value has been changed to -1 (do not lock ntpd into
1038 memory). A value of 0 means "lock ntpd into memory with whatever
1039 memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
1040 value in it, that value will continue to be used.
1042 * [Bug 2886] Misspelling: "outlyer" should be "outlier".
1043 If you've written a script that looks for this case in, say, the
1044 output of ntpq, you probably want to change your regex matches
1045 from 'outlyer' to 'outl[iy]er'.
1047 New features in this release:
1048 * 'rlimit memlock' now has finer-grained control. A value of -1 means
1049 "don't lock ntpd into memory". This is the default for Linux boxes.
1050 A value of 0 means "lock ntpd into memory" with no limits. Otherwise
1051 the value is the number of megabytes of memory to lock. The default
1054 * The old Google Test framework has been replaced with a new framework,
1055 based on http://www.throwtheswitch.org/unity/ .
1057 Bug Fixes and Improvements:
1058 * [Bug 2332] (reopened) Exercising thread cancellation once before dropping
1059 privileges and limiting resources in NTPD removes the need to link
1060 forcefully against 'libgcc_s', which does not always work. J.Perlinger
1061 * [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
1062 * [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
1063 * [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
1064 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
1065 * [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
1066 * [Bug 2849] Systems with more than one default route may never
1067 synchronize. Brian Utterback. Note that this patch might need to
1068 be reverted once Bug 2043 has been fixed.
1069 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
1070 * [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
1071 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
1072 * [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
1073 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
1074 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
1075 be configured for the distribution targets. Harlan Stenn.
1076 * [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
1077 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
1078 * [Bug 2888] streamline calendar functions. perlinger@ntp.org
1079 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
1080 * [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
1081 * [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
1082 * [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
1083 * [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
1084 * libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
1085 * Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
1086 * tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
1087 * Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
1088 * On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
1089 * top_srcdir can change based on ntp v. sntp. Harlan Stenn.
1090 * sntp/tests/ function parameter list cleanup. Damir Tomić.
1091 * tests/libntp/ function parameter list cleanup. Damir Tomić.
1092 * tests/ntpd/ function parameter list cleanup. Damir Tomić.
1093 * sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
1094 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
1095 * tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
1096 * tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
1097 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1098 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
1099 formatting; first declaration, then code (C90); deleted unnecessary comments;
1100 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
1101 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
1102 fix formatting, cleanup. Tomasz Flendrich
1103 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
1105 * tests/libntp/statestr.c remove empty functions, remove unnecessary include,
1106 fix formatting. Tomasz Flendrich
1107 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
1108 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
1109 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
1111 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
1112 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
1113 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
1114 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
1115 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
1116 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
1117 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
1118 fixed formatting. Tomasz Flendrich
1119 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
1120 removed unnecessary comments, cleanup. Tomasz Flendrich
1121 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
1122 comments, cleanup. Tomasz Flendrich
1123 * tests/libntp/sockaddrtest.h: make it agree with NTP's formatting conventions.
1125 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich
1126 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
1127 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
1129 * sntp/tests/kodDatabase.c added consts, deleted empty function,
1130 fixed formatting. Tomasz Flendrich
1131 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
1132 * sntp/tests/packetHandling.c is now using proper Unity's assertions,
1133 fixed formatting, deleted unused variable. Tomasz Flendrich
1134 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
1136 * sntp/tests/packetProcessing.c changed from sprintf to snprintf,
1137 fixed formatting. Tomasz Flendrich
1138 * sntp/tests/utilities.c is now using proper Unity's assertions, changed
1139 the order of includes, fixed formatting, removed unnecessary comments.
1141 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
1142 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
1143 made one function do its job, deleted unnecessary prints, fixed formatting.
1145 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
1146 * sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
1147 * sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
1148 * sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
1149 * sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
1150 * Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
1151 * Don't build sntp/libevent/sample/. Harlan Stenn.
1152 * tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
1153 * br-flock: --enable-local-libevent. Harlan Stenn.
1154 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
1155 * scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
1156 * Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
1157 * Code cleanup. Harlan Stenn.
1158 * libntp/icom.c: Typo fix. Harlan Stenn.
1159 * util/ntptime.c: initialization nit. Harlan Stenn.
1160 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
1161 * Add std_unity_tests to various Makefile.am files. Harlan Stenn.
1162 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
1164 * Changed progname to be const in many files - now it's consistent. Tomasz
1166 * Typo fix for GCC warning suppression. Harlan Stenn.
1167 * Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
1168 * Added declarations to all Unity tests, and did minor fixes to them.
1169 Reduced the number of warnings by half. Damir Tomić.
1170 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory
1171 with the latest Unity updates from Mark. Damir Tomić.
1172 * Retire google test - phase I. Harlan Stenn.
1173 * Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
1174 * Update the NEWS file. Harlan Stenn.
1175 * Autoconf cleanup. Harlan Stenn.
1176 * Unit test dist cleanup. Harlan Stenn.
1177 * Cleanup various test Makefile.am files. Harlan Stenn.
1178 * Pthread autoconf macro cleanup. Harlan Stenn.
1179 * Fix progname definition in unity runner scripts. Harlan Stenn.
1180 * Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
1181 * Update the patch for bug 2817. Harlan Stenn.
1182 * More updates for bug 2817. Harlan Stenn.
1183 * Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
1184 * gcc on older HPUX may need +allowdups. Harlan Stenn.
1185 * Adding missing MCAST protection. Harlan Stenn.
1186 * Disable certain test programs on certain platforms. Harlan Stenn.
1187 * Implement --enable-problem-tests (on by default). Harlan Stenn.
1188 * build system tweaks. Harlan Stenn.
1191 NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
1193 Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.
1199 * [Sec 2853] Crafted remote config packet can crash some versions of
1200 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
1202 Under specific circumstances an attacker can send a crafted packet to
1203 cause a vulnerable ntpd instance to crash. This requires each of the
1204 following to be true:
1206 1) ntpd set up to allow remote configuration (not allowed by default), and
1207 2) knowledge of the configuration password, and
1208 3) access to a computer entrusted to perform remote configuration.
1210 This vulnerability is considered low-risk.
1212 New features in this release:
1214 Optional (disabled by default) support to have ntpd provide smeared
1215 leap second time. A specially built and configured ntpd will only
1216 offer smeared time in response to client packets. These response
1217 packets will also contain a "refid" of 254.a.b.c, where the 24 bits
1218 of a, b, and c encode the amount of smear in a 2:22 integer:fraction
1219 format. See README.leapsmear and http://bugs.ntp.org/2855 for more
1222 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
1223 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
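The REFID layout described above is what lets an operator tell from `ntpq -p` output that a server is handing out smeared time, and by how much. The following is an added encoder/decoder for that field, not ntpd's code: the 254.a.b.c layout and the 2:22 integer:fraction split come from the text, while the choice of two's complement for the 24-bit field (so that a negative offset can be carried) is an assumption made here. Function names are the example's own.

```python
# Added encoder/decoder for the leap-smear REFID described above.
# Illustrative code, not ntpd's. Two's complement for the 24-bit field
# is an assumption of this example; the release note does not state it.

FRACTION_BITS = 22
SCALE = 1 << FRACTION_BITS        # one second in 2:22 fixed point
FIELD_MASK = 0xFFFFFF             # 24 bits: 2 integer + 22 fraction
SMEAR_MARKER = 254                # first octet that flags a smeared response


def smear_to_refid(smear_seconds: float) -> bytes:
    """Encode a smear offset (seconds) as the 4-byte 254.a.b.c refid."""
    if not -2.0 <= smear_seconds < 2.0:
        raise ValueError("offset outside the 2:22 representable range")
    fixed = round(smear_seconds * SCALE) & FIELD_MASK   # two's complement wrap (assumed)
    return bytes([SMEAR_MARKER]) + fixed.to_bytes(3, "big")


def refid_to_smear(refid: bytes):
    """Return the smear in seconds, or None if this is not a smear refid."""
    if len(refid) != 4 or refid[0] != SMEAR_MARKER:
        return None
    fixed = int.from_bytes(refid[1:], "big")
    if fixed & 0x800000:                    # sign bit of the 24-bit field
        fixed -= 1 << 24
    return fixed / SCALE


def dotted(refid: bytes) -> str:
    """Render a refid the way ntpq prints it, e.g. '254.224.0.0'."""
    return ".".join(str(b) for b in refid)


def dotted_to_smear(text: str):
    """Parse a dotted refid string as shown by ntpq; None if not a smear refid."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    return refid_to_smear(bytes(int(p) for p in parts))


if __name__ == "__main__":
    # Constructed offsets spanning part of the representable range.
    for seconds in (0.0, -0.25, -0.5, -1.0, 0.5):
        refid = smear_to_refid(seconds)
        print(f"{seconds:+.3f} s -> {dotted(refid)} -> {refid_to_smear(refid):+.3f} s")
    print(dotted_to_smear("127.127.1.0"))   # None: a local-clock refid, not smeared
```

A monitoring script that watches the refid column for a leading 254 can raise an alert if a server that is supposed to serve unsmeared time (a public server, per the warning above) ever shows one, and `dotted_to_smear` turns the value into a number worth graphing.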
1225 We've imported the Unity test framework, and have begun converting
1226 the existing google-test items to this new framework. If you want
1227 to write new tests or change old ones, you'll need to have ruby
1228 installed. You don't need ruby to run the test suite.
1230 Bug Fixes and Improvements:
1232 * CID 739725: Fix a rare resource leak in libevent/listener.c.
1233 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
1234 * CID 1296235: Fix refclock_jjy.c and correct the type in driver40-ja.html
1235 * CID 1269537: Clean up a line of dead code in getShmTime().
1236 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
1237 * [Bug 2590] autogen-5.18.5.
1238 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
1240 * [Bug 2650] fix includefile processing.
1241 * [Bug 2745] ntpd -x steps clock on leap second
1242 Fixed an initial-value problem that caused misbehaviour in the absence of
1243 any leap second information.
1244 Do leap second stepping only if the step adjustment is beyond the
1245 proper jump distance limit and step correction is allowed at all.
1246 * [Bug 2750] build for Win64
1247 Building the 32-bit loopback ppsapi needs a def file
1248 * [Bug 2776] Improve ntpq's 'help keytype'.
1249 * [Bug 2778] Implement "apeers" ntpq command to include associd.
1250 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
1251 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an
1252 interface is ignored as long as this flag is not set since the
1253 interface is not usable (e.g., no link).
1254 * [Bug 2794] Clean up kernel clock status reports.
1255 * [Bug 2800] refclock_true.c true_debug() can't open debug log because
1256 of incompatible open/fdopen parameters.
1257 * [Bug 2804] install-local-data assumes GNU 'find' semantics.
1258 * [Bug 2805] ntpd fails to join multicast group.
1259 * [Bug 2806] refclock_jjy.c supports the Telephone JJY.
1260 * [Bug 2808] GPSD_JSON driver enhancements, step 1.
1261 Fix crash during cleanup if GPS device not present and char device.
1262 Increase internal token buffer to parse all JSON data, even SKY.
1263 Defer logging of errors during driver init until the first unit is
1264 started, so the syslog is not cluttered when the driver is not used.
1265 Various improvements, see http://bugs.ntp.org/2808 for details.
1266 Changed libjsmn to a more recent version.
1267 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
1268 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
1269 * [Bug 2815] net-snmp before v5.4 has circular library dependencies.
1270 * [Bug 2821] Add a missing NTP_PRINTF and a missing const.
1271 * [Bug 2822] New leap column in sntp broke NTP::Util.pm.
1272 * [Bug 2824] Convert update-leap to perl. (also see 2769)
1273 * [Bug 2825] Quiet file installation in html/ .
1274 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
1275 NTPD transfers the current TAI (instead of an announcement) now.
1276 This might still need improvement.
1277 Update autokey data ASAP when 'sys_tai' changes.
1278 Fix unit test that was broken by changes for autokey update.
1279 Avoid potential signature length issue and use DPRINTF where possible
1281 * [Bug 2832] refclock_jjy.c supports the TDC-300.
1282 * [Bug 2834] Correct a broken html tag in html/refclock.html
1283 * [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
1284 robust, and require 2 consecutive timestamps to be consistent.
1285 * [Bug 2837] Allow a configurable DSCP value.
1286 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in
1287 * [Bug 2842] Glitch in ntp.conf.def documentation stanza.
1288 * [Bug 2842] Bug in mdoc2man.
1289 * [Bug 2843] make check fails on 4.3.36
1290 Fixed compiler warnings about numeric range overflow
1291 (The original topic was fixed in a byplay to bug#2830)
1292 * [Bug 2845] Harden memory allocation in ntpd.
1293 * [Bug 2852] 'make check' can't find unity.h. Hal Murray.
1294 * [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
1295 * [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
1296 * [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
1297 * [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
1298 * [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
1299 * [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
1300 * [Bug 2859] Improve raw DCF77 decoding robustness. Frank Kardel.
1301 * [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
1302 * html/drivers/driver22.html: typo fix. Harlan Stenn.
1303 * refidsmear test cleanup. Tomasz Flendrich.
1304 * refidsmear function support and tests. Harlan Stenn.
1305 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
1306 something that was only in the 4.2.6 sntp. Harlan Stenn.
1307 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
1309 * Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
1311 * Modified sntp/tests/Makefile.am so it builds Unity framework tests.
1313 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
1314 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
1315 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
1316 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1317 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
1318 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
1319 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
1321 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
1322 networking.c, keyFile.c, utilities.cpp, sntptest.h,
1323 fileHandlingTest.h. Damir Tomić
1324 * Initial support for experimental leap smear code. Harlan Stenn.
1325 * Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
1326 * Report select() debug messages at debug level 3 now.
1327 * sntp/scripts/genLocInfo: treat raspbian as debian.
1328 * Unity test framework fixes.
1329 ** Requires ruby for changes to tests.
1330 * Initial support for PACKAGE_VERSION tests.
1331 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
1332 * tests/bug-2803/Makefile.am must distribute bug-2803.h.
1333 * Add an assert to the ntpq ifstats code.
1334 * Clean up the RLIMIT_STACK code.
1335 * Improve the ntpq documentation around the controlkey keyid.
1337 * Windows port build cleanup.
1340 NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
1342 Focus: Security and Bug fixes, enhancements.
1346 In addition to bug fixes and enhancements, this release fixes the
1347 following medium-severity vulnerabilities involving private key
1350 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1352 References: Sec 2779 / CVE-2015-1798 / VU#374268
1353 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
1354 including ntp-4.2.8p2 where the installation uses symmetric keys
1355 to authenticate remote associations.
1356 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1357 Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1358 Summary: When ntpd is configured to use a symmetric key to authenticate
1359 a remote NTP server/peer, it checks if the NTP message
1360 authentication code (MAC) in received packets is valid, but not if
1361 there actually is any MAC included. Packets without a MAC are
1362 accepted as if they had a valid MAC. This allows a MITM attacker to
1363 send false packets that are accepted by the client/peer without
1364 having to know the symmetric key. The attacker needs to know the
1365 transmit timestamp of the client to match it in the forged reply
1366 and the false reply needs to reach the client before the genuine
1367 reply from the server. The attacker doesn't necessarily need to be
1368 relaying the packets between the client and the server.
1370 Authentication using autokey doesn't have this problem as there is
1371 a check that requires the key ID to be larger than NTP_MAXKEY,
1372 which fails for packets without a MAC.
1374 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1375 or the NTP Public Services Project Download Page
1376 Configure ntpd with enough time sources and monitor it properly.
1377 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1379 * [Sec 2781] Authentication doesn't protect symmetric associations against
1382 References: Sec 2781 / CVE-2015-1799 / VU#374268
1383 Affects: All NTP releases starting with at least xntp3.3wy up to but
1384 not including ntp-4.2.8p2 where the installation uses symmetric
1386 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1387 Note: the CVSS base Score for this issue could be 4.3 or lower, and
1388 it could be higher than 5.4.
1389 Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1390 Summary: An attacker knowing that NTP hosts A and B are peering with
1391 each other (symmetric association) can send a packet to host A
1392 with source address of B which will set the NTP state variables
1393 on A to the values sent by the attacker. Host A will then send
1394 on its next poll to B a packet with originate timestamp that
1395 doesn't match the transmit timestamp of B and the packet will
1396 be dropped. If the attacker does this periodically for both
1397 hosts, they won't be able to synchronize to each other. This is
1398 a known denial-of-service attack, described at
1399 https://www.eecis.udel.edu/~mills/onwire.html .
1401 According to the document the NTP authentication is supposed to
1402 protect symmetric associations against this attack, but that
1403 doesn't seem to be the case. The state variables are updated even
1404 when authentication fails and the peers are sending packets with
1405 originate timestamps that don't match the transmit timestamps on
1408 This seems to be a very old problem, dating back to at least
1409 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
1410 specifications, so other NTP implementations with support for
1411 symmetric associations and authentication may be vulnerable too.
1412 An update to the NTP RFC to correct this error is in-process.
1414 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1415 or the NTP Public Services Project Download Page
1416 Note that for users of autokey, this specific style of MITM attack
1417 is simply a long-known potential problem.
1418 Configure ntpd with appropriate time sources and monitor ntpd.
1419 Alert your staff if problems are detected.
1420 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
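The two symmetric-key problems above (Sec 2779: a missing MAC is never checked for; Sec 2781: association state is overwritten before the packet is checked) are easiest to see side by side in a small model. The following is an added example written for this entry, not ntpd code: it builds 48-byte NTPv4 packets with the MD5(key || packet) MAC that ntpd's symmetric-key authentication uses, then runs a peer pair through both attacks with the vulnerable and the hardened ordering of checks. The key table, timestamps and the `Peer` class are constructed for the demonstration; the vulnerable ordering follows the RFC 5905 receive procedure as described in the text, not ntpd's actual source.

```python
"""Model of ntpd symmetric-key packet authentication and symmetric-association
state handling, written for this NEWS entry; it is not ntpd code."""
import hashlib
import hmac
import struct

# Constructed sample key table: key ID -> MD5 key bytes, as ntp.keys would hold.
KEYS = {1: b"constructed-shared-secret"}
JUNK_MAC = b"\xff" * 20          # a 20-byte MAC that verifies under no key
NTP_HEADER_LEN = 48


def build_packet(org, xmt):
    """48-byte NTPv4 symmetric-active (mode 1) packet; only the origin and
    transmit timestamps matter for this model, the other fields are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 1
    header = struct.pack("!BBBbIII", li_vn_mode, 2, 6, -20, 0, 0, 0)
    return header + struct.pack("!QQQQ", 0, org, 0, xmt)


def mac_for(pkt, keyid):
    """Symmetric-key MAC as ntpd computes it: 4-byte key ID, then MD5(key || packet)."""
    return struct.pack("!I", keyid) + hashlib.md5(KEYS[keyid] + pkt).digest()


def mac_is_valid(pkt, mac):
    """True only if a MAC is present, names a known key and verifies."""
    if len(mac) != 20:
        return False
    (keyid,) = struct.unpack("!I", mac[:4])
    if keyid not in KEYS:
        return False
    return hmac.compare_digest(mac_for(pkt, keyid), mac)


class Peer:
    """One side of a symmetric association; fixed=False reproduces both
    defects described above, fixed=True the corrected ordering."""

    def __init__(self, keyid, fixed):
        self.keyid, self.fixed = keyid, fixed
        self.org = 0     # transmit timestamp of the last packet taken from the remote
        self.xmt = 0     # transmit timestamp of our own last packet

    def poll(self, now):
        """Our next packet echoes the remote's last transmit timestamp as its origin."""
        self.xmt = now
        pkt = build_packet(org=self.org, xmt=now)
        return pkt + mac_for(pkt, self.keyid)

    def receive(self, datagram):
        pkt, mac = datagram[:NTP_HEADER_LEN], datagram[NTP_HEADER_LEN:]
        (org,) = struct.unpack("!Q", pkt[24:32])
        (xmt,) = struct.unpack("!Q", pkt[40:48])
        if self.fixed:
            authentic = mac_is_valid(pkt, mac)
        else:
            # Sec 2779: the MAC is checked only when one is present, so a
            # packet carrying no MAC at all passes as authentic.
            authentic = len(mac) == 0 or mac_is_valid(pkt, mac)
            # Sec 2781: the state variable is overwritten before either check,
            # as the RFC 5905 receive procedure has it.
            self.org = xmt
        if not authentic:
            return "auth-fail"
        if org != self.xmt:          # not a reply to our last poll: bogus
            return "bogus"
        self.org = xmt
        return "ok"


def handshake(fixed):
    """One honest round trip so both sides hold each other's transmit timestamps."""
    a, b = Peer(1, fixed), Peer(1, fixed)
    assert b.receive(a.poll(100)) == "ok"
    assert a.receive(b.poll(101)) == "ok"
    return a, b


def attack_missing_mac(fixed):
    """Sec 2779: a forged reply with no MAC that echoes A's last transmit timestamp."""
    a, _ = handshake(fixed)
    return a.receive(build_packet(org=a.xmt, xmt=0xBAD0))


def attack_state_poisoning(fixed):
    """Sec 2781: a packet with a junk MAC, spoofed as B, overwrites A's origin
    state; returns A's verdict on it and B's verdict on A's next genuine poll."""
    a, b = handshake(fixed)
    verdict = a.receive(build_packet(org=0, xmt=0xDEAD) + JUNK_MAC)
    return verdict, b.receive(a.poll(102))


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable",
              attack_missing_mac(fixed), attack_state_poisoning(fixed))
```

With fixed=False the MAC-less forgery is accepted outright and the junk-MAC packet, although rejected, leaves A's origin state poisoned so B drops A's next poll as bogus; with fixed=True the forgery fails authentication and the state is untouched, so the association keeps running.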
1422 * New script: update-leap
1423 The update-leap script will verify and if necessary, update the
1424 leap-second definition file.
1425 It requires the following commands in order to work:
1427 wget logger tr sed shasum
1429 Some may choose to run this from cron. It needs more portability testing.
1431 Bug Fixes and Improvements:
1433 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
1434 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
1435 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
1436 * [Bug 2728] See if C99-style structure initialization works.
1437 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
1438 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
1439 * [Bug 2751] jitter.h has stale copies of l_fp macros.
1440 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
1441 * [Bug 2757] Quiet compiler warnings.
1442 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
1443 * [Bug 2763] Allow different thresholds for forward and backward steps.
1444 * [Bug 2766] ntp-keygen output files should not be world-readable.
1445 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
1446 * [Bug 2771] nonvolatile value is documented in wrong units.
1447 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
1448 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
1449 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
1450 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
1451 Removed non-ASCII characters from some copyright comments.
1452 Removed trailing whitespace.
1453 Updated definitions for Meinberg clocks from current Meinberg header files.
1454 Now use C99 fixed-width types and avoid non-ASCII characters in comments.
1455 Account for updated definitions pulled from Meinberg header files.
1456 Updated comments on Meinberg GPS receivers which are not only called GPS16x.
1457 Replaced some constant numbers by defines from ntp_calendar.h
1458 Modified creation of parse-specific variables for Meinberg devices
1459 in gps16x_message().
1460 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
1461 Modified mbg_tm_str() which now expects an additional parameter controlling
1462 if the time status shall be printed.
1463 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1464 * [Sec 2781] Authentication doesn't protect symmetric associations against
1466 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
1467 * [Bug 2789] Quiet compiler warnings from libevent.
1468 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
1469 pause briefly before measuring system clock precision to yield
1471 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
1472 * Use predefined function types for parse driver functions
1473 used to set up function pointers.
1474 Account for changed prototype of parse_inp_fnc_t functions.
1475 Cast parse conversion results to appropriate types to avoid
1477 Let ioctl() for Windows accept a (void *) to avoid compiler warnings
1478 when called with pointers to different types.
1481 NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
1483 Focus: Security and Bug fixes, enhancements.
1487 In addition to bug fixes and enhancements, this release fixes the
1488 following high-severity vulnerabilities:
1490 * vallen is not validated in several places in ntp_crypto.c, leading
1491 to a potential information leak or possibly a crash
1493 References: Sec 2671 / CVE-2014-9297 / VU#852879
1494 Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
1495 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1496 Date Resolved: Stable (4.2.8p1) 04 Feb 2015
1497 Summary: The vallen packet value is not validated in several code
1498 paths in ntp_crypto.c which can lead to information leakage
1499 or perhaps a crash of the ntpd process.
1500 Mitigation - any of:
1501 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1502 or the NTP Public Services Project Download Page.
1503 Disable Autokey Authentication by removing, or commenting out,
1504 all configuration directives beginning with the "crypto"
1505 keyword in your ntp.conf file.
1506 Credit: This vulnerability was discovered by Stephen Roettger of the
1507 Google Security Team, with additional cases found by Sebastian
1508 Krahmer of the SUSE Security Team and Harlan Stenn of Network
1511 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
1514 References: Sec 2672 / CVE-2014-9298 / VU#852879
1515 Affects: All NTP4 releases before 4.2.8p1, under at least some
1516 versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
1517 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
1518 Date Resolved: Stable (4.2.8p1) 04 Feb 2015
1519 Summary: While available kernels will prevent 127.0.0.1 addresses
1520 from "appearing" on non-localhost IPv4 interfaces, some kernels
1521 do not offer the same protection for ::1 source addresses on
1522 IPv6 interfaces. Since NTP's access control is based on source
1523 address and localhost addresses generally have no restrictions,
1524 an attacker can send malicious control and configuration packets
1525 by spoofing ::1 addresses from the outside. Note Well: This is
1526 not really a bug in NTP, it's a problem with some OSes. If you
1527 have one of these OSes where ::1 can be spoofed, ALL ::1 -based
1528 ACL restrictions on any application can be bypassed!
1530 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1531 or the NTP Public Services Project Download Page
1532 Install firewall rules to block packets claiming to come from
1533 ::1 from inappropriate network interfaces.
1534 Credit: This vulnerability was discovered by Stephen Roettger of
1535 the Google Security Team.
1537 Additionally, over 30 bugfixes and improvements were made to the codebase.
1538 See the ChangeLog for more information.
1541 NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
1543 Focus: Security and Bug fixes, enhancements.
1547 In addition to bug fixes and enhancements, this release fixes the
1548 following high-severity vulnerabilities:
1550 ************************** vv NOTE WELL vv *****************************
1552 The vulnerabilities listed below can be significantly mitigated by
1553 following the BCP of putting
1555 restrict default ... noquery
1557 in the ntp.conf file. With the exception of:
1559 receive(): missing return on error
1560 References: Sec 2670 / CVE-2014-9296 / VU#852879
1562 below (which is a limited-risk vulnerability), none of the recent
1563 vulnerabilities listed below can be exploited if the source IP is
1564 restricted from sending a 'query'-class packet by your ntp.conf file.
1566 ************************** ^^ NOTE WELL ^^ *****************************
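As an added illustration of the BCP the note refers to (this fragment is not taken from the NTP distribution), the ntp.conf change amounts to the following. The first form is what a file with no restrict lines provides; the second is the recommended one. The kod, nomodify, notrap and nopeer flags are customary companions of noquery rather than something the note above requires, and the server name is a placeholder.

```conf
# Permissive: with no restrict lines, any source may send time packets,
# mode 6 (ntpq) and mode 7 (ntpdc) queries, and runtime configuration.
server time.example.net

# BCP: deny query-class packets from everywhere by default ...
restrict default kod nomodify notrap nopeer noquery
# ... and leave the local host unrestricted so ntpq still works there.
# (The ::1 entry assumes the OS does not let ::1 be spoofed from outside;
# see Sec 2672 / CVE-2014-9298 in the 4.2.8p1 entry.)
restrict 127.0.0.1
restrict ::1
```

Time service to clients is unaffected by noquery; only the control and private-request paths are closed.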
1568 * Weak default key in config_auth().
1570 References: [Sec 2665] / CVE-2014-9293 / VU#852879
1571 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
1572 Vulnerable Versions: all releases prior to 4.2.7p11
1573 Date Resolved: 28 Jan 2010
1575 Summary: If no 'auth' key is set in the configuration file, ntpd
1576 would generate a random key on the fly. There were two
1577 problems with this: 1) the generated key was 31 bits in size,
1578 and 2) it used the (now weak) ntp_random() function, which was
1579 seeded with a 32-bit value and could only provide 32 bits of
1580 entropy. This was sufficient back in the late 1990s when the
1581 code was written. Not today.
1583 Mitigation - any of:
1584 - Upgrade to 4.2.7p11 or later.
1585 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1587 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
1588 of the Google Security Team.
1590 * Non-cryptographic random number generator with weak seed used by
1591 ntp-keygen to generate symmetric keys.
1593 References: [Sec 2666] / CVE-2014-9294 / VU#852879
1594 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
1595 Vulnerable Versions: All NTP4 releases before 4.2.7p230
1596 Date Resolved: Dev (4.2.7p230) 01 Nov 2011
1598 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
1599 prepare a random number generator that was of good quality back
1600 in the late 1990s. The random numbers produced were then used to
1601 generate symmetric keys. In ntp-4.2.8 we use a current-technology
1602 cryptographic random number generator, either RAND_bytes from
1603 OpenSSL, or arc4random().
1605 Mitigation - any of:
1606 - Upgrade to 4.2.7p230 or later.
1607 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1609 Credit: This vulnerability was discovered in ntp-4.2.6 by
1610 Stephen Roettger of the Google Security Team.
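Both weak-key entries above (Sec 2665 and Sec 2666) come down to the same point: a generator seeded with 32 bits can produce at most 2**32 distinct keys, so whoever captures one authenticated packet can enumerate the seeds offline. The following is an added example written for this entry, not ntp code. Python's Mersenne Twister stands in for ntp_random() (the specific generator does not matter for the argument), the captured packet is 48 constructed zero bytes, and the search is limited to a 16-bit seed space so it runs in about a second; the real 32-bit space is only larger, not infeasible.

```python
"""Why a 32-bit PRNG seed is not a key: recover the seed, and so the key, from
one observed MAC. Constructed example for this NEWS entry, not ntp code."""
import hashlib
import random
import secrets


def weak_symmetric_key(seed):
    """Stand-in for a key drawn from a generator seeded with a 32-bit value.
    Python's Mersenne Twister is used here in place of ntp_random(); whatever
    the generator, a 32-bit seed can yield at most 2**32 distinct keys."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))


def strong_symmetric_key():
    """What 4.2.8 does instead: key bytes from the OS CSPRNG (RAND_bytes or
    arc4random in ntp; secrets.token_bytes here)."""
    return secrets.token_bytes(16)


def ntp_md5_mac(key, pkt):
    """MD5 digest over key || packet, the symmetric-key MAC ntpd uses."""
    return hashlib.md5(key + pkt).digest()


def recover_seed(pkt, mac, seed_bits):
    """Offline search over the seed space: re-derive the key for each candidate
    seed until the observed MAC over a captured packet matches."""
    for seed in range(1 << seed_bits):
        if ntp_md5_mac(weak_symmetric_key(seed), pkt) == mac:
            return seed
    return None


def demo(seed_bits=16):
    """Capture one authenticated packet from a weakly keyed daemon and recover
    the key. Returns (recovered seed, whether the re-derived key matches)."""
    pkt = bytes(48)                    # constructed "captured" packet: 48 zero bytes
    secret_seed = 0x1234               # what the victim's generator was seeded with
    key = weak_symmetric_key(secret_seed)
    observed_mac = ntp_md5_mac(key, pkt)
    found = recover_seed(pkt, observed_mac, seed_bits)
    return found, found is not None and weak_symmetric_key(found) == key


if __name__ == "__main__":
    print(demo())
```

A key from strong_symmetric_key() gives the search nothing to enumerate: there is no seed, only 128 bits of OS entropy per key.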
1612 * Buffer overflow in crypto_recv()
1614 References: Sec 2667 / CVE-2014-9295 / VU#852879
1615 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1616 Versions: All releases before 4.2.8
1617 Date Resolved: Stable (4.2.8) 18 Dec 2014
1619 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
1620 file contains a 'crypto pw ...' directive) a remote attacker
1621 can send a carefully crafted packet that can overflow a stack
1622 buffer and potentially allow malicious code to be executed
1623 with the privilege level of the ntpd process.
1625 Mitigation - any of:
1626 - Upgrade to 4.2.8, or later, or
1627 - Disable Autokey Authentication by removing, or commenting out,
1628 all configuration directives beginning with the crypto keyword
1629 in your ntp.conf file.
1631 Credit: This vulnerability was discovered by Stephen Roettger of the
1632 Google Security Team.
1634 * Buffer overflow in ctl_putdata()
1636 References: Sec 2668 / CVE-2014-9295 / VU#852879
1637 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1638 Versions: All NTP4 releases before 4.2.8
1639 Date Resolved: Stable (4.2.8) 18 Dec 2014
1641 Summary: A remote attacker can send a carefully crafted packet that
1642 can overflow a stack buffer and potentially allow malicious
1643 code to be executed with the privilege level of the ntpd process.
1645 Mitigation - any of:
1646 - Upgrade to 4.2.8, or later.
1647 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1649 Credit: This vulnerability was discovered by Stephen Roettger of the
1650 Google Security Team.
1652 * Buffer overflow in configure()
1654 References: Sec 2669 / CVE-2014-9295 / VU#852879
1655 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1656 Versions: All NTP4 releases before 4.2.8
1657 Date Resolved: Stable (4.2.8) 18 Dec 2014
1659 Summary: A remote attacker can send a carefully crafted packet that
1660 can overflow a stack buffer and potentially allow malicious
1661 code to be executed with the privilege level of the ntpd process.
1663 Mitigation - any of:
1664 - Upgrade to 4.2.8, or later.
1665 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1667 Credit: This vulnerability was discovered by Stephen Roettger of the
1668 Google Security Team.
1670 * receive(): missing return on error
1672 References: Sec 2670 / CVE-2014-9296 / VU#852879
1673 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
1674 Versions: All NTP4 releases before 4.2.8
1675 Date Resolved: Stable (4.2.8) 18 Dec 2014
1677 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
1678 the code path where an error was detected, which meant
1679 processing did not stop when a specific rare error occurred.
1680 We haven't found a way for this bug to affect system integrity.
1681 If there is no way to affect system integrity the base CVSS
1682 score for this bug is 0. If there is one avenue through which
1683 system integrity can be partially affected, the base score
1684 becomes a 5. If system integrity can be partially affected
1685 via all three integrity metrics, the CVSS base score becomes 7.5.
1687 Mitigation - any of:
1688 - Upgrade to 4.2.8, or later,
1689 - Remove or comment out all configuration directives
1690 beginning with the crypto keyword in your ntp.conf file.
1692 Credit: This vulnerability was discovered by Stephen Roettger of the
1693 Google Security Team.
1695 See http://support.ntp.org/security for more information.
1697 New features / changes in this release:
1701 * Internal NTP Era counters
1703 The internal counters that track the "era" (range of years) we are in
1704 roll over every 136 years. The current "era" started at the stroke of
1705 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1707 In the past, we have used the "midpoint" of the range to decide which
1708 era we were in. Given the longevity of some products, it became clear
1709 that it would be more functional to "look back" less, and "look forward"
1710 more. We now compile a timestamp into the ntpd executable and when we
1711 get a timestamp we use the "built-on" time to tell us what era we are in.
1712 This check "looks back" 10 years, and "looks forward" 126 years.
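The era rule above is a small piece of arithmetic that is easy to get wrong, so here it is worked through as an added example (not ntpd code). The 32-bit seconds field on the wire is mapped to a full, era-qualified time under both the old midpoint rule and the new build-time rule; the build timestamp is taken to be this release's date, and "10 years" is taken as ten 365-day years, both assumptions of the example.

```python
"""NTP era disambiguation: turn the 32-bit seconds field carried on the wire
into an unambiguous time using a compiled-in pivot. Constructed example for
this NEWS entry, not ntpd code."""
from datetime import datetime, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
ERA_SECONDS = 1 << 32                  # one era is 2**32 s, about 136 years
LOOKBACK_SECONDS = 10 * 365 * 86400    # assumption: "10 years" as 365-day years


def ntp_seconds(iso_date):
    """Seconds since 1900-01-01 UTC as an unbounded integer (era-qualified)."""
    dt = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return int((dt - NTP_EPOCH).total_seconds())


def to_wire(era_seconds):
    """The 32-bit seconds field an NTP packet actually carries."""
    return era_seconds % ERA_SECONDS


def _resolve(wire_seconds, window_start):
    """Unique t = wire + k*2**32 with window_start <= t < window_start + 2**32."""
    k = -((wire_seconds - window_start) // ERA_SECONDS)   # ceiling division
    return wire_seconds + k * ERA_SECONDS


def resolve_midpoint(wire_seconds, pivot_seconds):
    """The old rule: the era is chosen so the result falls within about
    68 years either side of the pivot."""
    return _resolve(wire_seconds, pivot_seconds - ERA_SECONDS // 2)


def resolve_build_time(wire_seconds, build_seconds):
    """The 4.2.8 rule: look back 10 years from the build timestamp and forward
    for the rest of the era (about 126 years)."""
    return _resolve(wire_seconds, build_seconds - LOOKBACK_SECONDS)


BUILD = ntp_seconds("2014-12-18")   # constructed pivot: this release's date


def interpret(iso_date):
    """Send a date through the 32-bit wire field and back under both rules;
    returns (true era-qualified seconds, midpoint result, build-time result)."""
    true_seconds = ntp_seconds(iso_date)
    wire = to_wire(true_seconds)
    return (true_seconds,
            resolve_midpoint(wire, BUILD),
            resolve_build_time(wire, BUILD))


if __name__ == "__main__":
    for date in ("2016-04-26", "2040-01-01", "2130-06-01", "1994-06-01"):
        print(date, interpret(date))
```

Dates up to about 2082 come out the same under both rules; a timestamp from 2130 is read as 1994 by the midpoint rule and correctly by the build-time rule, while a genuine 1994 timestamp, more than 10 years before the build, is now pushed into the next era. That is the trade the text describes: less looking back, more looking forward.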
1714 * ntpdc responses disabled by default
1718 For a long time, ntpq and its mostly text-based mode 6 (control)
1719 protocol have been preferred over ntpdc and its mode 7 (private
1720 request) protocol for runtime queries and configuration. There has
1721 been a goal of deprecating ntpdc, previously held back by numerous
1722 capabilities exposed by ntpdc with no ntpq equivalent. I have been
1723 adding commands to ntpq to cover these cases, and I believe I've
1724 covered them all, though I've not compared command-by-command
1727 As I've said previously, the binary mode 7 protocol involves a lot of
1728 hand-rolled structure layout and byte-swapping code in both ntpd and
1729 ntpdc which is hard to get right. As ntpd grows and changes, the
1730 changes are difficult to expose via ntpdc while maintaining forward
1731 and backward compatibility between ntpdc and ntpd. In contrast,
1732 ntpq's text-based, label=value approach involves more code reuse and
1733 allows compatible changes without extra work in most cases.
1735 Mode 7 has always been defined as vendor/implementation-specific while
1736 mode 6 is described in RFC 1305 and intended to be open to interoperate
1737 with other implementations. There is an early draft of an updated
1738 mode 6 description that likely will join the other NTPv4 RFCs
1739 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
1741 For these reasons, ntpd 4.2.7p230 by default disables processing of
1742 ntpdc queries, reducing ntpd's attack surface and functionally
1743 deprecating ntpdc. If you are in the habit of using ntpdc for certain
1744 operations, please try the ntpq equivalent. If there's no equivalent,
1745 please open a bug report at http://bugs.ntp.org./
1747 In addition to the above, over 1100 issues have been resolved between
1748 the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
1752 NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
1758 This is a recommended upgrade.
1760 This release updates sys_rootdisp and sys_jitter calculations to match the
1761 RFC specification, fixes a potential IPv6 address matching error for the
1762 "nic" and "interface" configuration directives, suppresses the creation of
1763 extraneous ephemeral associations for certain broadcastclient and
1764 multicastclient configurations, cleans up some ntpq display issues, and
1765 includes improvements to orphan mode, minor bugs fixes and code clean-ups.
1767 New features / changes in this release:
1771 * Updated "nic" and "interface" IPv6 address handling to prevent
1772 mismatches with localhost [::1] and wildcard [::] which resulted from
1773 using the address/prefix format (e.g. fe80::/64)
1774 * Fix orphan mode stratum incorrectly counting to infinity
1775 * Orphan parent selection metric updated to include missing ntohl()
1776 * Non-printable stratum 16 refid no longer sent to ntp
1777 * Duplicate ephemeral associations suppressed for broadcastclient and
1778 multicastclient without broadcastdelay
1779 * Exclude undetermined sys_refid from use in loopback TEST12
1780 * Exclude MODE_SERVER responses from KoD rate limiting
1781 * Include root delay in clock_update() sys_rootdisp calculations
1782 * get_systime() updated to exclude sys_residual offset (which only
1783 affected bits "below" sys_tick, the precision threshold)
1784 * sys.peer jitter weighting corrected in sys_jitter calculation
1788 * -n option extended to include the billboard "server" column
1789 * IPv6 addresses in the local column truncated to prevent overruns
1792 NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
1794 Focus: Bug fixes and portability improvements
1798 This is a recommended upgrade.
1800 This release includes build infrastructure updates, code
1801 clean-ups, minor bug fixes, fixes for a number of minor
1802 ref-clock issues, and documentation revisions.
1804 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
1806 New features / changes in this release:
1810 * Fix checking for struct rtattr
1811 * Update config.guess and config.sub for AIX
1812 * Upgrade required version of autogen and libopts for building
1813 from our source code repository
1817 * Back-ported several fixes for Coverity warnings from ntp-dev
1818 * Fix a rare boundary condition in UNLINK_EXPR_SLIST()
1819 * Allow "logconfig =allall" configuration directive
1820 * Bind tentative IPv6 addresses on Linux
1821 * Correct WWVB/Spectracom driver to timestamp CR instead of LF
1822 * Improved tally bit handling to prevent incorrect ntpq peer status reports
1823 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial
1824 candidate list unless they are designated a "prefer peer"
1825 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
1826 selection during the 'tos orphanwait' period
1827 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
1829 * Improved support of the Parse Refclock trusttime flag in Meinberg mode
1830 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
1831 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
1832 clock slew on Microsoft Windows
1833 * Code cleanup in libntpq
1837 * Fix timerstats reporting
1841 * Reduce time required to set clock
1842 * Allow a timeout greater than 2 seconds
1846 * Backward incompatible command-line option change:
1847 -l/--filelog changed to -l/--logfile (to be consistent with ntpd)
1851 * Update html2man. Fix some tags in the .html files
1852 * Distribute ntp-wait.html
1855 NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
1857 Focus: Bug fixes and portability improvements
1861 This is a recommended upgrade.
1863 This release includes build infrastructure updates, code
1864 clean-ups, minor bug fixes, fixes for a number of minor
1865 ref-clock issues, and documentation revisions.
1867 Portability improvements in this release affect AIX, Atari FreeMiNT,
1868 FreeBSD4, Linux and Microsoft Windows.
1870 New features / changes in this release:
1873 * Use lsb_release to get information about Linux distributions.
1874 * 'test' is in /usr/bin (instead of /bin) on some systems.
1875 * Basic sanity checks for the ChangeLog file.
1876 * Source certain build files with ./filename for systems without . in PATH.
1877 * IRIX portability fix.
1878 * Use a single copy of the "libopts" code.
1879 * autogen/libopts upgrade.
1880 * configure.ac m4 quoting cleanup.
1883 * Do not bind to IN6_IFF_ANYCAST addresses.
1884 * Log the reason for exiting under Windows.
1885 * Multicast fixes for Windows.
1886 * Interpolation fixes for Windows.
1887 * IPv4 and IPv6 Multicast fixes.
1888 * Manycast solicitation fixes and general repairs.
1889 * JJY refclock cleanup.
1890 * NMEA refclock improvements.
1891 * Oncore debug message cleanup.
1892 * Palisade refclock now builds under Linux.
1893 * Give RAWDCF more baud rates.
1894 * Support Truetime Satellite clocks under Windows.
1895 * Support Arbiter 1093C Satellite clocks under Windows.
1896 * Make sure that the "filegen" configuration command defaults to "enable".
1897 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
1898 * Prohibit 'includefile' directive in remote configuration command.
1899 * Fix 'nic' interface bindings.
1900 * Fix the way we link with openssl if openssl is installed in the base
1905 * OpenSSL version display cleanup.
1908 * Many counters should be treated as unsigned.
1911 * Do not ignore replies with equal receive and transmit timestamps.
1914 * libntpq warning cleanup.
1917 * Correct SNMP type for "precision" and "resolution".
1918 * Update the MIB from the draft version to RFC-5907.
1921 * Display timezone offset when showing time for sntp in the local
1923 * Pay proper attention to RATE KoD packets.
1924 * Fix a miscalculation of the offset.
1925 * Properly parse empty lines in the key file.
1927 * Use tv_usec correctly in set_time().
1928 * Documentation cleanup.
1931 NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
1933 Focus: Bug fixes and portability improvements
1937 This is a recommended upgrade.
1939 This release includes build infrastructure updates, code
1940 clean-ups, minor bug fixes, fixes for a number of minor
1941 ref-clock issues, improved KOD handling, OpenSSL related
1942 updates and documentation revisions.
1944 Portability improvements in this release affect Irix, Linux,
1945 Mac OS, Microsoft Windows, OpenBSD and QNX6
1947 New features / changes in this release:
1950 * Range syntax for the trustedkey configuration directive
1951 * Unified IPv4 and IPv6 restrict lists
1954 * Rate limiting and KOD handling
1957 * default connection to net-snmpd via a unix-domain socket
1958 * command-line 'socket name' option
1961 * support for the "passwd ..." syntax
1962 * key-type specific password prompts
1965 * MD5 authentication of an ntpd
1966 * Broadcast and crypto
1970 NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
1972 Focus: Bug fixes, portability fixes, and documentation improvements
1976 This is a recommended upgrade.
1979 NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1981 Focus: enhancements and bug fixes.
1984 NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1986 Focus: Security Fixes
1990 This release fixes the following high-severity vulnerability:
1992 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
1994 See http://support.ntp.org/security for more information.
1996 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
1997 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
1998 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
1999 request or a mode 7 error response from an address which is not listed
2000 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
2001 reply with a mode 7 error response (and log a message). In this case:
2003 * If an attacker spoofs the source address of ntpd host A in a
2004 mode 7 response packet sent to ntpd host B, both A and B will
2005 continuously send each other error responses, for as long as
2006 those packets get through.
2008 * If an attacker spoofs an address of ntpd host A in a mode 7
2009 response packet sent to ntpd host A, A will respond to itself
2010 endlessly, consuming CPU and logging excessively.
2012 Credit for finding this vulnerability goes to Robin Park and Dmitri
2013 Vinokurov of Alcatel-Lucent.
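The ping-pong described above follows from one rule: a daemon that answers error responses with error responses can be made to talk to itself or to a peer indefinitely. The following added example (written for this entry, not ntpd code) models a mode 7 handler with and without that rule and counts the packets two such daemons exchange after a single spoofed error response. The 8-byte header layout follows ntp_request.h; the implementation, request and error code values are illustrative constants, and the noquery parameter stands in for the "restrict ... noquery" match.

```python
"""Model of mode 7 (ntpdc) request handling and the error-response loop the
advisory describes. Constructed example for this NEWS entry, not ntpd code;
header layout follows ntp_request.h, the numeric constants are illustrative."""
import struct

MODE_PRIVATE = 7
RESP_BIT = 0x80                # high bit of the first byte marks a response
IMPL_XNTPD = 3                 # implementation number the daemon answers to
REQ_PEER_LIST = 0              # one valid request code
INFO_ERR_FMT = 3               # error code for a malformed request
KNOWN_REQUESTS = {REQ_PEER_LIST}


def mode7_packet(request_code, error_code=0, response=False):
    """8-byte mode 7 header: R/M/version/mode, auth+seq, implementation,
    request code, error code (4 bits) + item count, mbz + item size."""
    rm_vn_mode = (RESP_BIT if response else 0) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, request_code,
                       error_code << 12, 0)


def parse_mode7(pkt):
    rm_vn_mode, _, impl, req, err_nitems, _ = struct.unpack("!BBBBHH", pkt[:8])
    return {"response": bool(rm_vn_mode & RESP_BIT), "mode": rm_vn_mode & 7,
            "impl": impl, "request": req, "error": err_nitems >> 12}


def handle_vulnerable(pkt, noquery=False):
    """Behaviour before 4.2.4p8 as the advisory describes it: an incorrect
    request or an error response is answered with an error response."""
    if noquery:                               # restrict ... noquery: dropped silently
        return None
    p = parse_mode7(pkt)
    if p["mode"] != MODE_PRIVATE:
        return None
    if p["response"] or p["request"] not in KNOWN_REQUESTS:
        return mode7_packet(p["request"], INFO_ERR_FMT, response=True)
    return mode7_packet(p["request"], response=True)


def handle_fixed(pkt, noquery=False):
    """Hardened handler: a packet with the response bit set is never answered,
    so two daemons cannot be made to bounce error responses off each other."""
    if noquery:
        return None
    p = parse_mode7(pkt)
    if p["mode"] != MODE_PRIVATE or p["response"]:
        return None
    if p["request"] not in KNOWN_REQUESTS:
        return mode7_packet(p["request"], INFO_ERR_FMT, response=True)
    return mode7_packet(p["request"], response=True)


def spoofed_exchange(handler, max_packets=50):
    """The attacker sends one mode 7 error response to host B with A's source
    address; count the packets A and B then send each other (capped)."""
    hosts = {"A": handler, "B": handler}       # both daemons run the same code
    pkt, target = mode7_packet(REQ_PEER_LIST, INFO_ERR_FMT, response=True), "B"
    sent = 0
    while pkt is not None and sent < max_packets:
        pkt = hosts[target](pkt)               # the reply goes to the other host
        if pkt is not None:
            sent += 1
            target = "A" if target == "B" else "B"
    return sent


if __name__ == "__main__":
    print("vulnerable:", spoofed_exchange(handle_vulnerable))
    print("fixed:", spoofed_exchange(handle_fixed))
    print("noquery:", spoofed_exchange(lambda p: handle_vulnerable(p, noquery=True)))
```

The vulnerable pair keeps going until the cap; the hardened handler and the noquery restriction both end it at zero packets, while a genuinely malformed request still gets exactly one error response.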
2015 THIS IS A STRONGLY RECOMMENDED UPGRADE.
2018 ntpd now syncs to refclocks right away.
2020 Backward-Incompatible changes:
2022 ntpd no longer accepts '-v name' or '-V name' to define internal variables.
2023 Use '--var name' or '--dvar name' instead. (Bug 817)
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

See http://support.ntp.org/security for more information.

If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
line) then a carefully crafted packet sent to the machine will cause
a buffer overflow and possible execution of injected code, running
with the privileges of the ntpd process (often root).

Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
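The return-value check behind CVE-2009-0021, as an added example that is neither NTP's nor OpenSSL's code. EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and a negative value when the check could not be carried out at all; a check that rejects only the value 0 therefore accepts the error path. The `mock_verify_final` function, its `key_matches` parameter and the sample byte strings are constructed stand-ins so the two check patterns can be run without linking OpenSSL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not ntpd or OpenSSL code. EVP_VerifyFinal() has three outcomes:
 * 1 = signature verifies, 0 = signature does not verify, negative = the check
 * could not be performed (for example, the signature could not be parsed).
 * A mock with the same three outcomes stands in for the real call. */

/* Constructed mock: key_matches says what a real key check would conclude for a
 * signature that can be parsed; anything that is not a DER SEQUENCE (first byte
 * 0x30) is reported as a library error, -1, just as the real call can do. */
int mock_verify_final(const uint8_t *sig, size_t siglen, int key_matches)
{
    if (sig == NULL || siglen == 0) return -1;
    if (sig[0] != 0x30) return -1;
    return key_matches ? 1 : 0;
}

/* Vulnerable pattern (the class fixed for CVE-2009-0021): only the explicit
 * "does not verify" result 0 is rejected, so the -1 error path is treated
 * as a valid signature. */
int accept_signature_vulnerable(const uint8_t *sig, size_t siglen, int key_matches)
{
    int rc = mock_verify_final(sig, siglen, key_matches);
    if (rc == 0)
        return 0;
    return 1;
}

/* Hardened pattern: nothing but the exact success value counts as success. */
int accept_signature_fixed(const uint8_t *sig, size_t siglen, int key_matches)
{
    int rc = mock_verify_final(sig, siglen, key_matches);
    return rc == 1;
}

/* Constructed inputs: a minimal DER SEQUENCE and an unparseable blob. */
const uint8_t sample_der_sig[]     = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
const uint8_t sample_garbage_sig[] = {0x00, 0xff};

int main(void)
{
    printf("garbage blob, vulnerable check: %d\n",
           accept_signature_vulnerable(sample_garbage_sig, sizeof sample_garbage_sig, 0));
    printf("garbage blob, fixed check:      %d\n",
           accept_signature_fixed(sample_garbage_sig, sizeof sample_garbage_sig, 0));
    return 0;
}
```

The unparseable blob is accepted by the vulnerable check and rejected by the fixed one; both agree on a parseable signature, which is why the bug survives ordinary interoperability testing and only shows up when a deliberately malformed signature is presented.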
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete, and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to terminate ntpd
under Windows.
This is a recommended upgrade for Windows.
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, and MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI

NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.