NEWS (1.1.1.10) NEWS (1.1.1.11)
---
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
    allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3082 / CVE-2016-7434 / VU#633847
  Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    If ntpd is configured to allow mrulist query requests from a
    server that sends a crafted malicious packet, ntpd will crash
    on receipt of that crafted malicious mrulist query packet.
  Mitigation:
    Only allow mrulist query packets from trusted hosts.
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Magnus Stubman.

* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use that interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check the source address
    of received packets (e.g. rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with a spoofed source address which will cause ntpd to select the
    wrong interface for the source and prevent it from sending new
    requests until the list of interfaces is refreshed, which happens
    on routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are going to configure your OS to disable source address
    checks, also configure your firewall configuration to control
    what interfaces can receive packets from what networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources. An
    attacker who knows the sources (e.g., from an IPv4 refid in
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

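The configuration-side mitigations in the entries above (the "restrict default noquery ..." recommendation for the trap and mode 6 issues, trap service only when explicitly enabled, and the "restrict default limited" misconfiguration described for this entry) can be checked statically. The following script is an added example, not part of the NTP distribution: it parses the restrict, trap and server lines of an ntp.conf and reports those conditions. The two sample configurations it contains are constructed, and the finding names (mode6-open, trap-reachable, source-rate-limited) are the example's own. It relies on ntpd applying the most specific matching restrict entry, so a per-source restrict line without "limited" exempts that source from the default rate limit.

```python
"""ntp.conf access-restriction checker (added example, not NTP code).

Findings reported:
  mode6-open             default restriction has neither noquery nor ignore,
                         so mode 6 (ntpq) queries are answered for anyone
  trap-reachable         a trap receiver is configured while mode 6 is open
  source-rate-limited:X  the default restriction carries "limited" and the
                         configured source X has no more specific restrict
                         line without it (the CVE-2016-7426 misconfiguration)
"""
import ipaddress

MODE6_BLOCKING = {"noquery", "ignore"}


def _host_rule(addr, flags):
    """Turn 'restrict ADDR [mask MASK] flags...' into (ip_network, flag set)."""
    if flags[:1] == ["mask"] and len(flags) >= 2:
        net = ipaddress.ip_network(f"{addr}/{flags[1]}", strict=False)
        return net, set(flags[2:])
    return ipaddress.ip_network(addr), set(flags)


def parse_ntp_conf(conf_text):
    """Collect default flags, host rules, time sources and trap statements."""
    cfg = {"default": set(), "hosts": [], "sources": [], "trap": False}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key in ("server", "peer", "pool") and args:
            cfg["sources"].append(args[0])
        elif key == "trap":
            cfg["trap"] = True
        elif key == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]
            if not args:
                continue
            if args[0] == "default":
                cfg["default"].update(args[1:])
            else:
                try:
                    cfg["hosts"].append(_host_rule(args[0], args[1:]))
                except ValueError:
                    pass  # hostname-based restrict lines are not evaluated here
    return cfg


def effective_flags(cfg, ip):
    """Flags ntpd applies to packets from ip: the most specific match wins."""
    matches = [(net.prefixlen, flags) for net, flags in cfg["hosts"] if ip in net]
    if matches:
        return max(matches, key=lambda m: m[0])[1]
    return cfg["default"]


def check_ntp_conf(conf_text):
    """Return the list of findings for one ntp.conf (empty list = clean)."""
    cfg = parse_ntp_conf(conf_text)
    findings = []
    mode6_open = not (cfg["default"] & MODE6_BLOCKING)
    if mode6_open:
        findings.append("mode6-open")
        if cfg["trap"]:
            findings.append("trap-reachable")
    if "limited" in cfg["default"]:
        for src in cfg["sources"]:
            try:
                ip = ipaddress.ip_address(src)
            except ValueError:
                continue  # pool/DNS names cannot be matched offline
            if "limited" in effective_flags(cfg, ip):
                findings.append(f"source-rate-limited:{src}")
    return findings


# Constructed sample: the misconfiguration the advisories warn about.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 192.0.2.10 iburst
server 192.0.2.11 iburst
restrict default limited kod nomodify notrap   # no noquery
trap 192.0.2.50
"""

# Constructed sample: queries denied by default, sources exempted from "limited".
HARDENED_CONF = """\
server 192.0.2.10 iburst
server 192.0.2.11 iburst
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_ntp_conf(conf) or "no findings")
```

Run it against a real ntp.conf by passing the file contents to check_ntp_conf(); sources given as DNS names or pool names are skipped because they cannot be matched against restrict entries without resolving them.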
* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

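As an added illustration (not ntpd's own code), the following shows the root distance as RFC 5905 (Appendix A.5.1.1, root_dist()) defines it, with the peer dispersion term that the earlier fix left out, and what its omission does when a peer is tested against the RFC's 1 s distance threshold. The peer values are constructed; the helper names are the example's own.

```python
"""Root distance per RFC 5905 (added example, not ntpd code).

lambda = max(MINDISP, rootdelay + delay) / 2 + rootdisp + disp
         + PHI * age + jitter
All values are seconds; age is the time since the peer's last update.
"""
PHI = 15e-6       # RFC 5905 frequency tolerance (s/s)
MINDISP = 0.001   # RFC 5905 minimum dispersion (s)
MAXDIST = 1.0     # RFC 5905 distance threshold (s)


def root_distance(rootdelay, delay, rootdisp, disp, age, jitter):
    """Full RFC 5905 root distance, including the peer dispersion (disp)."""
    return (max(MINDISP, rootdelay + delay) / 2
            + rootdisp + disp + PHI * age + jitter)


def root_distance_without_disp(rootdelay, delay, rootdisp, disp, age, jitter):
    """The same sum with the peer dispersion dropped: an illustration of the
    regression described above, not the exact expression from the affected
    releases."""
    return root_distance(rootdelay, delay, rootdisp, 0.0, age, jitter)


def selectable(distance, maxdist=MAXDIST):
    """RFC 5905 distance check: a peer beyond maxdist is not a candidate."""
    return distance < maxdist


# Constructed peer: small delays, but a large dispersion because the peer
# has not been heard from recently.
PEER = dict(rootdelay=0.100, delay=0.040, rootdisp=0.020,
            disp=0.950, age=0.0, jitter=0.005)

if __name__ == "__main__":
    full = root_distance(**PEER)
    short = root_distance_without_disp(**PEER)
    print(f"with disp:    {full:.3f} s  selectable={selectable(full)}")
    print(f"without disp: {short:.3f} s  selectable={selectable(short)}")
```

With the dispersion term the constructed peer lies beyond the threshold and is rejected; without it the same peer looks comfortably selectable, which is the kind of wrong selection decision the entry describes.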
Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
    are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past, it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems, too.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

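An added example of the fix class for this weakness, not code from ntpd: the symmetric-key NTP digest (MD5 over the key followed by the packet, as RFC 5905 specifies) computed over a constructed NTP header, a memcmp-style comparison that returns at the first mismatching byte and so reveals how far the digest matched, and a comparison whose work does not depend on where the mismatch is. The helper names are the example's own; hmac.compare_digest is Python's library routine for the constant-time comparison.

```python
"""Constant-time digest comparison (added example, not ntpd code).

memcmp() stops at the first differing byte, so the time a digest check
takes leaks how many leading bytes of the attacker's guess were right.
compare_early_exit() reproduces that behaviour and reports the number of
bytes it inspected, which is what an observer infers from the timing;
compare_constant_time() always inspects every byte.
"""
import hashlib
import hmac


def ntp_md5_mac(key, packet):
    """RFC 5905 symmetric-key digest: MD5 over the key followed by the packet."""
    return hashlib.md5(key + packet).digest()


def compare_early_exit(expected, received):
    """memcmp-style comparison. Returns (equal, bytes_inspected)."""
    if len(expected) != len(received):
        return False, 0
    inspected = 0
    for x, y in zip(expected, received):
        inspected += 1
        if x != y:
            return False, inspected   # early exit: the leak
    return True, inspected


def compare_constant_time(expected, received):
    """OR together the XOR of every byte pair; the loop never exits early,
    so the bytes inspected (and the running time) do not depend on where
    the inputs differ. Returns (equal, bytes_inspected)."""
    if len(expected) != len(received):
        return False, 0
    acc = 0
    for x, y in zip(expected, received):
        acc |= x ^ y
    return acc == 0, len(expected)


def verify_packet(key, packet, received_mac):
    """What a receiver should do: recompute the digest and compare it with
    the library's constant-time routine."""
    return hmac.compare_digest(ntp_md5_mac(key, packet), received_mac)


# Constructed inputs: a 48-byte NTP header (LI=0, VN=4, mode=3) and a key.
PACKET = bytes([0x23]) + bytes(47)
KEY = b"example-shared-key"

if __name__ == "__main__":
    mac = ntp_md5_mac(KEY, PACKET)
    wrong_first = bytes([mac[0] ^ 0x80]) + mac[1:]   # differs in byte 0
    wrong_last = mac[:-1] + bytes([mac[-1] ^ 0x01])  # differs in byte 15
    for name, cand in (("first byte wrong", wrong_first),
                       ("last byte wrong", wrong_last)):
        print(name, "memcmp-style:", compare_early_exit(mac, cand),
              "constant-time:", compare_constant_time(mac, cand))
    print("verify_packet(correct mac):", verify_packet(KEY, PACKET, mac))
```

The inspected-byte count is the point: with the early-exit comparison a guess that is wrong in byte 0 costs one iteration and a guess that is wrong only in byte 15 costs sixteen, whereas the constant-time variant costs sixteen either way.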
* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade, use "server" associations instead of
    "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are unable to upgrade and if you are running an OS that
    has this vulnerability, implement martian packet filters and
    lobby your OS vendor to fix this problem, or run your
    refclocks on computers that use OSes that are not vulnerable
    to these attacks and have your vulnerable machines get their
    time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
 Affects: All ntp-4 releases up to, but not including 4.2.8p7.
 Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
 References: Sec 2936 / CVE-2015-7974
 Affects: All ntp-4 releases up to, but not including 4.2.8p7.
 Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
 References: Sec 2978 / CVE-2016-1548
 Affects: All ntp-4 releases.
 CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
 CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
 Summary: It is possible to change the time of an ntpd client or deny
 service to an ntpd client by forcing it to change from basic
 client/server mode to interleaved symmetric mode. An attacker
 can spoof a packet from a legitimate ntpd server with an origin
 timestamp that matches the peer->dst timestamp recorded for that
 server. After making this switch, the client will reject all
 future legitimate server responses. It is possible to force the
 victim client to move time after the mode has been changed.
 ntpq gives no indication that the mode has been switched.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page. These
 versions will not dynamically "flip" into interleave mode
 unless configured to do so.
 Properly monitor your ntpd instances.
 Credit: This weakness was discovered by Miroslav Lichvar of RedHat
 and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
 References: Sec 3012 / CVE-2016-1549
 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
 4.3.0 up to, but not including 4.3.92
 CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
 CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
 Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
 the feature introduced in ntp-4.2.8p6 allowing an optional 4th
 field in the ntp.keys file to specify which IPs can serve time,
 a malicious authenticated peer can create arbitrarily-many
 ephemeral associations in order to win the clock selection of
 ntpd and modify a victim's clock.
 Mitigation:
 Implement BCP-38.
 Use the 4th field in the ntp.keys file to specify which IPs
 can be time servers.
 Properly monitor your ntpd instances.
 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
 - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
 - integrated patches by Loganaden Velvidron <logan@ntp.org>
 with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
 Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
 - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
 - A change related to [Bug 2853] forbids trailing white space in
 remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
 - report and patch from Aleksandr Kostikov.
 - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
 - fixed memory leak in access list (auth[read]keys.c)
 - refactored handling of key access lists (auth[read]keys.c)
 - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
 when the time of server changed. perlinger@ntp.org
 - Check the initial delay calculation and reject/unpeer the broadcast
 server if the delay exceeds 50ms. Retry again after the next
 broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document the optional IP list in ntp.keys in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

 --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2548 / CVE-2015-8158
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
 Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
 The loop's only stopping conditions are receiving a complete and
 correct response or hitting a small number of error conditions.
 If the packet contains incorrect values that don't trigger one of
 the error conditions, the loop continues to receive new packets.
 Note well, this is an attack against an instance of 'ntpq', not
 'ntpd', and this attack requires the attacker to do one of the
 following:
 * Own a malicious NTP server that the client trusts
 * Prevent a legitimate NTP server from sending packets to
 the 'ntpq' client
 * MITM the 'ntpq' communications between the 'ntpq' client
 and the NTP server
 Mitigation:
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page
 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2945 / CVE-2015-8138
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
 (3.7 - LOW if you score AC:L)
 Summary: To distinguish legitimate peer responses from forgeries, a
 client attempts to verify a response packet by ensuring that the
 origin timestamp in the packet matches the origin timestamp it
 transmitted in its last request. A logic error exists that
 allows packets with an origin timestamp of zero to bypass this
 check whenever there is not an outstanding request to the server.
 Mitigation:
 Configure 'ntpd' to get time from multiple sources.
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page.
 Monitor your 'ntpd' instances.
 Credit: This weakness was discovered by Matthew Van Gundy and
 Jonathan Gardner of Cisco ASIG.

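To make the logic error concrete, the following is an added, simplified model of the origin-timestamp check described above; it is not ntpd's code. It assumes timestamps are plain integers and that the client's "no request outstanding" state is stored as timestamp 0, which is what lets an unsolicited reply carrying origin 0 compare equal; the fixed variant refuses a zero origin and any reply that arrives while nothing is outstanding. The packets are constructed.

```python
# Added example: simplified model of the origin-timestamp check bypassed by
# CVE-2015-8138. Not ntpd code; timestamps are plain integers and the packets
# below are constructed. 0 doubles as "no request outstanding", which is the
# representation the buggy comparison trips over.

NO_REQUEST = 0


def origin_accepted(outstanding, org, fixed):
    """Decide whether a reply with origin field `org` may be accepted while
    `outstanding` is the origin of the request in flight (NO_REQUEST if none).

    Buggy (pre-4.2.8p6): plain equality, so org == 0 matches the idle state.
    Fixed: refuse when idle or when the packet's origin is zero, then compare.
    """
    if fixed and (outstanding == NO_REQUEST or org == 0):
        return False
    return org == outstanding


class Client:
    """Tracks the one request in flight and the replies it has accepted."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.outstanding = NO_REQUEST
        self.accepted = []

    def send_request(self, xmt):
        self.outstanding = xmt            # our transmit timestamp, echoed as origin

    def receive(self, pkt):
        ok = origin_accepted(self.outstanding, pkt["org"], self.fixed)
        if ok:
            self.accepted.append(pkt["time"])
            self.outstanding = NO_REQUEST  # reply consumed; nothing outstanding
        return ok


def zero_origin_scenario(fixed):
    """Replay one legitimate reply and two unsolicited forgeries against a
    client; return the accept/reject decision for each, in order."""
    c = Client(fixed)
    c.send_request(xmt=1_700_000_000)
    decisions = [
        # legitimate server reply echoing our transmit timestamp
        c.receive({"org": 1_700_000_000, "time": 1_700_000_001}),
        # forged reply with a zero origin, sent while no request is outstanding
        c.receive({"org": 0, "time": 1_900_000_000}),
        # forged reply with a guessed origin, also unsolicited
        c.receive({"org": 4242, "time": 1_900_000_000}),
    ]
    return decisions


if __name__ == "__main__":
    print("buggy:", zero_origin_scenario(fixed=False))   # [True, True, False]
    print("fixed:", zero_origin_scenario(fixed=True))    # [True, False, False]
```

The buggy run accepts the second packet, the zero-origin forgery, and would feed its time into clock selection; the fixed run accepts only the reply that answers a real request. The same "reject when nothing is outstanding" rule is what the KoD origin-timestamp validation (Sec 2901) relies on.
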
* Stack exhaustion in recursive traversal of restriction list
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016
 References: Sec 2940 / CVE-2015-7978
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
 Summary: An unauthenticated 'ntpdc reslist' command can cause a
 segmentation fault in ntpd by exhausting the call stack.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page.
 If you are unable to upgrade:
 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
 If you must enable mode 7:
 configure the use of a 'requestkey' to control who can
 issue mode 7 requests.
 configure 'restrict noquery' to further limit mode 7
 requests to trusted sources.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2942 / CVE-2015-7979
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
 Summary: An off-path attacker can send broadcast packets with bad
 authentication (wrong key, mismatched key, incorrect MAC, etc)
 to broadcast clients. It is observed that the broadcast client
 tears down the association with the broadcast server upon
 receiving just one bad packet.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page.
 Monitor your 'ntpd' instances.
 If this sort of attack is an active problem for you, you have
 deeper problems to investigate. In this case also consider
 having smaller NTP broadcast domains.
 Credit: This weakness was discovered by Aanchal Malhotra of Boston
 University.

* reslist NULL pointer dereference
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2939 / CVE-2015-7977
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
 Summary: An unauthenticated 'ntpdc reslist' command can cause a
 segmentation fault in ntpd by causing a NULL pointer dereference.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
 the NTP Public Services Project Download Page.
 If you are unable to upgrade:
 mode 7 is disabled by default. Don't enable it.
 If you must enable mode 7:
 configure the use of a 'requestkey' to control who can
 issue mode 7 requests.
 configure 'restrict noquery' to further limit mode 7
 requests to trusted sources.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2938 / CVE-2015-7976
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
 Summary: The ntpq saveconfig command does not do adequate filtering
 of special characters from the supplied filename.
 Note well: The ability to use the saveconfig command is controlled
 by the 'restrict nomodify' directive, and the recommended default
 configuration is to disable this capability. If the ability to
 execute a 'saveconfig' is required, it can easily (and should) be
 limited and restricted to a known small number of IP addresses.
 Mitigation:
 Implement BCP-38.
 Use 'restrict default nomodify' in your 'ntp.conf' file.
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
 If you are unable to upgrade:
 build NTP with 'configure --disable-saveconfig' if you will
 never need this capability, or
 use 'restrict default nomodify' in your 'ntp.conf' file. Be
 careful about what IPs have the ability to send 'modify'
 requests to 'ntpd'.
 Monitor your ntpd instances.
 'saveconfig' requests are logged to syslog - monitor your syslog files.
 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2937 / CVE-2015-7975
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
 If you score A:C, this becomes 4.0.
 CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
 Summary: ntpq may call nextvar() which executes a memcpy() into the
 name buffer without a proper length check against its maximum
 length of 256 bytes. Note well that we're talking about ntpq here.
 The usual worst-case effect of this vulnerability is that the
 specific instance of ntpq will crash and the person or process
 that did this will have stopped themselves.
 Mitigation:
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page.
 If you are unable to upgrade:
 If you have scripts that feed input to ntpq make sure there are
 some sanity checks on the input received from the "outside".
 This is potentially more dangerous if ntpq is run as root.
 Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2936 / CVE-2015-7974
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
 Summary: Symmetric key encryption uses a shared trusted key. The
 reported title for this issue was "Missing key check allows
 impersonation between authenticated peers" and the report claimed
 "A key specified only for one server should only work to
 authenticate that server, other trusted keys should be refused."
 Except there has never been any correlation between this trusted
 key and server v. clients machines and there has never been any
 way to specify a key only for one server. We have treated this as
 an enhancement request, and ntp-4.2.8p6 includes other checks and
 tests to strengthen clients against attacks coming from broadcast
 servers.
 Mitigation:
 Implement BCP-38.
 If this scenario represents a real or a potential issue for you,
 upgrade to 4.2.8p6, or later, from the NTP Project Download
 Page or the NTP Public Services Project Download Page, and
 use the new field in the ntp.keys file that specifies the list
 of IPs that are allowed to serve time. Note that this alone
 will not protect against time packets with forged source IP
 addresses, however other changes in ntp-4.2.8p6 provide
 significant mitigation against broadcast attacks. MITM attacks
 are a different story.
 If you are unable to upgrade:
 Don't use broadcast mode if you cannot monitor your client
 servers.
 If you choose to use symmetric keys to authenticate time
 packets in a hostile environment where ephemeral time
 servers can be created, or if it is expected that malicious
 time servers will participate in an NTP broadcast domain,
 limit the number of participating systems that participate
 in the shared-key group.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Matt Street of Cisco ASIG.

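The mitigations above repeat the same few configuration controls: 'restrict default' carrying noquery and nomodify, mode 7 left disabled (or gated by a requestkey), no trap service, and, from 4.2.8p6 on, the optional 4th field in ntp.keys that lists the IPs allowed to use a key (the Sybil and Skeleton Key items). The following Python script is an added example, not ntp project code, that audits a constructed ntp.conf and ntp.keys pair for those settings and shows the weak file beside a hardened one. It assumes the ntp.keys layout "keyno type secret [ip-list]" with a comma-separated IP list; the host names, key material and IPs are constructed.

```python
# Added example: audit an ntp.conf/ntp.keys pair for the hardening this
# NEWS file recommends. Not ntp project code; sample files are constructed.

# Constructed ntp.conf with weak settings: the default restriction lacks
# noquery/nomodify, and mode 7 is expressly enabled without a requestkey.
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod limited
restrict 127.0.0.1
server ntp1.example.internal iburst key 1
server ntp2.example.internal iburst key 2
keys /etc/ntp.keys
trustedkey 1 2
enable mode7
"""

# Same file with the mitigations applied: queries, modification and trap
# requests refused by default, mode 7 left at its default (disabled).
HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod limited nomodify noquery notrap
restrict 127.0.0.1
server ntp1.example.internal iburst key 1
server ntp2.example.internal iburst key 2
keys /etc/ntp.keys
trustedkey 1 2
"""

# Constructed ntp.keys: key 1 carries the optional 4th field naming the only
# IP allowed to use it; key 2 does not, so any holder of it can serve time.
WEAK_NTP_KEYS = """\
# keyno type secret [comma-separated IP list, 4.2.8p6 and later]
1 SHA1 0123456789abcdef0123456789abcdef01234567 192.0.2.10
2 MD5  notreallysecret
"""


def parse_lines(text):
    """Split a config body into word lists, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def audit_conf(text):
    """Return findings (strings) for weak ntp.conf settings; empty if clean."""
    rows = parse_lines(text)
    directives = {row[0] for row in rows}
    enabled = set()
    default_flags = None
    for row in rows:
        if row[0] == "restrict" and row[1:2] == ["default"]:
            default_flags = set(row[2:])
        elif row[0] == "enable":
            enabled.update(row[1:])
    findings = []
    if default_flags is None:
        findings.append("no 'restrict default' line: any host may query and modify")
    else:
        for flag in ("noquery", "nomodify"):
            if flag not in default_flags:
                findings.append("'restrict default' lacks %s" % flag)
    if "mode7" in enabled and "requestkey" not in directives:
        findings.append("mode 7 enabled without a requestkey")
    if "trap" in directives:
        findings.append("trap service configured; remove it unless required")
    return findings


def audit_keys(text):
    """Return the key numbers in ntp.keys that lack the 4th (IP list) field."""
    return [int(row[0]) for row in parse_lines(text) if len(row) < 4]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(name, audit_conf(conf) or ["ok"])
    print("keys without IP list:", audit_keys(WEAK_NTP_KEYS))
```

Run against the weak pair it reports the missing noquery and nomodify flags, mode 7 enabled without a requestkey, and key 2 as usable from any address; the hardened ntp.conf produces no findings. The checks are deliberately limited to what this NEWS file recommends, so a clean result means those specific mitigations are present, not that the configuration is otherwise sound.
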
* Deja Vu: Replay attack on authenticated broadcast mode
 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
 References: Sec 2935 / CVE-2015-7973
 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
 4.3.0 up to, but not including 4.3.90
 CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
 Summary: If an NTP network is configured for broadcast operations then
 either a man-in-the-middle attacker or a malicious participant
 that has the same trusted keys as the victim can replay time packets.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page.
 If you are unable to upgrade:
 Don't use broadcast mode if you cannot monitor your client servers.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Aanchal Malhotra of Boston
 University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
 - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
 IPv6 is disabled in the build. perlinger@ntp.org
 - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
 - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
 - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
 - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
 - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
 References: Sec 2956, CVE-2015-5300
 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
 4.3.0 up to, but not including 4.3.78
 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
 Summary: If ntpd is always started with the -g option, which is
 common and against long-standing recommendation, and if at the
 moment ntpd is restarted an attacker can immediately respond to
 enough requests from enough sources trusted by the target, which
 is difficult and not common, there is a window of opportunity
 where the attacker can cause ntpd to set the time to an
 arbitrary value. Similarly, if an attacker is able to respond
 to enough requests from enough sources trusted by the target,
 the attacker can cause ntpd to abort and restart, at which
 point it can tell the target to set the time to an arbitrary
 value if and only if ntpd was re-started against long-standing
 recommendation with the -g flag, or if ntpd was not given the
 -g flag, the attacker can move the target system's time by at
 most 900 seconds' time per attack.
 Mitigation:
 Configure ntpd to get time from multiple sources.
 Upgrade to 4.2.8p5, or later, from the NTP Project Download
 Page or the NTP Public Services Project Download Page
 As we've long documented, only use the -g option to ntpd in
 cold-start situations.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Aanchal Malhotra,
 Isaac E. Cohen, and Sharon Goldberg at Boston University.

 NOTE WELL: The -g flag disables the limit check on the panic_gate
 in ntpd, which is 900 seconds by default. The bug identified by
 the researchers at Boston University is that the panic_gate
 check was only re-enabled after the first change to the system
 clock that was greater than 128 milliseconds, by default. The
 correct behavior is that the panic_gate check should be
 re-enabled after any initial time correction.

 If an attacker is able to inject consistent but erroneous time
 responses to your systems via the network or "over the air",
 perhaps by spoofing radio, cellphone, or navigation satellite
 transmissions, they are in a great position to affect your
 system's clock. There comes a point where your very best
 defenses include:

 Configure ntpd to get time from multiple sources.
 Monitor your ntpd instances.

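A simplified Python model of the panic_gate behaviour described in the NOTE WELL above, added here as an example (it is not ntpd's clock discipline code): -g disarms the 900 s panic check for the initial correction; the buggy variant re-arms it only after a correction larger than the 128 ms step threshold, the fixed variant after any initial correction. The offsets fed to the model are constructed.

```python
# Added example: simplified model of the panic_gate handling fixed in
# 4.2.8p5 (Sec 2956). Not ntpd's clock discipline code; offsets are constructed.

PANIC_GATE = 900.0        # seconds: ntpd's default panic threshold
STEP_THRESHOLD = 0.128    # seconds: larger corrections step the clock, smaller ones slew


class ClockDiscipline:
    """Applies offsets to a model clock and tracks whether the panic check
    is armed. `with_g` models starting ntpd with -g; `fixed` selects the
    4.2.8p5 behaviour (re-arm after any initial correction) instead of the
    buggy one (re-arm only after a step larger than STEP_THRESHOLD)."""

    def __init__(self, with_g, fixed):
        self.panic_armed = not with_g
        self.fixed = fixed
        self.clock = 0.0      # model local clock: total offset applied so far, seconds
        self.history = []

    def apply(self, offset):
        """Apply one consensus offset. Returns 'slew', 'step', or 'panic'
        (the correction is refused; real ntpd logs the event and exits)."""
        if self.panic_armed and abs(offset) > PANIC_GATE:
            self.history.append("panic")
            return "panic"
        kind = "step" if abs(offset) > STEP_THRESHOLD else "slew"
        self.clock += offset
        if self.fixed or kind == "step":
            self.panic_armed = True   # close the gate after this correction
        self.history.append(kind)
        return kind


def panic_gate_scenario(fixed):
    """Start with -g, take a small first correction (50 ms), then receive a
    consensus offset of one day. Returns the outcome of the large offset."""
    d = ClockDiscipline(with_g=True, fixed=fixed)
    d.apply(0.050)
    return d.apply(86400.0)


if __name__ == "__main__":
    print("buggy:", panic_gate_scenario(fixed=False))   # step: the day-long jump is applied
    print("fixed:", panic_gate_scenario(fixed=True))    # panic: the gate was closed by the slew
```

In the buggy run the initial 50 ms slew leaves the gate open, so a later consensus of one day is applied as a step; in the fixed run that same slew closes the gate and the large offset is refused. Without -g both variants refuse it from the start, which is why the mitigation restricts -g to cold starts.
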
Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
 The NTP codebase has been undergoing regular Coverity scans on an
 ongoing basis since 2006. As part of our recent upgrade from
 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
 the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
 - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
 - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
 - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
 - accept key file only if there are no parsing errors
 - fixed size_t/u_int format clash
 - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
 - fixed several other warnings (cast-alignment, missing const, missing prototypes)
 - promote use of 'size_t' for values that express a size
 - use ptr-to-const for read-only arguments
 - make sure SOCKET values are not truncated (win32-specific)
 - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
 - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
 lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
 to potential crashes or potential code injection/information leakage.

 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
 and 4.3.0 up to, but not including 4.3.77
 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
 Summary: The fix for CVE-2014-9750 was incomplete in that there were
 certain code paths where a packet with particular autokey operations
 that contained malicious data was not always being completely
 validated. Receipt of these packets can cause ntpd to crash.
 Mitigation:
 Don't use autokey.
 Upgrade to 4.2.8p4, or later, from the NTP Project Download
 Page or the NTP Public Services Project Download Page
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
 and 4.3.0 up to, but not including 4.3.77
 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
 Summary: An ntpd client that honors Kiss-of-Death responses will honor
 KoD messages that have been forged by an attacker, causing it to
 delay or stop querying its servers for time updates. Also, an
 attacker can forge packets that claim to be from the target and
 send them to servers often enough that a server that implements
 KoD rate limiting will send the target machine a KoD response to
 attempt to reduce the rate of incoming packets, or it may also
 trigger a firewall block at the server for packets from the target
 machine. For either of these attacks to succeed, the attacker must
 know what servers the target is communicating with. An attacker
 can be anywhere on the Internet and can frequently learn the
 identity of the target's time source by sending the target a
 time query.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
 or the NTP Public Services Project Download Page
 If you can't upgrade, restrict who can query ntpd to learn who
 its servers are, and what IPs are allowed to ask your system
 for the time. This mitigation is heavy-handed.
 Monitor your ntpd instances.
 Note:
 4.2.8p4 protects against the first attack. For the second attack,
 all we can do is warn when it is happening, which we do in 4.2.8p4.
 Credit: This weakness was discovered by Aanchal Malhotra,
 Isaac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
 only be allowed locally.

 References: Sec 2902 / CVE-2015-5196
 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
 and 4.3.0 up to, but not including 4.3.77
 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
 Summary: If ntpd is configured to allow for remote configuration,
 and if the (possibly spoofed) source IP address is allowed to
 send remote configuration requests, and if the attacker knows
 the remote configuration password, it's possible for an attacker
 to use the "pidfile" or "driftfile" directives to potentially
 overwrite other files.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p4, or later, from the NTP Project Download
 Page or the NTP Public Services Project Download Page
 If you cannot upgrade, don't enable remote configuration.
 If you must enable remote configuration and cannot upgrade,
 remote configuration of NTF's ntpd requires:
 - an explicitly configured trustedkey, and you should also
 configure a controlkey.
 - access from a permitted IP. You choose the IPs.
 - authentication. Don't disable it. Practice secure key safety.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

 References: Sec 2909 / CVE-2015-7701
 Affects: All ntp-4 releases that use autokey up to, but not
 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
 4.6 otherwise
 Summary: If ntpd is configured to use autokey, then an attacker can
 send packets to ntpd that will, after several days of ongoing
 attack, cause it to run out of memory.
 Mitigation:
 Don't use autokey.
 Upgrade to 4.2.8p4, or later, from the NTP Project Download
 Page or the NTP Public Services Project Download Page
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
 and 4.3.0 up to, but not including 4.3.77
 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
 Summary: If ntpd is configured to enable mode 7 packets, and if the
 use of mode 7 packets is not properly protected through the use of
 the available mode 7 authentication and restriction mechanisms,
 and if the (possibly spoofed) source IP address is allowed to
 send mode 7 queries, then an attacker can send a crafted packet
 to ntpd that will cause it to crash.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p4, or later, from the NTP Project Download
 Page or the NTP Public Services Project Download Page.
 If you are unable to upgrade:
 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
 If you must enable mode 7:
 configure the use of a requestkey to control who can issue
 mode 7 requests.
 configure restrict noquery to further limit mode 7 requests
 to trusted sources.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
 and 4.3.0 up to, but not including 4.3.77
 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
 Summary: If ntpd is configured to allow remote configuration, and if
 the (possibly spoofed) source IP address is allowed to send
 remote configuration requests, and if the attacker knows the
 remote configuration password or if ntpd was configured to
 disable authentication, then an attacker can send a set of
 packets to ntpd that may cause a crash or theoretically
 perform a code injection attack.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p4, or later, from the NTP Project Download
 Page or the NTP Public Services Project Download Page.
 If you are unable to upgrade, remote configuration of NTF's
 ntpd requires:
 an explicitly configured "trusted" key. Only configure
 this if you need it.
 access from a permitted IP address. You choose the IPs.
 authentication. Don't disable it. Practice secure key safety.
 Monitor your ntpd instances.
 Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
 keyfile are the same.

 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
 and 4.3.0 up to, but not including 4.3.77
 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
 Summary: If ntpd is configured to allow remote configuration, and if
 the (possibly spoofed) source IP address is allowed to send
 remote configuration requests, and if the attacker knows the
 remote configuration password or if ntpd was configured to
 disable authentication, then an attacker can send a set of
 packets to ntpd that will cause it to crash and/or create a
 potentially huge log file. Specifically, the attacker could
 enable extended logging, point the key file at the log file,
 and cause what amounts to an infinite loop.
 Mitigation:
 Implement BCP-38.
 Upgrade to 4.2.8p4, or later, from the NTP Project Download
973 remote configuration password or if ntpd was configured to
974 disable authentication, then an attacker can send a set of
975 packets to ntpd that will cause it to crash and/or create a
976 potentially huge log file. Specifically, the attacker could
977 enable extended logging, point the key file at the log file,
978 and cause what amounts to an infinite loop.
979 Mitigation:
980 Implement BCP-38.
981 Upgrade to 4.2.8p4, or later, from the NTP Project Download
982 Page or the NTP Public Services Project Download Page.
983 If you are unable to upgrade, remote configuration of NTF's ntpd
984 requires:
985 an explicitly configured "trusted" key. Only configure this
986 if you need it.
987 access from a permitted IP address. You choose the IPs.
988 authentication. Don't disable it. Practice secure key safety.
989 Monitor your ntpd instances.
990 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
991
992* Potential path traversal vulnerability in the config file saving of
993 ntpd on VMS.
994
995 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
996 Affects: All ntp-4 releases running under VMS up to, but not
997 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
998 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
999 Summary: If ntpd is configured to allow remote configuration, and if
1000 the (possibly spoofed) IP address is allowed to send remote
1001 configuration requests, and if the attacker knows the remote
1002 configuration password or if ntpd was configured to disable
1003 authentication, then an attacker can send a set of packets to
1004 ntpd that may cause ntpd to overwrite files.
1005 Mitigation:
1006 Implement BCP-38.
1007 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1008 Page or the NTP Public Services Project Download Page.
1009 If you are unable to upgrade, remote configuration of NTF's ntpd
1010 requires:
1011 an explicitly configured "trusted" key. Only configure
1012 this if you need it.
1013 access from permitted IP addresses. You choose the IPs.
1014 authentication. Don't disable it. Practice secure key safety.
1015 Monitor your ntpd instances.
1016 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1017
1018* ntpq atoascii() potential memory corruption
1019
1020 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
1021 Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
1022 and 4.3.0 up to, but not including 4.3.77
1023 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
1024 Summary: If an attacker can figure out the precise moment that ntpq
1025 is listening for data and the port number it is listening on or
1026 if the attacker can provide a malicious instance ntpd that
1027 victims will connect to then an attacker can send a set of
1028 crafted mode 6 response packets that, if received by ntpq,
1029 can cause ntpq to crash.
1030 Mitigation:
1031 Implement BCP-38.
1032 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1033 Page or the NTP Public Services Project Download Page.
1034 If you are unable to upgrade and you run ntpq against a server
1035 and ntpq crashes, try again using raw mode. Build or get a
1036 patched ntpq and see if that fixes the problem. Report new
1037 bugs in ntpq or abusive servers appropriately.
1038 If you use ntpq in scripts, make sure ntpq does what you expect
1039 in your scripts.
1040 Credit: This weakness was discovered by Yves Younan and
1041 Aleksandar Nikolic of Cisco Talos.
1042
1043* Invalid length data provided by a custom refclock driver could cause
1044 a buffer overflow.
1045
1046 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
1047 Affects: Potentially all ntp-4 releases running up to, but not
1048 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1049 that have custom refclocks
1050 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
1051 5.9 unusual worst case
1052 Summary: A negative value for the datalen parameter will overflow a
1053 data buffer. NTF's ntpd driver implementations always set this
1054 value to 0 and are therefore not vulnerable to this weakness.
1055 If you are running a custom refclock driver in ntpd and that
1056 driver supplies a negative value for datalen (no custom driver
1057 of even minimal competence would do this) then ntpd would
1058 overflow a data buffer. It is even hypothetically possible
1059 in this case that instead of simply crashing ntpd the attacker
1060 could effect a code injection attack.
1061 Mitigation:
1062 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1063 Page or the NTP Public Services Project Download Page.
1064 If you are unable to upgrade:
1065 If you are running custom refclock drivers, make sure
1066 the signed datalen value is either zero or positive.
1067 Monitor your ntpd instances.
1068 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1069
1070* Password Length Memory Corruption Vulnerability
1071
1072 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
1073 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1074 4.3.0 up to, but not including 4.3.77
1075 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
1076 1.7 usual case, 6.8, worst case
1077 Summary: If ntpd is configured to allow remote configuration, and if
1078 the (possibly spoofed) source IP address is allowed to send
1079 remote configuration requests, and if the attacker knows the
1080 remote configuration password or if ntpd was (foolishly)
1081 configured to disable authentication, then an attacker can
1082 send a set of packets to ntpd that may cause it to crash,
1083 with the hypothetical possibility of a small code injection.
1084 Mitigation:
1085 Implement BCP-38.
1086 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1087 Page or the NTP Public Services Project Download Page.
1088 If you are unable to upgrade, remote configuration of NTF's
1089 ntpd requires:
1090 an explicitly configured "trusted" key. Only configure
1091 this if you need it.
1092 access from a permitted IP address. You choose the IPs.
1093 authentication. Don't disable it. Practice secure key safety.
1094 Monitor your ntpd instances.
1095 Credit: This weakness was discovered by Yves Younan and
1096 Aleksandar Nikolic of Cisco Talos.
1097
1098* decodenetnum() will ASSERT botch instead of returning FAIL on some
1099 bogus values.
1100
1101 References: Sec 2922 / CVE-2015-7855
1102 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1103 4.3.0 up to, but not including 4.3.77
1104 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1105 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
1106 an unusually long data value where a network address is expected,
1107 the decodenetnum() function will abort with an assertion failure
1108 instead of simply returning a failure condition.
1109 Mitigation:
1110 Implement BCP-38.
1111 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1112 Page or the NTP Public Services Project Download Page.
1113 If you are unable to upgrade:
1114 mode 7 is disabled by default. Don't enable it.
1115 Use restrict noquery to limit who can send mode 6
1116 and mode 7 requests.
1117 Configure and use the controlkey and requestkey
1118 authentication directives to limit who can
1119 send mode 6 and mode 7 requests.
1120 Monitor your ntpd instances.
1121 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
1122
1123* NAK to the Future: Symmetric association authentication bypass via
1124 crypto-NAK.
1125
1126 References: Sec 2941 / CVE-2015-7871
1127 Affects: All ntp-4 releases between 4.2.5p186 up to but not including
1128 4.2.8p4, and 4.3.0 up to but not including 4.3.77
1129 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
1130 Summary: Crypto-NAK packets can be used to cause ntpd to accept time
1131 from unauthenticated ephemeral symmetric peers by bypassing the
1132 authentication required to mobilize peer associations. This
1133 vulnerability appears to have been introduced in ntp-4.2.5p186
1134 when the code handling mobilization of new passive symmetric
1135 associations (lines 1103-1165) was refactored.
1136 Mitigation:
1137 Implement BCP-38.
1138 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1139 Page or the NTP Public Services Project Download Page.
1140 If you are unable to upgrade:
1141 Apply the patch to the bottom of the "authentic" check
1142 block around line 1136 of ntp_proto.c.
1143 Monitor your ntpd instances.
1144 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1145
1146Backward-Incompatible changes:
1147* [Bug 2817] Default on Linux is now "rlimit memlock -1".
1148 While the general default of 32M is still the case, under Linux
1149 the default value has been changed to -1 (do not lock ntpd into
1150 memory). A value of 0 means "lock ntpd into memory with whatever
1151 memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
1152 value in it, that value will continue to be used.
1153
1154* [Bug 2886] Misspelling: "outlyer" should be "outlier".
1155 If you've written a script that looks for this case in, say, the
1156 output of ntpq, you probably want to change your regex matches
1157 from 'outlyer' to 'outl[iy]er'.
1158
1159New features in this release:
1160* 'rlimit memlock' now has finer-grained control. A value of -1 means
1161 "don't lock ntpd into memory". This is the default for Linux boxes.
1162 A value of 0 means "lock ntpd into memory" with no limits. Otherwise
1163 the value is the number of megabytes of memory to lock. The default
1164 is 32 megabytes.
1165
1166* The old Google Test framework has been replaced with a new framework,
1167 based on http://www.throwtheswitch.org/unity/ .
1168
1169Bug Fixes and Improvements:
1170* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
1171 privileges and limiting resources in NTPD removes the need to link
1172 forcefully against 'libgcc_s' which does not always work. J.Perlinger
1173* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
1174* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
1175* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
1176* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
1177* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
1178* [Bug 2849] Systems with more than one default route may never
1179 synchronize. Brian Utterback. Note that this patch might need to
1180 be reverted once Bug 2043 has been fixed.
1181* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
1182* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
1183* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
1184* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
1185* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
1186* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
1187 be configured for the distribution targets. Harlan Stenn.
1188* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
1189* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
1190* [Bug 2888] streamline calendar functions. perlinger@ntp.org
1191* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
1192* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
1193* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
1194* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
1195* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
1196* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
1197* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
1198* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
1199* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
1200* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
1201* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
1202* sntp/tests/ function parameter list cleanup. Damir Tomić.
1203* tests/libntp/ function parameter list cleanup. Damir Tomić.
1204* tests/ntpd/ function parameter list cleanup. Damir Tomić.
1205* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
1206* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
1207* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
1208* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
1209* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1210 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
1211 formatting; first declaration, then code (C90); deleted unnecessary comments;
1212 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
1213* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
1214 fix formatting, cleanup. Tomasz Flendrich
1215* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
1216 Tomasz Flendrich
1217* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
1218 fix formatting. Tomasz Flendrich
1219* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
1220* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
1221* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
1222 Tomasz Flendrich
1223* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
1224* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
1225* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
1226* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
1227* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
1228* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
1229* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
1230 fixed formatting. Tomasz Flendrich
1231* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
1232 removed unnecessary comments, cleanup. Tomasz Flendrich
1233* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
1234 comments, cleanup. Tomasz Flendrich
1235* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
1236 Tomasz Flendrich
1237* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
1238* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
1239* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
1240 Tomasz Flendrich
1241* sntp/tests/kodDatabase.c added consts, deleted empty function,
1242 fixed formatting. Tomasz Flendrich
1243* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
1244* sntp/tests/packetHandling.c is now using proper Unity's assertions,
1245 fixed formatting, deleted unused variable. Tomasz Flendrich
1246* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
1247 Tomasz Flendrich
1248* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
1249 fixed formatting. Tomasz Flendrich
1250* sntp/tests/utilities.c is now using proper Unity's assertions, changed
1251 the order of includes, fixed formatting, removed unnecessary comments.
1252 Tomasz Flendrich
1253* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
1254* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
1255 made one function do its job, deleted unnecessary prints, fixed formatting.
1256 Tomasz Flendrich
1257* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
1258* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
1259* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
1260* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
1261* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
1262* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
1263* Don't build sntp/libevent/sample/. Harlan Stenn.
1264* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
1265* br-flock: --enable-local-libevent. Harlan Stenn.
1266* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
1267* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
1268* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
1269* Code cleanup. Harlan Stenn.
1270* libntp/icom.c: Typo fix. Harlan Stenn.
1271* util/ntptime.c: initialization nit. Harlan Stenn.
1272* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
1273* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
1274* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
1275 Tomasz Flendrich
1276* Changed progname to be const in many files - now it's consistent. Tomasz
1277 Flendrich
1278* Typo fix for GCC warning suppression. Harlan Stenn.
1279* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
1280* Added declarations to all Unity tests, and did minor fixes to them.
1281 Reduced the number of warnings by half. Damir Tomić.
1282* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
1283 with the latest Unity updates from Mark. Damir Tomić.
1284* Retire google test - phase I. Harlan Stenn.
1285* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
1286* Update the NEWS file. Harlan Stenn.
1287* Autoconf cleanup. Harlan Stenn.
1288* Unit test dist cleanup. Harlan Stenn.
1289* Cleanup various test Makefile.am files. Harlan Stenn.
1290* Pthread autoconf macro cleanup. Harlan Stenn.
1291* Fix progname definition in unity runner scripts. Harlan Stenn.
1292* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
1293* Update the patch for bug 2817. Harlan Stenn.
1294* More updates for bug 2817. Harlan Stenn.
1295* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
1296* gcc on older HPUX may need +allowdups. Harlan Stenn.
1297* Adding missing MCAST protection. Harlan Stenn.
1298* Disable certain test programs on certain platforms. Harlan Stenn.
1299* Implement --enable-problem-tests (on by default). Harlan Stenn.
1300* build system tweaks. Harlan Stenn.
1301
1302---
1303NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
1304
1305Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.
1306
1307Severity: MEDIUM
1308
1309Security Fix:
1310
1311* [Sec 2853] Crafted remote config packet can crash some versions of
1312 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
1313
1314Under specific circumstances an attacker can send a crafted packet to
1315cause a vulnerable ntpd instance to crash. This requires each of the
1316following to be true:
1317
13181) ntpd set up to allow remote configuration (not allowed by default), and
13192) knowledge of the configuration password, and
13203) access to a computer entrusted to perform remote configuration.
1321
1322This vulnerability is considered low-risk.
1323
1324New features in this release:
1325
1326Optional (disabled by default) support to have ntpd provide smeared
1327leap second time. A specially built and configured ntpd will only
1328offer smeared time in response to client packets. These response
1329packets will also contain a "refid" of 254.a.b.c, where the 24 bits
1330of a, b, and c encode the amount of smear in a 2:22 integer:fraction
1331format. See README.leapsmear and http://bugs.ntp.org/2855 for more
1332information.
1333
1334 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
1335 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
1336
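The refid encoding described above, worked through as an added example (not code from the NTP project): encode a smear offset as 254.a.b.c, decode it back, and flag any upstream that announces smear. The page gives only "2:22 integer:fraction"; treating the 24-bit field as two's-complement signed is an assumption, and the server names and refids are constructed sample data.

```python
"""Added example, not NTP project code: decoding the leap-smear REFID.

A smearing ntpd (see README.leapsmear) answers clients with refid
254.a.b.c, the 24 bits of a.b.c holding the smear amount in a 2:22
integer:fraction fixed-point format.  The functions below encode and
decode that field and flag smeared refids so a monitor can catch a
server that should not be offering smeared time.
Assumption (not stated on the page): the 24-bit field is two's
complement signed, so the smear may be negative as well as positive.
"""

SMEAR_PREFIX = 254          # first refid octet used for smeared time
FRACTION_BITS = 22          # 2:22 -> 22 fraction bits
SCALE = 1 << FRACTION_BITS
FIELD_BITS = 24
FIELD_MASK = (1 << FIELD_BITS) - 1


def smear_to_refid(seconds: float) -> str:
    """Encode a smear offset in seconds as a 254.a.b.c refid string."""
    raw = round(seconds * SCALE)
    if not -(1 << (FIELD_BITS - 1)) <= raw < (1 << (FIELD_BITS - 1)):
        raise ValueError(f"{seconds} s does not fit a signed 2:22 field")
    field = raw & FIELD_MASK            # two's complement in 24 bits (assumed)
    return ".".join(str(x) for x in (SMEAR_PREFIX, (field >> 16) & 0xFF,
                                     (field >> 8) & 0xFF, field & 0xFF))


def refid_to_smear(refid: str):
    """Return the smear in seconds for a 254.a.b.c refid, else None."""
    try:
        octets = [int(o) for o in refid.split(".")]
    except ValueError:
        return None                      # e.g. ".GPS." or another clock name
    if len(octets) != 4 or octets[0] != SMEAR_PREFIX:
        return None
    if any(not 0 <= o <= 255 for o in octets):
        return None
    field = (octets[1] << 16) | (octets[2] << 8) | octets[3]
    if field & (1 << (FIELD_BITS - 1)):   # sign bit set (assumed convention)
        field -= 1 << FIELD_BITS
    return field / SCALE


def smeared_servers(refids: dict) -> dict:
    """From {server: refid}, keep only servers announcing smear, with the
    decoded smear in seconds, so an operator can alert on a public one."""
    found = {}
    for server, refid in refids.items():
        smear = refid_to_smear(refid)
        if smear is not None:
            found[server] = smear
    return found


# Constructed sample: the refid column for a few upstream servers.
SAMPLE_REFIDS = {
    "ntp1.example.net": "10.0.0.5",        # ordinary IPv4 refid
    "gps.example.net": ".GPS.",            # stratum-1 clock name
    "smear.example.net": "254.32.0.0",     # 0.5 s of smear announced
}

if __name__ == "__main__":
    for name, secs in smeared_servers(SAMPLE_REFIDS).items():
        print(f"{name} is serving smeared time: {secs:+.6f} s")
```
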
1337We've imported the Unity test framework, and have begun converting
1338the existing google-test items to this new framework. If you want
1339to write new tests or change old ones, you'll need to have ruby
1340installed. You don't need ruby to run the test suite.
1341
1342Bug Fixes and Improvements:
1343
1344* CID 739725: Fix a rare resource leak in libevent/listener.c.
1345* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
1346* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
1347* CID 1269537: Clean up a line of dead code in getShmTime().
1348* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
1349* [Bug 2590] autogen-5.18.5.
1350* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
1351 of 'limited'.
1352* [Bug 2650] fix includefile processing.
1353* [Bug 2745] ntpd -x steps clock on leap second
1354 Fixed an initial-value problem that caused misbehaviour in absence of
1355 any leapsecond information.
1356 Do leap second stepping only if the step adjustment is beyond the
1357 proper jump distance limit and step correction is allowed at all.
1358* [Bug 2750] build for Win64
1359 Building for 32bit of loopback ppsapi needs def file
1360* [Bug 2776] Improve ntpq's 'help keytype'.
1361* [Bug 2778] Implement "apeers" ntpq command to include associd.
1362* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
1363* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
1364 interface is ignored as long as this flag is not set since the
1365 interface is not usable (e.g., no link).
1366* [Bug 2794] Clean up kernel clock status reports.
1367* [Bug 2800] refclock_true.c true_debug() can't open debug log because
1368 of incompatible open/fdopen parameters.
1369* [Bug 2804] install-local-data assumes GNU 'find' semantics.
1370* [Bug 2805] ntpd fails to join multicast group.
1371* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
1372* [Bug 2808] GPSD_JSON driver enhancements, step 1.
1373 Fix crash during cleanup if GPS device not present and char device.
1374 Increase internal token buffer to parse all JSON data, even SKY.
1375 Defer logging of errors during driver init until the first unit is
1376 started, so the syslog is not cluttered when the driver is not used.
1377 Various improvements, see http://bugs.ntp.org/2808 for details.
1378 Changed libjsmn to a more recent version.
1379* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
1380* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
1381* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
1382* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
1383* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
1384* [Bug 2824] Convert update-leap to perl. (also see 2769)
1385* [Bug 2825] Quiet file installation in html/ .
1386* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
1387 NTPD transfers the current TAI (instead of an announcement) now.
1388 This might still need improvement.
1389 Update autokey data ASAP when 'sys_tai' changes.
1390 Fix unit test that was broken by changes for autokey update.
1391 Avoid potential signature length issue and use DPRINTF where possible
1392 in ntp_crypto.c.
1393* [Bug 2832] refclock_jjy.c supports the TDC-300.
1394* [Bug 2834] Correct a broken html tag in html/refclock.html
1395* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
1396 robust, and require 2 consecutive timestamps to be consistent.
1397* [Bug 2837] Allow a configurable DSCP value.
1398* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
1399* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
1400* [Bug 2842] Bug in mdoc2man.
1401* [Bug 2843] make check fails on 4.3.36
1402 Fixed compiler warnings about numeric range overflow
1403 (The original topic was fixed in a byplay to bug#2830)
1404* [Bug 2845] Harden memory allocation in ntpd.
1405* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
1406* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
1407* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
1408* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
1409* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
1410* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
1411* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
1412* [Bug 2859] Improve raw DCF77 robustness decoding. Frank Kardel.
1413* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
1414* html/drivers/driver22.html: typo fix. Harlan Stenn.
1415* refidsmear test cleanup. Tomasz Flendrich.
1416* refidsmear function support and tests. Harlan Stenn.
1417* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
1418 something that was only in the 4.2.6 sntp. Harlan Stenn.
1419* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
1420 Damir Tomić
1421* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
1422 Damir Tomić
1423* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
1424 Damir Tomić
1425* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
1426* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
1427* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
1428 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1429 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
1430 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
1431 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
1432 Damir Tomić
1433* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
1434 networking.c, keyFile.c, utilities.cpp, sntptest.h,
1435 fileHandlingTest.h. Damir Tomić
1436* Initial support for experimental leap smear code. Harlan Stenn.
1437* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
1438* Report select() debug messages at debug level 3 now.
1439* sntp/scripts/genLocInfo: treat raspbian as debian.
1440* Unity test framework fixes.
1441 ** Requires ruby for changes to tests.
1442* Initial support for PACKAGE_VERSION tests.
1443* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
1444* tests/bug-2803/Makefile.am must distribute bug-2803.h.
1445* Add an assert to the ntpq ifstats code.
1446* Clean up the RLIMIT_STACK code.
1447* Improve the ntpq documentation around the controlkey keyid.
1448* ntpq.c cleanup.
1449* Windows port build cleanup.
1450
1451---
1452NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
1453
1454Focus: Security and Bug fixes, enhancements.
1455
1456Severity: MEDIUM
1457
1458In addition to bug fixes and enhancements, this release fixes the
1459following medium-severity vulnerabilities involving private key
1460authentication:
1461
1462* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1463
1464 References: Sec 2779 / CVE-2015-1798 / VU#374268
1465 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
1466 including ntp-4.2.8p2 where the installation uses symmetric keys
1467 to authenticate remote associations.
1468 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1469 Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1470 Summary: When ntpd is configured to use a symmetric key to authenticate
1471 a remote NTP server/peer, it checks if the NTP message
1472 authentication code (MAC) in received packets is valid, but not if
1473 there actually is any MAC included. Packets without a MAC are
1474 accepted as if they had a valid MAC. This allows a MITM attacker to
1475 send false packets that are accepted by the client/peer without
1476 having to know the symmetric key. The attacker needs to know the
1477 transmit timestamp of the client to match it in the forged reply
1478 and the false reply needs to reach the client before the genuine
1479 reply from the server. The attacker doesn't necessarily need to be
1480 relaying the packets between the client and the server.
1481
1482 Authentication using autokey doesn't have this problem as there is
1483 a check that requires the key ID to be larger than NTP_MAXKEY,
1484 which fails for packets without a MAC.
1485 Mitigation:
1486 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1487 or the NTP Public Services Project Download Page
1488 Configure ntpd with enough time sources and monitor it properly.
1489 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1490
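The missing-MAC check that Sec 2779 describes, as an added example (not ntpd's code): the pre-4.2.8p2 decision path beside the corrected one, run over constructed packets with no MAC, a good MAC and a bad MAC. Packet layout and the keyid || MD5(key || header) MAC follow RFC 5905; the key table and header bytes are constructed sample data.

```python
"""Added example, not NTP project code: the check behind CVE-2015-1798.

Before 4.2.8p2, ntpd verified a symmetric-key MAC only when one was
present; a packet with no MAC at all was accepted as authenticated.
mac_ok_vulnerable() mirrors that logic, mac_ok_fixed() requires the MAC.
Packet layout (48-byte header, then 32-bit key ID + MD5 digest) and the
MD5(key || header) construction follow RFC 5905; the key table, header
bytes and packets below are constructed sample data.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTPv4 header (RFC 5905)
MD5_MAC_LEN = 4 + 16     # key ID + 16-byte MD5 digest

# Constructed sample data: one shared key and a minimal server reply
# header (LI=0, VN=4, mode=4, remaining fields zeroed).
KEYS = {1: b"constructed-sample-key"}
SAMPLE_HEADER = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)


def md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: keyid || MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def build_packet(header: bytes, key_id=None, key=None) -> bytes:
    """Header alone (no MAC) or header plus a MAC under the given key."""
    if key is None:
        return header
    return header + md5_mac(key_id, key, header)


def _mac_valid(packet: bytes, keys: dict) -> bool:
    """True only if a complete MAC is present and verifies under a known key."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) != NTP_HEADER_LEN or len(mac) != MD5_MAC_LEN:
        return False
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def mac_ok_vulnerable(packet: bytes, keys: dict) -> bool:
    """Pre-4.2.8p2 logic: a MAC is checked when present, but its absence
    is not treated as a failure, so a bare 48-byte packet passes."""
    if len(packet) <= NTP_HEADER_LEN:
        return True      # the bug: nothing to verify, so nothing fails
    return _mac_valid(packet, keys)


def mac_ok_fixed(packet: bytes, keys: dict) -> bool:
    """Corrected logic: an authenticated association requires a valid MAC."""
    return _mac_valid(packet, keys)


def compare(packet: bytes, keys: dict = KEYS) -> dict:
    """Both decisions side by side for one packet."""
    return {"vulnerable": mac_ok_vulnerable(packet, keys),
            "fixed": mac_ok_fixed(packet, keys)}


if __name__ == "__main__":
    no_mac = build_packet(SAMPLE_HEADER)                   # no MAC at all
    good = build_packet(SAMPLE_HEADER, 1, KEYS[1])         # correct key
    bad = build_packet(SAMPLE_HEADER, 1, b"wrong-key")     # bad digest
    for name, pkt in (("no MAC", no_mac), ("good MAC", good), ("bad MAC", bad)):
        print(f"{name:9s} -> {compare(pkt)}")
```

Only the no-MAC case separates the two versions: both reject a bad digest, both accept a good one, and only the vulnerable path accepts a packet that carries no MAC at all.
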
1491* [Sec 2781] Authentication doesn't protect symmetric associations against
1492 DoS attacks.
1493
  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

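The ordering problem Sec 2781 describes, shown as an added Python model that is not ntpd code: a symmetric association keeps the peer's last transmit timestamp as `org` and checks each incoming packet's originate timestamp against its own last `xmt`. `receive_vulnerable` overwrites `org` before the authenticator is checked; `receive_fixed` leaves peer state untouched when the MAC does not verify. The packet layout, the HMAC-MD5 authenticator, the key and the clock values are constructed simplifications, not the NTP wire format.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared symmetric key; real ntpd keys come from ntp.keys.
KEY = b"constructed-symmetric-key"


@dataclass
class Packet:
    org: int    # originate timestamp: xmt of the last packet the sender accepted from us
    xmt: int    # transmit timestamp of this packet
    mac: bytes  # authenticator over (org, xmt)


@dataclass
class Peer:
    name: str
    clock: int      # constructed local clock, advanced once per send
    org: int = 0    # xmt of the last packet accepted from the peer (peer state variable)
    xmt: int = 0    # xmt of our last packet to the peer
    bad_auth: int = 0
    bogus: int = 0  # packets failing the originate-timestamp check


def authenticator(org: int, xmt: int, key: bytes) -> bytes:
    # Simplified stand-in for the NTP symmetric-key MAC.
    return hmac.new(key, f"{org}:{xmt}".encode(), hashlib.md5).digest()


def send(me: Peer, key: bytes) -> Packet:
    me.clock += 1
    me.xmt = me.clock
    return Packet(me.org, me.xmt, authenticator(me.org, me.xmt, key))


def auth_ok(pkt: Packet, key: bytes) -> bool:
    return hmac.compare_digest(pkt.mac, authenticator(pkt.org, pkt.xmt, key))


def receive_vulnerable(me: Peer, pkt: Packet, key: bytes) -> bool:
    """Pre-4.2.8p2 ordering as the advisory describes it: the state
    variable is overwritten before authentication is consulted."""
    me.org = pkt.xmt
    if not auth_ok(pkt, key):
        me.bad_auth += 1
        return False
    if pkt.org != me.xmt:
        me.bogus += 1
        return False
    return True


def receive_fixed(me: Peer, pkt: Packet, key: bytes) -> bool:
    """Fixed ordering: a packet that fails authentication leaves peer
    state untouched, so a forged packet cannot desynchronize the pair."""
    if not auth_ok(pkt, key):
        me.bad_auth += 1
        return False
    me.org = pkt.xmt
    if pkt.org != me.xmt:
        me.bogus += 1
        return False
    return True


def simulate(receive) -> dict:
    """One honest round trip A->B->A, one forged packet to A claiming to be
    from B, then A's next poll to B. Returns what B makes of that poll."""
    a, b = Peer("A", clock=1000), Peer("B", clock=2000)
    receive(b, send(a, KEY), KEY)
    receive(a, send(b, KEY), KEY)
    org_before = a.org
    # Forged packet: wrong MAC, arbitrary transmit timestamp.
    receive(a, Packet(org=0, xmt=999_999, mac=b"\x00" * 16), KEY)
    accepted = receive(b, send(a, KEY), KEY)
    return {
        "a_org_before_forgery": org_before,
        "a_org_after_forgery": a.org,
        "a_bad_auth": a.bad_auth,
        "b_accepted_next_poll": accepted,
        "b_bogus": b.bogus,
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", receive_vulnerable), ("fixed", receive_fixed)):
        print(name, simulate(fn))
```

The monitoring advice in the mitigation list maps onto the counters kept here: a rising bad_auth count on an otherwise healthy symmetric peer is the signal worth alerting on, and in the fixed ordering it is the only trace the forged packet leaves.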
* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

 wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

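What the verify step of update-leap has to do, as an added Python example rather than the project's script (which is a shell script built on wget and shasum): parse the leap-seconds.list layout, check the '#@' expiry against the current time and recompute the '#h' SHA-1. The hash rule coded here (SHA-1 over the digits of the '#$' value, the '#@' value and each data line, whitespace removed, printed as five hex words) is my reading of the file format and should be taken as an assumption; the sample file is constructed.

```python
import hashlib
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def ntp_to_datetime(ntp_seconds: int) -> datetime:
    return datetime.fromtimestamp(ntp_seconds - NTP_EPOCH_OFFSET, tz=timezone.utc)


def parse_leap_file(text: str) -> dict:
    """Split a leap-seconds.list into its '#$' update time, '#@' expiry,
    (ntp_seconds, tai_minus_utc) entries and the words of the '#h' line."""
    info = {"updated": None, "expires": None, "entries": [], "hash_words": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#$"):
            info["updated"] = int(line[2:].split()[0])
        elif line.startswith("#@"):
            info["expires"] = int(line[2:].split()[0])
        elif line.startswith("#h"):
            info["hash_words"] = [int(w, 16) for w in line[2:].split()]
        elif line.startswith("#"):
            continue  # free-text comment
        else:
            ts, offset = line.split()[:2]
            info["entries"].append((int(ts), int(offset)))
    return info


def expected_hash(info: dict) -> list:
    """Assumed '#h' rule: SHA-1 over the decimal digits of the '#$' value,
    the '#@' value and every data line, all whitespace and comments removed,
    returned as five 32-bit words."""
    digits = f"{info['updated']}{info['expires']}"
    digits += "".join(f"{ts}{offset}" for ts, offset in info["entries"])
    digest = hashlib.sha1(digits.encode("ascii")).digest()
    return [int.from_bytes(digest[i:i + 4], "big") for i in range(0, 20, 4)]


def format_hash_line(words: list) -> str:
    # Words are printed as bare hex; int(w, 16) in the parser tolerates dropped leading zeros.
    return "#h\t" + " ".join(f"{w:x}" for w in words)


def check_leap_file(text: str, now_ntp: int) -> dict:
    """The decision update-leap has to make: is the file intact, and is it
    still valid at time now_ntp (NTP seconds)?"""
    info = parse_leap_file(text)
    hash_ok = info["hash_words"] is not None and info["hash_words"] == expected_hash(info)
    expires = info["expires"]
    expired = expires is None or now_ntp >= expires
    return {
        "hash_ok": hash_ok,
        "expired": expired,
        "days_left": None if expires is None else (expires - now_ntp) // 86400,
        "expires_utc": None if expires is None else ntp_to_datetime(expires).isoformat(),
        "current_tai_utc": info["entries"][-1][1] if info["entries"] else None,
    }


# Constructed sample in leap-seconds.list layout (a real file has about 28 data lines).
SAMPLE_BODY = (
    "# constructed sample, not a real IERS/NIST file\n"
    "#$\t3676924800\n"                  # last update, NTP seconds (mid-2016)
    "#@\t3692217600\n"                  # expires 1 Jan 2017 00:00 UTC
    "2272060800\t10\t# 1 Jan 1972\n"
    "2287785600\t11\t# 1 Jul 1972\n"
    "3692217600\t37\t# 1 Jan 2017\n"
)
SAMPLE = SAMPLE_BODY + format_hash_line(expected_hash(parse_leap_file(SAMPLE_BODY))) + "\n"

if __name__ == "__main__":
    print(check_leap_file(SAMPLE, now_ntp=3680000000))
```

A cron job built on this would fetch a fresh copy only when `expired` is true or `days_left` drops below a chosen margin, and would refuse to install any download whose `hash_ok` is false.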
Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1-based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

 restrict default ... noquery

in the ntp.conf file. With the exception of:

 receive(): missing return on error
 References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

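A small audit of the two mitigations this note keeps returning to, as an added Python example (not an ntp tool): it reads an ntp.conf, reports any address family whose `restrict default` line lacks `noquery` (or `ignore`), and flags `crypto` directives, since several of the items below are reachable only when Autokey is on. The reading that a bare `restrict default` applies to both IPv4 and IPv6 unless `-4` or `-6` is given is mine; the configurations are constructed samples.

```python
def parse_ntp_conf(text: str):
    """Yield (keyword, args) per directive, ignoring '#' comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def audit_ntp_conf(text: str) -> list:
    """Return a list of findings; an empty list means both BCP items are in place."""
    default_flags = {"-4": None, "-6": None}  # flags on 'restrict default' per family
    crypto_lines = []
    for keyword, args in parse_ntp_conf(text):
        if keyword == "restrict":
            families = ["-4", "-6"]  # assumption: a bare 'default' covers both families
            args = list(args)
            if args and args[0] in ("-4", "-6"):
                families = [args.pop(0)]
            if args and args[0] == "default":
                for fam in families:
                    default_flags[fam] = set(args[1:])
        elif keyword == "crypto":
            crypto_lines.append(" ".join([keyword, *args]))

    findings = []
    for fam, flags in default_flags.items():
        if flags is None:
            findings.append(f"no 'restrict {fam} default' line: query packets accepted from any {fam} source")
        elif not flags & {"noquery", "ignore"}:
            findings.append(f"'restrict {fam} default' lacks noquery (flags: {' '.join(sorted(flags))})")
    for line in crypto_lines:
        findings.append(f"Autokey enabled by '{line}'; remove unless it is required")
    return findings


# Constructed sample configurations.
WEAK_CONF = """\
server ntp1.example.com iburst
crypto pw hunter2   # Autokey on, no restrict lines at all
"""

HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp1.example.com iburst
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

The audit deliberately treats `ignore` as satisfying the check, because a default that drops everything is stricter than `noquery`; it says nothing about whether the narrower `restrict` lines that follow reopen queries to trusted hosts, which is the intended pattern.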
* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
  - Upgrade to 4.2.7p11 or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
  - Upgrade to 4.2.7p230 or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later, or
  - Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the crypto keyword
    in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later,
  - Remove or comment out all configuration directives
    beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" timestamp to tell us what era we
are in. This check "looks back" 10 years, and "looks forward" 126 years.

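The era rule in the paragraph above, as an added Python example rather than ntpd's own code: a 32-bit NTP seconds value is placed in whichever era puts it inside a window that opens ten years before the build timestamp and closes one era (2^32 seconds, about 136 years) later, which leaves roughly 126 years of look-forward. The build timestamp used below is the 4.2.8 release date, 18 December 2014, chosen as a constructed input; counting the ten years as 365-day years is an assumption about the exact bound.

```python
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0 start) to 1970-01-01
ERA_SECONDS = 1 << 32           # width of one era: 4294967296 s, about 136.1 years
LOOK_BACK = 10 * 365 * 86400    # "look back" 10 years; the rest of the era is the look-forward


def unix_to_ntp32(unix_seconds: int) -> int:
    """Truncate a Unix time to the 32-bit seconds field of an NTP timestamp."""
    return (unix_seconds + NTP_EPOCH_OFFSET) % ERA_SECONDS


def era_of_unix(unix_seconds: int) -> int:
    """Era number: 0 from 1900 until the 2036 rollover, 1 from then on, and so forth."""
    return (unix_seconds + NTP_EPOCH_OFFSET) // ERA_SECONDS


def ntp32_to_unix(ntp32: int, build_unix: int) -> int:
    """Resolve a 32-bit NTP seconds value using the build time as pivot.
    The result always lies in [build - 10 years, build - 10 years + 2^32),
    so the window reaches roughly 126 years past the build."""
    window_start = build_unix - LOOK_BACK
    start_ntp32 = unix_to_ntp32(window_start)
    return window_start + ((ntp32 - start_ntp32) % ERA_SECONDS)


def window_bounds(build_unix: int) -> tuple:
    """The earliest and latest Unix times the pivot will ever produce."""
    start = build_unix - LOOK_BACK
    return start, start + ERA_SECONDS - 1


BUILD_UNIX = 1418860800  # constructed pivot: 2014-12-18 00:00:00 UTC, the 4.2.8 release date

if __name__ == "__main__":
    for label, ntp32 in (("2017 timestamp", 3708988800),
                         ("era rollover (ntp32 == 0)", 0),
                         ("2001 timestamp, older than the look-back", 3208988800)):
        t = ntp32_to_unix(ntp32, BUILD_UNIX)
        print(f"{label}: ntp32={ntp32} -> unix={t} era={era_of_unix(t)}")
```

The third case is the cost of looking back only ten years: a timestamp from 2001 handed to a 2014 build is pushed one full era forward, into 2137, which is why the choice of pivot matters and why the text ties it to the built-on date rather than a fixed midpoint.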
* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

 * Updated "nic" and "interface" IPv6 address handling to prevent
   mismatches with localhost [::1] and wildcard [::] which resulted from
   using the address/prefix format (e.g. fe80::/64)
 * Fix orphan mode stratum incorrectly counting to infinity
 * Orphan parent selection metric updated to include missing ntohl()
 * Non-printable stratum 16 refid no longer sent to ntp
 * Duplicate ephemeral associations suppressed for broadcastclient and
   multicastclient without broadcastdelay
 * Exclude undetermined sys_refid from use in loopback TEST12
 * Exclude MODE_SERVER responses from KoD rate limiting
 * Include root delay in clock_update() sys_rootdisp calculations
 * get_systime() updated to exclude sys_residual offset (which only
   affected bits "below" sys_tick, the precision threshold)
 * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

 * -n option extended to include the billboard "server" column
 * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.

---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
    are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
395 ntp-4.3.0 up to, but not including ntp-4.3.93.
396 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
397 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
398 Summary: The fix for NtpBug2978 does not cover broadcast associations,
399 so broadcast clients can be triggered to flip into interleave mode.
400 Mitigation:
401 Implement BCP-38.
402 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
403 or the NTP Public Services Project Download Page
404 Properly monitor your ntpd instances.
405 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past, it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
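
The leak behind the entry above, as an added example (not ntpd's own authdecrypt code): an early-exit comparison stops at the first differing MAC byte, so the time it takes reveals how long a prefix of the digest was right, while a constant-time compare does the same work regardless of where the digests differ. The digest bytes and the forge_mac() helper are constructed for the demonstration.

```c
/* Added example for the authdecrypt-timing entry above; not code from ntpd. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIGEST_LEN 16   /* MD5 digest length: the MAC size in the constructed packets */

/* Models the pre-4.2.8p7 check, where memcmp()/bcmp() may return as soon as
 * one byte differs. Returns 1 on match, 0 on mismatch, and reports how many
 * bytes were examined: that count is what a timing observer can infer. */
static int
mac_equal_early_exit(const uint8_t *want, const uint8_t *got, size_t n,
                     size_t *bytes_examined)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (want[i] != got[i]) {
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = n;
    return 1;
}

/* Constant-time replacement: every byte is visited and the differences are
 * OR-ed together, so neither the loop count nor any branch depends on where
 * (or whether) the digests differ. Returns 1 on match, 0 on mismatch. */
static int
mac_equal_ct(const uint8_t *want, const uint8_t *got, size_t n)
{
    unsigned diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (unsigned)(want[i] ^ got[i]);
    /* (diff - 1u) >> 8 is non-zero only when diff == 0 (unsigned wrap-around). */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Constructed digest standing in for the MD5 ntpd computes over a packet. */
static const uint8_t computed_digest[DIGEST_LEN] = {
    0x9e, 0x10, 0x7d, 0x9d, 0x37, 0x2b, 0xb6, 0x82,
    0x6b, 0xd8, 0x1d, 0x35, 0x42, 0xa4, 0x19, 0xd6
};

/* Builds a constructed MAC that shares the first `prefix` bytes with the
 * genuine digest and differs in every byte after that. */
static void
forge_mac(size_t prefix, uint8_t out[DIGEST_LEN])
{
    size_t i;

    for (i = 0; i < DIGEST_LEN; i++)
        out[i] = (i < prefix) ? computed_digest[i]
                              : (uint8_t)(computed_digest[i] ^ 0xffu);
}

/* How many bytes the early-exit compare inspects before rejecting a MAC whose
 * first `prefix` bytes are right: prefix + 1, or DIGEST_LEN for a full match. */
size_t
bytes_leaked_by_early_exit(size_t prefix)
{
    uint8_t forged[DIGEST_LEN];
    size_t examined = 0;

    forge_mac(prefix, forged);
    (void)mac_equal_early_exit(computed_digest, forged, DIGEST_LEN, &examined);
    return examined;
}

/* The constant-time compare gives the same verdicts without the leak. */
int
ct_rejects_forged_mac(void)
{
    uint8_t forged[DIGEST_LEN];

    forge_mac(3, forged);
    return mac_equal_ct(computed_digest, forged, DIGEST_LEN) == 0;
}

int
ct_accepts_genuine_mac(void)
{
    return mac_equal_ct(computed_digest, computed_digest, DIGEST_LEN) == 1;
}

int
main(void)
{
    size_t prefix;

    for (prefix = 0; prefix <= DIGEST_LEN; prefix += 4)
        printf("%2zu correct leading bytes -> early-exit compare examined %2zu bytes\n",
               prefix, bytes_leaked_by_early_exit(prefix));
    printf("constant-time: forged rejected=%d, genuine accepted=%d\n",
           ct_rejects_forged_mac(), ct_accepts_genuine_mac());
    return 0;
}
```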

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you can't upgrade, use "server" associations instead of
      "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you are unable to upgrade and if you are running an OS that
      has this vulnerability, implement martian packet filters and
      lobby your OS vendor to fix this problem, or run your
      refclocks on computers that use OSes that are not vulnerable
      to these attacks and have your vulnerable machines get their
      time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page. These
      versions will not dynamically "flip" into interleave mode
      unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of RedHat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
    the feature introduced in ntp-4.2.8p6 allowing an optional 4th
    field in the ntp.keys file to specify which IPs can serve time,
    a malicious authenticated peer can create arbitrarily-many
    ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
      can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

  --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
      * Own a malicious NTP server that the client trusts
      * Prevent a legitimate NTP server from sending packets to
        the 'ntpq' client
      * MITM the 'ntpq' communications between the 'ntpq' client
        and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:L)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.
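
A simplified model of the origin check described above and of the 4.2.8p6 fix, added here as an example and not taken from ntpd's receive(): aorg holds the transmit timestamp of the last request and is cleared once a reply is accepted, so with nothing outstanding a packet whose origin field is zero satisfies the vulnerable check, while the fixed check rejects a zero origin outright. The struct, the function names and the timestamp value are assumptions constructed for the demonstration.

```c
/* Added example for the zero-origin-timestamp entry above: a simplified
 * model of the check, not ntpd's receive() code. */
#include <stdint.h>
#include <stdio.h>

/* NTP timestamps are 64-bit 32.32 fixed point; uint64_t stands in for l_fp. */
typedef uint64_t ntp_ts;

struct peer {
    ntp_ts aorg;   /* xmt of our last request; 0 when no request is outstanding */
};

/* Remember the transmit timestamp of a request we just sent. */
static void
send_request(struct peer *p, ntp_ts xmt)
{
    p->aorg = xmt;
}

/* Pre-4.2.8p6 behaviour (simplified): accept when the packet's origin equals
 * aorg, then clear aorg so a replay of this reply cannot match again. Since
 * aorg is also 0 whenever nothing is outstanding, a packet carrying origin 0
 * "matches" at exactly those moments. */
static int
accept_response_vulnerable(struct peer *p, ntp_ts pkt_org)
{
    if (pkt_org != p->aorg)
        return 0;      /* bogus: not the reply to our last request */
    p->aorg = 0;
    return 1;
}

/* 4.2.8p6 behaviour (simplified): a zero origin can never be the reply to a
 * request we sent, so it is rejected before any match is attempted. */
static int
accept_response_fixed(struct peer *p, ntp_ts pkt_org)
{
    if (pkt_org == 0 || pkt_org != p->aorg)
        return 0;
    p->aorg = 0;
    return 1;
}

/* Constructed transmit timestamp for the scenarios below. */
#define XMT_REQUEST ((ntp_ts)0xdbf38a8e00000000ULL)

/* Scenario 1: no request outstanding, an unsolicited packet with origin 0
 * arrives. Each function returns the check's verdict (1 = accepted). */
int
idle_zero_origin_vulnerable(void)
{
    struct peer p = { 0 };

    return accept_response_vulnerable(&p, 0);
}

int
idle_zero_origin_fixed(void)
{
    struct peer p = { 0 };

    return accept_response_fixed(&p, 0);
}

/* Scenario 2: request outstanding; the genuine reply is accepted once and a
 * replay of it is rejected. Returns 1 when the fixed check does both. */
int
genuine_reply_then_replay_fixed(void)
{
    struct peer p = { 0 };
    int first, replay;

    send_request(&p, XMT_REQUEST);
    first = accept_response_fixed(&p, XMT_REQUEST);
    replay = accept_response_fixed(&p, XMT_REQUEST);
    return first == 1 && replay == 0;
}

/* Scenario 3: request outstanding; a reply with the wrong origin is rejected
 * by both checks (the match itself was never the problem, only zero). */
int
wrong_origin_rejected_by_both(void)
{
    struct peer p = { 0 };
    int v, f;

    send_request(&p, XMT_REQUEST);
    v = accept_response_vulnerable(&p, XMT_REQUEST + 1);
    f = accept_response_fixed(&p, XMT_REQUEST + 1);
    return v == 0 && f == 0;
}

int
main(void)
{
    printf("idle peer, origin 0: vulnerable accepts=%d, fixed accepts=%d\n",
           idle_zero_origin_vulnerable(), idle_zero_origin_fixed());
    printf("genuine reply then replay (fixed): %d\n", genuine_reply_then_replay_fixed());
    printf("wrong origin rejected by both: %d\n", wrong_origin_rejected_by_both());
    return 0;
}
```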

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
      deeper problems to investigate. In this case also consider
      having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
      the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
        never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
        careful about what IPs have the ability to send 'modify'
        requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq make sure there are
        some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key encryption uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server vs. client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
      upgrade to 4.2.8p6, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page, and
      use the new field in the ntp.keys file that specifies the list
      of IPs that are allowed to serve time. Note that this alone
      will not protect against time packets with forged source IP
      addresses, however other changes in ntp-4.2.8p6 provide
      significant mitigation against broadcast attacks. MITM attacks
      are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
        servers.
      If you choose to use symmetric keys to authenticate time
        packets in a hostile environment where ephemeral time
        servers can be created, or if it is expected that malicious
        time servers will participate in an NTP broadcast domain,
        limit the number of participating systems that participate
        in the shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.
992
993Other fixes:
994
995* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
996* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
997 - applied patch by shenpeng11@huawei.com with minor adjustments
998* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
999* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
1000* [Bug 2892] Several test cases assume IPv6 capabilities even when
1001 IPv6 is disabled in the build. perlinger@ntp.org
1002 - Found this already fixed, but validation led to cleanup actions.
1003* [Bug 2905] DNS lookups broken. perlinger@ntp.org
1004 - added limits to stack consumption, fixed some return code handling
1005* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1006 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1007 - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
1008* [Bug 2980] reduce number of warnings. perlinger@ntp.org
1009 - integrated several patches from Havard Eidnes (he@uninett.no)
1010* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
1011 - implement 'auth_log2()' using integer bithack instead of float calculation
1012* Make leapsec_query debug messages less verbose. Harlan Stenn.
1013
1014---
1015NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
1016
1017Focus: Security, Bug fixes, enhancements.
1018
1019Severity: MEDIUM
1020
1021In addition to bug fixes and enhancements, this release fixes the
1022following medium-severity vulnerability:
1023
1024* Small-step/big-step. Close the panic gate earlier.
1025 References: Sec 2956, CVE-2015-5300
1026 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
1027 4.3.0 up to, but not including 4.3.78
1028 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
1029 Summary: If ntpd is always started with the -g option, which is
1030 common and against long-standing recommendation, and if at the
1031 moment ntpd is restarted an attacker can immediately respond to
1032 enough requests from enough sources trusted by the target, which
1033 is difficult and not common, there is a window of opportunity
1034 where the attacker can cause ntpd to set the time to an
1035 arbitrary value. Similarly, if an attacker is able to respond
1036 to enough requests from enough sources trusted by the target,
1037 the attacker can cause ntpd to abort and restart, at which
1038 point it can tell the target to set the time to an arbitrary
1039 value if and only if ntpd was re-started against long-standing
1040 recommendation with the -g flag, or if ntpd was not given the
1041 -g flag, the attacker can move the target system's time by at
1042 most 900 seconds' time per attack.
1043 Mitigation:
1044 Configure ntpd to get time from multiple sources.
1045 Upgrade to 4.2.8p5, or later, from the NTP Project Download
1046 Page or the NTP Public Services Project Download Page
1047 As we've long documented, only use the -g option to ntpd in
1048 cold-start situations.
1049 Monitor your ntpd instances.
1050 Credit: This weakness was discovered by Aanchal Malhotra,
1051 Isaac E. Cohen, and Sharon Goldberg at Boston University.
1052
1053 NOTE WELL: The -g flag disables the limit check on the panic_gate
1054 in ntpd, which is 900 seconds by default. The bug identified by
1055 the researchers at Boston University is that the panic_gate
1056 check was only re-enabled after the first change to the system
1057 clock that was greater than 128 milliseconds, by default. The
1058 correct behavior is that the panic_gate check should be
1059 re-enabled after any initial time correction.
1060
1061 If an attacker is able to inject consistent but erroneous time
1062 responses to your systems via the network or "over the air",
1063 perhaps by spoofing radio, cellphone, or navigation satellite
1064 transmissions, they are in a great position to affect your
1065 system's clock. There comes a point where your very best
1066 defenses include:
1067
1068 Configure ntpd to get time from multiple sources.
1069 Monitor your ntpd instances.
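
The panic-gate behaviour described in the note above, as an added Python model that is not ntpd's own code: the buggy variant only closes the gate after a step larger than 128 ms, while the corrected variant closes it after any initial correction, so a run of small slews no longer leaves a -g started daemon open to an arbitrary later step. The 900 s and 128 ms thresholds come from the note; the scenario offsets are constructed.

```python
# Added example (not ntpd's code): a small model of the panic-gate logic
# described in the 4.2.8p5 advisory, in both its buggy and corrected form.
from dataclasses import dataclass, field
from typing import List, Tuple

PANIC_GATE = 900.0      # seconds; the panic_gate limit (900 s by default)
STEP_THRESHOLD = 0.128  # seconds; corrections above this are steps, below are slews


@dataclass
class ClockDiscipline:
    """State of one ntpd-like clock discipline loop."""
    dash_g: bool                 # started with -g: large initial correction allowed
    fixed: bool                  # True = corrected behaviour, False = buggy behaviour
    allow_panic: bool = field(init=False)
    log: List[Tuple[float, str]] = field(default_factory=list)

    def __post_init__(self):
        # -g disables the panic-gate check until the first correction closes it.
        self.allow_panic = self.dash_g

    def apply(self, offset: float) -> str:
        """Apply one measured offset (seconds) and return the action taken."""
        if abs(offset) > PANIC_GATE and not self.allow_panic:
            # ntpd would exit here rather than accept the correction.
            action = "PANIC"
        elif abs(offset) > STEP_THRESHOLD:
            action = "STEP"
        else:
            action = "SLEW"

        if action != "PANIC":
            if self.fixed:
                # Corrected behaviour: any initial correction closes the gate.
                self.allow_panic = False
            elif action == "STEP":
                # Buggy behaviour: only a step (> 128 ms) closes the gate, so
                # a sequence of small slews leaves it open indefinitely.
                self.allow_panic = False
        self.log.append((offset, action))
        return action


def run(offsets, dash_g: bool, fixed: bool) -> List[str]:
    """Feed a list of offsets through one discipline instance; return the actions."""
    d = ClockDiscipline(dash_g=dash_g, fixed=fixed)
    return [d.apply(o) for o in offsets]


# Constructed scenario: a few honest small corrections, then a bogus
# 100000-second offset injected by an attacker (illustrative values only).
SCENARIO = [0.05, -0.02, 0.01, 100000.0]

if __name__ == "__main__":
    print("buggy,  -g   :", run(SCENARIO, dash_g=True, fixed=False))
    print("fixed,  -g   :", run(SCENARIO, dash_g=True, fixed=True))
    print("buggy,  no -g:", run(SCENARIO, dash_g=False, fixed=False))
```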
1070
1071Other fixes:
1072
1073* Coverity submission process updated from Coverity 5 to Coverity 7.
1074 The NTP codebase has been undergoing regular Coverity scans on an
1075 ongoing basis since 2006. As part of our recent upgrade from
1076 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
1077 the newly-written Unity test programs. These were fixed.
1078* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
1079* [Bug 2887] stratum -1 config results as showing value 99
1080 - fudge stratum should only accept values [0..16]. perlinger@ntp.org
1081* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
1082* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
1083* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
1084 - applied patch by Christos Zoulas. perlinger@ntp.org
1085* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
1086* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
1087 - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
1088 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
1089* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
1090 - accept key file only if there are no parsing errors
1091 - fixed size_t/u_int format clash
1092 - fixed wrong use of 'strlcpy'
1093* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
1094* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
1095 - fixed several other warnings (cast-alignment, missing const, missing prototypes)
1096 - promote use of 'size_t' for values that express a size
1097 - use ptr-to-const for read-only arguments
1098 - make sure SOCKET values are not truncated (win32-specific)
1099 - format string fixes
1100* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
1101* [Bug 2967] ntpdate command suffers an assertion failure
1102 - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
1103* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
1104 lots of clients. perlinger@ntp.org
1105* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1106 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1107* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
1108* Unity test cleanup. Harlan Stenn.
1109* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
1110* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
1111* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
1112* Quiet a warning from clang. Harlan Stenn.
1113
1114---
1115NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
1116
1117Focus: Security, Bug fixes, enhancements.
1118
1119Severity: MEDIUM
1120
1121In addition to bug fixes and enhancements, this release fixes the
1122following 13 low- and medium-severity vulnerabilities:
1123
1124* Incomplete vallen (value length) checks in ntp_crypto.c, leading
1125 to potential crashes or potential code injection/information leakage.
1126
1127 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
1128 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1129 and 4.3.0 up to, but not including 4.3.77
1130 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1131 Summary: The fix for CVE-2014-9750 was incomplete in that there were
1132 certain code paths where a packet with particular autokey operations
1133 that contained malicious data was not always being completely
1134 validated. Receipt of these packets can cause ntpd to crash.
1135 Mitigation:
1136 Don't use autokey.
1137 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1138 Page or the NTP Public Services Project Download Page
1139 Monitor your ntpd instances.
1140 Credit: This weakness was discovered by Tenable Network Security.
1141
1142* Clients that receive a KoD should validate the origin timestamp field.
1143
1144 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1145 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1146 and 4.3.0 up to, but not including 4.3.77
1147 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
1148 Summary: An ntpd client that honors Kiss-of-Death responses will honor
1149 KoD messages that have been forged by an attacker, causing it to
1150 delay or stop querying its servers for time updates. Also, an
1151 attacker can forge packets that claim to be from the target and
1152 send them to servers often enough that a server that implements
1153 KoD rate limiting will send the target machine a KoD response to
1154 attempt to reduce the rate of incoming packets, or it may also
1155 trigger a firewall block at the server for packets from the target
1156 machine. For either of these attacks to succeed, the attacker must
1157 know what servers the target is communicating with. An attacker
1158 can be anywhere on the Internet and can frequently learn the
1159 identity of the target's time source by sending the target a
1160 time query.
1161 Mitigation:
1162 Implement BCP-38.
1163 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
1164 or the NTP Public Services Project Download Page
1165 If you can't upgrade, restrict who can query ntpd to learn who
1166 its servers are, and what IPs are allowed to ask your system
1167 for the time. This mitigation is heavy-handed.
1168 Monitor your ntpd instances.
1169 Note:
1170 4.2.8p4 protects against the first attack. For the second attack,
1171 all we can do is warn when it is happening, which we do in 4.2.8p4.
1172 Credit: This weakness was discovered by Aanchal Malhotra,
1173 Isaac E. Cohen, and Sharon Goldberg of Boston University.
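
The origin-timestamp check that addresses the first (forged KoD) attack, as an added Python model that is not ntpd's code: the client remembers the transmit timestamp of each outstanding request and drops any reply, KoD or otherwise, whose origin field does not echo it. Stratum 0 and the "RATE" kiss code are from RFC 5905; the server address, timestamps and the clear-on-match behaviour are assumptions of this model.

```python
# Added example (not ntpd's code): a client-side origin-timestamp check for
# NTP responses, including Kiss-of-Death (KoD) packets, as described in the
# CVE-2015-7704 advisory.
from dataclasses import dataclass, field
from typing import Dict, Optional

# KoD packets carry stratum 0 and a 4-character ASCII kiss code in the refid
# field (RFC 5905 section 7.4); "RATE" asks the client to slow its polling.
KOD_STRATUM = 0


@dataclass
class Packet:
    src: str        # server address the packet claims to come from
    stratum: int
    refid: str      # ASCII kiss code when stratum == 0
    org: int        # origin timestamp: must echo the client's transmit timestamp
    xmt: int        # server's transmit timestamp (not needed for this check)


@dataclass
class Client:
    """Per-server state an NTP client needs for the origin-timestamp check."""
    outstanding: Dict[str, Optional[int]] = field(default_factory=dict)
    poll_backoff: Dict[str, bool] = field(default_factory=dict)
    bogus: int = 0
    clock_samples: int = 0

    def send_request(self, server: str, now: int) -> int:
        # The request's transmit timestamp acts as a nonce the reply must echo.
        self.outstanding[server] = now
        return now

    def receive(self, pkt: Packet) -> str:
        expected = self.outstanding.get(pkt.src)
        if expected is None or pkt.org != expected:
            # Unsolicited or mismatched origin: a forgery (the sender does not
            # know the client's transmit timestamp) or a replay. Drop it.
            self.bogus += 1
            return "bogus"
        # Assumption of this model: consume the nonce on a match so the same
        # reply cannot be accepted twice.
        self.outstanding[pkt.src] = None
        if pkt.stratum == KOD_STRATUM:
            if pkt.refid == "RATE":
                self.poll_backoff[pkt.src] = True
                return "kod-rate"
            return "kod-other"
        self.clock_samples += 1
        return "time"


if __name__ == "__main__":
    # Constructed values: 192.0.2.10 is a documentation address, timestamps are ints.
    c = Client()
    c.send_request("192.0.2.10", 1000)
    print(c.receive(Packet("192.0.2.10", 0, "RATE", 0, 2000)))     # forged KoD
    print(c.receive(Packet("192.0.2.10", 0, "RATE", 1000, 2001)))  # genuine KoD
    print(c.receive(Packet("192.0.2.10", 0, "RATE", 1000, 2001)))  # replayed KoD
```

This check only helps against KoDs forged towards the client; the advisory's second attack, forging requests from the client towards its servers, is detected by the servers' own behaviour and can only be warned about.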
1174
1175* configuration directives to change "pidfile" and "driftfile" should
1176 only be allowed locally.
1177
1178 References: Sec 2902 / CVE-2015-5196
1179 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1180 and 4.3.0 up to, but not including 4.3.77
1181 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
1182 Summary: If ntpd is configured to allow for remote configuration,
1183 and if the (possibly spoofed) source IP address is allowed to
1184 send remote configuration requests, and if the attacker knows
1185 the remote configuration password, it's possible for an attacker
1186 to use the "pidfile" or "driftfile" directives to potentially
1187 overwrite other files.
1188 Mitigation:
1189 Implement BCP-38.
1190 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1191 Page or the NTP Public Services Project Download Page
1192 If you cannot upgrade, don't enable remote configuration.
1193 If you must enable remote configuration and cannot upgrade,
1194 remote configuration of NTF's ntpd requires:
1195 - an explicitly configured trustedkey, and you should also
1196 configure a controlkey.
1197 - access from a permitted IP. You choose the IPs.
1198 - authentication. Don't disable it. Practice secure key safety.
1199 Monitor your ntpd instances.
1200 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1201
1202* Slow memory leak in CRYPTO_ASSOC
1203
1204 References: Sec 2909 / CVE-2015-7701
1205 Affects: All ntp-4 releases that use autokey up to, but not
1206 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1207 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
1208 4.6 otherwise
1209 Summary: If ntpd is configured to use autokey, then an attacker can
1210 send packets to ntpd that will, after several days of ongoing
1211 attack, cause it to run out of memory.
1212 Mitigation:
1213 Don't use autokey.
1214 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1215 Page or the NTP Public Services Project Download Page
1216 Monitor your ntpd instances.
1217 Credit: This weakness was discovered by Tenable Network Security.
1218
1219* mode 7 loop counter underrun
1220
1221 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
1222 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1223 and 4.3.0 up to, but not including 4.3.77
1224 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1225 Summary: If ntpd is configured to enable mode 7 packets, and if the
1226 use of mode 7 packets is not properly protected thru the use of
1227 the available mode 7 authentication and restriction mechanisms,
1228 and if the (possibly spoofed) source IP address is allowed to
1229 send mode 7 queries, then an attacker can send a crafted packet
1230 to ntpd that will cause it to crash.
1231 Mitigation:
1232 Implement BCP-38.
1233 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1234 Page or the NTP Public Services Project Download Page.
1235 If you are unable to upgrade:
1236 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1237 If you must enable mode 7:
1238 configure the use of a requestkey to control who can issue
1239 mode 7 requests.
1240 configure restrict noquery to further limit mode 7 requests
1241 to trusted sources.
1242 Monitor your ntpd instances.
1243 Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
1244
1245* memory corruption in password store
1246
1247 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
1248 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1249 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
1250 Summary: If ntpd is configured to allow remote configuration, and if
1251 the (possibly spoofed) source IP address is allowed to send
1252 remote configuration requests, and if the attacker knows the
1253 remote configuration password or if ntpd was configured to
1254 disable authentication, then an attacker can send a set of
1255 packets to ntpd that may cause a crash or theoretically
1256 perform a code injection attack.
1257 Mitigation:
1258 Implement BCP-38.
1259 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1260 Page or the NTP Public Services Project Download Page.
1261 If you are unable to upgrade, remote configuration of NTF's
1262 ntpd requires:
1263 an explicitly configured "trusted" key. Only configure
1264 this if you need it.
1265 access from a permitted IP address. You choose the IPs.
1266 authentication. Don't disable it. Practice secure key safety.
1267 Monitor your ntpd instances.
1268 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1269
1270* Infinite loop if extended logging enabled and the logfile and
1271 keyfile are the same.
1272
1273 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
1274 Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1275 and 4.3.0 up to, but not including 4.3.77
1276 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1277 Summary: If ntpd is configured to allow remote configuration, and if
1278 the (possibly spoofed) source IP address is allowed to send
1279 remote configuration requests, and if the attacker knows the
1280 remote configuration password or if ntpd was configured to
1281 disable authentication, then an attacker can send a set of
1282 packets to ntpd that will cause it to crash and/or create a
1283 potentially huge log file. Specifically, the attacker could
1284 enable extended logging, point the key file at the log file,
1285 and cause what amounts to an infinite loop.
1286 Mitigation:
1287 Implement BCP-38.
1288 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1289 Page or the NTP Public Services Project Download Page.
1290 If you are unable to upgrade, remote configuration of NTF's ntpd
1291 requires:
1292 an explicitly configured "trusted" key. Only configure this
1293 if you need it.
1294 access from a permitted IP address. You choose the IPs.
1295 authentication. Don't disable it. Practice secure key safety.
1296 Monitor your ntpd instances.
1297 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1298
1299* Potential path traversal vulnerability in the config file saving of
1300 ntpd on VMS.
1301
1302 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
1303 Affects: All ntp-4 releases running under VMS up to, but not
1304 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1305 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
1306 Summary: If ntpd is configured to allow remote configuration, and if
1307 the (possibly spoofed) IP address is allowed to send remote
1308 configuration requests, and if the attacker knows the remote
1309 configuration password or if ntpd was configured to disable
1310 authentication, then an attacker can send a set of packets to
1311 ntpd that may cause ntpd to overwrite files.
1312 Mitigation:
1313 Implement BCP-38.
1314 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1315 Page or the NTP Public Services Project Download Page.
1316 If you are unable to upgrade, remote configuration of NTF's ntpd
1317 requires:
1318 an explicitly configured "trusted" key. Only configure
1319 this if you need it.
1320 access from permitted IP addresses. You choose the IPs.
1321 authentication. Don't disable it. Practice secure key safety.
1322 Monitor your ntpd instances.
1323 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1324
1325* ntpq atoascii() potential memory corruption
1326
1327 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
1328 Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
1329 and 4.3.0 up to, but not including 4.3.77
1330 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
1331 Summary: If an attacker can figure out the precise moment that ntpq
1332 is listening for data and the port number it is listening on or
1333 if the attacker can provide a malicious instance ntpd that
1334 victims will connect to then an attacker can send a set of
1335 crafted mode 6 response packets that, if received by ntpq,
1336 can cause ntpq to crash.
1337 Mitigation:
1338 Implement BCP-38.
1339 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1340 Page or the NTP Public Services Project Download Page.
1341 If you are unable to upgrade and you run ntpq against a server
1342 and ntpq crashes, try again using raw mode. Build or get a
1343 patched ntpq and see if that fixes the problem. Report new
1344 bugs in ntpq or abusive servers appropriately.
1345 If you use ntpq in scripts, make sure ntpq does what you expect
1346 in your scripts.
1347 Credit: This weakness was discovered by Yves Younan and
1348 Aleksandar Nikolic of Cisco Talos.
1349
1350* Invalid length data provided by a custom refclock driver could cause
1351 a buffer overflow.
1352
1353 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
1354 Affects: Potentially all ntp-4 releases running up to, but not
1355 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1356 that have custom refclocks
1357 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
1358 5.9 unusual worst case
1359 Summary: A negative value for the datalen parameter will overflow a
1360 data buffer. NTF's ntpd driver implementations always set this
1361 value to 0 and are therefore not vulnerable to this weakness.
1362 If you are running a custom refclock driver in ntpd and that
1363 driver supplies a negative value for datalen (no custom driver
1364 of even minimal competence would do this) then ntpd would
1365 overflow a data buffer. It is even hypothetically possible
1366 in this case that instead of simply crashing ntpd the attacker
1367 could effect a code injection attack.
1368 Mitigation:
1369 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1370 Page or the NTP Public Services Project Download Page.
1371 If you are unable to upgrade:
1372 If you are running custom refclock drivers, make sure
1373 the signed datalen value is either zero or positive.
1374 Monitor your ntpd instances.
1375 Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1376
1377* Password Length Memory Corruption Vulnerability
1378
1379 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
1380 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1381 4.3.0 up to, but not including 4.3.77
1382 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
1383 1.7 usual case, 6.8, worst case
1384 Summary: If ntpd is configured to allow remote configuration, and if
1385 the (possibly spoofed) source IP address is allowed to send
1386 remote configuration requests, and if the attacker knows the
1387 remote configuration password or if ntpd was (foolishly)
1388 configured to disable authentication, then an attacker can
1389 send a set of packets to ntpd that may cause it to crash,
1390 with the hypothetical possibility of a small code injection.
1391 Mitigation:
1392 Implement BCP-38.
1393 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1394 Page or the NTP Public Services Project Download Page.
1395 If you are unable to upgrade, remote configuration of NTF's
1396 ntpd requires:
1397 an explicitly configured "trusted" key. Only configure
1398 this if you need it.
1399 access from a permitted IP address. You choose the IPs.
1400 authentication. Don't disable it. Practice secure key safety.
1401 Monitor your ntpd instances.
1402 Credit: This weakness was discovered by Yves Younan and
1403 Aleksandar Nikolic of Cisco Talos.
1404
1405* decodenetnum() will ASSERT botch instead of returning FAIL on some
1406 bogus values.
1407
1408 References: Sec 2922 / CVE-2015-7855
1409 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1410 4.3.0 up to, but not including 4.3.77
1411 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1412 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
1413 an unusually long data value where a network address is expected,
1414 the decodenetnum() function will abort with an assertion failure
1415 instead of simply returning a failure condition.
1416 Mitigation:
1417 Implement BCP-38.
1418 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1419 Page or the NTP Public Services Project Download Page.
1420 If you are unable to upgrade:
1421 mode 7 is disabled by default. Don't enable it.
1422 Use restrict noquery to limit who can send mode 6
1423 and mode 7 requests.
1424 Configure and use the controlkey and requestkey
1425 authentication directives to limit who can
1426 send mode 6 and mode 7 requests.
1427 Monitor your ntpd instances.
1428 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
1429
1430* NAK to the Future: Symmetric association authentication bypass via
1431 crypto-NAK.
1432
1433 References: Sec 2941 / CVE-2015-7871
1434 Affects: All ntp-4 releases between 4.2.5p186 up to but not including
1435 4.2.8p4, and 4.3.0 up to but not including 4.3.77
1436 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
1437 Summary: Crypto-NAK packets can be used to cause ntpd to accept time
1438 from unauthenticated ephemeral symmetric peers by bypassing the
1439 authentication required to mobilize peer associations. This
1440 vulnerability appears to have been introduced in ntp-4.2.5p186
1441 when the code handling mobilization of new passive symmetric
1442 associations (lines 1103-1165) was refactored.
1443 Mitigation:
1444 Implement BCP-38.
1445 Upgrade to 4.2.8p4, or later, from the NTP Project Download
1446 Page or the NTP Public Services Project Download Page.
1447 If you are unable to upgrade:
1448 Apply the patch to the bottom of the "authentic" check
1449 block around line 1136 of ntp_proto.c.
1450 Monitor your ntpd instances.
1451 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1452
1453Backward-Incompatible changes:
1454* [Bug 2817] Default on Linux is now "rlimit memlock -1".
1455 While the general default of 32M is still the case, under Linux
1456 the default value has been changed to -1 (do not lock ntpd into
1457 memory). A value of 0 means "lock ntpd into memory with whatever
1458 memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
1459 value in it, that value will continue to be used.
1460
1461* [Bug 2886] Misspelling: "outlyer" should be "outlier".
1462 If you've written a script that looks for this case in, say, the
1463 output of ntpq, you probably want to change your regex matches
1464 from 'outlyer' to 'outl[iy]er'.
1465
1466New features in this release:
1467* 'rlimit memlock' now has finer-grained control. A value of -1 means
1468 "don't lock ntpd into memory". This is the default for Linux boxes.
1469 A value of 0 means "lock ntpd into memory" with no limits. Otherwise
1470 the value is the number of megabytes of memory to lock. The default
1471 is 32 megabytes.
1472
1473* The old Google Test framework has been replaced with a new framework,
1474 based on http://www.throwtheswitch.org/unity/ .
1475
1476Bug Fixes and Improvements:
1477* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
1478 privileges and limiting resources in NTPD removes the need to link
1479 forcefully against 'libgcc_s' which does not always work. J.Perlinger
1480* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
1481* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
1482* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
1483* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
1484* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
1485* [Bug 2849] Systems with more than one default route may never
1486 synchronize. Brian Utterback. Note that this patch might need to
1487 be reverted once Bug 2043 has been fixed.
1488* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
1489* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
1490* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
1491* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
1492* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
1493* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
1494 be configured for the distribution targets. Harlan Stenn.
1495* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
1496* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
1497* [Bug 2888] streamline calendar functions. perlinger@ntp.org
1498* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
1499* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
1500* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
1501* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
1502* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
1503* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
1504* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
1505* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
1506* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
1507* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
1508* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
1509* sntp/tests/ function parameter list cleanup. Damir Tomić.
1510* tests/libntp/ function parameter list cleanup. Damir Tomić.
1511* tests/ntpd/ function parameter list cleanup. Damir Tomić.
1512* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
1513* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
1514* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
1515* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
1516* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1517 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
1518 formatting; first declaration, then code (C90); deleted unnecessary comments;
1519 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
1520* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
1521 fix formatting, cleanup. Tomasz Flendrich
1522* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
1523 Tomasz Flendrich
1524* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
1525 fix formatting. Tomasz Flendrich
1526* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
1527* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
1528* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
1529 Tomasz Flendrich
1530* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
1531* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
1532* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
1533* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
1534* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
1535* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
1536* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
1537 fixed formatting. Tomasz Flendrich
1538* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
1539 removed unnecessary comments, cleanup. Tomasz Flendrich
1540* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
1541 comments, cleanup. Tomasz Flendrich
1542* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
1543 Tomasz Flendrich
1544* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
1545* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
1546* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
1547 Tomasz Flendrich
1548* sntp/tests/kodDatabase.c added consts, deleted empty function,
1549 fixed formatting. Tomasz Flendrich
1550* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
1551* sntp/tests/packetHandling.c is now using proper Unity's assertions,
1552 fixed formatting, deleted unused variable. Tomasz Flendrich
1553* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
1554 Tomasz Flendrich
1555* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
1556 fixed formatting. Tomasz Flendrich
1557* sntp/tests/utilities.c is now using proper Unity's assertions, changed
1558 the order of includes, fixed formatting, removed unnecessary comments.
1559 Tomasz Flendrich
1560* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
1561* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
1562 made one function do its job, deleted unnecessary prints, fixed formatting.
1563 Tomasz Flendrich
1564* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
1565* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
1566* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
1567* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
1568* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
1569* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
1570* Don't build sntp/libevent/sample/. Harlan Stenn.
1571* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
1572* br-flock: --enable-local-libevent. Harlan Stenn.
1573* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
1574* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
1575* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
1576* Code cleanup. Harlan Stenn.
1577* libntp/icom.c: Typo fix. Harlan Stenn.
1578* util/ntptime.c: initialization nit. Harlan Stenn.
1579* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
1580* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
1581* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
1582 Tomasz Flendrich
1583* Changed progname to be const in many files - now it's consistent. Tomasz
1584 Flendrich
1585* Typo fix for GCC warning suppression. Harlan Stenn.
1586* Added tests/ntpd/ntp_scanner.c test. Damir Tomi��.
1587* Added declarations to all Unity tests, and did minor fixes to them.
1588 Reduced the number of warnings by half. Damir Tomi��.
1589* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
1590 with the latest Unity updates from Mark. Damir Tomi��.
1591* Retire google test - phase I. Harlan Stenn.
1592* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
1593* Update the NEWS file. Harlan Stenn.
1594* Autoconf cleanup. Harlan Stenn.
1595* Unit test dist cleanup. Harlan Stenn.
1596* Cleanup various test Makefile.am files. Harlan Stenn.
1597* Pthread autoconf macro cleanup. Harlan Stenn.
1598* Fix progname definition in unity runner scripts. Harlan Stenn.
1599* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
1600* Update the patch for bug 2817. Harlan Stenn.
1601* More updates for bug 2817. Harlan Stenn.
1602* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
1603* gcc on older HPUX may need +allowdups. Harlan Stenn.
1604* Adding missing MCAST protection. Harlan Stenn.
1605* Disable certain test programs on certain platforms. Harlan Stenn.
1606* Implement --enable-problem-tests (on by default). Harlan Stenn.
1607* build system tweaks. Harlan Stenn.
1608
1609---
1610NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
1611
1612Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.
1613
1614Severity: MEDIUM
1615
1616Security Fix:
1617
1618* [Sec 2853] Crafted remote config packet can crash some versions of
1619 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
1620
1621Under specific circumstances an attacker can send a crafted packet to
1622cause a vulnerable ntpd instance to crash. This requires each of the
1623following to be true:
1624
16251) ntpd set up to allow remote configuration (not allowed by default), and
16262) knowledge of the configuration password, and
16273) access to a computer entrusted to perform remote configuration.
1628
1629This vulnerability is considered low-risk.
1630
1631New features in this release:
1632
1633Optional (disabled by default) support to have ntpd provide smeared
1634leap second time. A specially built and configured ntpd will only
1635offer smeared time in response to client packets. These response
1636packets will also contain a "refid" of 254.a.b.c, where the 24 bits
1637of a, b, and c encode the amount of smear in a 2:22 integer:fraction
1638format. See README.leapsmear and http://bugs.ntp.org/2855 for more
1639information.
1640
1641 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
1642 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
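
The 254.a.b.c refid format described above is what lets a monitoring tool tell that a server is handing out smeared time. The following is an added example written for this note, not code from the NTP distribution (ntpd's own implementation lives in refidsmear.c, which is not shown here): it packs a smear in seconds into the 24-bit 2:22 field and unpacks it again. Reading the two integer bits as a two's-complement value is an assumption of this example; the NEWS text only states the 2:22 layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Leap-smear REFID handling, written as an added example for this NEWS
 * entry (not NTP project code).  A smearing server answers clients with a
 * refid of 254.a.b.c, where the 24 bits of a.b.c carry the smear amount in
 * a 2:22 integer:fraction fixed-point format.  Treating the 2 integer bits
 * as two's complement (range -2 s .. +2 s) is this example's assumption.
 */

#define SMEAR_PREFIX    254u
#define SMEAR_FRAC_BITS 22
#define SMEAR_ONE       (1u << SMEAR_FRAC_BITS)   /* 1.0 s in 2:22 fixed point */

/* Returns 1 and stores the smear in seconds if refid is a 254.a.b.c smear
 * refid; returns 0 and leaves *smear untouched otherwise. */
int decode_smear_refid(uint32_t refid, double *smear)
{
    if ((refid >> 24) != SMEAR_PREFIX)
        return 0;

    uint32_t raw = refid & 0x00FFFFFFu;    /* the 24 bits a.b.c */
    int32_t fixed = (int32_t)raw;
    if (raw & 0x00800000u)                  /* top bit of the 2-bit integer part */
        fixed -= 0x01000000;                /* sign-extend from 24 bits */

    *smear = (double)fixed / (double)SMEAR_ONE;
    return 1;
}

/* Inverse: pack a smear in seconds into a 254.a.b.c refid (host byte order). */
uint32_t encode_smear_refid(double smear)
{
    double scaled = smear * (double)SMEAR_ONE;
    int32_t fixed = (int32_t)(scaled + (scaled >= 0 ? 0.5 : -0.5)); /* round to nearest */
    return (SMEAR_PREFIX << 24) | ((uint32_t)fixed & 0x00FFFFFFu);
}

/* Render a refid as the dotted quad ntpq would show. */
void refid_to_dotted(uint32_t refid, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u",
             (unsigned)(refid >> 24), (unsigned)((refid >> 16) & 0xFF),
             (unsigned)((refid >> 8) & 0xFF), (unsigned)(refid & 0xFF));
}

int main(void)
{
    /* Constructed sample refids: one smear refid, one ordinary "GPS" refid. */
    uint32_t samples[] = { encode_smear_refid(-0.25), 0x47505300u };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char dotted[16];
        double smear;
        refid_to_dotted(samples[i], dotted, sizeof dotted);
        if (decode_smear_refid(samples[i], &smear))
            printf("%-16s smear %+.6f s\n", dotted, smear);
        else
            printf("%-16s not a leap-smear refid\n", dotted);
    }
    return 0;
}
```

Because only a deliberately built and configured ntpd emits these refids, seeing 254.x.y.z from a server you did not set up that way is itself a finding worth following up, in line with the warning above about not offering smeared time publicly.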

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building the 32-bit loopback ppsapi needs a def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomić, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
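
The Sec 2779 summary boils down to one missing condition: "the MAC verifies" was checked, "a MAC is present" was not. The following added example, written for this note and not taken from ntpd's authentication code, puts the described pre-fix acceptance logic beside the corrected one over a 48-byte NTP header with an optional key id plus digest appended. The keyed digest `toy_digest` is a constructed placeholder standing in for the real MD5/SHA1 MAC and has no security value; `struct symkey`, `LEN_PKT_NOMAC` and `DIGEST_LEN` are names chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example for Sec 2779: "the MAC is valid" versus "a MAC is present
 * and valid".  Illustrative code written for this note, not ntpd's own
 * authentication code.  toy_digest() is a constructed stand-in for the real
 * MD5/SHA1 MAC; the point is the presence check, not the digest.
 */

#define LEN_PKT_NOMAC 48            /* NTP header: 12 words, no MAC */
#define KEYID_LEN     4             /* key identifier that precedes the digest */
#define DIGEST_LEN    16            /* digest length used by the constructed MAC */
#define LEN_PKT_MAC   (LEN_PKT_NOMAC + KEYID_LEN + DIGEST_LEN)

struct symkey {                     /* symmetric key configured for an association */
    const uint8_t *secret;
    size_t len;
};

/* Constructed placeholder keyed digest over msg (NOT cryptographic). */
static void toy_digest(const struct symkey *key, const uint8_t *msg, size_t msglen,
                       uint8_t out[DIGEST_LEN])
{
    memset(out, 0x5A, DIGEST_LEN);
    for (size_t i = 0; i < key->len; i++)
        out[i % DIGEST_LEN] ^= key->secret[i];
    for (size_t i = 0; i < msglen; i++)
        out[(i * 7) % DIGEST_LEN] = (uint8_t)(out[(i * 7) % DIGEST_LEN] * 31u + msg[i]);
}

/* Constant-time compare: a verifier should not leak how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* 1 only when a complete MAC follows the header and it matches. */
static int mac_valid(const struct symkey *key, const uint8_t *pkt, size_t len)
{
    uint8_t expect[DIGEST_LEN];
    if (len != LEN_PKT_MAC)
        return 0;
    toy_digest(key, pkt, LEN_PKT_NOMAC, expect);
    return ct_equal(expect, pkt + LEN_PKT_NOMAC + KEYID_LEN, DIGEST_LEN);
}

/* Behaviour the advisory describes for releases before 4.2.8p2: a MAC is
 * checked when present, but a packet carrying no MAC at all passes. */
int accept_before_fix(const struct symkey *key, const uint8_t *pkt, size_t len)
{
    if (key == NULL)
        return 1;                   /* unauthenticated association */
    if (len <= LEN_PKT_NOMAC)
        return 1;                   /* the bug: "no MAC" treated as "MAC ok" */
    return mac_valid(key, pkt, len);
}

/* Corrected logic: with a key configured, a MAC is mandatory, not optional. */
int accept_after_fix(const struct symkey *key, const uint8_t *pkt, size_t len)
{
    if (key == NULL)
        return 1;                   /* unauthenticated association */
    if (len <= LEN_PKT_NOMAC)
        return 0;                   /* key configured but no MAC present: reject */
    return mac_valid(key, pkt, len);
}

/* Build a constructed sample packet: zeroed header (LI=0, VN=4, mode=3),
 * the given key id and a matching MAC.  Returns the total length. */
size_t build_authenticated_packet(const struct symkey *key, uint32_t keyid,
                                  uint8_t out[LEN_PKT_MAC])
{
    memset(out, 0, LEN_PKT_MAC);
    out[0] = 0x23;
    out[LEN_PKT_NOMAC + 0] = (uint8_t)(keyid >> 24);
    out[LEN_PKT_NOMAC + 1] = (uint8_t)(keyid >> 16);
    out[LEN_PKT_NOMAC + 2] = (uint8_t)(keyid >> 8);
    out[LEN_PKT_NOMAC + 3] = (uint8_t)keyid;
    toy_digest(key, out, LEN_PKT_NOMAC, out + LEN_PKT_NOMAC + KEYID_LEN);
    return LEN_PKT_MAC;
}

int main(void)
{
    const uint8_t secret[] = "constructed-key";      /* constructed sample key */
    struct symkey key = { secret, sizeof secret - 1 };
    uint8_t pkt[LEN_PKT_MAC];
    size_t n = build_authenticated_packet(&key, 1, pkt);

    printf("full MAC       before fix=%d  after fix=%d\n",
           accept_before_fix(&key, pkt, n), accept_after_fix(&key, pkt, n));
    printf("no MAC at all  before fix=%d  after fix=%d\n",
           accept_before_fix(&key, pkt, LEN_PKT_NOMAC),
           accept_after_fix(&key, pkt, LEN_PKT_NOMAC));
    return 0;
}
```

The second printed line is the vulnerability: a bare 48-byte reply with the right origin timestamp is accepted by the old logic without the sender ever touching the key, which is why the advisory's mitigation pairs the upgrade with having enough independent time sources to outvote a single falsified one.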

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

 wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1-based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

 restrict default ... noquery

in the ntp.conf file. With the exception of:

 receive(): missing return on error
 References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
    - Upgrade to 4.2.7p11 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
    - Upgrade to 4.2.7p230 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later, or
    - Disable Autokey Authentication by removing, or commenting out,
      all configuration directives beginning with the crypto keyword
      in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later,
    - Remove or comment out all configuration directives
      beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.
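
The era rule above is easy to state and easy to get wrong, so here is an added example that works it through; it is written for this note and is not ntpd's calendar code. An NTP timestamp carries only 32 bits of seconds since 1900, so the receiver must pick which 2^32-second era a value belongs to. `resolve_era` picks the unique full time congruent to the wire value that lies in a window starting `lookback_years` before a pivot; the two wrappers express the build-time rule described above (look back 10 years) and the older midpoint rule (look back half the range). The build timestamp in `main()` and the 365.25-day year are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example for the "Internal NTP Era counters" note; not ntpd code.
 * The wire format carries 32 bits of seconds since 1 Jan 1900, which wrap
 * every 2^32 s (about 136 years).  A pivot decides which wrap a value
 * belongs to: the note says ntpd now pivots on a build-time stamp and
 * accepts 10 years before it to 126 years after it.
 */

#define SECS_PER_YEAR  31557600ull   /* 365.25 days; constructed approximation */
#define LOOKBACK_YEARS 10u           /* the build-time rule from the note */
#define MIDPOINT_YEARS 68u           /* the older "midpoint" rule: half of 136 */

/*
 * Resolve a 32-bit NTP seconds value to full 64-bit seconds since 1900:
 * the unique time congruent to ntp_sec (mod 2^32) that lies in
 * [pivot - lookback_years, pivot - lookback_years + 2^32).
 */
uint64_t resolve_era(uint32_t ntp_sec, uint64_t pivot_full, unsigned lookback_years)
{
    uint64_t lower = pivot_full - (uint64_t)lookback_years * SECS_PER_YEAR;
    uint32_t offset = ntp_sec - (uint32_t)lower;   /* wraps mod 2^32 on purpose */
    return lower + offset;
}

/* Era number of a full timestamp: 0 for 1900..2036, 1 for 2036..2172, ... */
uint32_t era_of(uint64_t full)
{
    return (uint32_t)(full >> 32);
}

/* Current rule: pivot on the compiled-in build time, look back 10 years. */
uint64_t resolve_buildtime(uint32_t ntp_sec, uint64_t build_full)
{
    return resolve_era(ntp_sec, build_full, LOOKBACK_YEARS);
}

/* Older rule the note contrasts with: window centred on the pivot. */
uint64_t resolve_midpoint(uint32_t ntp_sec, uint64_t pivot_full)
{
    return resolve_era(ntp_sec, pivot_full, MIDPOINT_YEARS);
}

/* Rough calendar year of a full timestamp, for display only. */
unsigned approx_year(uint64_t full)
{
    return 1900u + (unsigned)(full / SECS_PER_YEAR);
}

int main(void)
{
    const uint64_t build = 115ull * SECS_PER_YEAR;         /* constructed: a build in ~2015 */
    const uint64_t probes[] = {
        build - 5 * SECS_PER_YEAR,     /* 5 years back: inside both windows */
        build + 25 * SECS_PER_YEAR,    /* past the 2036 rollover: era 1 */
        build + 75 * SECS_PER_YEAR,    /* far future: only the build-time rule gets it right */
    };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t wire = (uint32_t)probes[i];               /* what the packet carries */
        uint64_t a = resolve_buildtime(wire, build);
        uint64_t b = resolve_midpoint(wire, build);
        printf("wire %10u -> build-time rule %u (era %u), midpoint rule %u (era %u)\n",
               (unsigned)wire, approx_year(a), era_of(a), approx_year(b), era_of(b));
    }
    return 0;
}
```

The third probe shows the trade-off the note describes: a timestamp 75 years after the build is decoded correctly by the build-time rule, while the midpoint rule, which only looks 68 years ahead, lands it one era too early. The price is that anything more than 10 years before the build time is pushed forward a full era instead.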
2132
2133* ntpdc responses disabled by default
2134
2135Dave Hart writes:
2136
2137For a long time, ntpq and its mostly text-based mode 6 (control)
2138protocol have been preferred over ntpdc and its mode 7 (private
2139request) protocol for runtime queries and configuration. There has
2140been a goal of deprecating ntpdc, previously held back by numerous
2141capabilities exposed by ntpdc with no ntpq equivalent. I have been
2142adding commands to ntpq to cover these cases, and I believe I've
2143covered them all, though I've not compared command-by-command
2144recently.
2145
2146As I've said previously, the binary mode 7 protocol involves a lot of
2147hand-rolled structure layout and byte-swapping code in both ntpd and
2148ntpdc which is hard to get right. As ntpd grows and changes, the
2149changes are difficult to expose via ntpdc while maintaining forward
2150and backward compatibility between ntpdc and ntpd. In contrast,
2151ntpq's text-based, label=value approach involves more code reuse and
2152allows compatible changes without extra work in most cases.
2153
2154Mode 7 has always been defined as vendor/implementation-specific while
2155mode 6 is described in RFC 1305 and intended to be open to interoperate
2156with other implementations. There is an early draft of an updated
2157mode 6 description that likely will join the other NTPv4 RFCs
2158eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
2159
2160For these reasons, ntpd 4.2.7p230 by default disables processing of
2161ntpdc queries, reducing ntpd's attack surface and functionally
2162deprecating ntpdc. If you are in the habit of using ntpdc for certain
2163operations, please try the ntpq equivalent. If there's no equivalent,
2164please open a bug report at http://bugs.ntp.org./
2165
2166In addition to the above, over 1100 issues have been resolved between
2167the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
2168lists these.
2169
2170---
2171NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
2172
2173Focus: Bug fixes
2174
2175Severity: Medium
2176
2177This is a recommended upgrade.
2178
2179This release updates sys_rootdisp and sys_jitter calculations to match the
2180RFC specification, fixes a potential IPv6 address matching error for the
2181"nic" and "interface" configuration directives, suppresses the creation of
2182extraneous ephemeral associations for certain broadcastclient and
2183multicastclient configurations, cleans up some ntpq display issues, and
2184includes improvements to orphan mode, minor bugs fixes and code clean-ups.
2185
2186New features / changes in this release:
2187
2188ntpd
2189
2190 * Updated "nic" and "interface" IPv6 address handling to prevent
2191 mismatches with localhost [::1] and wildcard [::] which resulted from
2192 using the address/prefix format (e.g. fe80::/64)
2193 * Fix orphan mode stratum incorrectly counting to infinity
2194 * Orphan parent selection metric updated to includes missing ntohl()
2195 * Non-printable stratum 16 refid no longer sent to ntp
2196 * Duplicate ephemeral associations suppressed for broadcastclient and
2197 multicastclient without broadcastdelay
2198 * Exclude undetermined sys_refid from use in loopback TEST12
2199 * Exclude MODE_SERVER responses from KoD rate limiting
2200 * Include root delay in clock_update() sys_rootdisp calculations
2201 * get_systime() updated to exclude sys_residual offset (which only
2202 affected bits "below" sys_tick, the precision threshold)
2203 * sys.peer jitter weighting corrected in sys_jitter calculation
2204
2205ntpq
2206
2207 * -n option extended to include the billboard "server" column
2208 * IPv6 addresses in the local column truncated to prevent overruns
2209
---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.
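
  An added detection example, not part of this NEWS file or of ntpd's code: it classifies captured packets as mode 7 requests or error responses and flags the error-response ping-pong between two hosts (or a host answering itself) described above. It assumes the mode 7 header layout from ntpd's ntp_request.h (byte 0 = R|M|VN|Mode, high nibble of byte 4 = error code); the packets and 192.0.2.x addresses are constructed samples.

```python
from collections import Counter

MODE_PRIVATE = 7  # NTP mode 7 (MODE_PRIVATE), used by ntpdc; ntpq uses mode 6


def parse_mode7(pkt: bytes):
    """Return (is_response, err_code) for a mode 7 packet, else None.

    Header layout as in ntpd's ntp_request.h (struct req_pkt): byte 0 is
    R|M|VN(3)|Mode(3); the high nibble of byte 4 is the error code, which
    is non-zero only in an error response."""
    if len(pkt) < 8 or (pkt[0] & 0x07) != MODE_PRIVATE:
        return None
    is_response = bool(pkt[0] & 0x80)  # R bit: 1 = response, 0 = request
    return is_response, pkt[4] >> 4


def flag_error_loops(packets, threshold=3):
    """packets: iterable of (src, dst, raw). Count mode 7 error responses
    per (src, dst) and return pairs at or above threshold. Two ntpd hosts
    answering each other's error responses appear as both directions of a
    pair; a host answering itself appears with src == dst."""
    counts = Counter()
    for src, dst, raw in packets:
        parsed = parse_mode7(raw)
        if parsed is not None and parsed[0] and parsed[1] != 0:
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def mode7_error_response(err=1):
    """Constructed sample: R=1, VN=2, mode=7 (0x97); error code in byte 4."""
    return bytes([0x97, 0x00, 0x03, 0x00, err << 4, 0x00, 0x00, 0x00])


# Constructed samples: a mode 7 request (R=0) and an ordinary NTPv4 client packet.
MODE7_REQUEST = bytes([0x17, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00])
MODE3_CLIENT = bytes([0x23]) + bytes(47)


def sample_traffic():
    """Constructed capture: 192.0.2.10 and 192.0.2.20 exchange error
    responses three times each; 192.0.2.30 sends one request and one client packet."""
    a, b, c = "192.0.2.10", "192.0.2.20", "192.0.2.30"
    flows = [(a, b, mode7_error_response()), (b, a, mode7_error_response())] * 3
    flows += [(c, a, MODE7_REQUEST), (c, a, MODE3_CLIENT)]
    return flows


if __name__ == "__main__":
    print(flag_error_loops(sample_traffic()))
```

  Ordinary time packets (modes 1 through 5) and plain mode 7 requests are ignored; only error responses count, so a single legitimate ntpdc error does not reach the threshold.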

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.

---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.
2567Focus: enhancements and bug fixes.