NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
    allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including, ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including, ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including, ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3082 / CVE-2016-7434 / VU#633847
  Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including, ntp-4.3.94.
  CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    If ntpd is configured to allow mrulist query requests from a
    server that sends a crafted malicious packet, ntpd will crash
    on receipt of that crafted malicious mrulist query packet.
  Mitigation:
    Only allow mrulist query packets from trusted hosts.
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Magnus Stubman.

* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including, ntp-4.3.94.
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use the interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check source address in
    received packets (e.g. rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with spoofed source address which will cause ntpd to select wrong
    interface for the source and prevent it from sending new requests
    until the list of interfaces is refreshed, which happens on
    routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are going to configure your OS to disable source address
    checks, also configure your firewall configuration to control
    what interfaces can receive packets from what networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including, ntp-4.3.94.
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources. An
    attacker who knows the sources (e.g., from an IPv4 refid in
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including, ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
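The "Affects:" ranges above are easiest to apply fleet-wide as a version check. The following is an added Python example, not code from the NTP project: it parses the version token from an `ntpd --version` style banner (the sample banner is constructed) and reports which CVEs from this announcement cover it. It assumes NTP's ordering rule that a bare release (4.2.8) sorts before its patch releases (4.2.8p1 ...), and that the 4.3.x development series carries no p-suffix.

```python
import re

# Affected ranges, [low, high) in NTP version order, copied from the
# "Affects:" lines of the 4.2.8p9 announcement. CVE-2016-9312 (Windows
# only) is omitted because the announcement gives no lower bound for it;
# for CVE-2016-9311/9310 the announcement also says "possibly earlier".
AFFECTED = {
    "CVE-2016-9311": [("4.0.90", "4.2.8p9"), ("4.3.0", "4.3.94")],
    "CVE-2016-9310": [("4.0.90", "4.2.8p9"), ("4.3.0", "4.3.94")],
    "CVE-2016-7427": [("4.2.8p6", "4.2.8p9"), ("4.3.90", "4.3.94")],
    "CVE-2016-7428": [("4.2.8p6", "4.2.8p9"), ("4.3.90", "4.3.94")],
    "CVE-2016-7431": [("4.2.8p8", "4.2.8p9"), ("4.3.93", "4.3.94")],
    "CVE-2016-7434": [("4.2.7p22", "4.2.8p9"), ("4.3.0", "4.3.94")],
    "CVE-2016-7429": [("4.2.7p385", "4.2.8p9"), ("4.3.0", "4.3.94")],
    "CVE-2016-7426": [("4.2.5p203", "4.2.8p9"), ("4.3.0", "4.3.94")],
    "CVE-2016-7433": [("4.2.7p385", "4.2.8p9"), ("4.3.0", "4.3.94")],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_version(text):
    """Map '4.2.8p8' (or a banner such as 'ntpd 4.2.8p8@1.3265-o ...')
    to a comparable tuple; a release without a pN suffix is patch 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no NTP version found in %r" % text)
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))

def affected_cves(version_text):
    """Return the sorted CVE ids from this release whose affected
    range contains the given ntpd version."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        for low, high in ranges:
            if parse_version(low) <= v < parse_version(high):
                hits.append(cve)
                break
    return sorted(hits)

if __name__ == "__main__":
    # Constructed banner in the shape printed by `ntpd --version`.
    print(affected_cves("ntpd 4.2.8p8@1.3265-o Tue Jun  7 04:37:00 UTC 2016 (1)"))
```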
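Several of the mitigations above are configuration checks rather than code changes: "restrict default noquery ...", trap service left off unless needed, broadcast mode only on trusted networks, and not rate-limiting your own sources with "restrict default limited". The following is an added Python example, not part of NTP, that audits an ntp.conf for exactly those points; the two sample configurations and the finding codes are constructed for this example.

```python
# Constructed sample configurations (not from the announcement).
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default limited kod nomodify   # mode 6 queries still answered
trap 192.0.2.10                          # trap service explicitly enabled
"""
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 nomodify notrap   # one trusted monitor may send mode 6
"""

def directives(conf_text):
    """Yield (keyword, args) for each non-comment line of an ntp.conf."""
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]

def audit_ntp_conf(conf_text):
    """Return the set of finding codes for the exposures named in 4.2.8p9."""
    findings = set()
    default_flags = []   # flag sets of every 'restrict [-4|-6] default' line
    for kw, args in directives(conf_text):
        if kw == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]
            if args and args[0] == "default":
                default_flags.append(set(args[1:]))
        elif kw == "trap":
            findings.add("trap-enabled")         # precondition for CVE-2016-9311
        elif kw in ("broadcastclient", "multicastclient"):
            findings.add("broadcast-client")     # CVE-2016-7427/7428 exposure
    if not default_flags:
        findings.add("no-default-restrict")      # mode 6 and mrulist open to all
    for flags in default_flags:
        if not flags & {"noquery", "ignore"}:
            findings.add("default-allows-query")  # CVE-2016-9310/7434 mitigation missing
        if "limited" in flags:
            findings.add("default-limited")      # CVE-2016-7426 misconfiguration
    return findings

if __name__ == "__main__":
    print("weak:", sorted(audit_ntp_conf(WEAK_CONF)))
    print("hardened:", sorted(audit_ntp_conf(HARDENED_CONF)))
```

A per-host "restrict <addr>" line without noquery, as for 192.0.2.10 above, is how the announcement's "only allow mode 6 queries from trusted networks and hosts" is expressed alongside the default deny.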