---
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
    allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3082 / CVE-2016-7434 / VU#633847
  Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    If ntpd is configured to allow mrulist query requests from a
    server that sends a crafted malicious packet, ntpd will crash
    on receipt of that crafted malicious mrulist query packet.
  Mitigation:
    Only allow mrulist query packets from trusted hosts.
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Magnus Stubman.

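The trap, mode 6 and mrulist entries above all come down to the same monitoring question: which hosts are sending NTP control-mode (mode 6) requests to your servers? The following added example (not code from the NTP project) decodes the NTP header byte and the mode 6 opcode byte of captured packets and reports SETTRAP, UNSETTRAP and READ_MRU requests arriving from outside a trusted range. The opcode numbers are taken from ntpd's ntp_control.h and the addresses and packets are constructed samples.

```python
import ipaddress

# Mode 6 opcodes from ntpd's ntp_control.h (assumed, not quoted from the NEWS text).
OPCODE_NAMES = {6: "SETTRAP", 10: "READ_MRU", 31: "UNSETTRAP"}
# Constructed trusted monitoring range (RFC 5737 documentation addresses).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_header(pkt):
    """Decode byte 0 (LI|VN|Mode); for mode 6 also the R/E/M/opcode byte."""
    if not pkt:
        raise ValueError("empty packet")
    first = pkt[0]
    info = {"li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7}
    if info["mode"] == 6:
        if len(pkt) < 12:  # the mode 6 control header is 12 bytes
            raise ValueError("truncated mode 6 header")
        info["response"] = bool(pkt[1] & 0x80)  # R bit set: reply, not request
        info["opcode"] = pkt[1] & 0x1F
    return info

def flag_untrusted_control(src, pkt, trusted=TRUSTED_NETS):
    """Return a finding for a mode 6 request from outside the trusted networks."""
    hdr = parse_header(pkt)
    if hdr["mode"] != 6 or hdr["response"]:
        return None
    if any(ipaddress.ip_address(src) in net for net in trusted):
        return None
    name = OPCODE_NAMES.get(hdr["opcode"], "opcode %d" % hdr["opcode"])
    return "mode 6 %s request from untrusted host %s" % (name, src)

def audit(samples):
    """Run the check over (source address, packet bytes) pairs."""
    findings = []
    for src, pkt in samples:
        f = flag_untrusted_control(src, pkt)
        if f is not None:
            findings.append(f)
    return findings

# Constructed samples: a normal client poll (mode 3), a SETTRAP from a trusted
# host, an UNSETTRAP and a READ_MRU from an untrusted host, and a mode 6 reply.
SAMPLES = [
    ("198.51.100.7", b"\x23" + bytes(47)),
    ("192.0.2.10", b"\x26\x06" + bytes(10)),
    ("198.51.100.7", b"\x26\x1f" + bytes(10)),
    ("198.51.100.7", b"\x26\x0a" + bytes(10)),
    ("198.51.100.7", b"\x26\x86" + bytes(10)),
]
```

Running audit(SAMPLES) yields two findings, the UNSETTRAP and READ_MRU requests from 198.51.100.7; a host that should never see such requests at all is exactly the case "restrict default noquery" is meant to enforce.
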
* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use the interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check the source address
    of received packets (e.g. rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with a spoofed source address which will cause ntpd to select the
    wrong interface for the source and prevent it from sending new
    requests until the list of interfaces is refreshed, which happens
    on routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are going to configure your OS to disable source address
    checks, also configure your firewall to control what interfaces
    can receive packets from what networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources. An
    attacker who knows the sources (e.g., from an IPv4 refid in a
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with a spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

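Two of the mitigations in this release are ntp.conf settings: "restrict default noquery ..." (the mode 6 trap entry, CVE-2016-9310) and not applying "restrict default limited" to everything on a version before 4.2.8p9 (CVE-2016-7426). The added example below, which is not part of the NEWS file or the NTP distribution, lints the "restrict default" lines of a configuration against those two points; the two ntp.conf fragments are constructed samples, one weak and one hardened.

```python
import re

# Constructed ntp.conf fragments (not from the NEWS file). The weak one has the
# two settings the 4.2.8p9 entries for CVE-2016-9310 and CVE-2016-7426 warn about:
# no "noquery" on the default restriction, and "limited" applied to everything.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default limited kod nomodify notrap
restrict 127.0.0.1
server 192.0.2.1 iburst
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# trusted monitoring hosts keep mode 6 read access
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
server 192.0.2.1 iburst
"""

RESTRICT_DEFAULT = re.compile(r"restrict\s+(?:-[46]\s+)?default\b(.*)")

def restrict_default_flags(conf):
    """Flags on each 'restrict default' (or -4/-6 default) line, comments stripped."""
    flag_lists = []
    for line in conf.splitlines():
        m = RESTRICT_DEFAULT.match(line.split("#", 1)[0].strip())
        if m:
            flag_lists.append(m.group(1).split())
    return flag_lists

def lint_restrict(conf, fixed_version):
    """Findings that follow the NEWS mitigations; fixed_version is True for >= 4.2.8p9."""
    findings = []
    flag_lists = restrict_default_flags(conf)
    if not flag_lists:
        findings.append("no 'restrict default' line: mode 6 queries are answered for anyone")
    for flags in flag_lists:
        if "noquery" not in flags:
            findings.append("'restrict default' without noquery: trap and mrulist "
                            "control queries are reachable from untrusted hosts")
        if "limited" in flags and not fixed_version:
            findings.append("'restrict default limited' before 4.2.8p9 also rate-limits "
                            "replies from configured sources (CVE-2016-7426)")
    return findings
```
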
* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities: