1-- 2NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27) 3 4NOTE: this NEWS file will be undergoing more revisions. 5 6Focus: Security, Bug fixes, enhancements. 7 8Severity: MEDIUM 9 10This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity 11vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and 12provides 65 other non-security fixes and improvements: 13 14* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved 15 association (LOW/MED) 16 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 17 References: Sec 3454 / CVE-2018-7185 / VU#961909 18 Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11. 19 CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between 20 2.9 and 6.8. 21 CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could 22 score between 2.6 and 3.1 23 Summary: 24 The NTP Protocol allows for both non-authenticated and 25 authenticated associations, in client/server, symmetric (peer), 26 and several broadcast modes. In addition to the basic NTP 27 operational modes, symmetric mode and broadcast servers can 28 support an interleaved mode of operation. In ntp-4.2.8p4 a bug 29 was inadvertently introduced into the protocol engine that 30 allows a non-authenticated zero-origin (reset) packet to reset 31 an authenticated interleaved peer association. If an attacker 32 can send a packet with a zero-origin timestamp and the source 33 IP address of the "other side" of an interleaved association, 34 the 'victim' ntpd will reset its association. The attacker must 35 continue sending these packets in order to maintain the 36 disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6, 37 interleave mode could be entered dynamically. As of ntp-4.2.8p7, 38 interleaved mode must be explicitly configured/enabled. 39 Mitigation: 40 Implement BCP-38. 41 Upgrade to 4.2.8p11, or later, from the NTP Project Download Page 42 or the NTP Public Services Project Download Page. 43 If you are unable to upgrade to 4.2.8p11 or later and have 44 'peer HOST xleave' lines in your ntp.conf file, remove the 45 'xleave' option. 46 Have enough sources of time. 47 Properly monitor your ntpd instances. 48 If ntpd stops running, auto-restart it without -g . 49 Credit: 50 This weakness was discovered by Miroslav Lichvar of Red Hat. 51 52* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad 53 state (LOW/MED) 54 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 55 References: Sec 3453 / CVE-2018-7184 / VU#961909 56 Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11. 57 CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 58 Could score between 2.9 and 6.8. 59 CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L 60 Could score between 2.6 and 6.0. 61 Summary: 62 The fix for NtpBug2952 was incomplete, and while it fixed one 63 problem it created another. Specifically, it drops bad packets 64 before updating the "received" timestamp. This means a 65 third-party can inject a packet with a zero-origin timestamp, 66 meaning the sender wants to reset the association, and the 67 transmit timestamp in this bogus packet will be saved as the 68 most recent "received" timestamp. The real remote peer does 69 not know this value and this will disrupt the association until 70 the association resets. 71 Mitigation: 72 Implement BCP-38. 73 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 74 or the NTP Public Services Project Download Page. 75 Use authentication with 'peer' mode. 76 Have enough sources of time. 77 Properly monitor your ntpd instances. 78 If ntpd stops running, auto-restart it without -g . 79 Credit: 80 This weakness was discovered by Miroslav Lichvar of Red Hat. 81 82* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive 83 peering (LOW) 84 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 85 References: Sec 3415 / CVE-2018-7170 / VU#961909 86 Sec 3012 / CVE-2016-1549 / VU#718152 87 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 88 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. 89 CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 90 CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N 91 Summary: 92 ntpd can be vulnerable to Sybil attacks. If a system is set up to 93 use a trustedkey and if one is not using the feature introduced in 94 ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to 95 specify which IPs can serve time, a malicious authenticated peer 96 -- i.e. one where the attacker knows the private symmetric key -- 97 can create arbitrarily-many ephemeral associations in order to win 98 the clock selection of ntpd and modify a victim's clock. Three 99 additional protections are offered in ntp-4.2.8p11. One is the 100 new 'noepeer' directive, which disables symmetric passive 101 ephemeral peering. Another is the new 'ippeerlimit' directive, 102 which limits the number of peers that can be created from an IP. 103 The third extends the functionality of the 4th field in the 104 ntp.keys file to include specifying a subnet range. 105 Mitigation: 106 Implement BCP-38. 107 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 108 or the NTP Public Services Project Download Page. 109 Use the 'noepeer' directive to prohibit symmetric passive 110 ephemeral associations. 111 Use the 'ippeerlimit' directive to limit the number of peers 112 that can be created from an IP. 113 Use the 4th argument in the ntp.keys file to limit the IPs and 114 subnets that can be time servers. 115 Have enough sources of time. 116 Properly monitor your ntpd instances. 117 If ntpd stops running, auto-restart it without -g . 118 Credit: 119 This weakness was reported as Bug 3012 by Matthew Van Gundy of 120 Cisco ASIG, and separately by Stefan Moser as Bug 3415. 121 122* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium) 123 Date Resolved: 27 Feb 2018 124 References: Sec 3414 / CVE-2018-7183 / VU#961909 125 Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11. 126 CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 127 CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 128 Summary: 129 ntpq is a monitoring and control program for ntpd. decodearr() 130 is an internal function of ntpq that is used to -- wait for it -- 131 decode an array in a response string when formatted data is being 132 displayed. This is a problem in affected versions of ntpq if a 133 maliciously-altered ntpd returns an array result that will trip this 134 bug, or if a bad actor is able to read an ntpq request on its way to 135 a remote ntpd server and forge and send a response before the remote 136 ntpd sends its response. It's potentially possible that the 137 malicious data could become injectable/executable code. 138 Mitigation: 139 Implement BCP-38. 140 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 141 or the NTP Public Services Project Download Page. 142 Credit: 143 This weakness was discovered by Michael Macnair of Thales e-Security. 144 145* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined 146 behavior and information leak (Info/Medium) 147 Date Resolved: 27 Feb 2018 148 References: Sec 3412 / CVE-2018-7182 / VU#961909 149 Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11. 150 CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N 151 CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 152 0.0 if C:N 153 Summary: 154 ctl_getitem() is used by ntpd to process incoming mode 6 packets. 155 A malicious mode 6 packet can be sent to an ntpd instance, and 156 if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will 157 cause ctl_getitem() to read past the end of its buffer. 158 Mitigation: 159 Implement BCP-38. 160 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 161 or the NTP Public Services Project Download Page. 162 Have enough sources of time. 163 Properly monitor your ntpd instances. 164 If ntpd stops running, auto-restart it without -g . 165 Credit: 166 This weakness was discovered by Yihan Lian of Qihoo 360. 167 168* NTP Bug 3012: Sybil vulnerability: ephemeral association attack 169 Also see Bug 3415, above. 170 Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 171 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 172 References: Sec 3012 / CVE-2016-1549 / VU#718152 173 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 174 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. 175 CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 176 CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 177 Summary: 178 ntpd can be vulnerable to Sybil attacks. If a system is set up 179 to use a trustedkey and if one is not using the feature 180 introduced in ntp-4.2.8p6 allowing an optional 4th field in the 181 ntp.keys file to specify which IPs can serve time, a malicious 182 authenticated peer -- i.e. one where the attacker knows the 183 private symmetric key -- can create arbitrarily-many ephemeral 184 associations in order to win the clock selection of ntpd and 185 modify a victim's clock. Two additional protections are 186 offered in ntp-4.2.8p11. One is the 'noepeer' directive, which 187 disables symmetric passive ephemeral peering. The other extends 188 the functionality of the 4th field in the ntp.keys file to 189 include specifying a subnet range. 190 Mitigation: 191 Implement BCP-38. 192 Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or 193 the NTP Public Services Project Download Page. 194 Use the 'noepeer' directive to prohibit symmetric passive 195 ephemeral associations. 196 Use the 'ippeerlimit' directive to limit the number of peer 197 associations from an IP. 198 Use the 4th argument in the ntp.keys file to limit the IPs 199 and subnets that can be time servers. 200 Properly monitor your ntpd instances. 201 Credit: 202 This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 203 204* Bug fixes: 205 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org> 206 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org> 207 - applied patch by Sean Haugh 208 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org> 209 [Bug 3450] Dubious error messages from plausibility checks in get_systime() 210 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org> 211 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org> 212 - refactoring the MAC code, too 213 [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org 214 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org> 215 - applied patch by ggarvey 216 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org> 217 - applied patch by ggarvey (with minor mods) 218 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain 219 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org> 220 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org> 221 [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org> 222 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" 223 - fixed several issues with hash algos in ntpd, sntp, ntpq, 224 ntpdc and the test suites <perlinger@ntp.org> 225 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org> 226 - initial patch by Daniel Pouzzner 227 [Bug 3423] QNX adjtime() implementation error checking is 228 wrong <perlinger@ntp.org> 229 [Bug 3417] ntpq ifstats packet counters can be negative 230 made IFSTATS counter quantities unsigned <perlinger@ntp.org> 231 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 232 - raised receive buffer size to 1200 <perlinger@ntp.org> 233 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static 234 analysis tool. <abe@ntp.org> 235 [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. 236 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org> 237 - fix/drop assumptions on OpenSSL libs directory layout 238 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation 239 - initial patch by timeflies@mail2tor.com <perlinger@ntp.org> 240 [Bug 3398] tests fail with core dump <perlinger@ntp.org> 241 - patch contributed by Alexander Bluhm 242 [Bug 3397] ctl_putstr() asserts that data fits in its buffer 243 rework of formatting & data transfer stuff in 'ntp_control.c' 244 avoids unecessary buffers and size limitations. <perlinger@ntp.org> 245 [Bug 3394] Leap second deletion does not work on ntpd clients 246 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org> 247 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size 248 - increased mimimum stack size to 32kB <perlinger@ntp.org> 249 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org> 250 - reverted handling of PPS kernel consumer to 4.2.6 behavior 251 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org> 252 [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. 253 [Bug 3016] wrong error position reported for bad ":config pool" 254 - fixed location counter & ntpq output <perlinger@ntp.org> 255 [Bug 2900] libntp build order problem. HStenn. 256 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org> 257 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, 258 perlinger@ntp.org 259 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. 260 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org> 261 Use strlcpy() to copy strings, not memcpy(). HStenn. 262 Typos. HStenn. 263 test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. 264 refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. 265 Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org 266 Fix trivial warnings from 'make check'. perlinger@ntp.org 267 Fix bug in the override portion of the compiler hardening macro. HStenn. 268 record_raw_stats(): Log entire packet. Log writes. HStenn. 269 AES-128-CMAC support. BInglis, HStenn, JPerlinger. 270 sntp: tweak key file logging. HStenn. 271 sntp: pkt_output(): Improve debug output. HStenn. 272 update-leap: updates from Paul McMath. 273 When using pkg-config, report --modversion. HStenn. 274 Clean up libevent configure checks. HStenn. 275 sntp: show the IP of who sent us a crypto-NAK. HStenn. 276 Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. 277 authistrustedip() - use it in more places. HStenn, JPerlinger. 278 New sysstats: sys_lamport, sys_tsrounding. HStenn. 279 Update ntp.keys .../N documentation. HStenn. 280 Distribute testconf.yml. HStenn. 281 Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. 282 Rename the configuration flag fifo variables. HStenn. 283 Improve saveconfig output. HStenn. 284 Decode restrict flags on receive() debug output. HStenn. 285 Decode interface flags on receive() debug output. HStenn. 286 Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. 287 Update the documentation in ntp.conf.def . HStenn. 288 restrictions() must return restrict flags and ippeerlimit. HStenn. 289 Update ntpq peer documentation to describe the 'p' type. HStenn. 290 Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. 291 Provide dump_restricts() for debugging. HStenn. 292 Use consistent 4th arg type for [gs]etsockopt. JPerlinger. 293 294* Other items: 295 296* update-leap needs the following perl modules: 297 Net::SSLeay 298 IO::Socket::SSL 299 300* New sysstats variables: sys_lamport, sys_tsrounding 301See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" 302sys_lamport counts the number of observed Lamport violations, while 303sys_tsrounding counts observed timestamp rounding events. 304 305* New ntp.conf items: 306 307- restrict ... noepeer 308- restrict ... ippeerlimit N 309 310The 'noepeer' directive will disallow all ephemeral/passive peer 311requests. 312 313The 'ippeerlimit' directive limits the number of time associations 314for each IP in the designated set of addresses. This limit does not 315apply to explicitly-configured associations. A value of -1, the current 316default, means an unlimited number of associations may connect from a 317single IP. 0 means "none", etc. Ordinarily the only way multiple 318associations would come from the same IP would be if the remote side 319was using a proxy. But a trusted machine might become compromised, 320in which case an attacker might spin up multiple authenticated sessions 321from different ports. This directive should be helpful in this case. 322 323* New ntp.keys feature: Each IP in the optional list of IPs in the 4th 324field may contain a /subnetbits specification, which identifies the 325scope of IPs that may use this key. This IP/subnet restriction can be 326used to limit the IPs that may use the key in most all situations where 327a key is used. 328-- 329NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21) 330 331Focus: Security, Bug fixes, enhancements. 332 333Severity: MEDIUM 334 335This release fixes 5 medium-, 6 low-, and 4 informational-severity 336vulnerabilities, and provides 15 other non-security fixes and improvements: 337 338* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium) 339 Date Resolved: 21 Mar 2017 340 References: Sec 3389 / CVE-2017-6464 / VU#325339 341 Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and 342 ntp-4.3.0 up to, but not including ntp-4.3.94. 343 CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 344 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 345 Summary: 346 A vulnerability found in the NTP server makes it possible for an 347 authenticated remote user to crash ntpd via a malformed mode 348 configuration directive. 349 Mitigation: 350 Implement BCP-38. 351 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or 352 the NTP Public Services Project Download Page 353 Properly monitor your ntpd instances, and auto-restart 354 ntpd (without -g) if it stops running. 355 Credit: 356 This weakness was discovered by Cure53. 357 358* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low) 359 Date Resolved: 21 Mar 2017 360 References: Sec 3388 / CVE-2017-6462 / VU#325339 361 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. 362 CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 363 CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 364 Summary: 365 There is a potential for a buffer overflow in the legacy Datum 366 Programmable Time Server refclock driver. Here the packets are 367 processed from the /dev/datum device and handled in 368 datum_pts_receive(). Since an attacker would be required to 369 somehow control a malicious /dev/datum device, this does not 370 appear to be a practical attack and renders this issue "Low" in 371 terms of severity. 372 Mitigation: 373 If you have a Datum reference clock installed and think somebody 374 may maliciously change the device, upgrade to 4.2.8p10, or 375 later, from the NTP Project Download Page or the NTP Public 376 Services Project Download Page 377 Properly monitor your ntpd instances, and auto-restart 378 ntpd (without -g) if it stops running. 379 Credit: 380 This weakness was discovered by Cure53. 381 382* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium) 383 Date Resolved: 21 Mar 2017 384 References: Sec 3387 / CVE-2017-6463 / VU#325339 385 Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and 386 ntp-4.3.0 up to, but not including ntp-4.3.94. 387 CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 388 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 389 Summary: 390 A vulnerability found in the NTP server allows an authenticated 391 remote attacker to crash the daemon by sending an invalid setting 392 via the :config directive. The unpeer option expects a number or 393 an address as an argument. In case the value is "0", a 394 segmentation fault occurs. 395 Mitigation: 396 Implement BCP-38. 397 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 398 or the NTP Public Services Project Download Page 399 Properly monitor your ntpd instances, and auto-restart 400 ntpd (without -g) if it stops running. 401 Credit: 402 This weakness was discovered by Cure53. 403 404* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational) 405 Date Resolved: 21 Mar 2017 406 References: Sec 3386 407 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 408 ntp-4.3.0 up to, but not including ntp-4.3.94. 409 CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N) 410 CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N 411 Summary: 412 The NTP Mode 6 monitoring and control client, ntpq, uses the 413 function ntpq_stripquotes() to remove quotes and escape characters 414 from a given string. According to the documentation, the function 415 is supposed to return the number of copied bytes but due to 416 incorrect pointer usage this value is always zero. Although the 417 return value of this function is never used in the code, this 418 flaw could lead to a vulnerability in the future. Since relying 419 on wrong return values when performing memory operations is a 420 dangerous practice, it is recommended to return the correct value 421 in accordance with the documentation pertinent to the code. 422 Mitigation: 423 Implement BCP-38. 424 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 425 or the NTP Public Services Project Download Page 426 Properly monitor your ntpd instances, and auto-restart 427 ntpd (without -g) if it stops running. 428 Credit: 429 This weakness was discovered by Cure53. 430 431* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info) 432 Date Resolved: 21 Mar 2017 433 References: Sec 3385 434 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 435 ntp-4.3.0 up to, but not including ntp-4.3.94. 436 Summary: 437 NTP makes use of several wrappers around the standard heap memory 438 allocation functions that are provided by libc. This is mainly 439 done to introduce additional safety checks concentrated on 440 several goals. First, they seek to ensure that memory is not 441 accidentally freed, secondly they verify that a correct amount 442 is always allocated and, thirdly, that allocation failures are 443 correctly handled. There is an additional implementation for 444 scenarios where memory for a specific amount of items of the 445 same size needs to be allocated. The handling can be found in 446 the oreallocarray() function for which a further number-of-elements 447 parameter needs to be provided. Although no considerable threat 448 was identified as tied to a lack of use of this function, it is 449 recommended to correctly apply oreallocarray() as a preferred 450 option across all of the locations where it is possible. 451 Mitigation: 452 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 453 or the NTP Public Services Project Download Page 454 Credit: 455 This weakness was discovered by Cure53. 456 457* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS 458 PPSAPI ONLY) (Low) 459 Date Resolved: 21 Mar 2017 460 References: Sec 3384 / CVE-2017-6455 / VU#325339 461 Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but 462 not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not 463 including ntp-4.3.94. 464 CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C) 465 CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 466 Summary: 467 The Windows NT port has the added capability to preload DLLs 468 defined in the inherited global local environment variable 469 PPSAPI_DLLS. The code contained within those libraries is then 470 called from the NTPD service, usually running with elevated 471 privileges. Depending on how securely the machine is setup and 472 configured, if ntpd is configured to use the PPSAPI under Windows 473 this can easily lead to a code injection. 474 Mitigation: 475 Implement BCP-38. 476 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 477 or the NTP Public Services Project Download Page 478 Credit: 479 This weakness was discovered by Cure53. 480 481* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS 482 installer ONLY) (Low) 483 Date Resolved: 21 Mar 2017 484 References: Sec 3383 / CVE-2017-6452 / VU#325339 485 Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows 486 installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up 487 to, but not including ntp-4.3.94. 488 CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 489 CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 490 Summary: 491 The Windows installer for NTP calls strcat(), blindly appending 492 the string passed to the stack buffer in the addSourceToRegistry() 493 function. The stack buffer is 70 bytes smaller than the buffer 494 in the calling main() function. Together with the initially 495 copied Registry path, the combination causes a stack buffer 496 overflow and effectively overwrites the stack frame. The 497 passed application path is actually limited to 256 bytes by the 498 operating system, but this is not sufficient to assure that the 499 affected stack buffer is consistently protected against 500 overflowing at all times. 501 Mitigation: 502 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 503 or the NTP Public Services Project Download Page 504 Credit: 505 This weakness was discovered by Cure53. 506 507* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS 508 installer ONLY) (Low) 509 Date Resolved: 21 Mar 2017 510 References: Sec 3382 / CVE-2017-6459 / VU#325339 511 Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows 512 installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 513 up to, but not including ntp-4.3.94. 514 CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 515 CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 516 Summary: 517 The Windows installer for NTP calls strcpy() with an argument 518 that specifically contains multiple null bytes. strcpy() only 519 copies a single terminating null character into the target 520 buffer instead of copying the required double null bytes in the 521 addKeysToRegistry() function. As a consequence, a garbage 522 registry entry can be created. The additional arsize parameter 523 is erroneously set to contain two null bytes and the following 524 call to RegSetValueEx() claims to be passing in a multi-string 525 value, though this may not be true. 526 Mitigation: 527 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 528 or the NTP Public Services Project Download Page 529 Credit: 530 This weakness was discovered by Cure53. 531 532* NTP-01-006 NTP: Copious amounts of Unused Code (Informational) 533 References: Sec 3381 534 Summary: 535 The report says: Statically included external projects 536 potentially introduce several problems and the issue of having 537 extensive amounts of code that is "dead" in the resulting binary 538 must clearly be pointed out. The unnecessary unused code may or 539 may not contain bugs and, quite possibly, might be leveraged for 540 code-gadget-based branch-flow redirection exploits. Analogically, 541 having source trees statically included as well means a failure 542 in taking advantage of the free feature for periodical updates. 543 This solution is offered by the system's Package Manager. The 544 three libraries identified are libisc, libevent, and libopts. 545 Resolution: 546 For libisc, we already only use a portion of the original library. 547 We've found and fixed bugs in the original implementation (and 548 offered the patches to ISC), and plan to see what has changed 549 since we last upgraded the code. libisc is generally not 550 installed, and when it it we usually only see the static libisc.a 551 file installed. Until we know for sure that the bugs we've found 552 and fixed are fixed upstream, we're better off with the copy we 553 are using. 554 555 Version 1 of libevent was the only production version available 556 until recently, and we've been requiring version 2 for a long time. 557 But if the build system has at least version 2 of libevent 558 installed, we'll use the version that is installed on the system. 559 Otherwise, we provide a copy of libevent that we know works. 560 561 libopts is provided by GNU AutoGen, and that library and package 562 undergoes frequent API version updates. The version of autogen 563 used to generate the tables for the code must match the API 564 version in libopts. AutoGen can be ... difficult to build and 565 install, and very few developers really need it. So we have it 566 on our build and development machines, and we provide the 567 specific version of the libopts code in the distribution to make 568 sure that the proper API version of libopts is available. 569 570 As for the point about there being code in these libraries that 571 NTP doesn't use, OK. But other packages used these libraries as 572 well, and it is reasonable to assume that other people are paying 573 attention to security and code quality issues for the overall 574 libraries. It takes significant resources to analyze and 575 customize these libraries to only include what we need, and to 576 date we believe the cost of this effort does not justify the benefit. 577 Credit: 578 This issue was discovered by Cure53. 579 580* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low) 581 Date Resolved: 21 Mar 2017 582 References: Sec 3380 583 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 584 ntp-4.3.0 up to, but not including ntp-4.3.94. 585 CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N) 586 CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N 587 Summary: 588 There is a fencepost error in a "recovery branch" of the code for 589 the Oncore GPS receiver if the communication link to the ONCORE 590 is weak / distorted and the decoding doesn't work. 591 Mitigation: 592 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or 593 the NTP Public Services Project Download Page 594 Properly monitor your ntpd instances, and auto-restart 595 ntpd (without -g) if it stops running. 596 Credit: 597 This weakness was discovered by Cure53. 598 599* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium) 600 Date Resolved: 21 Mar 2017 601 References: Sec 3379 / CVE-2017-6458 / VU#325339 602 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 603 ntp-4.3.0 up to, but not including ntp-4.3.94. 604 CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 605 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 606 Summary: 607 ntpd makes use of different wrappers around ctl_putdata() to 608 create name/value ntpq (mode 6) response strings. For example, 609 ctl_putstr() is usually used to send string data (variable names 610 or string data). The formatting code was missing a length check 611 for variable names. If somebody explicitly created any unusually 612 long variable names in ntpd (longer than 200-512 bytes, depending 613 on the type of variable), then if any of these variables are 614 added to the response list it would overflow a buffer. 615 Mitigation: 616 Implement BCP-38. 617 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 618 or the NTP Public Services Project Download Page 619 If you don't want to upgrade, then don't setvar variable names 620 longer than 200-512 bytes in your ntp.conf file. 621 Properly monitor your ntpd instances, and auto-restart 622 ntpd (without -g) if it stops running. 623 Credit: 624 This weakness was discovered by Cure53. 625 626* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low) 627 Date Resolved: 21 Mar 2017 628 References: Sec 3378 / CVE-2017-6451 / VU#325339 629 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 630 ntp-4.3.0 up to, but not including ntp-4.3.94. 631 CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P) 632 CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N 633 Summary: 634 The legacy MX4200 refclock is only built if is specifically 635 enabled, and furthermore additional code changes are required to 636 compile and use it. But it uses the libc functions snprintf() 637 and vsnprintf() incorrectly, which can lead to an out-of-bounds 638 memory write due to an improper handling of the return value of 639 snprintf()/vsnprintf(). Since the return value is used as an 640 iterator and it can be larger than the buffer's size, it is 641 possible for the iterator to point somewhere outside of the 642 allocated buffer space. This results in an out-of-bound memory 643 write. This behavior can be leveraged to overwrite a saved 644 instruction pointer on the stack and gain control over the 645 execution flow. During testing it was not possible to identify 646 any malicious usage for this vulnerability. Specifically, no 647 way for an attacker to exploit this vulnerability was ultimately 648 unveiled. However, it has the potential to be exploited, so the 649 code should be fixed. 650 Mitigation, if you have a Magnavox MX4200 refclock: 651 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 652 or the NTP Public Services Project Download Page. 653 Properly monitor your ntpd instances, and auto-restart 654 ntpd (without -g) if it stops running. 655 Credit: 656 This weakness was discovered by Cure53. 657 658* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a 659 malicious ntpd (Medium) 660 Date Resolved: 21 Mar 2017 661 References: Sec 3377 / CVE-2017-6460 / VU#325339 662 Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and 663 ntp-4.3.0 up to, but not including ntp-4.3.94. 664 CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C) 665 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 666 Summary: 667 A stack buffer overflow in ntpq can be triggered by a malicious 668 ntpd server when ntpq requests the restriction list from the server. 669 This is due to a missing length check in the reslist() function. 670 It occurs whenever the function parses the server's response and 671 encounters a flagstr variable of an excessive length. The string 672 will be copied into a fixed-size buffer, leading to an overflow on 673 the function's stack-frame. Note well that this problem requires 674 a malicious server, and affects ntpq, not ntpd. 675 Mitigation: 676 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 677 or the NTP Public Services Project Download Page 678 If you can't upgrade your version of ntpq then if you want to know 679 the reslist of an instance of ntpd that you do not control, 680 know that if the target ntpd is malicious that it can send back 681 a response that intends to crash your ntpq process. 682 Credit: 683 This weakness was discovered by Cure53. 684 685* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational) 686 Date Resolved: 21 Mar 2017 687 References: Sec 3376 688 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 689 ntp-4.3.0 up to, but not including ntp-4.3.94. 690 CVSS2: N/A 691 CVSS3: N/A 692 Summary: 693 The build process for NTP has not, by default, provided compile 694 or link flags to offer "hardened" security options. Package 695 maintainers have always been able to provide hardening security 696 flags for their builds. As of ntp-4.2.8p10, the NTP build 697 system has a way to provide OS-specific hardening flags. Please 698 note that this is still not a really great solution because it 699 is specific to NTP builds. It's inefficient to have every 700 package supply, track and maintain this information for every 701 target build. It would be much better if there was a common way 702 for OSes to provide this information in a way that arbitrary 703 packages could benefit from it. 704 Mitigation: 705 Implement BCP-38. 706 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 707 or the NTP Public Services Project Download Page 708 Properly monitor your ntpd instances, and auto-restart 709 ntpd (without -g) if it stops running. 710 Credit: 711 This weakness was reported by Cure53. 712 713* 0rigin DoS (Medium) 714 Date Resolved: 21 Mar 2017 715 References: Sec 3361 / CVE-2016-9042 / VU#325339 716 Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10 717 CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case) 718 CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case) 719 Summary: 720 An exploitable denial of service vulnerability exists in the 721 origin timestamp check functionality of ntpd 4.2.8p9. A specially 722 crafted unauthenticated network packet can be used to reset the 723 expected origin timestamp for target peers. Legitimate replies 724 from targeted peers will fail the origin timestamp check (TEST2) 725 causing the reply to be dropped and creating a denial of service 726 condition. This vulnerability can only be exploited if the 727 attacker can spoof all of the servers. 728 Mitigation: 729 Implement BCP-38. 730 Configure enough servers/peers that an attacker cannot target 731 all of your time sources. 732 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 733 or the NTP Public Services Project Download Page 734 Properly monitor your ntpd instances, and auto-restart 735 ntpd (without -g) if it stops running. 736 Credit: 737 This weakness was discovered by Matthew Van Gundy of Cisco. 738 739Other fixes: 740 741* [Bug 3393] clang scan-build findings <perlinger@ntp.org> 742* [Bug 3363] Support for openssl-1.1.0 without compatibility modes 743 - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org> 744* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org> 745* [Bug 3216] libntp audio ioctl() args incorrectly cast to int 746 on 4.4BSD-Lite derived platforms <perlinger@ntp.org> 747 - original patch by Majdi S. Abbas 748* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org> 749* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org> 750 - initial patch by Christos Zoulas 751* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org> 752 - move loader API from 'inline' to proper source 753 - augment pathless dlls with absolute path to NTPD 754 - use 'msyslog()' instead of 'printf() 'for reporting trouble 755* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org> 756 - applied patch by Matthew Van Gundy 757* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org> 758 - applied some of the patches provided by Havard. Not all of them 759 still match the current code base, and I did not touch libopt. 760* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org> 761 - applied patch by Reinhard Max. See bugzilla for limitations. 762* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org> 763 - fixed dependency inversion from [Bug 2837] 764* [Bug 2896] Nothing happens if minsane < maxclock < minclock 765 - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org> 766* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org> 767 - applied patch by Miroslav Lichvar for ntp4.2.6 compat 768* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags 769 - Fixed these and some more locations of this pattern. 770 Probably din't get them all, though. <perlinger@ntp.org> 771* Update copyright year. 772 773-- 774(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org> 775 776* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org> 777 - added missed changeset for automatic openssl lib detection 778 - fixed some minor warning issues 779* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org> 780* configure.ac cleanup. stenn@ntp.org 781* openssl configure cleanup. stenn@ntp.org 782 783-- 784NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21) 785 786Focus: Security, Bug fixes, enhancements. 787 788Severity: HIGH 789 790In addition to bug fixes and enhancements, this release fixes the 791following 1 high- (Windows only), 2 medium-, 2 medium-/low, and 7925 low-severity vulnerabilities, and provides 28 other non-security 793fixes and improvements: 794 795* Trap crash 796 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 797 References: Sec 3119 / CVE-2016-9311 / VU#633847 798 Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not 799 including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94. 800 CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) 801 CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 802 Summary: 803 ntpd does not enable trap service by default. If trap service 804 has been explicitly enabled, an attacker can send a specially 805 crafted packet to cause a null pointer dereference that will 806 crash ntpd, resulting in a denial of service. 807 Mitigation: 808 Implement BCP-38. 809 Use "restrict default noquery ..." in your ntp.conf file. Only 810 allow mode 6 queries from trusted networks and hosts. 811 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 812 or the NTP Public Services Project Download Page 813 Properly monitor your ntpd instances, and auto-restart ntpd 814 (without -g) if it stops running. 815 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 816 817* Mode 6 information disclosure and DDoS vector 818 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 819 References: Sec 3118 / CVE-2016-9310 / VU#633847 820 Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not 821 including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94. 822 CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P) 823 CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 824 Summary: 825 An exploitable configuration modification vulnerability exists 826 in the control mode (mode 6) functionality of ntpd. If, against 827 long-standing BCP recommendations, "restrict default noquery ..." 828 is not specified, a specially crafted control mode packet can set 829 ntpd traps, providing information disclosure and DDoS 830 amplification, and unset ntpd traps, disabling legitimate 831 monitoring. A remote, unauthenticated, network attacker can 832 trigger this vulnerability. 833 Mitigation: 834 Implement BCP-38. 835 Use "restrict default noquery ..." in your ntp.conf file. 836 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 837 or the NTP Public Services Project Download Page 838 Properly monitor your ntpd instances, and auto-restart ntpd 839 (without -g) if it stops running. 840 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 841 842* Broadcast Mode Replay Prevention DoS 843 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 844 References: Sec 3114 / CVE-2016-7427 / VU#633847 845 Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 846 ntp-4.3.90 up to, but not including ntp-4.3.94. 847 CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) 848 CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 849 Summary: 850 The broadcast mode of NTP is expected to only be used in a 851 trusted network. If the broadcast network is accessible to an 852 attacker, a potentially exploitable denial of service 853 vulnerability in ntpd's broadcast mode replay prevention 854 functionality can be abused. An attacker with access to the NTP 855 broadcast domain can periodically inject specially crafted 856 broadcast mode NTP packets into the broadcast domain which, 857 while being logged by ntpd, can cause ntpd to reject broadcast 858 mode packets from legitimate NTP broadcast servers. 859 Mitigation: 860 Implement BCP-38. 861 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 862 or the NTP Public Services Project Download Page 863 Properly monitor your ntpd instances, and auto-restart ntpd 864 (without -g) if it stops running. 865 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 866 867* Broadcast Mode Poll Interval Enforcement DoS 868 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 869 References: Sec 3113 / CVE-2016-7428 / VU#633847 870 Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 871 ntp-4.3.90 up to, but not including ntp-4.3.94 872 CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) 873 CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 874 Summary: 875 The broadcast mode of NTP is expected to only be used in a 876 trusted network. If the broadcast network is accessible to an 877 attacker, a potentially exploitable denial of service 878 vulnerability in ntpd's broadcast mode poll interval enforcement 879 functionality can be abused. To limit abuse, ntpd restricts the 880 rate at which each broadcast association will process incoming 881 packets. ntpd will reject broadcast mode packets that arrive 882 before the poll interval specified in the preceding broadcast 883 packet expires. An attacker with access to the NTP broadcast 884 domain can send specially crafted broadcast mode NTP packets to 885 the broadcast domain which, while being logged by ntpd, will 886 cause ntpd to reject broadcast mode packets from legitimate NTP 887 broadcast servers. 888 Mitigation: 889 Implement BCP-38. 890 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 891 or the NTP Public Services Project Download Page 892 Properly monitor your ntpd instances, and auto-restart ntpd 893 (without -g) if it stops running. 894 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 895 896* Windows: ntpd DoS by oversized UDP packet 897 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 898 References: Sec 3110 / CVE-2016-9312 / VU#633847 899 Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9, 900 and ntp-4.3.0 up to, but not including ntp-4.3.94. 901 CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 902 CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 903 Summary: 904 If a vulnerable instance of ntpd on Windows receives a crafted 905 malicious packet that is "too big", ntpd will stop working. 906 Mitigation: 907 Implement BCP-38. 908 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 909 or the NTP Public Services Project Download Page 910 Properly monitor your ntpd instances, and auto-restart ntpd 911 (without -g) if it stops running. 912 Credit: This weakness was discovered by Robert Pajak of ABB. 913 914* 0rigin (zero origin) issues 915 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 916 References: Sec 3102 / CVE-2016-7431 / VU#633847 917 Affects: ntp-4.2.8p8, and ntp-4.3.93. 918 CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 919 CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 920 Summary: 921 Zero Origin timestamp problems were fixed by Bug 2945 in 922 ntp-4.2.8p6. However, subsequent timestamp validation checks 923 introduced a regression in the handling of some Zero origin 924 timestamp checks. 925 Mitigation: 926 Implement BCP-38. 927 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 928 or the NTP Public Services Project Download Page 929 Properly monitor your ntpd instances, and auto-restart ntpd 930 (without -g) if it stops running. 931 Credit: This weakness was discovered by Sharon Goldberg and Aanchal 932 Malhotra of Boston University. 933 934* read_mru_list() does inadequate incoming packet checks 935 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 936 References: Sec 3082 / CVE-2016-7434 / VU#633847 937 Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and 938 ntp-4.3.0 up to, but not including ntp-4.3.94. 939 CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C) 940 CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 941 Summary: 942 If ntpd is configured to allow mrulist query requests from a 943 server that sends a crafted malicious packet, ntpd will crash 944 on receipt of that crafted malicious mrulist query packet. 945 Mitigation: 946 Only allow mrulist query packets from trusted hosts. 947 Implement BCP-38. 948 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 949 or the NTP Public Services Project Download Page 950 Properly monitor your ntpd instances, and auto-restart ntpd 951 (without -g) if it stops running. 952 Credit: This weakness was discovered by Magnus Stubman. 953 954* Attack on interface selection 955 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 956 References: Sec 3072 / CVE-2016-7429 / VU#633847 957 Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and 958 ntp-4.3.0 up to, but not including ntp-4.3.94 959 CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 960 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 961 Summary: 962 When ntpd receives a server response on a socket that corresponds 963 to a different interface than was used for the request, the peer 964 structure is updated to use the interface for new requests. If 965 ntpd is running on a host with multiple interfaces in separate 966 networks and the operating system doesn't check source address in 967 received packets (e.g. rp_filter on Linux is set to 0), an 968 attacker that knows the address of the source can send a packet 969 with spoofed source address which will cause ntpd to select wrong 970 interface for the source and prevent it from sending new requests 971 until the list of interfaces is refreshed, which happens on 972 routing changes or every 5 minutes by default. If the attack is 973 repeated often enough (once per second), ntpd will not be able to 974 synchronize with the source. 975 Mitigation: 976 Implement BCP-38. 977 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 978 or the NTP Public Services Project Download Page 979 If you are going to configure your OS to disable source address 980 checks, also configure your firewall configuration to control 981 what interfaces can receive packets from what networks. 982 Properly monitor your ntpd instances, and auto-restart ntpd 983 (without -g) if it stops running. 984 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 985 986* Client rate limiting and server responses 987 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 988 References: Sec 3071 / CVE-2016-7426 / VU#633847 989 Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and 990 ntp-4.3.0 up to, but not including ntp-4.3.94 991 CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 992 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 993 Summary: 994 When ntpd is configured with rate limiting for all associations 995 (restrict default limited in ntp.conf), the limits are applied 996 also to responses received from its configured sources. An 997 attacker who knows the sources (e.g., from an IPv4 refid in 998 server response) and knows the system is (mis)configured in this 999 way can periodically send packets with spoofed source address to 1000 keep the rate limiting activated and prevent ntpd from accepting 1001 valid responses from its sources. 1002 1003 While this blanket rate limiting can be useful to prevent 1004 brute-force attacks on the origin timestamp, it allows this DoS 1005 attack. Similarly, it allows the attacker to prevent mobilization 1006 of ephemeral associations. 1007 Mitigation: 1008 Implement BCP-38. 1009 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1010 or the NTP Public Services Project Download Page 1011 Properly monitor your ntpd instances, and auto-restart ntpd 1012 (without -g) if it stops running. 1013 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1014 1015* Fix for bug 2085 broke initial sync calculations 1016 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1017 References: Sec 3067 / CVE-2016-7433 / VU#633847 1018 Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and 1019 ntp-4.3.0 up to, but not including ntp-4.3.94. But the 1020 root-distance calculation in general is incorrect in all versions 1021 of ntp-4 until this release. 1022 CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1023 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L 1024 Summary: 1025 Bug 2085 described a condition where the root delay was included 1026 twice, causing the jitter value to be higher than expected. Due 1027 to a misinterpretation of a small-print variable in The Book, the 1028 fix for this problem was incorrect, resulting in a root distance 1029 that did not include the peer dispersion. The calculations and 1030 formulae have been reviewed and reconciled, and the code has been 1031 updated accordingly. 1032 Mitigation: 1033 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1034 or the NTP Public Services Project Download Page 1035 Properly monitor your ntpd instances, and auto-restart ntpd 1036 (without -g) if it stops running. 1037 Credit: This weakness was discovered independently by Brian Utterback of 1038 Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University. 1039 1040Other fixes: 1041 1042* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org> 1043* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org 1044* [Bug 3129] Unknown hosts can put resolver thread into a hard loop 1045 - moved retry decision where it belongs. <perlinger@ntp.org> 1046* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order 1047 using the loopback-ppsapi-provider.dll <perlinger@ntp.org> 1048* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org> 1049* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org> 1050 - fixed extended sysvar lookup (bug introduced with bug 3008 fix) 1051* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org> 1052 - applied patches by Kurt Roeckx <kurt@roeckx.be> to source 1053 - added shim layer for SSL API calls with issues (both directions) 1054* [Bug 3089] Serial Parser does not work anymore for hopfser like device 1055 - simplified / refactored hex-decoding in driver. <perlinger@ntp.org> 1056* [Bug 3084] update-leap mis-parses the leapfile name. HStenn. 1057* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org 1058 - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com> 1059* [Bug 3067] Root distance calculation needs improvement. HStenn 1060* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org 1061 - PPS-HACK works again. 1062* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org> 1063 - applied patch by Brian Utterback <brian.utterback@oracle.com> 1064* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White. 1065* [Bug 3050] Fix for bug #2960 causes [...] spurious error message. 1066 <perlinger@ntp.org> 1067 - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no> 1068* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org 1069 - Patch provided by Kuramatsu. 1070* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org> 1071 - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()' 1072* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer 1073* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger 1074* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn. 1075* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org> 1076 - fixed GPS week expansion to work based on build date. Special thanks 1077 to Craig Leres for initial patch and testing. 1078* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd' 1079 - fixed Makefile.am <perlinger@ntp.org> 1080* [Bug 2689] ATOM driver processes last PPS pulse at startup, 1081 even if it is very old <perlinger@ntp.org> 1082 - make sure PPS source is alive before processing samples 1083 - improve stability close to the 500ms phase jump (phase gate) 1084* Fix typos in include/ntp.h. 1085* Shim X509_get_signature_nid() if needed 1086* git author attribution cleanup 1087* bk ignore file cleanup 1088* remove locks in Windows IO, use rpc-like thread synchronisation instead 1089 1090--- 1091NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02) 1092 1093Focus: Security, Bug fixes, enhancements. 1094 1095Severity: HIGH 1096 1097In addition to bug fixes and enhancements, this release fixes the 1098following 1 high- and 4 low-severity vulnerabilities: 1099 1100* CRYPTO_NAK crash 1101 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1102 References: Sec 3046 / CVE-2016-4957 / VU#321640 1103 Affects: ntp-4.2.8p7, and ntp-4.3.92. 1104 CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 1105 CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 1106 Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that 1107 could cause ntpd to crash. 1108 Mitigation: 1109 Implement BCP-38. 1110 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1111 or the NTP Public Services Project Download Page 1112 If you cannot upgrade from 4.2.8p7, the only other alternatives 1113 are to patch your code or filter CRYPTO_NAK packets. 1114 Properly monitor your ntpd instances, and auto-restart ntpd 1115 (without -g) if it stops running. 1116 Credit: This weakness was discovered by Nicolas Edet of Cisco. 1117 1118* Bad authentication demobilizes ephemeral associations 1119 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1120 References: Sec 3045 / CVE-2016-4953 / VU#321640 1121 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1122 ntp-4.3.0 up to, but not including ntp-4.3.93. 1123 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1124 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1125 Summary: An attacker who knows the origin timestamp and can send a 1126 spoofed packet containing a CRYPTO-NAK to an ephemeral peer 1127 target before any other response is sent can demobilize that 1128 association. 1129 Mitigation: 1130 Implement BCP-38. 1131 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1132 or the NTP Public Services Project Download Page 1133 Properly monitor your ntpd instances. 1134 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1135 1136* Processing spoofed server packets 1137 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1138 References: Sec 3044 / CVE-2016-4954 / VU#321640 1139 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1140 ntp-4.3.0 up to, but not including ntp-4.3.93. 1141 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1142 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1143 Summary: An attacker who is able to spoof packets with correct origin 1144 timestamps from enough servers before the expected response 1145 packets arrive at the target machine can affect some peer 1146 variables and, for example, cause a false leap indication to be set. 1147 Mitigation: 1148 Implement BCP-38. 1149 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1150 or the NTP Public Services Project Download Page 1151 Properly monitor your ntpd instances. 1152 Credit: This weakness was discovered by Jakub Prokes of Red Hat. 1153 1154* Autokey association reset 1155 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1156 References: Sec 3043 / CVE-2016-4955 / VU#321640 1157 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1158 ntp-4.3.0 up to, but not including ntp-4.3.93. 1159 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1160 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1161 Summary: An attacker who is able to spoof a packet with a correct 1162 origin timestamp before the expected response packet arrives at 1163 the target machine can send a CRYPTO_NAK or a bad MAC and cause 1164 the association's peer variables to be cleared. If this can be 1165 done often enough, it will prevent that association from working. 1166 Mitigation: 1167 Implement BCP-38. 1168 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1169 or the NTP Public Services Project Download Page 1170 Properly monitor your ntpd instances. 1171 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1172 1173* Broadcast interleave 1174 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1175 References: Sec 3042 / CVE-2016-4956 / VU#321640 1176 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1177 ntp-4.3.0 up to, but not including ntp-4.3.93. 1178 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1179 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1180 Summary: The fix for NtpBug2978 does not cover broadcast associations, 1181 so broadcast clients can be triggered to flip into interleave mode. 1182 Mitigation: 1183 Implement BCP-38. 1184 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1185 or the NTP Public Services Project Download Page 1186 Properly monitor your ntpd instances. 1187 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1188 1189Other fixes: 1190* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org 1191 - provide build environment 1192 - 'wint_t' and 'struct timespec' defined by VS2015 1193 - fixed print()/scanf() format issues 1194* [Bug 3052] Add a .gitignore file. Edmund Wong. 1195* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite. 1196* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback, 1197 JPerlinger, HStenn. 1198* Fix typo in ntp-wait and plot_summary. HStenn. 1199* Make sure we have an "author" file for git imports. HStenn. 1200* Update the sntp problem tests for MacOS. HStenn. 1201 1202--- 1203NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26) 1204 1205Focus: Security, Bug fixes, enhancements. 1206 1207Severity: MEDIUM 1208 1209When building NTP from source, there is a new configure option 1210available, --enable-dynamic-interleave. More information on this below. 1211 1212Also note that ntp-4.2.8p7 logs more "unexpected events" than previous 1213versions of ntp. These events have almost certainly happened in the 1214past, it's just that they were silently counted and not logged. With 1215the increasing awareness around security, we feel it's better to clearly 1216log these events to help detect abusive behavior. This increased 1217logging can also help detect other problems, too. 1218 1219In addition to bug fixes and enhancements, this release fixes the 1220following 9 low- and medium-severity vulnerabilities: 1221 1222* Improve NTP security against buffer comparison timing attacks, 1223 AKA: authdecrypt-timing 1224 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1225 References: Sec 2879 / CVE-2016-1550 1226 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1227 4.3.0 up to, but not including 4.3.92 1228 CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N) 1229 CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 1230 Summary: Packet authentication tests have been performed using 1231 memcmp() or possibly bcmp(), and it is potentially possible 1232 for a local or perhaps LAN-based attacker to send a packet with 1233 an authentication payload and indirectly observe how much of 1234 the digest has matched. 1235 Mitigation: 1236 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1237 or the NTP Public Services Project Download Page. 1238 Properly monitor your ntpd instances. 1239 Credit: This weakness was discovered independently by Loganaden 1240 Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG. 1241 1242* Zero origin timestamp bypass: Additional KoD checks. 1243 References: Sec 2945 / Sec 2901 / CVE-2015-8138 1244 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1245 Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92. 1246 1247* peer associations were broken by the fix for NtpBug2899 1248 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1249 References: Sec 2952 / CVE-2015-7704 1250 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1251 4.3.0 up to, but not including 4.3.92 1252 CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) 1253 Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer 1254 associations did not address all of the issues. 1255 Mitigation: 1256 Implement BCP-38. 1257 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1258 or the NTP Public Services Project Download Page 1259 If you can't upgrade, use "server" associations instead of 1260 "peer" associations. 1261 Monitor your ntpd instances. 1262 Credit: This problem was discovered by Michael Tatarinov. 1263 1264* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS 1265 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1266 References: Sec 3007 / CVE-2016-1547 / VU#718152 1267 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1268 4.3.0 up to, but not including 4.3.92 1269 CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) 1270 CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1271 Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an 1272 off-path attacker can cause a preemptable client association to 1273 be demobilized by sending a crypto NAK packet to a victim client 1274 with a spoofed source address of an existing associated peer. 1275 This is true even if authentication is enabled. 1276 1277 Furthermore, if the attacker keeps sending crypto NAK packets, 1278 for example one every second, the victim never has a chance to 1279 reestablish the association and synchronize time with that 1280 legitimate server. 1281 1282 For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more 1283 stringent checks are performed on incoming packets, but there 1284 are still ways to exploit this vulnerability in versions before 1285 ntp-4.2.8p7. 1286 Mitigation: 1287 Implement BCP-38. 1288 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1289 or the NTP Public Services Project Download Page 1290 Properly monitor your ntpd instances 1291 Credit: This weakness was discovered by Stephen Gray and 1292 Matthew Van Gundy of Cisco ASIG. 1293 1294* ctl_getitem() return value not always checked 1295 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1296 References: Sec 3008 / CVE-2016-2519 1297 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1298 4.3.0 up to, but not including 4.3.92 1299 CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C) 1300 CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1301 Summary: ntpq and ntpdc can be used to store and retrieve information 1302 in ntpd. It is possible to store a data value that is larger 1303 than the size of the buffer that the ctl_getitem() function of 1304 ntpd uses to report the return value. If the length of the 1305 requested data value returned by ctl_getitem() is too large, 1306 the value NULL is returned instead. There are 2 cases where the 1307 return value from ctl_getitem() was not directly checked to make 1308 sure it's not NULL, but there are subsequent INSIST() checks 1309 that make sure the return value is not NULL. There are no data 1310 values ordinarily stored in ntpd that would exceed this buffer 1311 length. But if one has permission to store values and one stores 1312 a value that is "too large", then ntpd will abort if an attempt 1313 is made to read that oversized value. 1314 Mitigation: 1315 Implement BCP-38. 1316 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1317 or the NTP Public Services Project Download Page 1318 Properly monitor your ntpd instances. 1319 Credit: This weakness was discovered by Yihan Lian of the Cloud 1320 Security Team, Qihoo 360. 1321 1322* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC 1323 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1324 References: Sec 3009 / CVE-2016-2518 / VU#718152 1325 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1326 4.3.0 up to, but not including 4.3.92 1327 CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P) 1328 CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 1329 Summary: Using a crafted packet to create a peer association with 1330 hmode > 7 causes the MATCH_ASSOC() lookup to make an 1331 out-of-bounds reference. 1332 Mitigation: 1333 Implement BCP-38. 1334 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1335 or the NTP Public Services Project Download Page 1336 Properly monitor your ntpd instances 1337 Credit: This weakness was discovered by Yihan Lian of the Cloud 1338 Security Team, Qihoo 360. 1339 1340* remote configuration trustedkey/requestkey/controlkey values are not 1341 properly validated 1342 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1343 References: Sec 3010 / CVE-2016-2517 / VU#718152 1344 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1345 4.3.0 up to, but not including 4.3.92 1346 CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C) 1347 CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1348 Summary: If ntpd was expressly configured to allow for remote 1349 configuration, a malicious user who knows the controlkey for 1350 ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) 1351 can create a session with ntpd and then send a crafted packet to 1352 ntpd that will change the value of the trustedkey, controlkey, 1353 or requestkey to a value that will prevent any subsequent 1354 authentication with ntpd until ntpd is restarted. 1355 Mitigation: 1356 Implement BCP-38. 1357 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1358 or the NTP Public Services Project Download Page 1359 Properly monitor your ntpd instances 1360 Credit: This weakness was discovered by Yihan Lian of the Cloud 1361 Security Team, Qihoo 360. 1362 1363* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd 1364 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1365 References: Sec 3011 / CVE-2016-2516 / VU#718152 1366 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1367 4.3.0 up to, but not including 4.3.92 1368 CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C) 1369 CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1370 Summary: If ntpd was expressly configured to allow for remote 1371 configuration, a malicious user who knows the controlkey for 1372 ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) 1373 can create a session with ntpd and if an existing association is 1374 unconfigured using the same IP twice on the unconfig directive 1375 line, ntpd will abort. 1376 Mitigation: 1377 Implement BCP-38. 1378 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1379 or the NTP Public Services Project Download Page 1380 Properly monitor your ntpd instances 1381 Credit: This weakness was discovered by Yihan Lian of the Cloud 1382 Security Team, Qihoo 360. 1383 1384* Refclock impersonation vulnerability 1385 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1386 References: Sec 3020 / CVE-2016-1551 1387 Affects: On a very limited number of OSes, all NTP releases up to but 1388 not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92. 1389 By "very limited number of OSes" we mean no general-purpose OSes 1390 have yet been identified that have this vulnerability. 1391 CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N) 1392 CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 1393 Summary: While most OSes implement martian packet filtering in their 1394 network stack, at least regarding 127.0.0.0/8, some will allow 1395 packets claiming to be from 127.0.0.0/8 that arrive over a 1396 physical network. On these OSes, if ntpd is configured to use a 1397 reference clock an attacker can inject packets over the network 1398 that look like they are coming from that reference clock. 1399 Mitigation: 1400 Implement martian packet filtering and BCP-38. 1401 Configure ntpd to use an adequate number of time sources. 1402 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1403 or the NTP Public Services Project Download Page 1404 If you are unable to upgrade and if you are running an OS that 1405 has this vulnerability, implement martian packet filters and 1406 lobby your OS vendor to fix this problem, or run your 1407 refclocks on computers that use OSes that are not vulnerable 1408 to these attacks and have your vulnerable machines get their 1409 time from protected resources. 1410 Properly monitor your ntpd instances. 1411 Credit: This weakness was discovered by Matt Street and others of 1412 Cisco ASIG. 1413 1414The following issues were fixed in earlier releases and contain 1415improvements in 4.2.8p7: 1416 1417* Clients that receive a KoD should validate the origin timestamp field. 1418 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 1419 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1420 Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77. 1421 1422* Skeleton key: passive server with trusted key can serve time. 1423 References: Sec 2936 / CVE-2015-7974 1424 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1425 Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90. 1426 1427Two other vulnerabilities have been reported, and the mitigations 1428for these are as follows: 1429 1430* Interleave-pivot 1431 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1432 References: Sec 2978 / CVE-2016-1548 1433 Affects: All ntp-4 releases. 1434 CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P) 1435 CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L 1436 Summary: It is possible to change the time of an ntpd client or deny 1437 service to an ntpd client by forcing it to change from basic 1438 client/server mode to interleaved symmetric mode. An attacker 1439 can spoof a packet from a legitimate ntpd server with an origin 1440 timestamp that matches the peer->dst timestamp recorded for that 1441 server. After making this switch, the client will reject all 1442 future legitimate server responses. It is possible to force the 1443 victim client to move time after the mode has been changed. 1444 ntpq gives no indication that the mode has been switched. 1445 Mitigation: 1446 Implement BCP-38. 1447 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1448 or the NTP Public Services Project Download Page. These 1449 versions will not dynamically "flip" into interleave mode 1450 unless configured to do so. 1451 Properly monitor your ntpd instances. 1452 Credit: This weakness was discovered by Miroslav Lichvar of RedHat 1453 and separately by Jonathan Gardner of Cisco ASIG. 1454 1455* Sybil vulnerability: ephemeral association attack 1456 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1457 References: Sec 3012 / CVE-2016-1549 1458 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1459 4.3.0 up to, but not including 4.3.92 1460 CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 1461 CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 1462 Summary: ntpd can be vulnerable to Sybil attacks. If one is not using 1463 the feature introduced in ntp-4.2.8p6 allowing an optional 4th 1464 field in the ntp.keys file to specify which IPs can serve time, 1465 a malicious authenticated peer can create arbitrarily-many 1466 ephemeral associations in order to win the clock selection of 1467 ntpd and modify a victim's clock. 1468 Mitigation: 1469 Implement BCP-38. 1470 Use the 4th field in the ntp.keys file to specify which IPs 1471 can be time servers. 1472 Properly monitor your ntpd instances. 1473 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 1474 1475Other fixes: 1476 1477* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org 1478 - fixed yet another race condition in the threaded resolver code. 1479* [Bug 2858] bool support. Use stdbool.h when available. HStenn. 1480* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org 1481 - integrated patches by Loganaden Velvidron <logan@ntp.org> 1482 with some modifications & unit tests 1483* [Bug 2960] async name resolution fixes for chroot() environments. 1484 Reinhard Max. 1485* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org 1486* [Bug 2995] Fixes to compile on Windows 1487* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org 1488* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org 1489 - Patch provided by Ch. Weisgerber 1490* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character" 1491 - A change related to [Bug 2853] forbids trailing white space in 1492 remote config commands. perlinger@ntp.org 1493* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE 1494 - report and patch from Aleksandr Kostikov. 1495 - Overhaul of Windows IO completion port handling. perlinger@ntp.org 1496* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org 1497 - fixed memory leak in access list (auth[read]keys.c) 1498 - refactored handling of key access lists (auth[read]keys.c) 1499 - reduced number of error branches (authreadkeys.c) 1500* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org 1501* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn. 1502* [Bug 3031] ntp broadcastclient unable to synchronize to an server 1503 when the time of server changed. perlinger@ntp.org 1504 - Check the initial delay calculation and reject/unpeer the broadcast 1505 server if the delay exceeds 50ms. Retry again after the next 1506 broadcast packet. 1507* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn. 1508* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn. 1509* Update html/xleave.html documentation. Harlan Stenn. 1510* Update ntp.conf documentation. Harlan Stenn. 1511* Fix some Credit: attributions in the NEWS file. Harlan Stenn. 1512* Fix typo in html/monopt.html. Harlan Stenn. 1513* Add README.pullrequests. Harlan Stenn. 1514* Cleanup to include/ntp.h. Harlan Stenn. 1515 1516New option to 'configure': 1517 1518While looking in to the issues around Bug 2978, the "interleave pivot" 1519issue, it became clear that there are some intricate and unresolved 1520issues with interleave operations. We also realized that the interleave 1521protocol was never added to the NTPv4 Standard, and it should have been. 1522 1523Interleave mode was first released in July of 2008, and can be engaged 1524in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may 1525contain the 'xleave' option, which will expressly enable interlave mode 1526for that association. Additionally, if a time packet arrives and is 1527found inconsistent with normal protocol behavior but has certain 1528characteristics that are compatible with interleave mode, NTP will 1529dynamically switch to interleave mode. With sufficient knowledge, an 1530attacker can send a crafted forged packet to an NTP instance that 1531triggers only one side to enter interleaved mode. 1532 1533To prevent this attack until we can thoroughly document, describe, 1534fix, and test the dynamic interleave mode, we've added a new 1535'configure' option to the build process: 1536 1537 --enable-dynamic-interleave 1538 1539This option controls whether or not NTP will, if conditions are right, 1540engage dynamic interleave mode. Dynamic interleave mode is disabled by 1541default in ntp-4.2.8p7. 1542 1543--- 1544NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20) 1545 1546Focus: Security, Bug fixes, enhancements. 1547 1548Severity: MEDIUM 1549 1550In addition to bug fixes and enhancements, this release fixes the 1551following 1 low- and 8 medium-severity vulnerabilities: 1552 1553* Potential Infinite Loop in 'ntpq' 1554 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1555 References: Sec 2548 / CVE-2015-8158 1556 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1557 4.3.0 up to, but not including 4.3.90 1558 CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 1559 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM 1560 Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'. 1561 The loop's only stopping conditions are receiving a complete and 1562 correct response or hitting a small number of error conditions. 1563 If the packet contains incorrect values that don't trigger one of 1564 the error conditions, the loop continues to receive new packets. 1565 Note well, this is an attack against an instance of 'ntpq', not 1566 'ntpd', and this attack requires the attacker to do one of the 1567 following: 1568 * Own a malicious NTP server that the client trusts 1569 * Prevent a legitimate NTP server from sending packets to 1570 the 'ntpq' client 1571 * MITM the 'ntpq' communications between the 'ntpq' client 1572 and the NTP server 1573 Mitigation: 1574 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1575 or the NTP Public Services Project Download Page 1576 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. 1577 1578* 0rigin: Zero Origin Timestamp Bypass 1579 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1580 References: Sec 2945 / CVE-2015-8138 1581 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1582 4.3.0 up to, but not including 4.3.90 1583 CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM 1584 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM 1585 (3.7 - LOW if you score AC:L) 1586 Summary: To distinguish legitimate peer responses from forgeries, a 1587 client attempts to verify a response packet by ensuring that the 1588 origin timestamp in the packet matches the origin timestamp it 1589 transmitted in its last request. A logic error exists that 1590 allows packets with an origin timestamp of zero to bypass this 1591 check whenever there is not an outstanding request to the server. 1592 Mitigation: 1593 Configure 'ntpd' to get time from multiple sources. 1594 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1595 or the NTP Public Services Project Download Page. 1596 Monitor your 'ntpd' instances. 1597 Credit: This weakness was discovered by Matthey Van Gundy and 1598 Jonathan Gardner of Cisco ASIG. 1599 1600* Stack exhaustion in recursive traversal of restriction list 1601 Date Resolved: Stable (4.2.8p6) 19 Jan 2016 1602 References: Sec 2940 / CVE-2015-7978 1603 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1604 4.3.0 up to, but not including 4.3.90 1605 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 1606 Summary: An unauthenticated 'ntpdc reslist' command can cause a 1607 segmentation fault in ntpd by exhausting the call stack. 1608 Mitigation: 1609 Implement BCP-38. 1610 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1611 or the NTP Public Services Project Download Page. 1612 If you are unable to upgrade: 1613 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 1614 If you must enable mode 7: 1615 configure the use of a 'requestkey' to control who can 1616 issue mode 7 requests. 1617 configure 'restrict noquery' to further limit mode 7 1618 requests to trusted sources. 1619 Monitor your ntpd instances. 1620 Credit: This weakness was discovered by Stephen Gray at Cisco ASIG. 1621 1622* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode 1623 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1624 References: Sec 2942 / CVE-2015-7979 1625 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1626 4.3.0 up to, but not including 4.3.90 1627 CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8 1628 Summary: An off-path attacker can send broadcast packets with bad 1629 authentication (wrong key, mismatched key, incorrect MAC, etc) 1630 to broadcast clients. It is observed that the broadcast client 1631 tears down the association with the broadcast server upon 1632 receiving just one bad packet. 1633 Mitigation: 1634 Implement BCP-38. 1635 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1636 or the NTP Public Services Project Download Page. 1637 Monitor your 'ntpd' instances. 1638 If this sort of attack is an active problem for you, you have 1639 deeper problems to investigate. In this case also consider 1640 having smaller NTP broadcast domains. 1641 Credit: This weakness was discovered by Aanchal Malhotra of Boston 1642 University. 1643 1644* reslist NULL pointer dereference 1645 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1646 References: Sec 2939 / CVE-2015-7977 1647 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1648 4.3.0 up to, but not including 4.3.90 1649 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 1650 Summary: An unauthenticated 'ntpdc reslist' command can cause a 1651 segmentation fault in ntpd by causing a NULL pointer dereference. 1652 Mitigation: 1653 Implement BCP-38. 1654 Upgrade to 4.2.8p6, or later, from NTP Project Download Page or 1655 the NTP Public Services Project Download Page. 1656 If you are unable to upgrade: 1657 mode 7 is disabled by default. Don't enable it. 1658 If you must enable mode 7: 1659 configure the use of a 'requestkey' to control who can 1660 issue mode 7 requests. 1661 configure 'restrict noquery' to further limit mode 7 1662 requests to trusted sources. 1663 Monitor your ntpd instances. 1664 Credit: This weakness was discovered by Stephen Gray of Cisco ASIG. 1665 1666* 'ntpq saveconfig' command allows dangerous characters in filenames. 1667 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1668 References: Sec 2938 / CVE-2015-7976 1669 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1670 4.3.0 up to, but not including 4.3.90 1671 CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM 1672 Summary: The ntpq saveconfig command does not do adequate filtering 1673 of special characters from the supplied filename. 1674 Note well: The ability to use the saveconfig command is controlled 1675 by the 'restrict nomodify' directive, and the recommended default 1676 configuration is to disable this capability. If the ability to 1677 execute a 'saveconfig' is required, it can easily (and should) be 1678 limited and restricted to a known small number of IP addresses. 1679 Mitigation: 1680 Implement BCP-38. 1681 use 'restrict default nomodify' in your 'ntp.conf' file. 1682 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page. 1683 If you are unable to upgrade: 1684 build NTP with 'configure --disable-saveconfig' if you will 1685 never need this capability, or 1686 use 'restrict default nomodify' in your 'ntp.conf' file. Be 1687 careful about what IPs have the ability to send 'modify' 1688 requests to 'ntpd'. 1689 Monitor your ntpd instances. 1690 'saveconfig' requests are logged to syslog - monitor your syslog files. 1691 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. 1692 1693* nextvar() missing length check in ntpq 1694 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1695 References: Sec 2937 / CVE-2015-7975 1696 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1697 4.3.0 up to, but not including 4.3.90 1698 CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW 1699 If you score A:C, this becomes 4.0. 1700 CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW 1701 Summary: ntpq may call nextvar() which executes a memcpy() into the 1702 name buffer without a proper length check against its maximum 1703 length of 256 bytes. Note well that we're taking about ntpq here. 1704 The usual worst-case effect of this vulnerability is that the 1705 specific instance of ntpq will crash and the person or process 1706 that did this will have stopped themselves. 1707 Mitigation: 1708 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1709 or the NTP Public Services Project Download Page. 1710 If you are unable to upgrade: 1711 If you have scripts that feed input to ntpq make sure there are 1712 some sanity checks on the input received from the "outside". 1713 This is potentially more dangerous if ntpq is run as root. 1714 Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG. 1715 1716* Skeleton Key: Any trusted key system can serve time 1717 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1718 References: Sec 2936 / CVE-2015-7974 1719 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1720 4.3.0 up to, but not including 4.3.90 1721 CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9 1722 Summary: Symmetric key encryption uses a shared trusted key. The 1723 reported title for this issue was "Missing key check allows 1724 impersonation between authenticated peers" and the report claimed 1725 "A key specified only for one server should only work to 1726 authenticate that server, other trusted keys should be refused." 1727 Except there has never been any correlation between this trusted 1728 key and server v. clients machines and there has never been any 1729 way to specify a key only for one server. We have treated this as 1730 an enhancement request, and ntp-4.2.8p6 includes other checks and 1731 tests to strengthen clients against attacks coming from broadcast 1732 servers. 1733 Mitigation: 1734 Implement BCP-38. 1735 If this scenario represents a real or a potential issue for you, 1736 upgrade to 4.2.8p6, or later, from the NTP Project Download 1737 Page or the NTP Public Services Project Download Page, and 1738 use the new field in the ntp.keys file that specifies the list 1739 of IPs that are allowed to serve time. Note that this alone 1740 will not protect against time packets with forged source IP 1741 addresses, however other changes in ntp-4.2.8p6 provide 1742 significant mitigation against broadcast attacks. MITM attacks 1743 are a different story. 1744 If you are unable to upgrade: 1745 Don't use broadcast mode if you cannot monitor your client 1746 servers. 1747 If you choose to use symmetric keys to authenticate time 1748 packets in a hostile environment where ephemeral time 1749 servers can be created, or if it is expected that malicious 1750 time servers will participate in an NTP broadcast domain, 1751 limit the number of participating systems that participate 1752 in the shared-key group. 1753 Monitor your ntpd instances. 1754 Credit: This weakness was discovered by Matt Street of Cisco ASIG. 1755 1756* Deja Vu: Replay attack on authenticated broadcast mode 1757 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1758 References: Sec 2935 / CVE-2015-7973 1759 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1760 4.3.0 up to, but not including 4.3.90 1761 CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM 1762 Summary: If an NTP network is configured for broadcast operations then 1763 either a man-in-the-middle attacker or a malicious participant 1764 that has the same trusted keys as the victim can replay time packets. 1765 Mitigation: 1766 Implement BCP-38. 1767 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1768 or the NTP Public Services Project Download Page. 1769 If you are unable to upgrade: 1770 Don't use broadcast mode if you cannot monitor your client servers. 1771 Monitor your ntpd instances. 1772 Credit: This weakness was discovered by Aanchal Malhotra of Boston 1773 University. 1774 1775Other fixes: 1776 1777* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org 1778* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org 1779 - applied patch by shenpeng11@huawei.com with minor adjustments 1780* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org 1781* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org 1782* [Bug 2892] Several test cases assume IPv6 capabilities even when 1783 IPv6 is disabled in the build. perlinger@ntp.org 1784 - Found this already fixed, but validation led to cleanup actions. 1785* [Bug 2905] DNS lookups broken. perlinger@ntp.org 1786 - added limits to stack consumption, fixed some return code handling 1787* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 1788 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org 1789 - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org 1790* [Bug 2980] reduce number of warnings. perlinger@ntp.org 1791 - integrated several patches from Havard Eidnes (he@uninett.no) 1792* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org 1793 - implement 'auth_log2()' using integer bithack instead of float calculation 1794* Make leapsec_query debug messages less verbose. Harlan Stenn. 1795 1796--- 1797NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07) 1798 1799Focus: Security, Bug fixes, enhancements. 1800 1801Severity: MEDIUM 1802 1803In addition to bug fixes and enhancements, this release fixes the 1804following medium-severity vulnerability: 1805 1806* Small-step/big-step. Close the panic gate earlier. 1807 References: Sec 2956, CVE-2015-5300 1808 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and 1809 4.3.0 up to, but not including 4.3.78 1810 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM 1811 Summary: If ntpd is always started with the -g option, which is 1812 common and against long-standing recommendation, and if at the 1813 moment ntpd is restarted an attacker can immediately respond to 1814 enough requests from enough sources trusted by the target, which 1815 is difficult and not common, there is a window of opportunity 1816 where the attacker can cause ntpd to set the time to an 1817 arbitrary value. Similarly, if an attacker is able to respond 1818 to enough requests from enough sources trusted by the target, 1819 the attacker can cause ntpd to abort and restart, at which 1820 point it can tell the target to set the time to an arbitrary 1821 value if and only if ntpd was re-started against long-standing 1822 recommendation with the -g flag, or if ntpd was not given the 1823 -g flag, the attacker can move the target system's time by at 1824 most 900 seconds' time per attack. 1825 Mitigation: 1826 Configure ntpd to get time from multiple sources. 1827 Upgrade to 4.2.8p5, or later, from the NTP Project Download 1828 Page or the NTP Public Services Project Download Page 1829 As we've long documented, only use the -g option to ntpd in 1830 cold-start situations. 1831 Monitor your ntpd instances. 1832 Credit: This weakness was discovered by Aanchal Malhotra, 1833 Isaac E. Cohen, and Sharon Goldberg at Boston University. 1834 1835 NOTE WELL: The -g flag disables the limit check on the panic_gate 1836 in ntpd, which is 900 seconds by default. The bug identified by 1837 the researchers at Boston University is that the panic_gate 1838 check was only re-enabled after the first change to the system 1839 clock that was greater than 128 milliseconds, by default. The 1840 correct behavior is that the panic_gate check should be 1841 re-enabled after any initial time correction. 1842 1843 If an attacker is able to inject consistent but erroneous time 1844 responses to your systems via the network or "over the air", 1845 perhaps by spoofing radio, cellphone, or navigation satellite 1846 transmissions, they are in a great position to affect your 1847 system's clock. There comes a point where your very best 1848 defenses include: 1849 1850 Configure ntpd to get time from multiple sources. 1851 Monitor your ntpd instances. 1852 1853Other fixes: 1854 1855* Coverity submission process updated from Coverity 5 to Coverity 7. 1856 The NTP codebase has been undergoing regular Coverity scans on an 1857 ongoing basis since 2006. As part of our recent upgrade from 1858 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of 1859 the newly-written Unity test programs. These were fixed. 1860* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org 1861* [Bug 2887] stratum -1 config results as showing value 99 1862 - fudge stratum should only accept values [0..16]. perlinger@ntp.org 1863* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn. 1864* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray 1865* [Bug 2944] errno is not preserved properly in ntpdate after sendto call. 1866 - applied patch by Christos Zoulas. perlinger@ntp.org 1867* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704. 1868* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes. 1869 - fixed data race conditions in threaded DNS worker. perlinger@ntp.org 1870 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org 1871* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org 1872 - accept key file only if there are no parsing errors 1873 - fixed size_t/u_int format clash 1874 - fixed wrong use of 'strlcpy' 1875* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. 1876* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org 1877 - fixed several other warnings (cast-alignment, missing const, missing prototypes) 1878 - promote use of 'size_t' for values that express a size 1879 - use ptr-to-const for read-only arguments 1880 - make sure SOCKET values are not truncated (win32-specific) 1881 - format string fixes 1882* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. 1883* [Bug 2967] ntpdate command suffers an assertion failure 1884 - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org 1885* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with 1886 lots of clients. perlinger@ntp.org 1887* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 1888 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org 1889* Unity cleanup for FreeBSD-6.4. Harlan Stenn. 1890* Unity test cleanup. Harlan Stenn. 1891* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. 1892* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. 1893* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. 1894* Quiet a warning from clang. Harlan Stenn. 1895 1896--- 1897NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21) 1898 1899Focus: Security, Bug fixes, enhancements. 1900 1901Severity: MEDIUM 1902 1903In addition to bug fixes and enhancements, this release fixes the 1904following 13 low- and medium-severity vulnerabilities: 1905 1906* Incomplete vallen (value length) checks in ntp_crypto.c, leading 1907 to potential crashes or potential code injection/information leakage. 1908 1909 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 1910 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 1911 and 4.3.0 up to, but not including 4.3.77 1912 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 1913 Summary: The fix for CVE-2014-9750 was incomplete in that there were 1914 certain code paths where a packet with particular autokey operations 1915 that contained malicious data was not always being completely 1916 validated. Receipt of these packets can cause ntpd to crash. 1917 Mitigation: 1918 Don't use autokey. 1919 Upgrade to 4.2.8p4, or later, from the NTP Project Download 1920 Page or the NTP Public Services Project Download Page 1921 Monitor your ntpd instances. 1922 Credit: This weakness was discovered by Tenable Network Security. 1923 1924* Clients that receive a KoD should validate the origin timestamp field. 1925 1926 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 1927 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 1928 and 4.3.0 up to, but not including 4.3.77 1929 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst 1930 Summary: An ntpd client that honors Kiss-of-Death responses will honor 1931 KoD messages that have been forged by an attacker, causing it to 1932 delay or stop querying its servers for time updates. Also, an 1933 attacker can forge packets that claim to be from the target and 1934 send them to servers often enough that a server that implements 1935 KoD rate limiting will send the target machine a KoD response to 1936 attempt to reduce the rate of incoming packets, or it may also 1937 trigger a firewall block at the server for packets from the target 1938 machine. For either of these attacks to succeed, the attacker must 1939 know what servers the target is communicating with. An attacker 1940 can be anywhere on the Internet and can frequently learn the 1941 identity of the target's time source by sending the target a 1942 time query. 1943 Mitigation: 1944 Implement BCP-38. 1945 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page 1946 or the NTP Public Services Project Download Page 1947 If you can't upgrade, restrict who can query ntpd to learn who 1948 its servers are, and what IPs are allowed to ask your system 1949 for the time. This mitigation is heavy-handed. 1950 Monitor your ntpd instances. 1951 Note: 1952 4.2.8p4 protects against the first attack. For the second attack, 1953 all we can do is warn when it is happening, which we do in 4.2.8p4. 1954 Credit: This weakness was discovered by Aanchal Malhotra, 1955 Issac E. Cohen, and Sharon Goldberg of Boston University. 1956 1957* configuration directives to change "pidfile" and "driftfile" should 1958 only be allowed locally. 1959 1960 References: Sec 2902 / CVE-2015-5196 1961 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 1962 and 4.3.0 up to, but not including 4.3.77 1963 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case 1964 Summary: If ntpd is configured to allow for remote configuration, 1965 and if the (possibly spoofed) source IP address is allowed to 1966 send remote configuration requests, and if the attacker knows 1967 the remote configuration password, it's possible for an attacker 1968 to use the "pidfile" or "driftfile" directives to potentially 1969 overwrite other files. 1970 Mitigation: 1971 Implement BCP-38. 1972 Upgrade to 4.2.8p4, or later, from the NTP Project Download 1973 Page or the NTP Public Services Project Download Page 1974 If you cannot upgrade, don't enable remote configuration. 1975 If you must enable remote configuration and cannot upgrade, 1976 remote configuration of NTF's ntpd requires: 1977 - an explicitly configured trustedkey, and you should also 1978 configure a controlkey. 1979 - access from a permitted IP. You choose the IPs. 1980 - authentication. Don't disable it. Practice secure key safety. 1981 Monitor your ntpd instances. 1982 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1983 1984* Slow memory leak in CRYPTO_ASSOC 1985 1986 References: Sec 2909 / CVE-2015-7701 1987 Affects: All ntp-4 releases that use autokey up to, but not 1988 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 1989 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case, 1990 4.6 otherwise 1991 Summary: If ntpd is configured to use autokey, then an attacker can 1992 send packets to ntpd that will, after several days of ongoing 1993 attack, cause it to run out of memory. 1994 Mitigation: 1995 Don't use autokey. 1996 Upgrade to 4.2.8p4, or later, from the NTP Project Download 1997 Page or the NTP Public Services Project Download Page 1998 Monitor your ntpd instances. 1999 Credit: This weakness was discovered by Tenable Network Security. 2000 2001* mode 7 loop counter underrun 2002 2003 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052 2004 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 2005 and 4.3.0 up to, but not including 4.3.77 2006 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 2007 Summary: If ntpd is configured to enable mode 7 packets, and if the 2008 use of mode 7 packets is not properly protected thru the use of 2009 the available mode 7 authentication and restriction mechanisms, 2010 and if the (possibly spoofed) source IP address is allowed to 2011 send mode 7 queries, then an attacker can send a crafted packet 2012 to ntpd that will cause it to crash. 2013 Mitigation: 2014 Implement BCP-38. 2015 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2016 Page or the NTP Public Services Project Download Page. 2017 If you are unable to upgrade: 2018 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 2019 If you must enable mode 7: 2020 configure the use of a requestkey to control who can issue 2021 mode 7 requests. 2022 configure restrict noquery to further limit mode 7 requests 2023 to trusted sources. 2024 Monitor your ntpd instances. 2025Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. 2026 2027* memory corruption in password store 2028 2029 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054 2030 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 2031 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case 2032 Summary: If ntpd is configured to allow remote configuration, and if 2033 the (possibly spoofed) source IP address is allowed to send 2034 remote configuration requests, and if the attacker knows the 2035 remote configuration password or if ntpd was configured to 2036 disable authentication, then an attacker can send a set of 2037 packets to ntpd that may cause a crash or theoretically 2038 perform a code injection attack. 2039 Mitigation: 2040 Implement BCP-38. 2041 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2042 Page or the NTP Public Services Project Download Page. 2043 If you are unable to upgrade, remote configuration of NTF's 2044 ntpd requires: 2045 an explicitly configured "trusted" key. Only configure 2046 this if you need it. 2047 access from a permitted IP address. You choose the IPs. 2048 authentication. Don't disable it. Practice secure key safety. 2049 Monitor your ntpd instances. 2050 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2051 2052* Infinite loop if extended logging enabled and the logfile and 2053 keyfile are the same. 2054 2055 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055 2056 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 2057 and 4.3.0 up to, but not including 4.3.77 2058 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 2059 Summary: If ntpd is configured to allow remote configuration, and if 2060 the (possibly spoofed) source IP address is allowed to send 2061 remote configuration requests, and if the attacker knows the 2062 remote configuration password or if ntpd was configured to 2063 disable authentication, then an attacker can send a set of 2064 packets to ntpd that will cause it to crash and/or create a 2065 potentially huge log file. Specifically, the attacker could 2066 enable extended logging, point the key file at the log file, 2067 and cause what amounts to an infinite loop. 2068 Mitigation: 2069 Implement BCP-38. 2070 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2071 Page or the NTP Public Services Project Download Page. 2072 If you are unable to upgrade, remote configuration of NTF's ntpd 2073 requires: 2074 an explicitly configured "trusted" key. Only configure this 2075 if you need it. 2076 access from a permitted IP address. You choose the IPs. 2077 authentication. Don't disable it. Practice secure key safety. 2078 Monitor your ntpd instances. 2079 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2080 2081* Potential path traversal vulnerability in the config file saving of 2082 ntpd on VMS. 2083 2084 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062 2085 Affects: All ntp-4 releases running under VMS up to, but not 2086 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 2087 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case 2088 Summary: If ntpd is configured to allow remote configuration, and if 2089 the (possibly spoofed) IP address is allowed to send remote 2090 configuration requests, and if the attacker knows the remote 2091 configuration password or if ntpd was configured to disable 2092 authentication, then an attacker can send a set of packets to 2093 ntpd that may cause ntpd to overwrite files. 2094 Mitigation: 2095 Implement BCP-38. 2096 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2097 Page or the NTP Public Services Project Download Page. 2098 If you are unable to upgrade, remote configuration of NTF's ntpd 2099 requires: 2100 an explicitly configured "trusted" key. Only configure 2101 this if you need it. 2102 access from permitted IP addresses. You choose the IPs. 2103 authentication. Don't disable it. Practice key security safety. 2104 Monitor your ntpd instances. 2105 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2106 2107* ntpq atoascii() potential memory corruption 2108 2109 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063 2110 Affects: All ntp-4 releases running up to, but not including 4.2.8p4, 2111 and 4.3.0 up to, but not including 4.3.77 2112 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case 2113 Summary: If an attacker can figure out the precise moment that ntpq 2114 is listening for data and the port number it is listening on or 2115 if the attacker can provide a malicious instance ntpd that 2116 victims will connect to then an attacker can send a set of 2117 crafted mode 6 response packets that, if received by ntpq, 2118 can cause ntpq to crash. 2119 Mitigation: 2120 Implement BCP-38. 2121 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2122 Page or the NTP Public Services Project Download Page. 2123 If you are unable to upgrade and you run ntpq against a server 2124 and ntpq crashes, try again using raw mode. Build or get a 2125 patched ntpq and see if that fixes the problem. Report new 2126 bugs in ntpq or abusive servers appropriately. 2127 If you use ntpq in scripts, make sure ntpq does what you expect 2128 in your scripts. 2129 Credit: This weakness was discovered by Yves Younan and 2130 Aleksander Nikolich of Cisco Talos. 2131 2132* Invalid length data provided by a custom refclock driver could cause 2133 a buffer overflow. 2134 2135 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064 2136 Affects: Potentially all ntp-4 releases running up to, but not 2137 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 2138 that have custom refclocks 2139 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case, 2140 5.9 unusual worst case 2141 Summary: A negative value for the datalen parameter will overflow a 2142 data buffer. NTF's ntpd driver implementations always set this 2143 value to 0 and are therefore not vulnerable to this weakness. 2144 If you are running a custom refclock driver in ntpd and that 2145 driver supplies a negative value for datalen (no custom driver 2146 of even minimal competence would do this) then ntpd would 2147 overflow a data buffer. It is even hypothetically possible 2148 in this case that instead of simply crashing ntpd the attacker 2149 could effect a code injection attack. 2150 Mitigation: 2151 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2152 Page or the NTP Public Services Project Download Page. 2153 If you are unable to upgrade: 2154 If you are running custom refclock drivers, make sure 2155 the signed datalen value is either zero or positive. 2156 Monitor your ntpd instances. 2157 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2158 2159* Password Length Memory Corruption Vulnerability 2160 2161 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065 2162 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 2163 4.3.0 up to, but not including 4.3.77 2164 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case, 2165 1.7 usual case, 6.8, worst case 2166 Summary: If ntpd is configured to allow remote configuration, and if 2167 the (possibly spoofed) source IP address is allowed to send 2168 remote configuration requests, and if the attacker knows the 2169 remote configuration password or if ntpd was (foolishly) 2170 configured to disable authentication, then an attacker can 2171 send a set of packets to ntpd that may cause it to crash, 2172 with the hypothetical possibility of a small code injection. 2173 Mitigation: 2174 Implement BCP-38. 2175 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2176 Page or the NTP Public Services Project Download Page. 2177 If you are unable to upgrade, remote configuration of NTF's 2178 ntpd requires: 2179 an explicitly configured "trusted" key. Only configure 2180 this if you need it. 2181 access from a permitted IP address. You choose the IPs. 2182 authentication. Don't disable it. Practice secure key safety. 2183 Monitor your ntpd instances. 2184 Credit: This weakness was discovered by Yves Younan and 2185 Aleksander Nikolich of Cisco Talos. 2186 2187* decodenetnum() will ASSERT botch instead of returning FAIL on some 2188 bogus values. 2189 2190 References: Sec 2922 / CVE-2015-7855 2191 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 2192 4.3.0 up to, but not including 4.3.77 2193 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 2194 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing 2195 an unusually long data value where a network address is expected, 2196 the decodenetnum() function will abort with an assertion failure 2197 instead of simply returning a failure condition. 2198 Mitigation: 2199 Implement BCP-38. 2200 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2201 Page or the NTP Public Services Project Download Page. 2202 If you are unable to upgrade: 2203 mode 7 is disabled by default. Don't enable it. 2204 Use restrict noquery to limit who can send mode 6 2205 and mode 7 requests. 2206 Configure and use the controlkey and requestkey 2207 authentication directives to limit who can 2208 send mode 6 and mode 7 requests. 2209 Monitor your ntpd instances. 2210 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 2211 2212* NAK to the Future: Symmetric association authentication bypass via 2213 crypto-NAK. 2214 2215 References: Sec 2941 / CVE-2015-7871 2216 Affects: All ntp-4 releases between 4.2.5p186 up to but not including 2217 4.2.8p4, and 4.3.0 up to but not including 4.3.77 2218 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4 2219 Summary: Crypto-NAK packets can be used to cause ntpd to accept time 2220 from unauthenticated ephemeral symmetric peers by bypassing the 2221 authentication required to mobilize peer associations. This 2222 vulnerability appears to have been introduced in ntp-4.2.5p186 2223 when the code handling mobilization of new passive symmetric 2224 associations (lines 1103-1165) was refactored. 2225 Mitigation: 2226 Implement BCP-38. 2227 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2228 Page or the NTP Public Services Project Download Page. 2229 If you are unable to upgrade: 2230 Apply the patch to the bottom of the "authentic" check 2231 block around line 1136 of ntp_proto.c. 2232 Monitor your ntpd instances. 2233 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 2234 2235Backward-Incompatible changes: 2236* [Bug 2817] Default on Linux is now "rlimit memlock -1". 2237 While the general default of 32M is still the case, under Linux 2238 the default value has been changed to -1 (do not lock ntpd into 2239 memory). A value of 0 means "lock ntpd into memory with whatever 2240 memory it needs." If your ntp.conf file has an explicit "rlimit memlock" 2241 value in it, that value will continue to be used. 2242 2243* [Bug 2886] Misspelling: "outlyer" should be "outlier". 2244 If you've written a script that looks for this case in, say, the 2245 output of ntpq, you probably want to change your regex matches 2246 from 'outlyer' to 'outl[iy]er'. 2247 2248New features in this release: 2249* 'rlimit memlock' now has finer-grained control. A value of -1 means 2250 "don't lock ntpd into memore". This is the default for Linux boxes. 2251 A value of 0 means "lock ntpd into memory" with no limits. Otherwise 2252 the value is the number of megabytes of memory to lock. The default 2253 is 32 megabytes. 2254 2255* The old Google Test framework has been replaced with a new framework, 2256 based on http://www.throwtheswitch.org/unity/ . 2257 2258Bug Fixes and Improvements: 2259* [Bug 2332] (reopened) Exercise thread cancellation once before dropping 2260 privileges and limiting resources in NTPD removes the need to link 2261 forcefully against 'libgcc_s' which does not always work. J.Perlinger 2262* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn. 2263* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn. 2264* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn. 2265* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org 2266* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn. 2267* [Bug 2849] Systems with more than one default route may never 2268 synchronize. Brian Utterback. Note that this patch might need to 2269 be reverted once Bug 2043 has been fixed. 2270* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger 2271* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn. 2272* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger 2273* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn 2274* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn 2275* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must 2276 be configured for the distribution targets. Harlan Stenn. 2277* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar. 2278* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org 2279* [Bug 2888] streamline calendar functions. perlinger@ntp.org 2280* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org 2281* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov. 2282* [Bug 2906] make check needs better support for pthreads. Harlan Stenn. 2283* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn. 2284* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn. 2285* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn. 2286* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn. 2287* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn. 2288* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn. 2289* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn. 2290* top_srcdir can change based on ntp v. sntp. Harlan Stenn. 2291* sntp/tests/ function parameter list cleanup. Damir Tomi��. 2292* tests/libntp/ function parameter list cleanup. Damir Tomi��. 2293* tests/ntpd/ function parameter list cleanup. Damir Tomi��. 2294* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn. 2295* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn. 2296* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomi��. 2297* tests/libntp/ improvements in code and fixed error printing. Damir Tomi��. 2298* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 2299 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed 2300 formatting; first declaration, then code (C90); deleted unnecessary comments; 2301 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich 2302* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments, 2303 fix formatting, cleanup. Tomasz Flendrich 2304* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting. 2305 Tomasz Flendrich 2306* tests/libntp/statestr.c remove empty functions, remove unnecessary include, 2307 fix formatting. Tomasz Flendrich 2308* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich 2309* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich 2310* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting. 2311 Tomasz Flendrich 2312* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich 2313* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich 2314* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich 2315* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich 2316* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich 2317* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting. 2318* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include, 2319fixed formatting. Tomasz Flendrich 2320* tests/libntp/timespecops.c fixed formatting, fixed the order of includes, 2321 removed unnecessary comments, cleanup. Tomasz Flendrich 2322* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary 2323 comments, cleanup. Tomasz Flendrich 2324* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting. 2325 Tomasz Flendrich 2326* tests/libntp/lfptest.h cleanup. Tomasz Flendrich 2327* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich 2328* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting. 2329 Tomasz Flendrich 2330* sntp/tests/kodDatabase.c added consts, deleted empty function, 2331 fixed formatting. Tomasz Flendrich 2332* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich 2333* sntp/tests/packetHandling.c is now using proper Unity's assertions, 2334 fixed formatting, deleted unused variable. Tomasz Flendrich 2335* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting. 2336 Tomasz Flendrich 2337* sntp/tests/packetProcessing.c changed from sprintf to snprintf, 2338 fixed formatting. Tomasz Flendrich 2339* sntp/tests/utilities.c is now using proper Unity's assertions, changed 2340 the order of includes, fixed formatting, removed unnecessary comments. 2341 Tomasz Flendrich 2342* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich 2343* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem, 2344 made one function do its job, deleted unnecessary prints, fixed formatting. 2345 Tomasz Flendrich 2346* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich 2347* sntp/unity/unity_config.h: Distribute it. Harlan Stenn. 2348* sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn. 2349* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn. 2350* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn. 2351* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn. 2352* Don't build sntp/libevent/sample/. Harlan Stenn. 2353* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn. 2354* br-flock: --enable-local-libevent. Harlan Stenn. 2355* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich 2356* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn. 2357* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn. 2358* Code cleanup. Harlan Stenn. 2359* libntp/icom.c: Typo fix. Harlan Stenn. 2360* util/ntptime.c: initialization nit. Harlan Stenn. 2361* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 2362* Add std_unity_tests to various Makefile.am files. Harlan Stenn. 2363* ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 2364 Tomasz Flendrich 2365* Changed progname to be const in many files - now it's consistent. Tomasz 2366 Flendrich 2367* Typo fix for GCC warning suppression. Harlan Stenn. 2368* Added tests/ntpd/ntp_scanner.c test. Damir Tomi��. 2369* Added declarations to all Unity tests, and did minor fixes to them. 2370 Reduced the number of warnings by half. Damir Tomi��. 2371* Updated generate_test_runner.rb and updated the sntp/unity/auto directory 2372 with the latest Unity updates from Mark. Damir Tomi��. 2373* Retire google test - phase I. Harlan Stenn. 2374* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 2375* Update the NEWS file. Harlan Stenn. 2376* Autoconf cleanup. Harlan Stenn. 2377* Unit test dist cleanup. Harlan Stenn. 2378* Cleanup various test Makefile.am files. Harlan Stenn. 2379* Pthread autoconf macro cleanup. Harlan Stenn. 2380* Fix progname definition in unity runner scripts. Harlan Stenn. 2381* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 2382* Update the patch for bug 2817. Harlan Stenn. 2383* More updates for bug 2817. Harlan Stenn. 2384* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 2385* gcc on older HPUX may need +allowdups. Harlan Stenn. 2386* Adding missing MCAST protection. Harlan Stenn. 2387* Disable certain test programs on certain platforms. Harlan Stenn. 2388* Implement --enable-problem-tests (on by default). Harlan Stenn. 2389* build system tweaks. Harlan Stenn. 2390 2391--- 2392NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 2393 2394Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 2395 2396Severity: MEDIUM 2397 2398Security Fix: 2399 2400* [Sec 2853] Crafted remote config packet can crash some versions of 2401 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. 2402 2403Under specific circumstances an attacker can send a crafted packet to 2404cause a vulnerable ntpd instance to crash. This requires each of the 2405following to be true: 2406 24071) ntpd set up to allow remote configuration (not allowed by default), and 24082) knowledge of the configuration password, and 24093) access to a computer entrusted to perform remote configuration. 2410 2411This vulnerability is considered low-risk. 2412 2413New features in this release: 2414 2415Optional (disabled by default) support to have ntpd provide smeared 2416leap second time. A specially built and configured ntpd will only 2417offer smeared time in response to client packets. These response 2418packets will also contain a "refid" of 254.a.b.c, where the 24 bits 2419of a, b, and c encode the amount of smear in a 2:22 integer:fraction 2420format. See README.leapsmear and http://bugs.ntp.org/2855 for more 2421information. 2422 2423 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* 2424 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* 2425 2426We've imported the Unity test framework, and have begun converting 2427the existing google-test items to this new framework. If you want 2428to write new tests or change old ones, you'll need to have ruby 2429installed. You don't need ruby to run the test suite. 2430 2431Bug Fixes and Improvements: 2432 2433* CID 739725: Fix a rare resource leak in libevent/listener.c. 2434* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776. 2435* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html 2436* CID 1269537: Clean up a line of dead code in getShmTime(). 2437* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach. 2438* [Bug 2590] autogen-5.18.5. 2439* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because 2440 of 'limited'. 2441* [Bug 2650] fix includefile processing. 2442* [Bug 2745] ntpd -x steps clock on leap second 2443 Fixed an initial-value problem that caused misbehaviour in absence of 2444 any leapsecond information. 2445 Do leap second stepping only of the step adjustment is beyond the 2446 proper jump distance limit and step correction is allowed at all. 2447* [Bug 2750] build for Win64 2448 Building for 32bit of loopback ppsapi needs def file 2449* [Bug 2776] Improve ntpq's 'help keytype'. 2450* [Bug 2778] Implement "apeers" ntpq command to include associd. 2451* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection. 2452* [Bug 2792] If the IFF_RUNNING interface flag is supported then an 2453 interface is ignored as long as this flag is not set since the 2454 interface is not usable (e.g., no link). 2455* [Bug 2794] Clean up kernel clock status reports. 2456* [Bug 2800] refclock_true.c true_debug() can't open debug log because 2457 of incompatible open/fdopen parameters. 2458* [Bug 2804] install-local-data assumes GNU 'find' semantics. 2459* [Bug 2805] ntpd fails to join multicast group. 2460* [Bug 2806] refclock_jjy.c supports the Telephone JJY. 2461* [Bug 2808] GPSD_JSON driver enhancements, step 1. 2462 Fix crash during cleanup if GPS device not present and char device. 2463 Increase internal token buffer to parse all JSON data, even SKY. 2464 Defer logging of errors during driver init until the first unit is 2465 started, so the syslog is not cluttered when the driver is not used. 2466 Various improvements, see http://bugs.ntp.org/2808 for details. 2467 Changed libjsmn to a more recent version. 2468* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX. 2469* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h. 2470* [Bug 2815] net-snmp before v5.4 has circular library dependencies. 2471* [Bug 2821] Add a missing NTP_PRINTF and a missing const. 2472* [Bug 2822] New leap column in sntp broke NTP::Util.pm. 2473* [Bug 2824] Convert update-leap to perl. (also see 2769) 2474* [Bug 2825] Quiet file installation in html/ . 2475* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey 2476 NTPD transfers the current TAI (instead of an announcement) now. 2477 This might still needed improvement. 2478 Update autokey data ASAP when 'sys_tai' changes. 2479 Fix unit test that was broken by changes for autokey update. 2480 Avoid potential signature length issue and use DPRINTF where possible 2481 in ntp_crypto.c. 2482* [Bug 2832] refclock_jjy.c supports the TDC-300. 2483* [Bug 2834] Correct a broken html tag in html/refclock.html 2484* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more 2485 robust, and require 2 consecutive timestamps to be consistent. 2486* [Bug 2837] Allow a configurable DSCP value. 2487* [Bug 2837] add test for DSCP to ntpd/complete.conf.in 2488* [Bug 2842] Glitch in ntp.conf.def documentation stanza. 2489* [Bug 2842] Bug in mdoc2man. 2490* [Bug 2843] make check fails on 4.3.36 2491 Fixed compiler warnings about numeric range overflow 2492 (The original topic was fixed in a byplay to bug#2830) 2493* [Bug 2845] Harden memory allocation in ntpd. 2494* [Bug 2852] 'make check' can't find unity.h. Hal Murray. 2495* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida. 2496* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn. 2497* [Bug 2855] Report leap smear in the REFID. Harlan Stenn. 2498* [Bug 2855] Implement conditional leap smear code. Martin Burnicki. 2499* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green. 2500* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green. 2501* [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel. 2502* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel. 2503* html/drivers/driver22.html: typo fix. Harlan Stenn. 2504* refidsmear test cleanup. Tomasz Flendrich. 2505* refidsmear function support and tests. Harlan Stenn. 2506* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested 2507 something that was only in the 4.2.6 sntp. Harlan Stenn. 2508* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests. 2509 Damir Tomi�� 2510* Modified tests/libtnp/Makefile.am so it builds Unity framework tests. 2511 Damir Tomi�� 2512* Modified sntp/tests/Makefile.am so it builds Unity framework tests. 2513 Damir Tomi�� 2514* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger. 2515* Converted from gtest to Unity: tests/bug-2803/. Damir Tomi�� 2516* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c, 2517 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 2518 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c, 2519 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c, 2520 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c. 2521 Damir Tomi�� 2522* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c, 2523 networking.c, keyFile.c, utilities.cpp, sntptest.h, 2524 fileHandlingTest.h. Damir Tomi�� 2525* Initial support for experimental leap smear code. Harlan Stenn. 2526* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn. 2527* Report select() debug messages at debug level 3 now. 2528* sntp/scripts/genLocInfo: treat raspbian as debian. 2529* Unity test framework fixes. 2530 ** Requires ruby for changes to tests. 2531* Initial support for PACKAGE_VERSION tests. 2532* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS. 2533* tests/bug-2803/Makefile.am must distribute bug-2803.h. 2534* Add an assert to the ntpq ifstats code. 2535* Clean up the RLIMIT_STACK code. 2536* Improve the ntpq documentation around the controlkey keyid. 2537* ntpq.c cleanup. 2538* Windows port build cleanup. 2539 2540--- 2541NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07) 2542 2543Focus: Security and Bug fixes, enhancements. 2544 2545Severity: MEDIUM 2546 2547In addition to bug fixes and enhancements, this release fixes the 2548following medium-severity vulnerabilities involving private key 2549authentication: 2550 2551* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 2552 2553 References: Sec 2779 / CVE-2015-1798 / VU#374268 2554 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not 2555 including ntp-4.2.8p2 where the installation uses symmetric keys 2556 to authenticate remote associations. 2557 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 2558 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 2559 Summary: When ntpd is configured to use a symmetric key to authenticate 2560 a remote NTP server/peer, it checks if the NTP message 2561 authentication code (MAC) in received packets is valid, but not if 2562 there actually is any MAC included. Packets without a MAC are 2563 accepted as if they had a valid MAC. This allows a MITM attacker to 2564 send false packets that are accepted by the client/peer without 2565 having to know the symmetric key. The attacker needs to know the 2566 transmit timestamp of the client to match it in the forged reply 2567 and the false reply needs to reach the client before the genuine 2568 reply from the server. The attacker doesn't necessarily need to be 2569 relaying the packets between the client and the server. 2570 2571 Authentication using autokey doesn't have this problem as there is 2572 a check that requires the key ID to be larger than NTP_MAXKEY, 2573 which fails for packets without a MAC. 2574 Mitigation: 2575 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 2576 or the NTP Public Services Project Download Page 2577 Configure ntpd with enough time sources and monitor it properly. 2578 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 2579 2580* [Sec 2781] Authentication doesn't protect symmetric associations against 2581 DoS attacks. 2582 2583 References: Sec 2781 / CVE-2015-1799 / VU#374268 2584 Affects: All NTP releases starting with at least xntp3.3wy up to but 2585 not including ntp-4.2.8p2 where the installation uses symmetric 2586 key authentication. 2587 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 2588 Note: the CVSS base Score for this issue could be 4.3 or lower, and 2589 it could be higher than 5.4. 2590 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 2591 Summary: An attacker knowing that NTP hosts A and B are peering with 2592 each other (symmetric association) can send a packet to host A 2593 with source address of B which will set the NTP state variables 2594 on A to the values sent by the attacker. Host A will then send 2595 on its next poll to B a packet with originate timestamp that 2596 doesn't match the transmit timestamp of B and the packet will 2597 be dropped. If the attacker does this periodically for both 2598 hosts, they won't be able to synchronize to each other. This is 2599 a known denial-of-service attack, described at 2600 https://www.eecis.udel.edu/~mills/onwire.html . 2601 2602 According to the document the NTP authentication is supposed to 2603 protect symmetric associations against this attack, but that 2604 doesn't seem to be the case. The state variables are updated even 2605 when authentication fails and the peers are sending packets with 2606 originate timestamps that don't match the transmit timestamps on 2607 the receiving side. 2608 2609 This seems to be a very old problem, dating back to at least 2610 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) 2611 specifications, so other NTP implementations with support for 2612 symmetric associations and authentication may be vulnerable too. 2613 An update to the NTP RFC to correct this error is in-process. 2614 Mitigation: 2615 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 2616 or the NTP Public Services Project Download Page 2617 Note that for users of autokey, this specific style of MITM attack 2618 is simply a long-known potential problem. 2619 Configure ntpd with appropriate time sources and monitor ntpd. 2620 Alert your staff if problems are detected. 2621 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 2622 2623* New script: update-leap 2624The update-leap script will verify and if necessary, update the 2625leap-second definition file. 2626It requires the following commands in order to work: 2627 2628 wget logger tr sed shasum 2629 2630Some may choose to run this from cron. It needs more portability testing. 2631 2632Bug Fixes and Improvements: 2633 2634* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003. 2635* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument. 2636* [Bug 2346] "graceful termination" signals do not do peer cleanup. 2637* [Bug 2728] See if C99-style structure initialization works. 2638* [Bug 2747] Upgrade libevent to 2.1.5-beta. 2639* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. . 2640* [Bug 2751] jitter.h has stale copies of l_fp macros. 2641* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM. 2642* [Bug 2757] Quiet compiler warnings. 2643* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq. 2644* [Bug 2763] Allow different thresholds for forward and backward steps. 2645* [Bug 2766] ntp-keygen output files should not be world-readable. 2646* [Bug 2767] ntp-keygen -M should symlink to ntp.keys. 2647* [Bug 2771] nonvolatile value is documented in wrong units. 2648* [Bug 2773] Early leap announcement from Palisade/Thunderbolt 2649* [Bug 2774] Unreasonably verbose printout - leap pending/warning 2650* [Bug 2775] ntp-keygen.c fails to compile under Windows. 2651* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info. 2652 Removed non-ASCII characters from some copyright comments. 2653 Removed trailing whitespace. 2654 Updated definitions for Meinberg clocks from current Meinberg header files. 2655 Now use C99 fixed-width types and avoid non-ASCII characters in comments. 2656 Account for updated definitions pulled from Meinberg header files. 2657 Updated comments on Meinberg GPS receivers which are not only called GPS16x. 2658 Replaced some constant numbers by defines from ntp_calendar.h 2659 Modified creation of parse-specific variables for Meinberg devices 2660 in gps16x_message(). 2661 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates. 2662 Modified mbg_tm_str() which now expexts an additional parameter controlling 2663 if the time status shall be printed. 2664* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 2665* [Sec 2781] Authentication doesn't protect symmetric associations against 2666 DoS attacks. 2667* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE. 2668* [Bug 2789] Quiet compiler warnings from libevent. 2669* [Bug 2790] If ntpd sets the Windows MM timer highest resolution 2670 pause briefly before measuring system clock precision to yield 2671 correct results. 2672* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer. 2673* Use predefined function types for parse driver functions 2674 used to set up function pointers. 2675 Account for changed prototype of parse_inp_fnc_t functions. 2676 Cast parse conversion results to appropriate types to avoid 2677 compiler warnings. 2678 Let ioctl() for Windows accept a (void *) to avoid compiler warnings 2679 when called with pointers to different types. 2680 2681--- 2682NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04) 2683 2684Focus: Security and Bug fixes, enhancements. 2685 2686Severity: HIGH 2687 2688In addition to bug fixes and enhancements, this release fixes the 2689following high-severity vulnerabilities: 2690 2691* vallen is not validated in several places in ntp_crypto.c, leading 2692 to a potential information leak or possibly a crash 2693 2694 References: Sec 2671 / CVE-2014-9297 / VU#852879 2695 Affects: All NTP4 releases before 4.2.8p1 that are running autokey. 2696 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2697 Date Resolved: Stable (4.2.8p1) 04 Feb 2015 2698 Summary: The vallen packet value is not validated in several code 2699 paths in ntp_crypto.c which can lead to information leakage 2700 or perhaps a crash of the ntpd process. 2701 Mitigation - any of: 2702 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 2703 or the NTP Public Services Project Download Page. 2704 Disable Autokey Authentication by removing, or commenting out, 2705 all configuration directives beginning with the "crypto" 2706 keyword in your ntp.conf file. 2707 Credit: This vulnerability was discovered by Stephen Roettger of the 2708 Google Security Team, with additional cases found by Sebastian 2709 Krahmer of the SUSE Security Team and Harlan Stenn of Network 2710 Time Foundation. 2711 2712* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses 2713 can be bypassed. 2714 2715 References: Sec 2672 / CVE-2014-9298 / VU#852879 2716 Affects: All NTP4 releases before 4.2.8p1, under at least some 2717 versions of MacOS and Linux. *BSD has not been seen to be vulnerable. 2718 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9 2719 Date Resolved: Stable (4.2.8p1) 04 Feb 2014 2720 Summary: While available kernels will prevent 127.0.0.1 addresses 2721 from "appearing" on non-localhost IPv4 interfaces, some kernels 2722 do not offer the same protection for ::1 source addresses on 2723 IPv6 interfaces. Since NTP's access control is based on source 2724 address and localhost addresses generally have no restrictions, 2725 an attacker can send malicious control and configuration packets 2726 by spoofing ::1 addresses from the outside. Note Well: This is 2727 not really a bug in NTP, it's a problem with some OSes. If you 2728 have one of these OSes where ::1 can be spoofed, ALL ::1 -based 2729 ACL restrictions on any application can be bypassed! 2730 Mitigation: 2731 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 2732 or the NTP Public Services Project Download Page 2733 Install firewall rules to block packets claiming to come from 2734 ::1 from inappropriate network interfaces. 2735 Credit: This vulnerability was discovered by Stephen Roettger of 2736 the Google Security Team. 2737 2738Additionally, over 30 bugfixes and improvements were made to the codebase. 2739See the ChangeLog for more information. 2740 2741--- 2742NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18) 2743 2744Focus: Security and Bug fixes, enhancements. 2745 2746Severity: HIGH 2747 2748In addition to bug fixes and enhancements, this release fixes the 2749following high-severity vulnerabilities: 2750 2751************************** vv NOTE WELL vv ***************************** 2752 2753The vulnerabilities listed below can be significantly mitigated by 2754following the BCP of putting 2755 2756 restrict default ... noquery 2757 2758in the ntp.conf file. With the exception of: 2759 2760 receive(): missing return on error 2761 References: Sec 2670 / CVE-2014-9296 / VU#852879 2762 2763below (which is a limited-risk vulnerability), none of the recent 2764vulnerabilities listed below can be exploited if the source IP is 2765restricted from sending a 'query'-class packet by your ntp.conf file. 2766 2767************************** ^^ NOTE WELL ^^ ***************************** 2768 2769* Weak default key in config_auth(). 2770 2771 References: [Sec 2665] / CVE-2014-9293 / VU#852879 2772 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 2773 Vulnerable Versions: all releases prior to 4.2.7p11 2774 Date Resolved: 28 Jan 2010 2775 2776 Summary: If no 'auth' key is set in the configuration file, ntpd 2777 would generate a random key on the fly. There were two 2778 problems with this: 1) the generated key was 31 bits in size, 2779 and 2) it used the (now weak) ntp_random() function, which was 2780 seeded with a 32-bit value and could only provide 32 bits of 2781 entropy. This was sufficient back in the late 1990s when the 2782 code was written. Not today. 2783 2784 Mitigation - any of: 2785 - Upgrade to 4.2.7p11 or later. 2786 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2787 2788 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta 2789 of the Google Security Team. 2790 2791* Non-cryptographic random number generator with weak seed used by 2792 ntp-keygen to generate symmetric keys. 2793 2794 References: [Sec 2666] / CVE-2014-9294 / VU#852879 2795 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 2796 Vulnerable Versions: All NTP4 releases before 4.2.7p230 2797 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 2798 2799 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to 2800 prepare a random number generator that was of good quality back 2801 in the late 1990s. The random numbers produced was then used to 2802 generate symmetric keys. In ntp-4.2.8 we use a current-technology 2803 cryptographic random number generator, either RAND_bytes from 2804 OpenSSL, or arc4random(). 2805 2806 Mitigation - any of: 2807 - Upgrade to 4.2.7p230 or later. 2808 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2809 2810 Credit: This vulnerability was discovered in ntp-4.2.6 by 2811 Stephen Roettger of the Google Security Team. 2812 2813* Buffer overflow in crypto_recv() 2814 2815 References: Sec 2667 / CVE-2014-9295 / VU#852879 2816 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2817 Versions: All releases before 4.2.8 2818 Date Resolved: Stable (4.2.8) 18 Dec 2014 2819 2820 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf 2821 file contains a 'crypto pw ...' directive) a remote attacker 2822 can send a carefully crafted packet that can overflow a stack 2823 buffer and potentially allow malicious code to be executed 2824 with the privilege level of the ntpd process. 2825 2826 Mitigation - any of: 2827 - Upgrade to 4.2.8, or later, or 2828 - Disable Autokey Authentication by removing, or commenting out, 2829 all configuration directives beginning with the crypto keyword 2830 in your ntp.conf file. 2831 2832 Credit: This vulnerability was discovered by Stephen Roettger of the 2833 Google Security Team. 2834 2835* Buffer overflow in ctl_putdata() 2836 2837 References: Sec 2668 / CVE-2014-9295 / VU#852879 2838 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2839 Versions: All NTP4 releases before 4.2.8 2840 Date Resolved: Stable (4.2.8) 18 Dec 2014 2841 2842 Summary: A remote attacker can send a carefully crafted packet that 2843 can overflow a stack buffer and potentially allow malicious 2844 code to be executed with the privilege level of the ntpd process. 2845 2846 Mitigation - any of: 2847 - Upgrade to 4.2.8, or later. 2848 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2849 2850 Credit: This vulnerability was discovered by Stephen Roettger of the 2851 Google Security Team. 2852 2853* Buffer overflow in configure() 2854 2855 References: Sec 2669 / CVE-2014-9295 / VU#852879 2856 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2857 Versions: All NTP4 releases before 4.2.8 2858 Date Resolved: Stable (4.2.8) 18 Dec 2014 2859 2860 Summary: A remote attacker can send a carefully crafted packet that 2861 can overflow a stack buffer and potentially allow malicious 2862 code to be executed with the privilege level of the ntpd process. 2863 2864 Mitigation - any of: 2865 - Upgrade to 4.2.8, or later. 2866 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2867 2868 Credit: This vulnerability was discovered by Stephen Roettger of the 2869 Google Security Team. 2870 2871* receive(): missing return on error 2872 2873 References: Sec 2670 / CVE-2014-9296 / VU#852879 2874 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 2875 Versions: All NTP4 releases before 4.2.8 2876 Date Resolved: Stable (4.2.8) 18 Dec 2014 2877 2878 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in 2879 the code path where an error was detected, which meant 2880 processing did not stop when a specific rare error occurred. 2881 We haven't found a way for this bug to affect system integrity. 2882 If there is no way to affect system integrity the base CVSS 2883 score for this bug is 0. If there is one avenue through which 2884 system integrity can be partially affected, the base score 2885 becomes a 5. If system integrity can be partially affected 2886 via all three integrity metrics, the CVSS base score become 7.5. 2887 2888 Mitigation - any of: 2889 - Upgrade to 4.2.8, or later, 2890 - Remove or comment out all configuration directives 2891 beginning with the crypto keyword in your ntp.conf file. 2892 2893 Credit: This vulnerability was discovered by Stephen Roettger of the 2894 Google Security Team. 2895 2896See http://support.ntp.org/security for more information. 2897 2898New features / changes in this release: 2899 2900Important Changes 2901 2902* Internal NTP Era counters 2903 2904The internal counters that track the "era" (range of years) we are in 2905rolls over every 136 years'. The current "era" started at the stroke of 2906midnight on 1 Jan 1900, and ends just before the stroke of midnight on 29071 Jan 2036. 2908In the past, we have used the "midpoint" of the range to decide which 2909era we were in. Given the longevity of some products, it became clear 2910that it would be more functional to "look back" less, and "look forward" 2911more. We now compile a timestamp into the ntpd executable and when we 2912get a timestamp we us the "built-on" to tell us what era we are in. 2913This check "looks back" 10 years, and "looks forward" 126 years. 2914 2915* ntpdc responses disabled by default 2916 2917Dave Hart writes: 2918 2919For a long time, ntpq and its mostly text-based mode 6 (control) 2920protocol have been preferred over ntpdc and its mode 7 (private 2921request) protocol for runtime queries and configuration. There has 2922been a goal of deprecating ntpdc, previously held back by numerous 2923capabilities exposed by ntpdc with no ntpq equivalent. I have been 2924adding commands to ntpq to cover these cases, and I believe I've 2925covered them all, though I've not compared command-by-command 2926recently. 2927 2928As I've said previously, the binary mode 7 protocol involves a lot of 2929hand-rolled structure layout and byte-swapping code in both ntpd and 2930ntpdc which is hard to get right. As ntpd grows and changes, the 2931changes are difficult to expose via ntpdc while maintaining forward 2932and backward compatibility between ntpdc and ntpd. In contrast, 2933ntpq's text-based, label=value approach involves more code reuse and 2934allows compatible changes without extra work in most cases. 2935 2936Mode 7 has always been defined as vendor/implementation-specific while 2937mode 6 is described in RFC 1305 and intended to be open to interoperate 2938with other implementations. There is an early draft of an updated 2939mode 6 description that likely will join the other NTPv4 RFCs 2940eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01) 2941 2942For these reasons, ntpd 4.2.7p230 by default disables processing of 2943ntpdc queries, reducing ntpd's attack surface and functionally 2944deprecating ntpdc. If you are in the habit of using ntpdc for certain 2945operations, please try the ntpq equivalent. If there's no equivalent, 2946please open a bug report at http://bugs.ntp.org./ 2947 2948In addition to the above, over 1100 issues have been resolved between 2949the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution 2950lists these. 2951 2952--- 2953NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24) 2954 2955Focus: Bug fixes 2956 2957Severity: Medium 2958 2959This is a recommended upgrade. 2960 2961This release updates sys_rootdisp and sys_jitter calculations to match the 2962RFC specification, fixes a potential IPv6 address matching error for the 2963"nic" and "interface" configuration directives, suppresses the creation of 2964extraneous ephemeral associations for certain broadcastclient and 2965multicastclient configurations, cleans up some ntpq display issues, and 2966includes improvements to orphan mode, minor bugs fixes and code clean-ups. 2967 2968New features / changes in this release: 2969 2970ntpd 2971 2972 * Updated "nic" and "interface" IPv6 address handling to prevent 2973 mismatches with localhost [::1] and wildcard [::] which resulted from 2974 using the address/prefix format (e.g. fe80::/64) 2975 * Fix orphan mode stratum incorrectly counting to infinity 2976 * Orphan parent selection metric updated to includes missing ntohl() 2977 * Non-printable stratum 16 refid no longer sent to ntp 2978 * Duplicate ephemeral associations suppressed for broadcastclient and 2979 multicastclient without broadcastdelay 2980 * Exclude undetermined sys_refid from use in loopback TEST12 2981 * Exclude MODE_SERVER responses from KoD rate limiting 2982 * Include root delay in clock_update() sys_rootdisp calculations 2983 * get_systime() updated to exclude sys_residual offset (which only 2984 affected bits "below" sys_tick, the precision threshold) 2985 * sys.peer jitter weighting corrected in sys_jitter calculation 2986 2987ntpq 2988 2989 * -n option extended to include the billboard "server" column 2990 * IPv6 addresses in the local column truncated to prevent overruns 2991 2992--- 2993NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22) 2994 2995Focus: Bug fixes and portability improvements 2996 2997Severity: Medium 2998 2999This is a recommended upgrade. 3000 3001This release includes build infrastructure updates, code 3002clean-ups, minor bug fixes, fixes for a number of minor 3003ref-clock issues, and documentation revisions. 3004 3005Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 3006 3007New features / changes in this release: 3008 3009Build system 3010 3011* Fix checking for struct rtattr 3012* Update config.guess and config.sub for AIX 3013* Upgrade required version of autogen and libopts for building 3014 from our source code repository 3015 3016ntpd 3017 3018* Back-ported several fixes for Coverity warnings from ntp-dev 3019* Fix a rare boundary condition in UNLINK_EXPR_SLIST() 3020* Allow "logconfig =allall" configuration directive 3021* Bind tentative IPv6 addresses on Linux 3022* Correct WWVB/Spectracom driver to timestamp CR instead of LF 3023* Improved tally bit handling to prevent incorrect ntpq peer status reports 3024* Exclude the Undisciplined Local Clock and ACTS drivers from the initial 3025 candidate list unless they are designated a "prefer peer" 3026* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 3027 selection during the 'tos orphanwait' period 3028* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 3029 drivers 3030* Improved support of the Parse Refclock trusttime flag in Meinberg mode 3031* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 3032* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 3033 clock slew on Microsoft Windows 3034* Code cleanup in libntpq 3035 3036ntpdc 3037 3038* Fix timerstats reporting 3039 3040ntpdate 3041 3042* Reduce time required to set clock 3043* Allow a timeout greater than 2 seconds 3044 3045sntp 3046 3047* Backward incompatible command-line option change: 3048 -l/--filelog changed -l/--logfile (to be consistent with ntpd) 3049 3050Documentation 3051 3052* Update html2man. Fix some tags in the .html files 3053* Distribute ntp-wait.html 3054 3055--- 3056NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03) 3057 3058Focus: Bug fixes and portability improvements 3059 3060Severity: Medium 3061 3062This is a recommended upgrade. 3063 3064This release includes build infrastructure updates, code 3065clean-ups, minor bug fixes, fixes for a number of minor 3066ref-clock issues, and documentation revisions. 3067 3068Portability improvements in this release affect AIX, Atari FreeMiNT, 3069FreeBSD4, Linux and Microsoft Windows. 3070 3071New features / changes in this release: 3072 3073Build system 3074* Use lsb_release to get information about Linux distributions. 3075* 'test' is in /usr/bin (instead of /bin) on some systems. 3076* Basic sanity checks for the ChangeLog file. 3077* Source certain build files with ./filename for systems without . in PATH. 3078* IRIX portability fix. 3079* Use a single copy of the "libopts" code. 3080* autogen/libopts upgrade. 3081* configure.ac m4 quoting cleanup. 3082 3083ntpd 3084* Do not bind to IN6_IFF_ANYCAST addresses. 3085* Log the reason for exiting under Windows. 3086* Multicast fixes for Windows. 3087* Interpolation fixes for Windows. 3088* IPv4 and IPv6 Multicast fixes. 3089* Manycast solicitation fixes and general repairs. 3090* JJY refclock cleanup. 3091* NMEA refclock improvements. 3092* Oncore debug message cleanup. 3093* Palisade refclock now builds under Linux. 3094* Give RAWDCF more baud rates. 3095* Support Truetime Satellite clocks under Windows. 3096* Support Arbiter 1093C Satellite clocks under Windows. 3097* Make sure that the "filegen" configuration command defaults to "enable". 3098* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver. 3099* Prohibit 'includefile' directive in remote configuration command. 3100* Fix 'nic' interface bindings. 3101* Fix the way we link with openssl if openssl is installed in the base 3102 system. 3103 3104ntp-keygen 3105* Fix -V coredump. 3106* OpenSSL version display cleanup. 3107 3108ntpdc 3109* Many counters should be treated as unsigned. 3110 3111ntpdate 3112* Do not ignore replies with equal receive and transmit timestamps. 3113 3114ntpq 3115* libntpq warning cleanup. 3116 3117ntpsnmpd 3118* Correct SNMP type for "precision" and "resolution". 3119* Update the MIB from the draft version to RFC-5907. 3120 3121sntp 3122* Display timezone offset when showing time for sntp in the local 3123 timezone. 3124* Pay proper attention to RATE KoD packets. 3125* Fix a miscalculation of the offset. 3126* Properly parse empty lines in the key file. 3127* Logging cleanup. 3128* Use tv_usec correctly in set_time(). 3129* Documentation cleanup. 3130 3131--- 3132NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08) 3133 3134Focus: Bug fixes and portability improvements 3135 3136Severity: Medium 3137 3138This is a recommended upgrade. 3139 3140This release includes build infrastructure updates, code 3141clean-ups, minor bug fixes, fixes for a number of minor 3142ref-clock issues, improved KOD handling, OpenSSL related 3143updates and documentation revisions. 3144 3145Portability improvements in this release affect Irix, Linux, 3146Mac OS, Microsoft Windows, OpenBSD and QNX6 3147 3148New features / changes in this release: 3149 3150ntpd 3151* Range syntax for the trustedkey configuration directive 3152* Unified IPv4 and IPv6 restrict lists 3153 3154ntpdate 3155* Rate limiting and KOD handling 3156 3157ntpsnmpd 3158* default connection to net-snmpd via a unix-domain socket 3159* command-line 'socket name' option 3160 3161ntpq / ntpdc 3162* support for the "passwd ..." syntax 3163* key-type specific password prompts 3164 3165sntp 3166* MD5 authentication of an ntpd 3167* Broadcast and crypto 3168* OpenSSL support 3169 3170--- 3171NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09) 3172 3173Focus: Bug fixes, portability fixes, and documentation improvements 3174 3175Severity: Medium 3176 3177This is a recommended upgrade. 3178 3179--- 3180NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) 3181 3182Focus: enhancements and bug fixes. 3183 3184--- 3185NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) 3186 3187Focus: Security Fixes 3188 3189Severity: HIGH 3190 3191This release fixes the following high-severity vulnerability: 3192 3193* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. 3194 3195 See http://support.ntp.org/security for more information. 3196 3197 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. 3198 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time 3199 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 3200 request or a mode 7 error response from an address which is not listed 3201 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will 3202 reply with a mode 7 error response (and log a message). In this case: 3203 3204 * If an attacker spoofs the source address of ntpd host A in a 3205 mode 7 response packet sent to ntpd host B, both A and B will 3206 continuously send each other error responses, for as long as 3207 those packets get through. 3208 3209 * If an attacker spoofs an address of ntpd host A in a mode 7 3210 response packet sent to ntpd host A, A will respond to itself 3211 endlessly, consuming CPU and logging excessively. 3212 3213 Credit for finding this vulnerability goes to Robin Park and Dmitri 3214 Vinokurov of Alcatel-Lucent. 3215 3216THIS IS A STRONGLY RECOMMENDED UPGRADE. 3217 3218--- 3219ntpd now syncs to refclocks right away. 3220 3221Backward-Incompatible changes: 3222 3223ntpd no longer accepts '-v name' or '-V name' to define internal variables. 3224Use '--var name' or '--dvar name' instead. (Bug 817) 3225 3226--- 3227NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04) 3228 3229Focus: Security and Bug Fixes 3230 3231Severity: HIGH 3232 3233This release fixes the following high-severity vulnerability: 3234 3235* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 3236 3237 See http://support.ntp.org/security for more information. 3238 3239 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 3240 line) then a carefully crafted packet sent to the machine will cause 3241 a buffer overflow and possible execution of injected code, running 3242 with the privileges of the ntpd process (often root). 3243 3244 Credit for finding this vulnerability goes to Chris Ries of CMU. 3245 3246This release fixes the following low-severity vulnerabilities: 3247 3248* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 3249 Credit for finding this vulnerability goes to Geoff Keating of Apple. 3250 3251* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 3252 Credit for finding this issue goes to Dave Hart. 3253 3254This release fixes a number of bugs and adds some improvements: 3255 3256* Improved logging 3257* Fix many compiler warnings 3258* Many fixes and improvements for Windows 3259* Adds support for AIX 6.1 3260* Resolves some issues under MacOS X and Solaris 3261 3262THIS IS A STRONGLY RECOMMENDED UPGRADE. 3263 3264--- 3265NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07) 3266 3267Focus: Security Fix 3268 3269Severity: Low 3270 3271This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 3272the OpenSSL library relating to the incorrect checking of the return 3273value of EVP_VerifyFinal function. 3274 3275Credit for finding this issue goes to the Google Security Team for 3276finding the original issue with OpenSSL, and to ocert.org for finding 3277the problem in NTP and telling us about it. 3278 3279This is a recommended upgrade. 3280--- 3281NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17) 3282 3283Focus: Minor Bugfixes 3284 3285This release fixes a number of Windows-specific ntpd bugs and 3286platform-independent ntpdate bugs. A logging bugfix has been applied 3287to the ONCORE driver. 3288 3289The "dynamic" keyword and is now obsolete and deferred binding to local 3290interfaces is the new default. The minimum time restriction for the 3291interface update interval has been dropped. 3292 3293A number of minor build system and documentation fixes are included. 3294 3295This is a recommended upgrade for Windows. 3296 3297--- 3298NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10) 3299 3300Focus: Minor Bugfixes 3301 3302This release updates certain copyright information, fixes several display 3303bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 3304shutdown in the parse refclock driver, removes some lint from the code, 3305stops accessing certain buffers immediately after they were freed, fixes 3306a problem with non-command-line specification of -6, and allows the loopback 3307interface to share addresses with other interfaces. 3308 3309--- 3310NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29) 3311 3312Focus: Minor Bugfixes 3313 3314This release fixes a bug in Windows that made it difficult to 3315terminate ntpd under windows. 3316This is a recommended upgrade for Windows. 3317 3318--- 3319NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19) 3320 3321Focus: Minor Bugfixes 3322 3323This release fixes a multicast mode authentication problem, 3324an error in NTP packet handling on Windows that could lead to 3325ntpd crashing, and several other minor bugs. Handling of 3326multicast interfaces and logging configuration were improved. 3327The required versions of autogen and libopts were incremented. 3328This is a recommended upgrade for Windows and multicast users. 3329 3330--- 3331NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31) 3332 3333Focus: enhancements and bug fixes. 3334 3335Dynamic interface rescanning was added to simplify the use of ntpd in 3336conjunction with DHCP. GNU AutoGen is used for its command-line options 3337processing. Separate PPS devices are supported for PARSE refclocks, MD5 3338signatures are now provided for the release files. Drivers have been 3339added for some new ref-clocks and have been removed for some older 3340ref-clocks. This release also includes other improvements, documentation 3341and bug fixes. 3342 3343K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 3344C support. 3345 3346--- 3347NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15) 3348 3349Focus: enhancements and bug fixes. 3350