NEWS revision 344884
1--- 2NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07) 3 4Focus: Security, Bug fixes, enhancements. 5 6Severity: MEDIUM 7 8This release fixes a bug that allows an attacker with access to an 9explicitly trusted source to send a crafted malicious mode 6 (ntpq) 10packet that can trigger a NULL pointer dereference, crashing ntpd. 11It also provides 17 other bugfixes and 1 other improvement: 12 13* [Sec 3565] Crafted null dereference attack in authenticated 14 mode 6 packet <perlinger@ntp.org> 15 - reported by Magnus Stubman 16* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org> 17 - applied patch by Ian Lepore 18* [Bug 3558] Crash and integer size bug <perlinger@ntp.org> 19 - isolate and fix linux/windows specific code issue 20* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org> 21 - provide better function for incremental string formatting 22* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org> 23 - applied patch by Gerry Garvey 24* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org> 25 - original finding by Gerry Garvey, additional cleanup needed 26* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org> 27 - patch by Christous Zoulas 28* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org> 29 - finding by Chen Jiabin, plus another one by me 30* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org> 31 - applied patch by Maciej Szmigiero 32* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org> 33 - applied patch by Andre Charbonneau 34* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org> 35 - applied patch by Baruch Siach 36* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org> 37 - applied patch by Baruch Siach 38* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org> 39 - refactored handling of GPS era based on 'tos basedate' for 40 parse (TSIP) and JUPITER clocks 41* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org> 42 - patch by Daniel J. Luke; this does not fix a potential linker 43 regression issue on MacOS. 44* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet 45 anomaly <perlinger@ntp.org>, reported by GGarvey. 46 - --enable-bug3527-fix support by HStenn 47* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org> 48 - applied patch by Gerry Garvey 49* [Bug 3471] Check for openssl/[ch]mac.h. <perlinger@ntp.org> 50 - added missing check, reported by Reinhard Max <perlinger@ntp.org> 51* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64 52 - this is a variant of [bug 3558] and should be fixed with it 53* Implement 'configure --disable-signalled-io' 54 55-- 56NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09) 57 58Focus: Security, Bug fixes, enhancements. 59 60Severity: MEDIUM 61 62This release fixes a "hole" in the noepeer capability introduced to ntpd 63in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by 64ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements: 65 66* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc. 67 68* [Sec 3012] Fix a hole in the new "noepeer" processing. 69 70* Bug Fixes: 71 [Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org> 72 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin, 73 other TrustedBSD platforms 74 - applied patch by Ian Lepore <perlinger@ntp.org> 75 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org> 76 - changed interaction with SCM to signal pending startup 77 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org> 78 - applied patch by Gerry Garvey 79 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org> 80 - applied patch by Gerry Garvey 81 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org> 82 - rework of ntpq 'nextvar()' key/value parsing 83 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org> 84 - applied patch by Gerry Garvey (with mods) 85 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org> 86 - applied patch by Gerry Garvey 87 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org> 88 - applied patch by Gerry Garvey (with mods) 89 [Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org> 90 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though 91 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org> 92 - applied patch by Gerry Garvey 93 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org> 94 - applied patch by Gerry Garvey 95 [Bug 3471] Check for openssl/[ch]mac.h. HStenn. 96 - add #define ENABLE_CMAC support in configure. HStenn. 97 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org> 98 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org> 99 - patch by Stephen Friedl 100 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org> 101 - fixed IO redirection and CTRL-C handling in ntq and ntpdc 102 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org> 103 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org> 104 - initial patch by Hal Murray; also fixed refclock_report() trouble 105 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org> 106 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer 107 - According to Brooks Davis, there was only one location <perlinger@ntp.org> 108 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org> 109 - applied patch by Gerry Garvey 110 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org> 111 - applied patch by Gerry Garvey 112 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey, 113 with modifications 114 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c. 115 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org> 116 - applied patch by Miroslav Lichvar 117 [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov. 118 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org> 119 - integrated patch by Reinhard Max 120 [Bug 2821] minor build issues <perlinger@ntp.org> 121 - applied patches by Christos Zoulas, including real bug fixes 122 html/authopt.html: cleanup, from <stenn@ntp.org> 123 ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org> 124 Symmetric key range is 1-65535. Update docs. <stenn@ntp.org> 125 126-- 127NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27) 128 129Focus: Security, Bug fixes, enhancements. 130 131Severity: MEDIUM 132 133This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity 134vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and 135provides 65 other non-security fixes and improvements: 136 137* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved 138 association (LOW/MED) 139 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 140 References: Sec 3454 / CVE-2018-7185 / VU#961909 141 Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11. 142 CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between 143 2.9 and 6.8. 144 CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could 145 score between 2.6 and 3.1 146 Summary: 147 The NTP Protocol allows for both non-authenticated and 148 authenticated associations, in client/server, symmetric (peer), 149 and several broadcast modes. In addition to the basic NTP 150 operational modes, symmetric mode and broadcast servers can 151 support an interleaved mode of operation. In ntp-4.2.8p4 a bug 152 was inadvertently introduced into the protocol engine that 153 allows a non-authenticated zero-origin (reset) packet to reset 154 an authenticated interleaved peer association. If an attacker 155 can send a packet with a zero-origin timestamp and the source 156 IP address of the "other side" of an interleaved association, 157 the 'victim' ntpd will reset its association. The attacker must 158 continue sending these packets in order to maintain the 159 disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6, 160 interleave mode could be entered dynamically. As of ntp-4.2.8p7, 161 interleaved mode must be explicitly configured/enabled. 162 Mitigation: 163 Implement BCP-38. 164 Upgrade to 4.2.8p11, or later, from the NTP Project Download Page 165 or the NTP Public Services Project Download Page. 166 If you are unable to upgrade to 4.2.8p11 or later and have 167 'peer HOST xleave' lines in your ntp.conf file, remove the 168 'xleave' option. 169 Have enough sources of time. 170 Properly monitor your ntpd instances. 171 If ntpd stops running, auto-restart it without -g . 172 Credit: 173 This weakness was discovered by Miroslav Lichvar of Red Hat. 174 175* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad 176 state (LOW/MED) 177 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 178 References: Sec 3453 / CVE-2018-7184 / VU#961909 179 Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11. 180 CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 181 Could score between 2.9 and 6.8. 182 CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L 183 Could score between 2.6 and 6.0. 184 Summary: 185 The fix for NtpBug2952 was incomplete, and while it fixed one 186 problem it created another. Specifically, it drops bad packets 187 before updating the "received" timestamp. This means a 188 third-party can inject a packet with a zero-origin timestamp, 189 meaning the sender wants to reset the association, and the 190 transmit timestamp in this bogus packet will be saved as the 191 most recent "received" timestamp. The real remote peer does 192 not know this value and this will disrupt the association until 193 the association resets. 194 Mitigation: 195 Implement BCP-38. 196 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 197 or the NTP Public Services Project Download Page. 198 Use authentication with 'peer' mode. 199 Have enough sources of time. 200 Properly monitor your ntpd instances. 201 If ntpd stops running, auto-restart it without -g . 202 Credit: 203 This weakness was discovered by Miroslav Lichvar of Red Hat. 204 205* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive 206 peering (LOW) 207 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 208 References: Sec 3415 / CVE-2018-7170 / VU#961909 209 Sec 3012 / CVE-2016-1549 / VU#718152 210 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 211 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. 212 CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 213 CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N 214 Summary: 215 ntpd can be vulnerable to Sybil attacks. If a system is set up to 216 use a trustedkey and if one is not using the feature introduced in 217 ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to 218 specify which IPs can serve time, a malicious authenticated peer 219 -- i.e. one where the attacker knows the private symmetric key -- 220 can create arbitrarily-many ephemeral associations in order to win 221 the clock selection of ntpd and modify a victim's clock. Three 222 additional protections are offered in ntp-4.2.8p11. One is the 223 new 'noepeer' directive, which disables symmetric passive 224 ephemeral peering. Another is the new 'ippeerlimit' directive, 225 which limits the number of peers that can be created from an IP. 226 The third extends the functionality of the 4th field in the 227 ntp.keys file to include specifying a subnet range. 228 Mitigation: 229 Implement BCP-38. 230 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 231 or the NTP Public Services Project Download Page. 232 Use the 'noepeer' directive to prohibit symmetric passive 233 ephemeral associations. 234 Use the 'ippeerlimit' directive to limit the number of peers 235 that can be created from an IP. 236 Use the 4th argument in the ntp.keys file to limit the IPs and 237 subnets that can be time servers. 238 Have enough sources of time. 239 Properly monitor your ntpd instances. 240 If ntpd stops running, auto-restart it without -g . 241 Credit: 242 This weakness was reported as Bug 3012 by Matthew Van Gundy of 243 Cisco ASIG, and separately by Stefan Moser as Bug 3415. 244 245* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium) 246 Date Resolved: 27 Feb 2018 247 References: Sec 3414 / CVE-2018-7183 / VU#961909 248 Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11. 249 CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 250 CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 251 Summary: 252 ntpq is a monitoring and control program for ntpd. decodearr() 253 is an internal function of ntpq that is used to -- wait for it -- 254 decode an array in a response string when formatted data is being 255 displayed. This is a problem in affected versions of ntpq if a 256 maliciously-altered ntpd returns an array result that will trip this 257 bug, or if a bad actor is able to read an ntpq request on its way to 258 a remote ntpd server and forge and send a response before the remote 259 ntpd sends its response. It's potentially possible that the 260 malicious data could become injectable/executable code. 261 Mitigation: 262 Implement BCP-38. 263 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 264 or the NTP Public Services Project Download Page. 265 Credit: 266 This weakness was discovered by Michael Macnair of Thales e-Security. 267 268* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined 269 behavior and information leak (Info/Medium) 270 Date Resolved: 27 Feb 2018 271 References: Sec 3412 / CVE-2018-7182 / VU#961909 272 Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11. 273 CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N 274 CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 275 0.0 if C:N 276 Summary: 277 ctl_getitem() is used by ntpd to process incoming mode 6 packets. 278 A malicious mode 6 packet can be sent to an ntpd instance, and 279 if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will 280 cause ctl_getitem() to read past the end of its buffer. 281 Mitigation: 282 Implement BCP-38. 283 Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 284 or the NTP Public Services Project Download Page. 285 Have enough sources of time. 286 Properly monitor your ntpd instances. 287 If ntpd stops running, auto-restart it without -g . 288 Credit: 289 This weakness was discovered by Yihan Lian of Qihoo 360. 290 291* NTP Bug 3012: Sybil vulnerability: ephemeral association attack 292 Also see Bug 3415, above. 293 Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 294 Date Resolved: Stable (4.2.8p11) 27 Feb 2018 295 References: Sec 3012 / CVE-2016-1549 / VU#718152 296 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 297 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. 298 CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 299 CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 300 Summary: 301 ntpd can be vulnerable to Sybil attacks. If a system is set up 302 to use a trustedkey and if one is not using the feature 303 introduced in ntp-4.2.8p6 allowing an optional 4th field in the 304 ntp.keys file to specify which IPs can serve time, a malicious 305 authenticated peer -- i.e. one where the attacker knows the 306 private symmetric key -- can create arbitrarily-many ephemeral 307 associations in order to win the clock selection of ntpd and 308 modify a victim's clock. Two additional protections are 309 offered in ntp-4.2.8p11. One is the 'noepeer' directive, which 310 disables symmetric passive ephemeral peering. The other extends 311 the functionality of the 4th field in the ntp.keys file to 312 include specifying a subnet range. 313 Mitigation: 314 Implement BCP-38. 315 Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or 316 the NTP Public Services Project Download Page. 317 Use the 'noepeer' directive to prohibit symmetric passive 318 ephemeral associations. 319 Use the 'ippeerlimit' directive to limit the number of peer 320 associations from an IP. 321 Use the 4th argument in the ntp.keys file to limit the IPs 322 and subnets that can be time servers. 323 Properly monitor your ntpd instances. 324 Credit: 325 This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 326 327* Bug fixes: 328 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org> 329 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org> 330 - applied patch by Sean Haugh 331 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org> 332 [Bug 3450] Dubious error messages from plausibility checks in get_systime() 333 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org> 334 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org> 335 - refactoring the MAC code, too 336 [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org 337 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org> 338 - applied patch by ggarvey 339 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org> 340 - applied patch by ggarvey (with minor mods) 341 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain 342 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org> 343 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org> 344 [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org> 345 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" 346 - fixed several issues with hash algos in ntpd, sntp, ntpq, 347 ntpdc and the test suites <perlinger@ntp.org> 348 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org> 349 - initial patch by Daniel Pouzzner 350 [Bug 3423] QNX adjtime() implementation error checking is 351 wrong <perlinger@ntp.org> 352 [Bug 3417] ntpq ifstats packet counters can be negative 353 made IFSTATS counter quantities unsigned <perlinger@ntp.org> 354 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 355 - raised receive buffer size to 1200 <perlinger@ntp.org> 356 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static 357 analysis tool. <abe@ntp.org> 358 [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. 359 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org> 360 - fix/drop assumptions on OpenSSL libs directory layout 361 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation 362 - initial patch by timeflies@mail2tor.com <perlinger@ntp.org> 363 [Bug 3398] tests fail with core dump <perlinger@ntp.org> 364 - patch contributed by Alexander Bluhm 365 [Bug 3397] ctl_putstr() asserts that data fits in its buffer 366 rework of formatting & data transfer stuff in 'ntp_control.c' 367 avoids unecessary buffers and size limitations. <perlinger@ntp.org> 368 [Bug 3394] Leap second deletion does not work on ntpd clients 369 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org> 370 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size 371 - increased mimimum stack size to 32kB <perlinger@ntp.org> 372 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org> 373 - reverted handling of PPS kernel consumer to 4.2.6 behavior 374 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org> 375 [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. 376 [Bug 3016] wrong error position reported for bad ":config pool" 377 - fixed location counter & ntpq output <perlinger@ntp.org> 378 [Bug 2900] libntp build order problem. HStenn. 379 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org> 380 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, 381 perlinger@ntp.org 382 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. 383 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org> 384 Use strlcpy() to copy strings, not memcpy(). HStenn. 385 Typos. HStenn. 386 test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. 387 refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. 388 Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org 389 Fix trivial warnings from 'make check'. perlinger@ntp.org 390 Fix bug in the override portion of the compiler hardening macro. HStenn. 391 record_raw_stats(): Log entire packet. Log writes. HStenn. 392 AES-128-CMAC support. BInglis, HStenn, JPerlinger. 393 sntp: tweak key file logging. HStenn. 394 sntp: pkt_output(): Improve debug output. HStenn. 395 update-leap: updates from Paul McMath. 396 When using pkg-config, report --modversion. HStenn. 397 Clean up libevent configure checks. HStenn. 398 sntp: show the IP of who sent us a crypto-NAK. HStenn. 399 Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. 400 authistrustedip() - use it in more places. HStenn, JPerlinger. 401 New sysstats: sys_lamport, sys_tsrounding. HStenn. 402 Update ntp.keys .../N documentation. HStenn. 403 Distribute testconf.yml. HStenn. 404 Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. 405 Rename the configuration flag fifo variables. HStenn. 406 Improve saveconfig output. HStenn. 407 Decode restrict flags on receive() debug output. HStenn. 408 Decode interface flags on receive() debug output. HStenn. 409 Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. 410 Update the documentation in ntp.conf.def . HStenn. 411 restrictions() must return restrict flags and ippeerlimit. HStenn. 412 Update ntpq peer documentation to describe the 'p' type. HStenn. 413 Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. 414 Provide dump_restricts() for debugging. HStenn. 415 Use consistent 4th arg type for [gs]etsockopt. JPerlinger. 416 417* Other items: 418 419* update-leap needs the following perl modules: 420 Net::SSLeay 421 IO::Socket::SSL 422 423* New sysstats variables: sys_lamport, sys_tsrounding 424See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" 425sys_lamport counts the number of observed Lamport violations, while 426sys_tsrounding counts observed timestamp rounding events. 427 428* New ntp.conf items: 429 430- restrict ... noepeer 431- restrict ... ippeerlimit N 432 433The 'noepeer' directive will disallow all ephemeral/passive peer 434requests. 435 436The 'ippeerlimit' directive limits the number of time associations 437for each IP in the designated set of addresses. This limit does not 438apply to explicitly-configured associations. A value of -1, the current 439default, means an unlimited number of associations may connect from a 440single IP. 0 means "none", etc. Ordinarily the only way multiple 441associations would come from the same IP would be if the remote side 442was using a proxy. But a trusted machine might become compromised, 443in which case an attacker might spin up multiple authenticated sessions 444from different ports. This directive should be helpful in this case. 445 446* New ntp.keys feature: Each IP in the optional list of IPs in the 4th 447field may contain a /subnetbits specification, which identifies the 448scope of IPs that may use this key. This IP/subnet restriction can be 449used to limit the IPs that may use the key in most all situations where 450a key is used. 451-- 452NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21) 453 454Focus: Security, Bug fixes, enhancements. 455 456Severity: MEDIUM 457 458This release fixes 5 medium-, 6 low-, and 4 informational-severity 459vulnerabilities, and provides 15 other non-security fixes and improvements: 460 461* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium) 462 Date Resolved: 21 Mar 2017 463 References: Sec 3389 / CVE-2017-6464 / VU#325339 464 Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and 465 ntp-4.3.0 up to, but not including ntp-4.3.94. 466 CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 467 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 468 Summary: 469 A vulnerability found in the NTP server makes it possible for an 470 authenticated remote user to crash ntpd via a malformed mode 471 configuration directive. 472 Mitigation: 473 Implement BCP-38. 474 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or 475 the NTP Public Services Project Download Page 476 Properly monitor your ntpd instances, and auto-restart 477 ntpd (without -g) if it stops running. 478 Credit: 479 This weakness was discovered by Cure53. 480 481* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low) 482 Date Resolved: 21 Mar 2017 483 References: Sec 3388 / CVE-2017-6462 / VU#325339 484 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. 485 CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 486 CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 487 Summary: 488 There is a potential for a buffer overflow in the legacy Datum 489 Programmable Time Server refclock driver. Here the packets are 490 processed from the /dev/datum device and handled in 491 datum_pts_receive(). Since an attacker would be required to 492 somehow control a malicious /dev/datum device, this does not 493 appear to be a practical attack and renders this issue "Low" in 494 terms of severity. 495 Mitigation: 496 If you have a Datum reference clock installed and think somebody 497 may maliciously change the device, upgrade to 4.2.8p10, or 498 later, from the NTP Project Download Page or the NTP Public 499 Services Project Download Page 500 Properly monitor your ntpd instances, and auto-restart 501 ntpd (without -g) if it stops running. 502 Credit: 503 This weakness was discovered by Cure53. 504 505* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium) 506 Date Resolved: 21 Mar 2017 507 References: Sec 3387 / CVE-2017-6463 / VU#325339 508 Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and 509 ntp-4.3.0 up to, but not including ntp-4.3.94. 510 CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 511 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 512 Summary: 513 A vulnerability found in the NTP server allows an authenticated 514 remote attacker to crash the daemon by sending an invalid setting 515 via the :config directive. The unpeer option expects a number or 516 an address as an argument. In case the value is "0", a 517 segmentation fault occurs. 518 Mitigation: 519 Implement BCP-38. 520 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 521 or the NTP Public Services Project Download Page 522 Properly monitor your ntpd instances, and auto-restart 523 ntpd (without -g) if it stops running. 524 Credit: 525 This weakness was discovered by Cure53. 526 527* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational) 528 Date Resolved: 21 Mar 2017 529 References: Sec 3386 530 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 531 ntp-4.3.0 up to, but not including ntp-4.3.94. 532 CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N) 533 CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N 534 Summary: 535 The NTP Mode 6 monitoring and control client, ntpq, uses the 536 function ntpq_stripquotes() to remove quotes and escape characters 537 from a given string. According to the documentation, the function 538 is supposed to return the number of copied bytes but due to 539 incorrect pointer usage this value is always zero. Although the 540 return value of this function is never used in the code, this 541 flaw could lead to a vulnerability in the future. Since relying 542 on wrong return values when performing memory operations is a 543 dangerous practice, it is recommended to return the correct value 544 in accordance with the documentation pertinent to the code. 545 Mitigation: 546 Implement BCP-38. 547 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 548 or the NTP Public Services Project Download Page 549 Properly monitor your ntpd instances, and auto-restart 550 ntpd (without -g) if it stops running. 551 Credit: 552 This weakness was discovered by Cure53. 553 554* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info) 555 Date Resolved: 21 Mar 2017 556 References: Sec 3385 557 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 558 ntp-4.3.0 up to, but not including ntp-4.3.94. 559 Summary: 560 NTP makes use of several wrappers around the standard heap memory 561 allocation functions that are provided by libc. This is mainly 562 done to introduce additional safety checks concentrated on 563 several goals. First, they seek to ensure that memory is not 564 accidentally freed, secondly they verify that a correct amount 565 is always allocated and, thirdly, that allocation failures are 566 correctly handled. There is an additional implementation for 567 scenarios where memory for a specific amount of items of the 568 same size needs to be allocated. The handling can be found in 569 the oreallocarray() function for which a further number-of-elements 570 parameter needs to be provided. Although no considerable threat 571 was identified as tied to a lack of use of this function, it is 572 recommended to correctly apply oreallocarray() as a preferred 573 option across all of the locations where it is possible. 574 Mitigation: 575 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 576 or the NTP Public Services Project Download Page 577 Credit: 578 This weakness was discovered by Cure53. 579 580* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS 581 PPSAPI ONLY) (Low) 582 Date Resolved: 21 Mar 2017 583 References: Sec 3384 / CVE-2017-6455 / VU#325339 584 Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but 585 not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not 586 including ntp-4.3.94. 587 CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C) 588 CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 589 Summary: 590 The Windows NT port has the added capability to preload DLLs 591 defined in the inherited global local environment variable 592 PPSAPI_DLLS. The code contained within those libraries is then 593 called from the NTPD service, usually running with elevated 594 privileges. Depending on how securely the machine is setup and 595 configured, if ntpd is configured to use the PPSAPI under Windows 596 this can easily lead to a code injection. 597 Mitigation: 598 Implement BCP-38. 599 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 600 or the NTP Public Services Project Download Page 601 Credit: 602 This weakness was discovered by Cure53. 603 604* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS 605 installer ONLY) (Low) 606 Date Resolved: 21 Mar 2017 607 References: Sec 3383 / CVE-2017-6452 / VU#325339 608 Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows 609 installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up 610 to, but not including ntp-4.3.94. 611 CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 612 CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 613 Summary: 614 The Windows installer for NTP calls strcat(), blindly appending 615 the string passed to the stack buffer in the addSourceToRegistry() 616 function. The stack buffer is 70 bytes smaller than the buffer 617 in the calling main() function. Together with the initially 618 copied Registry path, the combination causes a stack buffer 619 overflow and effectively overwrites the stack frame. The 620 passed application path is actually limited to 256 bytes by the 621 operating system, but this is not sufficient to assure that the 622 affected stack buffer is consistently protected against 623 overflowing at all times. 624 Mitigation: 625 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 626 or the NTP Public Services Project Download Page 627 Credit: 628 This weakness was discovered by Cure53. 629 630* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS 631 installer ONLY) (Low) 632 Date Resolved: 21 Mar 2017 633 References: Sec 3382 / CVE-2017-6459 / VU#325339 634 Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows 635 installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 636 up to, but not including ntp-4.3.94. 637 CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 638 CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 639 Summary: 640 The Windows installer for NTP calls strcpy() with an argument 641 that specifically contains multiple null bytes. strcpy() only 642 copies a single terminating null character into the target 643 buffer instead of copying the required double null bytes in the 644 addKeysToRegistry() function. As a consequence, a garbage 645 registry entry can be created. The additional arsize parameter 646 is erroneously set to contain two null bytes and the following 647 call to RegSetValueEx() claims to be passing in a multi-string 648 value, though this may not be true. 649 Mitigation: 650 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 651 or the NTP Public Services Project Download Page 652 Credit: 653 This weakness was discovered by Cure53. 654 655* NTP-01-006 NTP: Copious amounts of Unused Code (Informational) 656 References: Sec 3381 657 Summary: 658 The report says: Statically included external projects 659 potentially introduce several problems and the issue of having 660 extensive amounts of code that is "dead" in the resulting binary 661 must clearly be pointed out. The unnecessary unused code may or 662 may not contain bugs and, quite possibly, might be leveraged for 663 code-gadget-based branch-flow redirection exploits. Analogically, 664 having source trees statically included as well means a failure 665 in taking advantage of the free feature for periodical updates. 666 This solution is offered by the system's Package Manager. The 667 three libraries identified are libisc, libevent, and libopts. 668 Resolution: 669 For libisc, we already only use a portion of the original library. 670 We've found and fixed bugs in the original implementation (and 671 offered the patches to ISC), and plan to see what has changed 672 since we last upgraded the code. libisc is generally not 673 installed, and when it it we usually only see the static libisc.a 674 file installed. Until we know for sure that the bugs we've found 675 and fixed are fixed upstream, we're better off with the copy we 676 are using. 677 678 Version 1 of libevent was the only production version available 679 until recently, and we've been requiring version 2 for a long time. 680 But if the build system has at least version 2 of libevent 681 installed, we'll use the version that is installed on the system. 682 Otherwise, we provide a copy of libevent that we know works. 683 684 libopts is provided by GNU AutoGen, and that library and package 685 undergoes frequent API version updates. The version of autogen 686 used to generate the tables for the code must match the API 687 version in libopts. AutoGen can be ... difficult to build and 688 install, and very few developers really need it. So we have it 689 on our build and development machines, and we provide the 690 specific version of the libopts code in the distribution to make 691 sure that the proper API version of libopts is available. 692 693 As for the point about there being code in these libraries that 694 NTP doesn't use, OK. But other packages used these libraries as 695 well, and it is reasonable to assume that other people are paying 696 attention to security and code quality issues for the overall 697 libraries. It takes significant resources to analyze and 698 customize these libraries to only include what we need, and to 699 date we believe the cost of this effort does not justify the benefit. 700 Credit: 701 This issue was discovered by Cure53. 702 703* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low) 704 Date Resolved: 21 Mar 2017 705 References: Sec 3380 706 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 707 ntp-4.3.0 up to, but not including ntp-4.3.94. 708 CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N) 709 CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N 710 Summary: 711 There is a fencepost error in a "recovery branch" of the code for 712 the Oncore GPS receiver if the communication link to the ONCORE 713 is weak / distorted and the decoding doesn't work. 714 Mitigation: 715 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or 716 the NTP Public Services Project Download Page 717 Properly monitor your ntpd instances, and auto-restart 718 ntpd (without -g) if it stops running. 719 Credit: 720 This weakness was discovered by Cure53. 721 722* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium) 723 Date Resolved: 21 Mar 2017 724 References: Sec 3379 / CVE-2017-6458 / VU#325339 725 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 726 ntp-4.3.0 up to, but not including ntp-4.3.94. 727 CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 728 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 729 Summary: 730 ntpd makes use of different wrappers around ctl_putdata() to 731 create name/value ntpq (mode 6) response strings. For example, 732 ctl_putstr() is usually used to send string data (variable names 733 or string data). The formatting code was missing a length check 734 for variable names. If somebody explicitly created any unusually 735 long variable names in ntpd (longer than 200-512 bytes, depending 736 on the type of variable), then if any of these variables are 737 added to the response list it would overflow a buffer. 738 Mitigation: 739 Implement BCP-38. 740 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 741 or the NTP Public Services Project Download Page 742 If you don't want to upgrade, then don't setvar variable names 743 longer than 200-512 bytes in your ntp.conf file. 744 Properly monitor your ntpd instances, and auto-restart 745 ntpd (without -g) if it stops running. 746 Credit: 747 This weakness was discovered by Cure53. 748 749* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low) 750 Date Resolved: 21 Mar 2017 751 References: Sec 3378 / CVE-2017-6451 / VU#325339 752 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 753 ntp-4.3.0 up to, but not including ntp-4.3.94. 754 CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P) 755 CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N 756 Summary: 757 The legacy MX4200 refclock is only built if is specifically 758 enabled, and furthermore additional code changes are required to 759 compile and use it. But it uses the libc functions snprintf() 760 and vsnprintf() incorrectly, which can lead to an out-of-bounds 761 memory write due to an improper handling of the return value of 762 snprintf()/vsnprintf(). Since the return value is used as an 763 iterator and it can be larger than the buffer's size, it is 764 possible for the iterator to point somewhere outside of the 765 allocated buffer space. This results in an out-of-bound memory 766 write. This behavior can be leveraged to overwrite a saved 767 instruction pointer on the stack and gain control over the 768 execution flow. During testing it was not possible to identify 769 any malicious usage for this vulnerability. Specifically, no 770 way for an attacker to exploit this vulnerability was ultimately 771 unveiled. However, it has the potential to be exploited, so the 772 code should be fixed. 773 Mitigation, if you have a Magnavox MX4200 refclock: 774 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 775 or the NTP Public Services Project Download Page. 776 Properly monitor your ntpd instances, and auto-restart 777 ntpd (without -g) if it stops running. 778 Credit: 779 This weakness was discovered by Cure53. 780 781* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a 782 malicious ntpd (Medium) 783 Date Resolved: 21 Mar 2017 784 References: Sec 3377 / CVE-2017-6460 / VU#325339 785 Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and 786 ntp-4.3.0 up to, but not including ntp-4.3.94. 787 CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C) 788 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 789 Summary: 790 A stack buffer overflow in ntpq can be triggered by a malicious 791 ntpd server when ntpq requests the restriction list from the server. 792 This is due to a missing length check in the reslist() function. 793 It occurs whenever the function parses the server's response and 794 encounters a flagstr variable of an excessive length. The string 795 will be copied into a fixed-size buffer, leading to an overflow on 796 the function's stack-frame. Note well that this problem requires 797 a malicious server, and affects ntpq, not ntpd. 798 Mitigation: 799 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 800 or the NTP Public Services Project Download Page 801 If you can't upgrade your version of ntpq then if you want to know 802 the reslist of an instance of ntpd that you do not control, 803 know that if the target ntpd is malicious that it can send back 804 a response that intends to crash your ntpq process. 805 Credit: 806 This weakness was discovered by Cure53. 807 808* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational) 809 Date Resolved: 21 Mar 2017 810 References: Sec 3376 811 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 812 ntp-4.3.0 up to, but not including ntp-4.3.94. 813 CVSS2: N/A 814 CVSS3: N/A 815 Summary: 816 The build process for NTP has not, by default, provided compile 817 or link flags to offer "hardened" security options. Package 818 maintainers have always been able to provide hardening security 819 flags for their builds. As of ntp-4.2.8p10, the NTP build 820 system has a way to provide OS-specific hardening flags. Please 821 note that this is still not a really great solution because it 822 is specific to NTP builds. It's inefficient to have every 823 package supply, track and maintain this information for every 824 target build. It would be much better if there was a common way 825 for OSes to provide this information in a way that arbitrary 826 packages could benefit from it. 827 Mitigation: 828 Implement BCP-38. 829 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 830 or the NTP Public Services Project Download Page 831 Properly monitor your ntpd instances, and auto-restart 832 ntpd (without -g) if it stops running. 833 Credit: 834 This weakness was reported by Cure53. 835 836* 0rigin DoS (Medium) 837 Date Resolved: 21 Mar 2017 838 References: Sec 3361 / CVE-2016-9042 / VU#325339 839 Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10 840 CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case) 841 CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case) 842 Summary: 843 An exploitable denial of service vulnerability exists in the 844 origin timestamp check functionality of ntpd 4.2.8p9. A specially 845 crafted unauthenticated network packet can be used to reset the 846 expected origin timestamp for target peers. Legitimate replies 847 from targeted peers will fail the origin timestamp check (TEST2) 848 causing the reply to be dropped and creating a denial of service 849 condition. This vulnerability can only be exploited if the 850 attacker can spoof all of the servers. 851 Mitigation: 852 Implement BCP-38. 853 Configure enough servers/peers that an attacker cannot target 854 all of your time sources. 855 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 856 or the NTP Public Services Project Download Page 857 Properly monitor your ntpd instances, and auto-restart 858 ntpd (without -g) if it stops running. 859 Credit: 860 This weakness was discovered by Matthew Van Gundy of Cisco. 861 862Other fixes: 863 864* [Bug 3393] clang scan-build findings <perlinger@ntp.org> 865* [Bug 3363] Support for openssl-1.1.0 without compatibility modes 866 - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org> 867* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org> 868* [Bug 3216] libntp audio ioctl() args incorrectly cast to int 869 on 4.4BSD-Lite derived platforms <perlinger@ntp.org> 870 - original patch by Majdi S. Abbas 871* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org> 872* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org> 873 - initial patch by Christos Zoulas 874* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org> 875 - move loader API from 'inline' to proper source 876 - augment pathless dlls with absolute path to NTPD 877 - use 'msyslog()' instead of 'printf() 'for reporting trouble 878* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org> 879 - applied patch by Matthew Van Gundy 880* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org> 881 - applied some of the patches provided by Havard. Not all of them 882 still match the current code base, and I did not touch libopt. 883* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org> 884 - applied patch by Reinhard Max. See bugzilla for limitations. 885* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org> 886 - fixed dependency inversion from [Bug 2837] 887* [Bug 2896] Nothing happens if minsane < maxclock < minclock 888 - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org> 889* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org> 890 - applied patch by Miroslav Lichvar for ntp4.2.6 compat 891* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags 892 - Fixed these and some more locations of this pattern. 893 Probably din't get them all, though. <perlinger@ntp.org> 894* Update copyright year. 895 896-- 897(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org> 898 899* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org> 900 - added missed changeset for automatic openssl lib detection 901 - fixed some minor warning issues 902* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org> 903* configure.ac cleanup. stenn@ntp.org 904* openssl configure cleanup. stenn@ntp.org 905 906-- 907NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21) 908 909Focus: Security, Bug fixes, enhancements. 910 911Severity: HIGH 912 913In addition to bug fixes and enhancements, this release fixes the 914following 1 high- (Windows only), 2 medium-, 2 medium-/low, and 9155 low-severity vulnerabilities, and provides 28 other non-security 916fixes and improvements: 917 918* Trap crash 919 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 920 References: Sec 3119 / CVE-2016-9311 / VU#633847 921 Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not 922 including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94. 923 CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) 924 CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 925 Summary: 926 ntpd does not enable trap service by default. If trap service 927 has been explicitly enabled, an attacker can send a specially 928 crafted packet to cause a null pointer dereference that will 929 crash ntpd, resulting in a denial of service. 930 Mitigation: 931 Implement BCP-38. 932 Use "restrict default noquery ..." in your ntp.conf file. Only 933 allow mode 6 queries from trusted networks and hosts. 934 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 935 or the NTP Public Services Project Download Page 936 Properly monitor your ntpd instances, and auto-restart ntpd 937 (without -g) if it stops running. 938 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 939 940* Mode 6 information disclosure and DDoS vector 941 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 942 References: Sec 3118 / CVE-2016-9310 / VU#633847 943 Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not 944 including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94. 945 CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P) 946 CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 947 Summary: 948 An exploitable configuration modification vulnerability exists 949 in the control mode (mode 6) functionality of ntpd. If, against 950 long-standing BCP recommendations, "restrict default noquery ..." 951 is not specified, a specially crafted control mode packet can set 952 ntpd traps, providing information disclosure and DDoS 953 amplification, and unset ntpd traps, disabling legitimate 954 monitoring. A remote, unauthenticated, network attacker can 955 trigger this vulnerability. 956 Mitigation: 957 Implement BCP-38. 958 Use "restrict default noquery ..." in your ntp.conf file. 959 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 960 or the NTP Public Services Project Download Page 961 Properly monitor your ntpd instances, and auto-restart ntpd 962 (without -g) if it stops running. 963 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 964 965* Broadcast Mode Replay Prevention DoS 966 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 967 References: Sec 3114 / CVE-2016-7427 / VU#633847 968 Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 969 ntp-4.3.90 up to, but not including ntp-4.3.94. 970 CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) 971 CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 972 Summary: 973 The broadcast mode of NTP is expected to only be used in a 974 trusted network. If the broadcast network is accessible to an 975 attacker, a potentially exploitable denial of service 976 vulnerability in ntpd's broadcast mode replay prevention 977 functionality can be abused. An attacker with access to the NTP 978 broadcast domain can periodically inject specially crafted 979 broadcast mode NTP packets into the broadcast domain which, 980 while being logged by ntpd, can cause ntpd to reject broadcast 981 mode packets from legitimate NTP broadcast servers. 982 Mitigation: 983 Implement BCP-38. 984 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 985 or the NTP Public Services Project Download Page 986 Properly monitor your ntpd instances, and auto-restart ntpd 987 (without -g) if it stops running. 988 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 989 990* Broadcast Mode Poll Interval Enforcement DoS 991 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 992 References: Sec 3113 / CVE-2016-7428 / VU#633847 993 Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and 994 ntp-4.3.90 up to, but not including ntp-4.3.94 995 CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) 996 CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 997 Summary: 998 The broadcast mode of NTP is expected to only be used in a 999 trusted network. If the broadcast network is accessible to an 1000 attacker, a potentially exploitable denial of service 1001 vulnerability in ntpd's broadcast mode poll interval enforcement 1002 functionality can be abused. To limit abuse, ntpd restricts the 1003 rate at which each broadcast association will process incoming 1004 packets. ntpd will reject broadcast mode packets that arrive 1005 before the poll interval specified in the preceding broadcast 1006 packet expires. An attacker with access to the NTP broadcast 1007 domain can send specially crafted broadcast mode NTP packets to 1008 the broadcast domain which, while being logged by ntpd, will 1009 cause ntpd to reject broadcast mode packets from legitimate NTP 1010 broadcast servers. 1011 Mitigation: 1012 Implement BCP-38. 1013 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1014 or the NTP Public Services Project Download Page 1015 Properly monitor your ntpd instances, and auto-restart ntpd 1016 (without -g) if it stops running. 1017 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 1018 1019* Windows: ntpd DoS by oversized UDP packet 1020 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1021 References: Sec 3110 / CVE-2016-9312 / VU#633847 1022 Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9, 1023 and ntp-4.3.0 up to, but not including ntp-4.3.94. 1024 CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 1025 CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 1026 Summary: 1027 If a vulnerable instance of ntpd on Windows receives a crafted 1028 malicious packet that is "too big", ntpd will stop working. 1029 Mitigation: 1030 Implement BCP-38. 1031 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1032 or the NTP Public Services Project Download Page 1033 Properly monitor your ntpd instances, and auto-restart ntpd 1034 (without -g) if it stops running. 1035 Credit: This weakness was discovered by Robert Pajak of ABB. 1036 1037* 0rigin (zero origin) issues 1038 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1039 References: Sec 3102 / CVE-2016-7431 / VU#633847 1040 Affects: ntp-4.2.8p8, and ntp-4.3.93. 1041 CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 1042 CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 1043 Summary: 1044 Zero Origin timestamp problems were fixed by Bug 2945 in 1045 ntp-4.2.8p6. However, subsequent timestamp validation checks 1046 introduced a regression in the handling of some Zero origin 1047 timestamp checks. 1048 Mitigation: 1049 Implement BCP-38. 1050 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1051 or the NTP Public Services Project Download Page 1052 Properly monitor your ntpd instances, and auto-restart ntpd 1053 (without -g) if it stops running. 1054 Credit: This weakness was discovered by Sharon Goldberg and Aanchal 1055 Malhotra of Boston University. 1056 1057* read_mru_list() does inadequate incoming packet checks 1058 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1059 References: Sec 3082 / CVE-2016-7434 / VU#633847 1060 Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and 1061 ntp-4.3.0 up to, but not including ntp-4.3.94. 1062 CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C) 1063 CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1064 Summary: 1065 If ntpd is configured to allow mrulist query requests from a 1066 server that sends a crafted malicious packet, ntpd will crash 1067 on receipt of that crafted malicious mrulist query packet. 1068 Mitigation: 1069 Only allow mrulist query packets from trusted hosts. 1070 Implement BCP-38. 1071 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1072 or the NTP Public Services Project Download Page 1073 Properly monitor your ntpd instances, and auto-restart ntpd 1074 (without -g) if it stops running. 1075 Credit: This weakness was discovered by Magnus Stubman. 1076 1077* Attack on interface selection 1078 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1079 References: Sec 3072 / CVE-2016-7429 / VU#633847 1080 Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and 1081 ntp-4.3.0 up to, but not including ntp-4.3.94 1082 CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 1083 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 1084 Summary: 1085 When ntpd receives a server response on a socket that corresponds 1086 to a different interface than was used for the request, the peer 1087 structure is updated to use the interface for new requests. If 1088 ntpd is running on a host with multiple interfaces in separate 1089 networks and the operating system doesn't check source address in 1090 received packets (e.g. rp_filter on Linux is set to 0), an 1091 attacker that knows the address of the source can send a packet 1092 with spoofed source address which will cause ntpd to select wrong 1093 interface for the source and prevent it from sending new requests 1094 until the list of interfaces is refreshed, which happens on 1095 routing changes or every 5 minutes by default. If the attack is 1096 repeated often enough (once per second), ntpd will not be able to 1097 synchronize with the source. 1098 Mitigation: 1099 Implement BCP-38. 1100 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1101 or the NTP Public Services Project Download Page 1102 If you are going to configure your OS to disable source address 1103 checks, also configure your firewall configuration to control 1104 what interfaces can receive packets from what networks. 1105 Properly monitor your ntpd instances, and auto-restart ntpd 1106 (without -g) if it stops running. 1107 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1108 1109* Client rate limiting and server responses 1110 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1111 References: Sec 3071 / CVE-2016-7426 / VU#633847 1112 Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and 1113 ntp-4.3.0 up to, but not including ntp-4.3.94 1114 CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 1115 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 1116 Summary: 1117 When ntpd is configured with rate limiting for all associations 1118 (restrict default limited in ntp.conf), the limits are applied 1119 also to responses received from its configured sources. An 1120 attacker who knows the sources (e.g., from an IPv4 refid in 1121 server response) and knows the system is (mis)configured in this 1122 way can periodically send packets with spoofed source address to 1123 keep the rate limiting activated and prevent ntpd from accepting 1124 valid responses from its sources. 1125 1126 While this blanket rate limiting can be useful to prevent 1127 brute-force attacks on the origin timestamp, it allows this DoS 1128 attack. Similarly, it allows the attacker to prevent mobilization 1129 of ephemeral associations. 1130 Mitigation: 1131 Implement BCP-38. 1132 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1133 or the NTP Public Services Project Download Page 1134 Properly monitor your ntpd instances, and auto-restart ntpd 1135 (without -g) if it stops running. 1136 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1137 1138* Fix for bug 2085 broke initial sync calculations 1139 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1140 References: Sec 3067 / CVE-2016-7433 / VU#633847 1141 Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and 1142 ntp-4.3.0 up to, but not including ntp-4.3.94. But the 1143 root-distance calculation in general is incorrect in all versions 1144 of ntp-4 until this release. 1145 CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1146 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L 1147 Summary: 1148 Bug 2085 described a condition where the root delay was included 1149 twice, causing the jitter value to be higher than expected. Due 1150 to a misinterpretation of a small-print variable in The Book, the 1151 fix for this problem was incorrect, resulting in a root distance 1152 that did not include the peer dispersion. The calculations and 1153 formulae have been reviewed and reconciled, and the code has been 1154 updated accordingly. 1155 Mitigation: 1156 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1157 or the NTP Public Services Project Download Page 1158 Properly monitor your ntpd instances, and auto-restart ntpd 1159 (without -g) if it stops running. 1160 Credit: This weakness was discovered independently by Brian Utterback of 1161 Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University. 1162 1163Other fixes: 1164 1165* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org> 1166* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org 1167* [Bug 3129] Unknown hosts can put resolver thread into a hard loop 1168 - moved retry decision where it belongs. <perlinger@ntp.org> 1169* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order 1170 using the loopback-ppsapi-provider.dll <perlinger@ntp.org> 1171* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org> 1172* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org> 1173 - fixed extended sysvar lookup (bug introduced with bug 3008 fix) 1174* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org> 1175 - applied patches by Kurt Roeckx <kurt@roeckx.be> to source 1176 - added shim layer for SSL API calls with issues (both directions) 1177* [Bug 3089] Serial Parser does not work anymore for hopfser like device 1178 - simplified / refactored hex-decoding in driver. <perlinger@ntp.org> 1179* [Bug 3084] update-leap mis-parses the leapfile name. HStenn. 1180* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org 1181 - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com> 1182* [Bug 3067] Root distance calculation needs improvement. HStenn 1183* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org 1184 - PPS-HACK works again. 1185* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org> 1186 - applied patch by Brian Utterback <brian.utterback@oracle.com> 1187* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White. 1188* [Bug 3050] Fix for bug #2960 causes [...] spurious error message. 1189 <perlinger@ntp.org> 1190 - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no> 1191* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org 1192 - Patch provided by Kuramatsu. 1193* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org> 1194 - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()' 1195* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer 1196* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger 1197* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn. 1198* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org> 1199 - fixed GPS week expansion to work based on build date. Special thanks 1200 to Craig Leres for initial patch and testing. 1201* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd' 1202 - fixed Makefile.am <perlinger@ntp.org> 1203* [Bug 2689] ATOM driver processes last PPS pulse at startup, 1204 even if it is very old <perlinger@ntp.org> 1205 - make sure PPS source is alive before processing samples 1206 - improve stability close to the 500ms phase jump (phase gate) 1207* Fix typos in include/ntp.h. 1208* Shim X509_get_signature_nid() if needed 1209* git author attribution cleanup 1210* bk ignore file cleanup 1211* remove locks in Windows IO, use rpc-like thread synchronisation instead 1212 1213--- 1214NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02) 1215 1216Focus: Security, Bug fixes, enhancements. 1217 1218Severity: HIGH 1219 1220In addition to bug fixes and enhancements, this release fixes the 1221following 1 high- and 4 low-severity vulnerabilities: 1222 1223* CRYPTO_NAK crash 1224 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1225 References: Sec 3046 / CVE-2016-4957 / VU#321640 1226 Affects: ntp-4.2.8p7, and ntp-4.3.92. 1227 CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 1228 CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 1229 Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that 1230 could cause ntpd to crash. 1231 Mitigation: 1232 Implement BCP-38. 1233 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1234 or the NTP Public Services Project Download Page 1235 If you cannot upgrade from 4.2.8p7, the only other alternatives 1236 are to patch your code or filter CRYPTO_NAK packets. 1237 Properly monitor your ntpd instances, and auto-restart ntpd 1238 (without -g) if it stops running. 1239 Credit: This weakness was discovered by Nicolas Edet of Cisco. 1240 1241* Bad authentication demobilizes ephemeral associations 1242 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1243 References: Sec 3045 / CVE-2016-4953 / VU#321640 1244 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1245 ntp-4.3.0 up to, but not including ntp-4.3.93. 1246 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1247 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1248 Summary: An attacker who knows the origin timestamp and can send a 1249 spoofed packet containing a CRYPTO-NAK to an ephemeral peer 1250 target before any other response is sent can demobilize that 1251 association. 1252 Mitigation: 1253 Implement BCP-38. 1254 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1255 or the NTP Public Services Project Download Page 1256 Properly monitor your ntpd instances. 1257 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1258 1259* Processing spoofed server packets 1260 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1261 References: Sec 3044 / CVE-2016-4954 / VU#321640 1262 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1263 ntp-4.3.0 up to, but not including ntp-4.3.93. 1264 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1265 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1266 Summary: An attacker who is able to spoof packets with correct origin 1267 timestamps from enough servers before the expected response 1268 packets arrive at the target machine can affect some peer 1269 variables and, for example, cause a false leap indication to be set. 1270 Mitigation: 1271 Implement BCP-38. 1272 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1273 or the NTP Public Services Project Download Page 1274 Properly monitor your ntpd instances. 1275 Credit: This weakness was discovered by Jakub Prokes of Red Hat. 1276 1277* Autokey association reset 1278 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1279 References: Sec 3043 / CVE-2016-4955 / VU#321640 1280 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1281 ntp-4.3.0 up to, but not including ntp-4.3.93. 1282 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1283 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1284 Summary: An attacker who is able to spoof a packet with a correct 1285 origin timestamp before the expected response packet arrives at 1286 the target machine can send a CRYPTO_NAK or a bad MAC and cause 1287 the association's peer variables to be cleared. If this can be 1288 done often enough, it will prevent that association from working. 1289 Mitigation: 1290 Implement BCP-38. 1291 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1292 or the NTP Public Services Project Download Page 1293 Properly monitor your ntpd instances. 1294 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1295 1296* Broadcast interleave 1297 Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 1298 References: Sec 3042 / CVE-2016-4956 / VU#321640 1299 Affects: ntp-4, up to but not including ntp-4.2.8p8, and 1300 ntp-4.3.0 up to, but not including ntp-4.3.93. 1301 CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 1302 CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1303 Summary: The fix for NtpBug2978 does not cover broadcast associations, 1304 so broadcast clients can be triggered to flip into interleave mode. 1305 Mitigation: 1306 Implement BCP-38. 1307 Upgrade to 4.2.8p8, or later, from the NTP Project Download Page 1308 or the NTP Public Services Project Download Page 1309 Properly monitor your ntpd instances. 1310 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1311 1312Other fixes: 1313* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org 1314 - provide build environment 1315 - 'wint_t' and 'struct timespec' defined by VS2015 1316 - fixed print()/scanf() format issues 1317* [Bug 3052] Add a .gitignore file. Edmund Wong. 1318* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite. 1319* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback, 1320 JPerlinger, HStenn. 1321* Fix typo in ntp-wait and plot_summary. HStenn. 1322* Make sure we have an "author" file for git imports. HStenn. 1323* Update the sntp problem tests for MacOS. HStenn. 1324 1325--- 1326NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26) 1327 1328Focus: Security, Bug fixes, enhancements. 1329 1330Severity: MEDIUM 1331 1332When building NTP from source, there is a new configure option 1333available, --enable-dynamic-interleave. More information on this below. 1334 1335Also note that ntp-4.2.8p7 logs more "unexpected events" than previous 1336versions of ntp. These events have almost certainly happened in the 1337past, it's just that they were silently counted and not logged. With 1338the increasing awareness around security, we feel it's better to clearly 1339log these events to help detect abusive behavior. This increased 1340logging can also help detect other problems, too. 1341 1342In addition to bug fixes and enhancements, this release fixes the 1343following 9 low- and medium-severity vulnerabilities: 1344 1345* Improve NTP security against buffer comparison timing attacks, 1346 AKA: authdecrypt-timing 1347 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1348 References: Sec 2879 / CVE-2016-1550 1349 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1350 4.3.0 up to, but not including 4.3.92 1351 CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N) 1352 CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 1353 Summary: Packet authentication tests have been performed using 1354 memcmp() or possibly bcmp(), and it is potentially possible 1355 for a local or perhaps LAN-based attacker to send a packet with 1356 an authentication payload and indirectly observe how much of 1357 the digest has matched. 1358 Mitigation: 1359 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1360 or the NTP Public Services Project Download Page. 1361 Properly monitor your ntpd instances. 1362 Credit: This weakness was discovered independently by Loganaden 1363 Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG. 1364 1365* Zero origin timestamp bypass: Additional KoD checks. 1366 References: Sec 2945 / Sec 2901 / CVE-2015-8138 1367 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1368 Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92. 1369 1370* peer associations were broken by the fix for NtpBug2899 1371 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1372 References: Sec 2952 / CVE-2015-7704 1373 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1374 4.3.0 up to, but not including 4.3.92 1375 CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) 1376 Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer 1377 associations did not address all of the issues. 1378 Mitigation: 1379 Implement BCP-38. 1380 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1381 or the NTP Public Services Project Download Page 1382 If you can't upgrade, use "server" associations instead of 1383 "peer" associations. 1384 Monitor your ntpd instances. 1385 Credit: This problem was discovered by Michael Tatarinov. 1386 1387* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS 1388 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1389 References: Sec 3007 / CVE-2016-1547 / VU#718152 1390 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1391 4.3.0 up to, but not including 4.3.92 1392 CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) 1393 CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1394 Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an 1395 off-path attacker can cause a preemptable client association to 1396 be demobilized by sending a crypto NAK packet to a victim client 1397 with a spoofed source address of an existing associated peer. 1398 This is true even if authentication is enabled. 1399 1400 Furthermore, if the attacker keeps sending crypto NAK packets, 1401 for example one every second, the victim never has a chance to 1402 reestablish the association and synchronize time with that 1403 legitimate server. 1404 1405 For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more 1406 stringent checks are performed on incoming packets, but there 1407 are still ways to exploit this vulnerability in versions before 1408 ntp-4.2.8p7. 1409 Mitigation: 1410 Implement BCP-38. 1411 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1412 or the NTP Public Services Project Download Page 1413 Properly monitor your ntpd instances 1414 Credit: This weakness was discovered by Stephen Gray and 1415 Matthew Van Gundy of Cisco ASIG. 1416 1417* ctl_getitem() return value not always checked 1418 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1419 References: Sec 3008 / CVE-2016-2519 1420 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1421 4.3.0 up to, but not including 4.3.92 1422 CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C) 1423 CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1424 Summary: ntpq and ntpdc can be used to store and retrieve information 1425 in ntpd. It is possible to store a data value that is larger 1426 than the size of the buffer that the ctl_getitem() function of 1427 ntpd uses to report the return value. If the length of the 1428 requested data value returned by ctl_getitem() is too large, 1429 the value NULL is returned instead. There are 2 cases where the 1430 return value from ctl_getitem() was not directly checked to make 1431 sure it's not NULL, but there are subsequent INSIST() checks 1432 that make sure the return value is not NULL. There are no data 1433 values ordinarily stored in ntpd that would exceed this buffer 1434 length. But if one has permission to store values and one stores 1435 a value that is "too large", then ntpd will abort if an attempt 1436 is made to read that oversized value. 1437 Mitigation: 1438 Implement BCP-38. 1439 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1440 or the NTP Public Services Project Download Page 1441 Properly monitor your ntpd instances. 1442 Credit: This weakness was discovered by Yihan Lian of the Cloud 1443 Security Team, Qihoo 360. 1444 1445* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC 1446 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1447 References: Sec 3009 / CVE-2016-2518 / VU#718152 1448 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1449 4.3.0 up to, but not including 4.3.92 1450 CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P) 1451 CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 1452 Summary: Using a crafted packet to create a peer association with 1453 hmode > 7 causes the MATCH_ASSOC() lookup to make an 1454 out-of-bounds reference. 1455 Mitigation: 1456 Implement BCP-38. 1457 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1458 or the NTP Public Services Project Download Page 1459 Properly monitor your ntpd instances 1460 Credit: This weakness was discovered by Yihan Lian of the Cloud 1461 Security Team, Qihoo 360. 1462 1463* remote configuration trustedkey/requestkey/controlkey values are not 1464 properly validated 1465 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1466 References: Sec 3010 / CVE-2016-2517 / VU#718152 1467 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1468 4.3.0 up to, but not including 4.3.92 1469 CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C) 1470 CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1471 Summary: If ntpd was expressly configured to allow for remote 1472 configuration, a malicious user who knows the controlkey for 1473 ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) 1474 can create a session with ntpd and then send a crafted packet to 1475 ntpd that will change the value of the trustedkey, controlkey, 1476 or requestkey to a value that will prevent any subsequent 1477 authentication with ntpd until ntpd is restarted. 1478 Mitigation: 1479 Implement BCP-38. 1480 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1481 or the NTP Public Services Project Download Page 1482 Properly monitor your ntpd instances 1483 Credit: This weakness was discovered by Yihan Lian of the Cloud 1484 Security Team, Qihoo 360. 1485 1486* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd 1487 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1488 References: Sec 3011 / CVE-2016-2516 / VU#718152 1489 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1490 4.3.0 up to, but not including 4.3.92 1491 CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C) 1492 CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1493 Summary: If ntpd was expressly configured to allow for remote 1494 configuration, a malicious user who knows the controlkey for 1495 ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) 1496 can create a session with ntpd and if an existing association is 1497 unconfigured using the same IP twice on the unconfig directive 1498 line, ntpd will abort. 1499 Mitigation: 1500 Implement BCP-38. 1501 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1502 or the NTP Public Services Project Download Page 1503 Properly monitor your ntpd instances 1504 Credit: This weakness was discovered by Yihan Lian of the Cloud 1505 Security Team, Qihoo 360. 1506 1507* Refclock impersonation vulnerability 1508 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1509 References: Sec 3020 / CVE-2016-1551 1510 Affects: On a very limited number of OSes, all NTP releases up to but 1511 not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92. 1512 By "very limited number of OSes" we mean no general-purpose OSes 1513 have yet been identified that have this vulnerability. 1514 CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N) 1515 CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 1516 Summary: While most OSes implement martian packet filtering in their 1517 network stack, at least regarding 127.0.0.0/8, some will allow 1518 packets claiming to be from 127.0.0.0/8 that arrive over a 1519 physical network. On these OSes, if ntpd is configured to use a 1520 reference clock an attacker can inject packets over the network 1521 that look like they are coming from that reference clock. 1522 Mitigation: 1523 Implement martian packet filtering and BCP-38. 1524 Configure ntpd to use an adequate number of time sources. 1525 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1526 or the NTP Public Services Project Download Page 1527 If you are unable to upgrade and if you are running an OS that 1528 has this vulnerability, implement martian packet filters and 1529 lobby your OS vendor to fix this problem, or run your 1530 refclocks on computers that use OSes that are not vulnerable 1531 to these attacks and have your vulnerable machines get their 1532 time from protected resources. 1533 Properly monitor your ntpd instances. 1534 Credit: This weakness was discovered by Matt Street and others of 1535 Cisco ASIG. 1536 1537The following issues were fixed in earlier releases and contain 1538improvements in 4.2.8p7: 1539 1540* Clients that receive a KoD should validate the origin timestamp field. 1541 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 1542 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1543 Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77. 1544 1545* Skeleton key: passive server with trusted key can serve time. 1546 References: Sec 2936 / CVE-2015-7974 1547 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1548 Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90. 1549 1550Two other vulnerabilities have been reported, and the mitigations 1551for these are as follows: 1552 1553* Interleave-pivot 1554 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1555 References: Sec 2978 / CVE-2016-1548 1556 Affects: All ntp-4 releases. 1557 CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P) 1558 CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L 1559 Summary: It is possible to change the time of an ntpd client or deny 1560 service to an ntpd client by forcing it to change from basic 1561 client/server mode to interleaved symmetric mode. An attacker 1562 can spoof a packet from a legitimate ntpd server with an origin 1563 timestamp that matches the peer->dst timestamp recorded for that 1564 server. After making this switch, the client will reject all 1565 future legitimate server responses. It is possible to force the 1566 victim client to move time after the mode has been changed. 1567 ntpq gives no indication that the mode has been switched. 1568 Mitigation: 1569 Implement BCP-38. 1570 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1571 or the NTP Public Services Project Download Page. These 1572 versions will not dynamically "flip" into interleave mode 1573 unless configured to do so. 1574 Properly monitor your ntpd instances. 1575 Credit: This weakness was discovered by Miroslav Lichvar of RedHat 1576 and separately by Jonathan Gardner of Cisco ASIG. 1577 1578* Sybil vulnerability: ephemeral association attack 1579 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1580 References: Sec 3012 / CVE-2016-1549 1581 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1582 4.3.0 up to, but not including 4.3.92 1583 CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 1584 CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 1585 Summary: ntpd can be vulnerable to Sybil attacks. If one is not using 1586 the feature introduced in ntp-4.2.8p6 allowing an optional 4th 1587 field in the ntp.keys file to specify which IPs can serve time, 1588 a malicious authenticated peer can create arbitrarily-many 1589 ephemeral associations in order to win the clock selection of 1590 ntpd and modify a victim's clock. 1591 Mitigation: 1592 Implement BCP-38. 1593 Use the 4th field in the ntp.keys file to specify which IPs 1594 can be time servers. 1595 Properly monitor your ntpd instances. 1596 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 1597 1598Other fixes: 1599 1600* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org 1601 - fixed yet another race condition in the threaded resolver code. 1602* [Bug 2858] bool support. Use stdbool.h when available. HStenn. 1603* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org 1604 - integrated patches by Loganaden Velvidron <logan@ntp.org> 1605 with some modifications & unit tests 1606* [Bug 2960] async name resolution fixes for chroot() environments. 1607 Reinhard Max. 1608* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org 1609* [Bug 2995] Fixes to compile on Windows 1610* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org 1611* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org 1612 - Patch provided by Ch. Weisgerber 1613* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character" 1614 - A change related to [Bug 2853] forbids trailing white space in 1615 remote config commands. perlinger@ntp.org 1616* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE 1617 - report and patch from Aleksandr Kostikov. 1618 - Overhaul of Windows IO completion port handling. perlinger@ntp.org 1619* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org 1620 - fixed memory leak in access list (auth[read]keys.c) 1621 - refactored handling of key access lists (auth[read]keys.c) 1622 - reduced number of error branches (authreadkeys.c) 1623* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org 1624* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn. 1625* [Bug 3031] ntp broadcastclient unable to synchronize to an server 1626 when the time of server changed. perlinger@ntp.org 1627 - Check the initial delay calculation and reject/unpeer the broadcast 1628 server if the delay exceeds 50ms. Retry again after the next 1629 broadcast packet. 1630* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn. 1631* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn. 1632* Update html/xleave.html documentation. Harlan Stenn. 1633* Update ntp.conf documentation. Harlan Stenn. 1634* Fix some Credit: attributions in the NEWS file. Harlan Stenn. 1635* Fix typo in html/monopt.html. Harlan Stenn. 1636* Add README.pullrequests. Harlan Stenn. 1637* Cleanup to include/ntp.h. Harlan Stenn. 1638 1639New option to 'configure': 1640 1641While looking in to the issues around Bug 2978, the "interleave pivot" 1642issue, it became clear that there are some intricate and unresolved 1643issues with interleave operations. We also realized that the interleave 1644protocol was never added to the NTPv4 Standard, and it should have been. 1645 1646Interleave mode was first released in July of 2008, and can be engaged 1647in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may 1648contain the 'xleave' option, which will expressly enable interlave mode 1649for that association. Additionally, if a time packet arrives and is 1650found inconsistent with normal protocol behavior but has certain 1651characteristics that are compatible with interleave mode, NTP will 1652dynamically switch to interleave mode. With sufficient knowledge, an 1653attacker can send a crafted forged packet to an NTP instance that 1654triggers only one side to enter interleaved mode. 1655 1656To prevent this attack until we can thoroughly document, describe, 1657fix, and test the dynamic interleave mode, we've added a new 1658'configure' option to the build process: 1659 1660 --enable-dynamic-interleave 1661 1662This option controls whether or not NTP will, if conditions are right, 1663engage dynamic interleave mode. Dynamic interleave mode is disabled by 1664default in ntp-4.2.8p7. 1665 1666--- 1667NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20) 1668 1669Focus: Security, Bug fixes, enhancements. 1670 1671Severity: MEDIUM 1672 1673In addition to bug fixes and enhancements, this release fixes the 1674following 1 low- and 8 medium-severity vulnerabilities: 1675 1676* Potential Infinite Loop in 'ntpq' 1677 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1678 References: Sec 2548 / CVE-2015-8158 1679 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1680 4.3.0 up to, but not including 4.3.90 1681 CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 1682 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM 1683 Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'. 1684 The loop's only stopping conditions are receiving a complete and 1685 correct response or hitting a small number of error conditions. 1686 If the packet contains incorrect values that don't trigger one of 1687 the error conditions, the loop continues to receive new packets. 1688 Note well, this is an attack against an instance of 'ntpq', not 1689 'ntpd', and this attack requires the attacker to do one of the 1690 following: 1691 * Own a malicious NTP server that the client trusts 1692 * Prevent a legitimate NTP server from sending packets to 1693 the 'ntpq' client 1694 * MITM the 'ntpq' communications between the 'ntpq' client 1695 and the NTP server 1696 Mitigation: 1697 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1698 or the NTP Public Services Project Download Page 1699 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. 1700 1701* 0rigin: Zero Origin Timestamp Bypass 1702 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1703 References: Sec 2945 / CVE-2015-8138 1704 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1705 4.3.0 up to, but not including 4.3.90 1706 CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM 1707 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM 1708 (3.7 - LOW if you score AC:L) 1709 Summary: To distinguish legitimate peer responses from forgeries, a 1710 client attempts to verify a response packet by ensuring that the 1711 origin timestamp in the packet matches the origin timestamp it 1712 transmitted in its last request. A logic error exists that 1713 allows packets with an origin timestamp of zero to bypass this 1714 check whenever there is not an outstanding request to the server. 1715 Mitigation: 1716 Configure 'ntpd' to get time from multiple sources. 1717 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1718 or the NTP Public Services Project Download Page. 1719 Monitor your 'ntpd' instances. 1720 Credit: This weakness was discovered by Matthey Van Gundy and 1721 Jonathan Gardner of Cisco ASIG. 1722 1723* Stack exhaustion in recursive traversal of restriction list 1724 Date Resolved: Stable (4.2.8p6) 19 Jan 2016 1725 References: Sec 2940 / CVE-2015-7978 1726 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1727 4.3.0 up to, but not including 4.3.90 1728 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 1729 Summary: An unauthenticated 'ntpdc reslist' command can cause a 1730 segmentation fault in ntpd by exhausting the call stack. 1731 Mitigation: 1732 Implement BCP-38. 1733 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1734 or the NTP Public Services Project Download Page. 1735 If you are unable to upgrade: 1736 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 1737 If you must enable mode 7: 1738 configure the use of a 'requestkey' to control who can 1739 issue mode 7 requests. 1740 configure 'restrict noquery' to further limit mode 7 1741 requests to trusted sources. 1742 Monitor your ntpd instances. 1743 Credit: This weakness was discovered by Stephen Gray at Cisco ASIG. 1744 1745* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode 1746 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1747 References: Sec 2942 / CVE-2015-7979 1748 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1749 4.3.0 up to, but not including 4.3.90 1750 CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8 1751 Summary: An off-path attacker can send broadcast packets with bad 1752 authentication (wrong key, mismatched key, incorrect MAC, etc) 1753 to broadcast clients. It is observed that the broadcast client 1754 tears down the association with the broadcast server upon 1755 receiving just one bad packet. 1756 Mitigation: 1757 Implement BCP-38. 1758 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1759 or the NTP Public Services Project Download Page. 1760 Monitor your 'ntpd' instances. 1761 If this sort of attack is an active problem for you, you have 1762 deeper problems to investigate. In this case also consider 1763 having smaller NTP broadcast domains. 1764 Credit: This weakness was discovered by Aanchal Malhotra of Boston 1765 University. 1766 1767* reslist NULL pointer dereference 1768 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1769 References: Sec 2939 / CVE-2015-7977 1770 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1771 4.3.0 up to, but not including 4.3.90 1772 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 1773 Summary: An unauthenticated 'ntpdc reslist' command can cause a 1774 segmentation fault in ntpd by causing a NULL pointer dereference. 1775 Mitigation: 1776 Implement BCP-38. 1777 Upgrade to 4.2.8p6, or later, from NTP Project Download Page or 1778 the NTP Public Services Project Download Page. 1779 If you are unable to upgrade: 1780 mode 7 is disabled by default. Don't enable it. 1781 If you must enable mode 7: 1782 configure the use of a 'requestkey' to control who can 1783 issue mode 7 requests. 1784 configure 'restrict noquery' to further limit mode 7 1785 requests to trusted sources. 1786 Monitor your ntpd instances. 1787 Credit: This weakness was discovered by Stephen Gray of Cisco ASIG. 1788 1789* 'ntpq saveconfig' command allows dangerous characters in filenames. 1790 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1791 References: Sec 2938 / CVE-2015-7976 1792 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1793 4.3.0 up to, but not including 4.3.90 1794 CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM 1795 Summary: The ntpq saveconfig command does not do adequate filtering 1796 of special characters from the supplied filename. 1797 Note well: The ability to use the saveconfig command is controlled 1798 by the 'restrict nomodify' directive, and the recommended default 1799 configuration is to disable this capability. If the ability to 1800 execute a 'saveconfig' is required, it can easily (and should) be 1801 limited and restricted to a known small number of IP addresses. 1802 Mitigation: 1803 Implement BCP-38. 1804 use 'restrict default nomodify' in your 'ntp.conf' file. 1805 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page. 1806 If you are unable to upgrade: 1807 build NTP with 'configure --disable-saveconfig' if you will 1808 never need this capability, or 1809 use 'restrict default nomodify' in your 'ntp.conf' file. Be 1810 careful about what IPs have the ability to send 'modify' 1811 requests to 'ntpd'. 1812 Monitor your ntpd instances. 1813 'saveconfig' requests are logged to syslog - monitor your syslog files. 1814 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. 1815 1816* nextvar() missing length check in ntpq 1817 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1818 References: Sec 2937 / CVE-2015-7975 1819 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1820 4.3.0 up to, but not including 4.3.90 1821 CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW 1822 If you score A:C, this becomes 4.0. 1823 CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW 1824 Summary: ntpq may call nextvar() which executes a memcpy() into the 1825 name buffer without a proper length check against its maximum 1826 length of 256 bytes. Note well that we're taking about ntpq here. 1827 The usual worst-case effect of this vulnerability is that the 1828 specific instance of ntpq will crash and the person or process 1829 that did this will have stopped themselves. 1830 Mitigation: 1831 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1832 or the NTP Public Services Project Download Page. 1833 If you are unable to upgrade: 1834 If you have scripts that feed input to ntpq make sure there are 1835 some sanity checks on the input received from the "outside". 1836 This is potentially more dangerous if ntpq is run as root. 1837 Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG. 1838 1839* Skeleton Key: Any trusted key system can serve time 1840 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1841 References: Sec 2936 / CVE-2015-7974 1842 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1843 4.3.0 up to, but not including 4.3.90 1844 CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9 1845 Summary: Symmetric key encryption uses a shared trusted key. The 1846 reported title for this issue was "Missing key check allows 1847 impersonation between authenticated peers" and the report claimed 1848 "A key specified only for one server should only work to 1849 authenticate that server, other trusted keys should be refused." 1850 Except there has never been any correlation between this trusted 1851 key and server v. clients machines and there has never been any 1852 way to specify a key only for one server. We have treated this as 1853 an enhancement request, and ntp-4.2.8p6 includes other checks and 1854 tests to strengthen clients against attacks coming from broadcast 1855 servers. 1856 Mitigation: 1857 Implement BCP-38. 1858 If this scenario represents a real or a potential issue for you, 1859 upgrade to 4.2.8p6, or later, from the NTP Project Download 1860 Page or the NTP Public Services Project Download Page, and 1861 use the new field in the ntp.keys file that specifies the list 1862 of IPs that are allowed to serve time. Note that this alone 1863 will not protect against time packets with forged source IP 1864 addresses, however other changes in ntp-4.2.8p6 provide 1865 significant mitigation against broadcast attacks. MITM attacks 1866 are a different story. 1867 If you are unable to upgrade: 1868 Don't use broadcast mode if you cannot monitor your client 1869 servers. 1870 If you choose to use symmetric keys to authenticate time 1871 packets in a hostile environment where ephemeral time 1872 servers can be created, or if it is expected that malicious 1873 time servers will participate in an NTP broadcast domain, 1874 limit the number of participating systems that participate 1875 in the shared-key group. 1876 Monitor your ntpd instances. 1877 Credit: This weakness was discovered by Matt Street of Cisco ASIG. 1878 1879* Deja Vu: Replay attack on authenticated broadcast mode 1880 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 1881 References: Sec 2935 / CVE-2015-7973 1882 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 1883 4.3.0 up to, but not including 4.3.90 1884 CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM 1885 Summary: If an NTP network is configured for broadcast operations then 1886 either a man-in-the-middle attacker or a malicious participant 1887 that has the same trusted keys as the victim can replay time packets. 1888 Mitigation: 1889 Implement BCP-38. 1890 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 1891 or the NTP Public Services Project Download Page. 1892 If you are unable to upgrade: 1893 Don't use broadcast mode if you cannot monitor your client servers. 1894 Monitor your ntpd instances. 1895 Credit: This weakness was discovered by Aanchal Malhotra of Boston 1896 University. 1897 1898Other fixes: 1899 1900* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org 1901* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org 1902 - applied patch by shenpeng11@huawei.com with minor adjustments 1903* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org 1904* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org 1905* [Bug 2892] Several test cases assume IPv6 capabilities even when 1906 IPv6 is disabled in the build. perlinger@ntp.org 1907 - Found this already fixed, but validation led to cleanup actions. 1908* [Bug 2905] DNS lookups broken. perlinger@ntp.org 1909 - added limits to stack consumption, fixed some return code handling 1910* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 1911 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org 1912 - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org 1913* [Bug 2980] reduce number of warnings. perlinger@ntp.org 1914 - integrated several patches from Havard Eidnes (he@uninett.no) 1915* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org 1916 - implement 'auth_log2()' using integer bithack instead of float calculation 1917* Make leapsec_query debug messages less verbose. Harlan Stenn. 1918 1919--- 1920NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07) 1921 1922Focus: Security, Bug fixes, enhancements. 1923 1924Severity: MEDIUM 1925 1926In addition to bug fixes and enhancements, this release fixes the 1927following medium-severity vulnerability: 1928 1929* Small-step/big-step. Close the panic gate earlier. 1930 References: Sec 2956, CVE-2015-5300 1931 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and 1932 4.3.0 up to, but not including 4.3.78 1933 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM 1934 Summary: If ntpd is always started with the -g option, which is 1935 common and against long-standing recommendation, and if at the 1936 moment ntpd is restarted an attacker can immediately respond to 1937 enough requests from enough sources trusted by the target, which 1938 is difficult and not common, there is a window of opportunity 1939 where the attacker can cause ntpd to set the time to an 1940 arbitrary value. Similarly, if an attacker is able to respond 1941 to enough requests from enough sources trusted by the target, 1942 the attacker can cause ntpd to abort and restart, at which 1943 point it can tell the target to set the time to an arbitrary 1944 value if and only if ntpd was re-started against long-standing 1945 recommendation with the -g flag, or if ntpd was not given the 1946 -g flag, the attacker can move the target system's time by at 1947 most 900 seconds' time per attack. 1948 Mitigation: 1949 Configure ntpd to get time from multiple sources. 1950 Upgrade to 4.2.8p5, or later, from the NTP Project Download 1951 Page or the NTP Public Services Project Download Page 1952 As we've long documented, only use the -g option to ntpd in 1953 cold-start situations. 1954 Monitor your ntpd instances. 1955 Credit: This weakness was discovered by Aanchal Malhotra, 1956 Isaac E. Cohen, and Sharon Goldberg at Boston University. 1957 1958 NOTE WELL: The -g flag disables the limit check on the panic_gate 1959 in ntpd, which is 900 seconds by default. The bug identified by 1960 the researchers at Boston University is that the panic_gate 1961 check was only re-enabled after the first change to the system 1962 clock that was greater than 128 milliseconds, by default. The 1963 correct behavior is that the panic_gate check should be 1964 re-enabled after any initial time correction. 1965 1966 If an attacker is able to inject consistent but erroneous time 1967 responses to your systems via the network or "over the air", 1968 perhaps by spoofing radio, cellphone, or navigation satellite 1969 transmissions, they are in a great position to affect your 1970 system's clock. There comes a point where your very best 1971 defenses include: 1972 1973 Configure ntpd to get time from multiple sources. 1974 Monitor your ntpd instances. 1975 1976Other fixes: 1977 1978* Coverity submission process updated from Coverity 5 to Coverity 7. 1979 The NTP codebase has been undergoing regular Coverity scans on an 1980 ongoing basis since 2006. As part of our recent upgrade from 1981 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of 1982 the newly-written Unity test programs. These were fixed. 1983* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org 1984* [Bug 2887] stratum -1 config results as showing value 99 1985 - fudge stratum should only accept values [0..16]. perlinger@ntp.org 1986* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn. 1987* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray 1988* [Bug 2944] errno is not preserved properly in ntpdate after sendto call. 1989 - applied patch by Christos Zoulas. perlinger@ntp.org 1990* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704. 1991* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes. 1992 - fixed data race conditions in threaded DNS worker. perlinger@ntp.org 1993 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org 1994* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org 1995 - accept key file only if there are no parsing errors 1996 - fixed size_t/u_int format clash 1997 - fixed wrong use of 'strlcpy' 1998* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. 1999* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org 2000 - fixed several other warnings (cast-alignment, missing const, missing prototypes) 2001 - promote use of 'size_t' for values that express a size 2002 - use ptr-to-const for read-only arguments 2003 - make sure SOCKET values are not truncated (win32-specific) 2004 - format string fixes 2005* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. 2006* [Bug 2967] ntpdate command suffers an assertion failure 2007 - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org 2008* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with 2009 lots of clients. perlinger@ntp.org 2010* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 2011 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org 2012* Unity cleanup for FreeBSD-6.4. Harlan Stenn. 2013* Unity test cleanup. Harlan Stenn. 2014* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. 2015* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. 2016* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. 2017* Quiet a warning from clang. Harlan Stenn. 2018 2019--- 2020NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21) 2021 2022Focus: Security, Bug fixes, enhancements. 2023 2024Severity: MEDIUM 2025 2026In addition to bug fixes and enhancements, this release fixes the 2027following 13 low- and medium-severity vulnerabilities: 2028 2029* Incomplete vallen (value length) checks in ntp_crypto.c, leading 2030 to potential crashes or potential code injection/information leakage. 2031 2032 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 2033 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 2034 and 4.3.0 up to, but not including 4.3.77 2035 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 2036 Summary: The fix for CVE-2014-9750 was incomplete in that there were 2037 certain code paths where a packet with particular autokey operations 2038 that contained malicious data was not always being completely 2039 validated. Receipt of these packets can cause ntpd to crash. 2040 Mitigation: 2041 Don't use autokey. 2042 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2043 Page or the NTP Public Services Project Download Page 2044 Monitor your ntpd instances. 2045 Credit: This weakness was discovered by Tenable Network Security. 2046 2047* Clients that receive a KoD should validate the origin timestamp field. 2048 2049 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 2050 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 2051 and 4.3.0 up to, but not including 4.3.77 2052 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst 2053 Summary: An ntpd client that honors Kiss-of-Death responses will honor 2054 KoD messages that have been forged by an attacker, causing it to 2055 delay or stop querying its servers for time updates. Also, an 2056 attacker can forge packets that claim to be from the target and 2057 send them to servers often enough that a server that implements 2058 KoD rate limiting will send the target machine a KoD response to 2059 attempt to reduce the rate of incoming packets, or it may also 2060 trigger a firewall block at the server for packets from the target 2061 machine. For either of these attacks to succeed, the attacker must 2062 know what servers the target is communicating with. An attacker 2063 can be anywhere on the Internet and can frequently learn the 2064 identity of the target's time source by sending the target a 2065 time query. 2066 Mitigation: 2067 Implement BCP-38. 2068 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page 2069 or the NTP Public Services Project Download Page 2070 If you can't upgrade, restrict who can query ntpd to learn who 2071 its servers are, and what IPs are allowed to ask your system 2072 for the time. This mitigation is heavy-handed. 2073 Monitor your ntpd instances. 2074 Note: 2075 4.2.8p4 protects against the first attack. For the second attack, 2076 all we can do is warn when it is happening, which we do in 4.2.8p4. 2077 Credit: This weakness was discovered by Aanchal Malhotra, 2078 Issac E. Cohen, and Sharon Goldberg of Boston University. 2079 2080* configuration directives to change "pidfile" and "driftfile" should 2081 only be allowed locally. 2082 2083 References: Sec 2902 / CVE-2015-5196 2084 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 2085 and 4.3.0 up to, but not including 4.3.77 2086 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case 2087 Summary: If ntpd is configured to allow for remote configuration, 2088 and if the (possibly spoofed) source IP address is allowed to 2089 send remote configuration requests, and if the attacker knows 2090 the remote configuration password, it's possible for an attacker 2091 to use the "pidfile" or "driftfile" directives to potentially 2092 overwrite other files. 2093 Mitigation: 2094 Implement BCP-38. 2095 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2096 Page or the NTP Public Services Project Download Page 2097 If you cannot upgrade, don't enable remote configuration. 2098 If you must enable remote configuration and cannot upgrade, 2099 remote configuration of NTF's ntpd requires: 2100 - an explicitly configured trustedkey, and you should also 2101 configure a controlkey. 2102 - access from a permitted IP. You choose the IPs. 2103 - authentication. Don't disable it. Practice secure key safety. 2104 Monitor your ntpd instances. 2105 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 2106 2107* Slow memory leak in CRYPTO_ASSOC 2108 2109 References: Sec 2909 / CVE-2015-7701 2110 Affects: All ntp-4 releases that use autokey up to, but not 2111 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 2112 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case, 2113 4.6 otherwise 2114 Summary: If ntpd is configured to use autokey, then an attacker can 2115 send packets to ntpd that will, after several days of ongoing 2116 attack, cause it to run out of memory. 2117 Mitigation: 2118 Don't use autokey. 2119 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2120 Page or the NTP Public Services Project Download Page 2121 Monitor your ntpd instances. 2122 Credit: This weakness was discovered by Tenable Network Security. 2123 2124* mode 7 loop counter underrun 2125 2126 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052 2127 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 2128 and 4.3.0 up to, but not including 4.3.77 2129 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 2130 Summary: If ntpd is configured to enable mode 7 packets, and if the 2131 use of mode 7 packets is not properly protected thru the use of 2132 the available mode 7 authentication and restriction mechanisms, 2133 and if the (possibly spoofed) source IP address is allowed to 2134 send mode 7 queries, then an attacker can send a crafted packet 2135 to ntpd that will cause it to crash. 2136 Mitigation: 2137 Implement BCP-38. 2138 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2139 Page or the NTP Public Services Project Download Page. 2140 If you are unable to upgrade: 2141 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 2142 If you must enable mode 7: 2143 configure the use of a requestkey to control who can issue 2144 mode 7 requests. 2145 configure restrict noquery to further limit mode 7 requests 2146 to trusted sources. 2147 Monitor your ntpd instances. 2148Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. 2149 2150* memory corruption in password store 2151 2152 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054 2153 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 2154 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case 2155 Summary: If ntpd is configured to allow remote configuration, and if 2156 the (possibly spoofed) source IP address is allowed to send 2157 remote configuration requests, and if the attacker knows the 2158 remote configuration password or if ntpd was configured to 2159 disable authentication, then an attacker can send a set of 2160 packets to ntpd that may cause a crash or theoretically 2161 perform a code injection attack. 2162 Mitigation: 2163 Implement BCP-38. 2164 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2165 Page or the NTP Public Services Project Download Page. 2166 If you are unable to upgrade, remote configuration of NTF's 2167 ntpd requires: 2168 an explicitly configured "trusted" key. Only configure 2169 this if you need it. 2170 access from a permitted IP address. You choose the IPs. 2171 authentication. Don't disable it. Practice secure key safety. 2172 Monitor your ntpd instances. 2173 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2174 2175* Infinite loop if extended logging enabled and the logfile and 2176 keyfile are the same. 2177 2178 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055 2179 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 2180 and 4.3.0 up to, but not including 4.3.77 2181 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 2182 Summary: If ntpd is configured to allow remote configuration, and if 2183 the (possibly spoofed) source IP address is allowed to send 2184 remote configuration requests, and if the attacker knows the 2185 remote configuration password or if ntpd was configured to 2186 disable authentication, then an attacker can send a set of 2187 packets to ntpd that will cause it to crash and/or create a 2188 potentially huge log file. Specifically, the attacker could 2189 enable extended logging, point the key file at the log file, 2190 and cause what amounts to an infinite loop. 2191 Mitigation: 2192 Implement BCP-38. 2193 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2194 Page or the NTP Public Services Project Download Page. 2195 If you are unable to upgrade, remote configuration of NTF's ntpd 2196 requires: 2197 an explicitly configured "trusted" key. Only configure this 2198 if you need it. 2199 access from a permitted IP address. You choose the IPs. 2200 authentication. Don't disable it. Practice secure key safety. 2201 Monitor your ntpd instances. 2202 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2203 2204* Potential path traversal vulnerability in the config file saving of 2205 ntpd on VMS. 2206 2207 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062 2208 Affects: All ntp-4 releases running under VMS up to, but not 2209 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 2210 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case 2211 Summary: If ntpd is configured to allow remote configuration, and if 2212 the (possibly spoofed) IP address is allowed to send remote 2213 configuration requests, and if the attacker knows the remote 2214 configuration password or if ntpd was configured to disable 2215 authentication, then an attacker can send a set of packets to 2216 ntpd that may cause ntpd to overwrite files. 2217 Mitigation: 2218 Implement BCP-38. 2219 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2220 Page or the NTP Public Services Project Download Page. 2221 If you are unable to upgrade, remote configuration of NTF's ntpd 2222 requires: 2223 an explicitly configured "trusted" key. Only configure 2224 this if you need it. 2225 access from permitted IP addresses. You choose the IPs. 2226 authentication. Don't disable it. Practice key security safety. 2227 Monitor your ntpd instances. 2228 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2229 2230* ntpq atoascii() potential memory corruption 2231 2232 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063 2233 Affects: All ntp-4 releases running up to, but not including 4.2.8p4, 2234 and 4.3.0 up to, but not including 4.3.77 2235 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case 2236 Summary: If an attacker can figure out the precise moment that ntpq 2237 is listening for data and the port number it is listening on or 2238 if the attacker can provide a malicious instance ntpd that 2239 victims will connect to then an attacker can send a set of 2240 crafted mode 6 response packets that, if received by ntpq, 2241 can cause ntpq to crash. 2242 Mitigation: 2243 Implement BCP-38. 2244 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2245 Page or the NTP Public Services Project Download Page. 2246 If you are unable to upgrade and you run ntpq against a server 2247 and ntpq crashes, try again using raw mode. Build or get a 2248 patched ntpq and see if that fixes the problem. Report new 2249 bugs in ntpq or abusive servers appropriately. 2250 If you use ntpq in scripts, make sure ntpq does what you expect 2251 in your scripts. 2252 Credit: This weakness was discovered by Yves Younan and 2253 Aleksander Nikolich of Cisco Talos. 2254 2255* Invalid length data provided by a custom refclock driver could cause 2256 a buffer overflow. 2257 2258 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064 2259 Affects: Potentially all ntp-4 releases running up to, but not 2260 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 2261 that have custom refclocks 2262 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case, 2263 5.9 unusual worst case 2264 Summary: A negative value for the datalen parameter will overflow a 2265 data buffer. NTF's ntpd driver implementations always set this 2266 value to 0 and are therefore not vulnerable to this weakness. 2267 If you are running a custom refclock driver in ntpd and that 2268 driver supplies a negative value for datalen (no custom driver 2269 of even minimal competence would do this) then ntpd would 2270 overflow a data buffer. It is even hypothetically possible 2271 in this case that instead of simply crashing ntpd the attacker 2272 could effect a code injection attack. 2273 Mitigation: 2274 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2275 Page or the NTP Public Services Project Download Page. 2276 If you are unable to upgrade: 2277 If you are running custom refclock drivers, make sure 2278 the signed datalen value is either zero or positive. 2279 Monitor your ntpd instances. 2280 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 2281 2282* Password Length Memory Corruption Vulnerability 2283 2284 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065 2285 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 2286 4.3.0 up to, but not including 4.3.77 2287 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case, 2288 1.7 usual case, 6.8, worst case 2289 Summary: If ntpd is configured to allow remote configuration, and if 2290 the (possibly spoofed) source IP address is allowed to send 2291 remote configuration requests, and if the attacker knows the 2292 remote configuration password or if ntpd was (foolishly) 2293 configured to disable authentication, then an attacker can 2294 send a set of packets to ntpd that may cause it to crash, 2295 with the hypothetical possibility of a small code injection. 2296 Mitigation: 2297 Implement BCP-38. 2298 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2299 Page or the NTP Public Services Project Download Page. 2300 If you are unable to upgrade, remote configuration of NTF's 2301 ntpd requires: 2302 an explicitly configured "trusted" key. Only configure 2303 this if you need it. 2304 access from a permitted IP address. You choose the IPs. 2305 authentication. Don't disable it. Practice secure key safety. 2306 Monitor your ntpd instances. 2307 Credit: This weakness was discovered by Yves Younan and 2308 Aleksander Nikolich of Cisco Talos. 2309 2310* decodenetnum() will ASSERT botch instead of returning FAIL on some 2311 bogus values. 2312 2313 References: Sec 2922 / CVE-2015-7855 2314 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 2315 4.3.0 up to, but not including 4.3.77 2316 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 2317 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing 2318 an unusually long data value where a network address is expected, 2319 the decodenetnum() function will abort with an assertion failure 2320 instead of simply returning a failure condition. 2321 Mitigation: 2322 Implement BCP-38. 2323 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2324 Page or the NTP Public Services Project Download Page. 2325 If you are unable to upgrade: 2326 mode 7 is disabled by default. Don't enable it. 2327 Use restrict noquery to limit who can send mode 6 2328 and mode 7 requests. 2329 Configure and use the controlkey and requestkey 2330 authentication directives to limit who can 2331 send mode 6 and mode 7 requests. 2332 Monitor your ntpd instances. 2333 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 2334 2335* NAK to the Future: Symmetric association authentication bypass via 2336 crypto-NAK. 2337 2338 References: Sec 2941 / CVE-2015-7871 2339 Affects: All ntp-4 releases between 4.2.5p186 up to but not including 2340 4.2.8p4, and 4.3.0 up to but not including 4.3.77 2341 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4 2342 Summary: Crypto-NAK packets can be used to cause ntpd to accept time 2343 from unauthenticated ephemeral symmetric peers by bypassing the 2344 authentication required to mobilize peer associations. This 2345 vulnerability appears to have been introduced in ntp-4.2.5p186 2346 when the code handling mobilization of new passive symmetric 2347 associations (lines 1103-1165) was refactored. 2348 Mitigation: 2349 Implement BCP-38. 2350 Upgrade to 4.2.8p4, or later, from the NTP Project Download 2351 Page or the NTP Public Services Project Download Page. 2352 If you are unable to upgrade: 2353 Apply the patch to the bottom of the "authentic" check 2354 block around line 1136 of ntp_proto.c. 2355 Monitor your ntpd instances. 2356 Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 2357 2358Backward-Incompatible changes: 2359* [Bug 2817] Default on Linux is now "rlimit memlock -1". 2360 While the general default of 32M is still the case, under Linux 2361 the default value has been changed to -1 (do not lock ntpd into 2362 memory). A value of 0 means "lock ntpd into memory with whatever 2363 memory it needs." If your ntp.conf file has an explicit "rlimit memlock" 2364 value in it, that value will continue to be used. 2365 2366* [Bug 2886] Misspelling: "outlyer" should be "outlier". 2367 If you've written a script that looks for this case in, say, the 2368 output of ntpq, you probably want to change your regex matches 2369 from 'outlyer' to 'outl[iy]er'. 2370 2371New features in this release: 2372* 'rlimit memlock' now has finer-grained control. A value of -1 means 2373 "don't lock ntpd into memore". This is the default for Linux boxes. 2374 A value of 0 means "lock ntpd into memory" with no limits. Otherwise 2375 the value is the number of megabytes of memory to lock. The default 2376 is 32 megabytes. 2377 2378* The old Google Test framework has been replaced with a new framework, 2379 based on http://www.throwtheswitch.org/unity/ . 2380 2381Bug Fixes and Improvements: 2382* [Bug 2332] (reopened) Exercise thread cancellation once before dropping 2383 privileges and limiting resources in NTPD removes the need to link 2384 forcefully against 'libgcc_s' which does not always work. J.Perlinger 2385* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn. 2386* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn. 2387* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn. 2388* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org 2389* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn. 2390* [Bug 2849] Systems with more than one default route may never 2391 synchronize. Brian Utterback. Note that this patch might need to 2392 be reverted once Bug 2043 has been fixed. 2393* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger 2394* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn. 2395* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger 2396* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn 2397* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn 2398* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must 2399 be configured for the distribution targets. Harlan Stenn. 2400* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar. 2401* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org 2402* [Bug 2888] streamline calendar functions. perlinger@ntp.org 2403* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org 2404* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov. 2405* [Bug 2906] make check needs better support for pthreads. Harlan Stenn. 2406* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn. 2407* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn. 2408* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn. 2409* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn. 2410* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn. 2411* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn. 2412* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn. 2413* top_srcdir can change based on ntp v. sntp. Harlan Stenn. 2414* sntp/tests/ function parameter list cleanup. Damir Tomi��. 2415* tests/libntp/ function parameter list cleanup. Damir Tomi��. 2416* tests/ntpd/ function parameter list cleanup. Damir Tomi��. 2417* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn. 2418* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn. 2419* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomi��. 2420* tests/libntp/ improvements in code and fixed error printing. Damir Tomi��. 2421* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 2422 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed 2423 formatting; first declaration, then code (C90); deleted unnecessary comments; 2424 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich 2425* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments, 2426 fix formatting, cleanup. Tomasz Flendrich 2427* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting. 2428 Tomasz Flendrich 2429* tests/libntp/statestr.c remove empty functions, remove unnecessary include, 2430 fix formatting. Tomasz Flendrich 2431* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich 2432* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich 2433* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting. 2434 Tomasz Flendrich 2435* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich 2436* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich 2437* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich 2438* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich 2439* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich 2440* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting. 2441* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include, 2442fixed formatting. Tomasz Flendrich 2443* tests/libntp/timespecops.c fixed formatting, fixed the order of includes, 2444 removed unnecessary comments, cleanup. Tomasz Flendrich 2445* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary 2446 comments, cleanup. Tomasz Flendrich 2447* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting. 2448 Tomasz Flendrich 2449* tests/libntp/lfptest.h cleanup. Tomasz Flendrich 2450* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich 2451* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting. 2452 Tomasz Flendrich 2453* sntp/tests/kodDatabase.c added consts, deleted empty function, 2454 fixed formatting. Tomasz Flendrich 2455* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich 2456* sntp/tests/packetHandling.c is now using proper Unity's assertions, 2457 fixed formatting, deleted unused variable. Tomasz Flendrich 2458* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting. 2459 Tomasz Flendrich 2460* sntp/tests/packetProcessing.c changed from sprintf to snprintf, 2461 fixed formatting. Tomasz Flendrich 2462* sntp/tests/utilities.c is now using proper Unity's assertions, changed 2463 the order of includes, fixed formatting, removed unnecessary comments. 2464 Tomasz Flendrich 2465* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich 2466* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem, 2467 made one function do its job, deleted unnecessary prints, fixed formatting. 2468 Tomasz Flendrich 2469* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich 2470* sntp/unity/unity_config.h: Distribute it. Harlan Stenn. 2471* sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn. 2472* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn. 2473* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn. 2474* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn. 2475* Don't build sntp/libevent/sample/. Harlan Stenn. 2476* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn. 2477* br-flock: --enable-local-libevent. Harlan Stenn. 2478* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich 2479* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn. 2480* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn. 2481* Code cleanup. Harlan Stenn. 2482* libntp/icom.c: Typo fix. Harlan Stenn. 2483* util/ntptime.c: initialization nit. Harlan Stenn. 2484* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 2485* Add std_unity_tests to various Makefile.am files. Harlan Stenn. 2486* ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 2487 Tomasz Flendrich 2488* Changed progname to be const in many files - now it's consistent. Tomasz 2489 Flendrich 2490* Typo fix for GCC warning suppression. Harlan Stenn. 2491* Added tests/ntpd/ntp_scanner.c test. Damir Tomi��. 2492* Added declarations to all Unity tests, and did minor fixes to them. 2493 Reduced the number of warnings by half. Damir Tomi��. 2494* Updated generate_test_runner.rb and updated the sntp/unity/auto directory 2495 with the latest Unity updates from Mark. Damir Tomi��. 2496* Retire google test - phase I. Harlan Stenn. 2497* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 2498* Update the NEWS file. Harlan Stenn. 2499* Autoconf cleanup. Harlan Stenn. 2500* Unit test dist cleanup. Harlan Stenn. 2501* Cleanup various test Makefile.am files. Harlan Stenn. 2502* Pthread autoconf macro cleanup. Harlan Stenn. 2503* Fix progname definition in unity runner scripts. Harlan Stenn. 2504* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 2505* Update the patch for bug 2817. Harlan Stenn. 2506* More updates for bug 2817. Harlan Stenn. 2507* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 2508* gcc on older HPUX may need +allowdups. Harlan Stenn. 2509* Adding missing MCAST protection. Harlan Stenn. 2510* Disable certain test programs on certain platforms. Harlan Stenn. 2511* Implement --enable-problem-tests (on by default). Harlan Stenn. 2512* build system tweaks. Harlan Stenn. 2513 2514--- 2515NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 2516 2517Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 2518 2519Severity: MEDIUM 2520 2521Security Fix: 2522 2523* [Sec 2853] Crafted remote config packet can crash some versions of 2524 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. 2525 2526Under specific circumstances an attacker can send a crafted packet to 2527cause a vulnerable ntpd instance to crash. This requires each of the 2528following to be true: 2529 25301) ntpd set up to allow remote configuration (not allowed by default), and 25312) knowledge of the configuration password, and 25323) access to a computer entrusted to perform remote configuration. 2533 2534This vulnerability is considered low-risk. 2535 2536New features in this release: 2537 2538Optional (disabled by default) support to have ntpd provide smeared 2539leap second time. A specially built and configured ntpd will only 2540offer smeared time in response to client packets. These response 2541packets will also contain a "refid" of 254.a.b.c, where the 24 bits 2542of a, b, and c encode the amount of smear in a 2:22 integer:fraction 2543format. See README.leapsmear and http://bugs.ntp.org/2855 for more 2544information. 2545 2546 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* 2547 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* 2548 2549We've imported the Unity test framework, and have begun converting 2550the existing google-test items to this new framework. If you want 2551to write new tests or change old ones, you'll need to have ruby 2552installed. You don't need ruby to run the test suite. 2553 2554Bug Fixes and Improvements: 2555 2556* CID 739725: Fix a rare resource leak in libevent/listener.c. 2557* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776. 2558* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html 2559* CID 1269537: Clean up a line of dead code in getShmTime(). 2560* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach. 2561* [Bug 2590] autogen-5.18.5. 2562* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because 2563 of 'limited'. 2564* [Bug 2650] fix includefile processing. 2565* [Bug 2745] ntpd -x steps clock on leap second 2566 Fixed an initial-value problem that caused misbehaviour in absence of 2567 any leapsecond information. 2568 Do leap second stepping only of the step adjustment is beyond the 2569 proper jump distance limit and step correction is allowed at all. 2570* [Bug 2750] build for Win64 2571 Building for 32bit of loopback ppsapi needs def file 2572* [Bug 2776] Improve ntpq's 'help keytype'. 2573* [Bug 2778] Implement "apeers" ntpq command to include associd. 2574* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection. 2575* [Bug 2792] If the IFF_RUNNING interface flag is supported then an 2576 interface is ignored as long as this flag is not set since the 2577 interface is not usable (e.g., no link). 2578* [Bug 2794] Clean up kernel clock status reports. 2579* [Bug 2800] refclock_true.c true_debug() can't open debug log because 2580 of incompatible open/fdopen parameters. 2581* [Bug 2804] install-local-data assumes GNU 'find' semantics. 2582* [Bug 2805] ntpd fails to join multicast group. 2583* [Bug 2806] refclock_jjy.c supports the Telephone JJY. 2584* [Bug 2808] GPSD_JSON driver enhancements, step 1. 2585 Fix crash during cleanup if GPS device not present and char device. 2586 Increase internal token buffer to parse all JSON data, even SKY. 2587 Defer logging of errors during driver init until the first unit is 2588 started, so the syslog is not cluttered when the driver is not used. 2589 Various improvements, see http://bugs.ntp.org/2808 for details. 2590 Changed libjsmn to a more recent version. 2591* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX. 2592* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h. 2593* [Bug 2815] net-snmp before v5.4 has circular library dependencies. 2594* [Bug 2821] Add a missing NTP_PRINTF and a missing const. 2595* [Bug 2822] New leap column in sntp broke NTP::Util.pm. 2596* [Bug 2824] Convert update-leap to perl. (also see 2769) 2597* [Bug 2825] Quiet file installation in html/ . 2598* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey 2599 NTPD transfers the current TAI (instead of an announcement) now. 2600 This might still needed improvement. 2601 Update autokey data ASAP when 'sys_tai' changes. 2602 Fix unit test that was broken by changes for autokey update. 2603 Avoid potential signature length issue and use DPRINTF where possible 2604 in ntp_crypto.c. 2605* [Bug 2832] refclock_jjy.c supports the TDC-300. 2606* [Bug 2834] Correct a broken html tag in html/refclock.html 2607* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more 2608 robust, and require 2 consecutive timestamps to be consistent. 2609* [Bug 2837] Allow a configurable DSCP value. 2610* [Bug 2837] add test for DSCP to ntpd/complete.conf.in 2611* [Bug 2842] Glitch in ntp.conf.def documentation stanza. 2612* [Bug 2842] Bug in mdoc2man. 2613* [Bug 2843] make check fails on 4.3.36 2614 Fixed compiler warnings about numeric range overflow 2615 (The original topic was fixed in a byplay to bug#2830) 2616* [Bug 2845] Harden memory allocation in ntpd. 2617* [Bug 2852] 'make check' can't find unity.h. Hal Murray. 2618* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida. 2619* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn. 2620* [Bug 2855] Report leap smear in the REFID. Harlan Stenn. 2621* [Bug 2855] Implement conditional leap smear code. Martin Burnicki. 2622* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green. 2623* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green. 2624* [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel. 2625* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel. 2626* html/drivers/driver22.html: typo fix. Harlan Stenn. 2627* refidsmear test cleanup. Tomasz Flendrich. 2628* refidsmear function support and tests. Harlan Stenn. 2629* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested 2630 something that was only in the 4.2.6 sntp. Harlan Stenn. 2631* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests. 2632 Damir Tomi�� 2633* Modified tests/libtnp/Makefile.am so it builds Unity framework tests. 2634 Damir Tomi�� 2635* Modified sntp/tests/Makefile.am so it builds Unity framework tests. 2636 Damir Tomi�� 2637* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger. 2638* Converted from gtest to Unity: tests/bug-2803/. Damir Tomi�� 2639* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c, 2640 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 2641 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c, 2642 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c, 2643 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c. 2644 Damir Tomi�� 2645* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c, 2646 networking.c, keyFile.c, utilities.cpp, sntptest.h, 2647 fileHandlingTest.h. Damir Tomi�� 2648* Initial support for experimental leap smear code. Harlan Stenn. 2649* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn. 2650* Report select() debug messages at debug level 3 now. 2651* sntp/scripts/genLocInfo: treat raspbian as debian. 2652* Unity test framework fixes. 2653 ** Requires ruby for changes to tests. 2654* Initial support for PACKAGE_VERSION tests. 2655* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS. 2656* tests/bug-2803/Makefile.am must distribute bug-2803.h. 2657* Add an assert to the ntpq ifstats code. 2658* Clean up the RLIMIT_STACK code. 2659* Improve the ntpq documentation around the controlkey keyid. 2660* ntpq.c cleanup. 2661* Windows port build cleanup. 2662 2663--- 2664NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07) 2665 2666Focus: Security and Bug fixes, enhancements. 2667 2668Severity: MEDIUM 2669 2670In addition to bug fixes and enhancements, this release fixes the 2671following medium-severity vulnerabilities involving private key 2672authentication: 2673 2674* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 2675 2676 References: Sec 2779 / CVE-2015-1798 / VU#374268 2677 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not 2678 including ntp-4.2.8p2 where the installation uses symmetric keys 2679 to authenticate remote associations. 2680 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 2681 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 2682 Summary: When ntpd is configured to use a symmetric key to authenticate 2683 a remote NTP server/peer, it checks if the NTP message 2684 authentication code (MAC) in received packets is valid, but not if 2685 there actually is any MAC included. Packets without a MAC are 2686 accepted as if they had a valid MAC. This allows a MITM attacker to 2687 send false packets that are accepted by the client/peer without 2688 having to know the symmetric key. The attacker needs to know the 2689 transmit timestamp of the client to match it in the forged reply 2690 and the false reply needs to reach the client before the genuine 2691 reply from the server. The attacker doesn't necessarily need to be 2692 relaying the packets between the client and the server. 2693 2694 Authentication using autokey doesn't have this problem as there is 2695 a check that requires the key ID to be larger than NTP_MAXKEY, 2696 which fails for packets without a MAC. 2697 Mitigation: 2698 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 2699 or the NTP Public Services Project Download Page 2700 Configure ntpd with enough time sources and monitor it properly. 2701 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 2702 2703* [Sec 2781] Authentication doesn't protect symmetric associations against 2704 DoS attacks. 2705 2706 References: Sec 2781 / CVE-2015-1799 / VU#374268 2707 Affects: All NTP releases starting with at least xntp3.3wy up to but 2708 not including ntp-4.2.8p2 where the installation uses symmetric 2709 key authentication. 2710 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 2711 Note: the CVSS base Score for this issue could be 4.3 or lower, and 2712 it could be higher than 5.4. 2713 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 2714 Summary: An attacker knowing that NTP hosts A and B are peering with 2715 each other (symmetric association) can send a packet to host A 2716 with source address of B which will set the NTP state variables 2717 on A to the values sent by the attacker. Host A will then send 2718 on its next poll to B a packet with originate timestamp that 2719 doesn't match the transmit timestamp of B and the packet will 2720 be dropped. If the attacker does this periodically for both 2721 hosts, they won't be able to synchronize to each other. This is 2722 a known denial-of-service attack, described at 2723 https://www.eecis.udel.edu/~mills/onwire.html . 2724 2725 According to the document the NTP authentication is supposed to 2726 protect symmetric associations against this attack, but that 2727 doesn't seem to be the case. The state variables are updated even 2728 when authentication fails and the peers are sending packets with 2729 originate timestamps that don't match the transmit timestamps on 2730 the receiving side. 2731 2732 This seems to be a very old problem, dating back to at least 2733 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) 2734 specifications, so other NTP implementations with support for 2735 symmetric associations and authentication may be vulnerable too. 2736 An update to the NTP RFC to correct this error is in-process. 2737 Mitigation: 2738 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 2739 or the NTP Public Services Project Download Page 2740 Note that for users of autokey, this specific style of MITM attack 2741 is simply a long-known potential problem. 2742 Configure ntpd with appropriate time sources and monitor ntpd. 2743 Alert your staff if problems are detected. 2744 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 2745 2746* New script: update-leap 2747The update-leap script will verify and if necessary, update the 2748leap-second definition file. 2749It requires the following commands in order to work: 2750 2751 wget logger tr sed shasum 2752 2753Some may choose to run this from cron. It needs more portability testing. 2754 2755Bug Fixes and Improvements: 2756 2757* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003. 2758* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument. 2759* [Bug 2346] "graceful termination" signals do not do peer cleanup. 2760* [Bug 2728] See if C99-style structure initialization works. 2761* [Bug 2747] Upgrade libevent to 2.1.5-beta. 2762* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. . 2763* [Bug 2751] jitter.h has stale copies of l_fp macros. 2764* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM. 2765* [Bug 2757] Quiet compiler warnings. 2766* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq. 2767* [Bug 2763] Allow different thresholds for forward and backward steps. 2768* [Bug 2766] ntp-keygen output files should not be world-readable. 2769* [Bug 2767] ntp-keygen -M should symlink to ntp.keys. 2770* [Bug 2771] nonvolatile value is documented in wrong units. 2771* [Bug 2773] Early leap announcement from Palisade/Thunderbolt 2772* [Bug 2774] Unreasonably verbose printout - leap pending/warning 2773* [Bug 2775] ntp-keygen.c fails to compile under Windows. 2774* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info. 2775 Removed non-ASCII characters from some copyright comments. 2776 Removed trailing whitespace. 2777 Updated definitions for Meinberg clocks from current Meinberg header files. 2778 Now use C99 fixed-width types and avoid non-ASCII characters in comments. 2779 Account for updated definitions pulled from Meinberg header files. 2780 Updated comments on Meinberg GPS receivers which are not only called GPS16x. 2781 Replaced some constant numbers by defines from ntp_calendar.h 2782 Modified creation of parse-specific variables for Meinberg devices 2783 in gps16x_message(). 2784 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates. 2785 Modified mbg_tm_str() which now expexts an additional parameter controlling 2786 if the time status shall be printed. 2787* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 2788* [Sec 2781] Authentication doesn't protect symmetric associations against 2789 DoS attacks. 2790* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE. 2791* [Bug 2789] Quiet compiler warnings from libevent. 2792* [Bug 2790] If ntpd sets the Windows MM timer highest resolution 2793 pause briefly before measuring system clock precision to yield 2794 correct results. 2795* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer. 2796* Use predefined function types for parse driver functions 2797 used to set up function pointers. 2798 Account for changed prototype of parse_inp_fnc_t functions. 2799 Cast parse conversion results to appropriate types to avoid 2800 compiler warnings. 2801 Let ioctl() for Windows accept a (void *) to avoid compiler warnings 2802 when called with pointers to different types. 2803 2804--- 2805NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04) 2806 2807Focus: Security and Bug fixes, enhancements. 2808 2809Severity: HIGH 2810 2811In addition to bug fixes and enhancements, this release fixes the 2812following high-severity vulnerabilities: 2813 2814* vallen is not validated in several places in ntp_crypto.c, leading 2815 to a potential information leak or possibly a crash 2816 2817 References: Sec 2671 / CVE-2014-9297 / VU#852879 2818 Affects: All NTP4 releases before 4.2.8p1 that are running autokey. 2819 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2820 Date Resolved: Stable (4.2.8p1) 04 Feb 2015 2821 Summary: The vallen packet value is not validated in several code 2822 paths in ntp_crypto.c which can lead to information leakage 2823 or perhaps a crash of the ntpd process. 2824 Mitigation - any of: 2825 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 2826 or the NTP Public Services Project Download Page. 2827 Disable Autokey Authentication by removing, or commenting out, 2828 all configuration directives beginning with the "crypto" 2829 keyword in your ntp.conf file. 2830 Credit: This vulnerability was discovered by Stephen Roettger of the 2831 Google Security Team, with additional cases found by Sebastian 2832 Krahmer of the SUSE Security Team and Harlan Stenn of Network 2833 Time Foundation. 2834 2835* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses 2836 can be bypassed. 2837 2838 References: Sec 2672 / CVE-2014-9298 / VU#852879 2839 Affects: All NTP4 releases before 4.2.8p1, under at least some 2840 versions of MacOS and Linux. *BSD has not been seen to be vulnerable. 2841 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9 2842 Date Resolved: Stable (4.2.8p1) 04 Feb 2014 2843 Summary: While available kernels will prevent 127.0.0.1 addresses 2844 from "appearing" on non-localhost IPv4 interfaces, some kernels 2845 do not offer the same protection for ::1 source addresses on 2846 IPv6 interfaces. Since NTP's access control is based on source 2847 address and localhost addresses generally have no restrictions, 2848 an attacker can send malicious control and configuration packets 2849 by spoofing ::1 addresses from the outside. Note Well: This is 2850 not really a bug in NTP, it's a problem with some OSes. If you 2851 have one of these OSes where ::1 can be spoofed, ALL ::1 -based 2852 ACL restrictions on any application can be bypassed! 2853 Mitigation: 2854 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 2855 or the NTP Public Services Project Download Page 2856 Install firewall rules to block packets claiming to come from 2857 ::1 from inappropriate network interfaces. 2858 Credit: This vulnerability was discovered by Stephen Roettger of 2859 the Google Security Team. 2860 2861Additionally, over 30 bugfixes and improvements were made to the codebase. 2862See the ChangeLog for more information. 2863 2864--- 2865NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18) 2866 2867Focus: Security and Bug fixes, enhancements. 2868 2869Severity: HIGH 2870 2871In addition to bug fixes and enhancements, this release fixes the 2872following high-severity vulnerabilities: 2873 2874************************** vv NOTE WELL vv ***************************** 2875 2876The vulnerabilities listed below can be significantly mitigated by 2877following the BCP of putting 2878 2879 restrict default ... noquery 2880 2881in the ntp.conf file. With the exception of: 2882 2883 receive(): missing return on error 2884 References: Sec 2670 / CVE-2014-9296 / VU#852879 2885 2886below (which is a limited-risk vulnerability), none of the recent 2887vulnerabilities listed below can be exploited if the source IP is 2888restricted from sending a 'query'-class packet by your ntp.conf file. 2889 2890************************** ^^ NOTE WELL ^^ ***************************** 2891 2892* Weak default key in config_auth(). 2893 2894 References: [Sec 2665] / CVE-2014-9293 / VU#852879 2895 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 2896 Vulnerable Versions: all releases prior to 4.2.7p11 2897 Date Resolved: 28 Jan 2010 2898 2899 Summary: If no 'auth' key is set in the configuration file, ntpd 2900 would generate a random key on the fly. There were two 2901 problems with this: 1) the generated key was 31 bits in size, 2902 and 2) it used the (now weak) ntp_random() function, which was 2903 seeded with a 32-bit value and could only provide 32 bits of 2904 entropy. This was sufficient back in the late 1990s when the 2905 code was written. Not today. 2906 2907 Mitigation - any of: 2908 - Upgrade to 4.2.7p11 or later. 2909 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2910 2911 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta 2912 of the Google Security Team. 2913 2914* Non-cryptographic random number generator with weak seed used by 2915 ntp-keygen to generate symmetric keys. 2916 2917 References: [Sec 2666] / CVE-2014-9294 / VU#852879 2918 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 2919 Vulnerable Versions: All NTP4 releases before 4.2.7p230 2920 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 2921 2922 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to 2923 prepare a random number generator that was of good quality back 2924 in the late 1990s. The random numbers produced was then used to 2925 generate symmetric keys. In ntp-4.2.8 we use a current-technology 2926 cryptographic random number generator, either RAND_bytes from 2927 OpenSSL, or arc4random(). 2928 2929 Mitigation - any of: 2930 - Upgrade to 4.2.7p230 or later. 2931 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2932 2933 Credit: This vulnerability was discovered in ntp-4.2.6 by 2934 Stephen Roettger of the Google Security Team. 2935 2936* Buffer overflow in crypto_recv() 2937 2938 References: Sec 2667 / CVE-2014-9295 / VU#852879 2939 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2940 Versions: All releases before 4.2.8 2941 Date Resolved: Stable (4.2.8) 18 Dec 2014 2942 2943 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf 2944 file contains a 'crypto pw ...' directive) a remote attacker 2945 can send a carefully crafted packet that can overflow a stack 2946 buffer and potentially allow malicious code to be executed 2947 with the privilege level of the ntpd process. 2948 2949 Mitigation - any of: 2950 - Upgrade to 4.2.8, or later, or 2951 - Disable Autokey Authentication by removing, or commenting out, 2952 all configuration directives beginning with the crypto keyword 2953 in your ntp.conf file. 2954 2955 Credit: This vulnerability was discovered by Stephen Roettger of the 2956 Google Security Team. 2957 2958* Buffer overflow in ctl_putdata() 2959 2960 References: Sec 2668 / CVE-2014-9295 / VU#852879 2961 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2962 Versions: All NTP4 releases before 4.2.8 2963 Date Resolved: Stable (4.2.8) 18 Dec 2014 2964 2965 Summary: A remote attacker can send a carefully crafted packet that 2966 can overflow a stack buffer and potentially allow malicious 2967 code to be executed with the privilege level of the ntpd process. 2968 2969 Mitigation - any of: 2970 - Upgrade to 4.2.8, or later. 2971 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2972 2973 Credit: This vulnerability was discovered by Stephen Roettger of the 2974 Google Security Team. 2975 2976* Buffer overflow in configure() 2977 2978 References: Sec 2669 / CVE-2014-9295 / VU#852879 2979 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 2980 Versions: All NTP4 releases before 4.2.8 2981 Date Resolved: Stable (4.2.8) 18 Dec 2014 2982 2983 Summary: A remote attacker can send a carefully crafted packet that 2984 can overflow a stack buffer and potentially allow malicious 2985 code to be executed with the privilege level of the ntpd process. 2986 2987 Mitigation - any of: 2988 - Upgrade to 4.2.8, or later. 2989 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 2990 2991 Credit: This vulnerability was discovered by Stephen Roettger of the 2992 Google Security Team. 2993 2994* receive(): missing return on error 2995 2996 References: Sec 2670 / CVE-2014-9296 / VU#852879 2997 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 2998 Versions: All NTP4 releases before 4.2.8 2999 Date Resolved: Stable (4.2.8) 18 Dec 2014 3000 3001 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in 3002 the code path where an error was detected, which meant 3003 processing did not stop when a specific rare error occurred. 3004 We haven't found a way for this bug to affect system integrity. 3005 If there is no way to affect system integrity the base CVSS 3006 score for this bug is 0. If there is one avenue through which 3007 system integrity can be partially affected, the base score 3008 becomes a 5. If system integrity can be partially affected 3009 via all three integrity metrics, the CVSS base score become 7.5. 3010 3011 Mitigation - any of: 3012 - Upgrade to 4.2.8, or later, 3013 - Remove or comment out all configuration directives 3014 beginning with the crypto keyword in your ntp.conf file. 3015 3016 Credit: This vulnerability was discovered by Stephen Roettger of the 3017 Google Security Team. 3018 3019See http://support.ntp.org/security for more information. 3020 3021New features / changes in this release: 3022 3023Important Changes 3024 3025* Internal NTP Era counters 3026 3027The internal counters that track the "era" (range of years) we are in 3028rolls over every 136 years'. The current "era" started at the stroke of 3029midnight on 1 Jan 1900, and ends just before the stroke of midnight on 30301 Jan 2036. 3031In the past, we have used the "midpoint" of the range to decide which 3032era we were in. Given the longevity of some products, it became clear 3033that it would be more functional to "look back" less, and "look forward" 3034more. We now compile a timestamp into the ntpd executable and when we 3035get a timestamp we us the "built-on" to tell us what era we are in. 3036This check "looks back" 10 years, and "looks forward" 126 years. 3037 3038* ntpdc responses disabled by default 3039 3040Dave Hart writes: 3041 3042For a long time, ntpq and its mostly text-based mode 6 (control) 3043protocol have been preferred over ntpdc and its mode 7 (private 3044request) protocol for runtime queries and configuration. There has 3045been a goal of deprecating ntpdc, previously held back by numerous 3046capabilities exposed by ntpdc with no ntpq equivalent. I have been 3047adding commands to ntpq to cover these cases, and I believe I've 3048covered them all, though I've not compared command-by-command 3049recently. 3050 3051As I've said previously, the binary mode 7 protocol involves a lot of 3052hand-rolled structure layout and byte-swapping code in both ntpd and 3053ntpdc which is hard to get right. As ntpd grows and changes, the 3054changes are difficult to expose via ntpdc while maintaining forward 3055and backward compatibility between ntpdc and ntpd. In contrast, 3056ntpq's text-based, label=value approach involves more code reuse and 3057allows compatible changes without extra work in most cases. 3058 3059Mode 7 has always been defined as vendor/implementation-specific while 3060mode 6 is described in RFC 1305 and intended to be open to interoperate 3061with other implementations. There is an early draft of an updated 3062mode 6 description that likely will join the other NTPv4 RFCs 3063eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01) 3064 3065For these reasons, ntpd 4.2.7p230 by default disables processing of 3066ntpdc queries, reducing ntpd's attack surface and functionally 3067deprecating ntpdc. If you are in the habit of using ntpdc for certain 3068operations, please try the ntpq equivalent. If there's no equivalent, 3069please open a bug report at http://bugs.ntp.org./ 3070 3071In addition to the above, over 1100 issues have been resolved between 3072the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution 3073lists these. 3074 3075--- 3076NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24) 3077 3078Focus: Bug fixes 3079 3080Severity: Medium 3081 3082This is a recommended upgrade. 3083 3084This release updates sys_rootdisp and sys_jitter calculations to match the 3085RFC specification, fixes a potential IPv6 address matching error for the 3086"nic" and "interface" configuration directives, suppresses the creation of 3087extraneous ephemeral associations for certain broadcastclient and 3088multicastclient configurations, cleans up some ntpq display issues, and 3089includes improvements to orphan mode, minor bugs fixes and code clean-ups. 3090 3091New features / changes in this release: 3092 3093ntpd 3094 3095 * Updated "nic" and "interface" IPv6 address handling to prevent 3096 mismatches with localhost [::1] and wildcard [::] which resulted from 3097 using the address/prefix format (e.g. fe80::/64) 3098 * Fix orphan mode stratum incorrectly counting to infinity 3099 * Orphan parent selection metric updated to includes missing ntohl() 3100 * Non-printable stratum 16 refid no longer sent to ntp 3101 * Duplicate ephemeral associations suppressed for broadcastclient and 3102 multicastclient without broadcastdelay 3103 * Exclude undetermined sys_refid from use in loopback TEST12 3104 * Exclude MODE_SERVER responses from KoD rate limiting 3105 * Include root delay in clock_update() sys_rootdisp calculations 3106 * get_systime() updated to exclude sys_residual offset (which only 3107 affected bits "below" sys_tick, the precision threshold) 3108 * sys.peer jitter weighting corrected in sys_jitter calculation 3109 3110ntpq 3111 3112 * -n option extended to include the billboard "server" column 3113 * IPv6 addresses in the local column truncated to prevent overruns 3114 3115--- 3116NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22) 3117 3118Focus: Bug fixes and portability improvements 3119 3120Severity: Medium 3121 3122This is a recommended upgrade. 3123 3124This release includes build infrastructure updates, code 3125clean-ups, minor bug fixes, fixes for a number of minor 3126ref-clock issues, and documentation revisions. 3127 3128Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 3129 3130New features / changes in this release: 3131 3132Build system 3133 3134* Fix checking for struct rtattr 3135* Update config.guess and config.sub for AIX 3136* Upgrade required version of autogen and libopts for building 3137 from our source code repository 3138 3139ntpd 3140 3141* Back-ported several fixes for Coverity warnings from ntp-dev 3142* Fix a rare boundary condition in UNLINK_EXPR_SLIST() 3143* Allow "logconfig =allall" configuration directive 3144* Bind tentative IPv6 addresses on Linux 3145* Correct WWVB/Spectracom driver to timestamp CR instead of LF 3146* Improved tally bit handling to prevent incorrect ntpq peer status reports 3147* Exclude the Undisciplined Local Clock and ACTS drivers from the initial 3148 candidate list unless they are designated a "prefer peer" 3149* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 3150 selection during the 'tos orphanwait' period 3151* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 3152 drivers 3153* Improved support of the Parse Refclock trusttime flag in Meinberg mode 3154* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 3155* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 3156 clock slew on Microsoft Windows 3157* Code cleanup in libntpq 3158 3159ntpdc 3160 3161* Fix timerstats reporting 3162 3163ntpdate 3164 3165* Reduce time required to set clock 3166* Allow a timeout greater than 2 seconds 3167 3168sntp 3169 3170* Backward incompatible command-line option change: 3171 -l/--filelog changed -l/--logfile (to be consistent with ntpd) 3172 3173Documentation 3174 3175* Update html2man. Fix some tags in the .html files 3176* Distribute ntp-wait.html 3177 3178--- 3179NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03) 3180 3181Focus: Bug fixes and portability improvements 3182 3183Severity: Medium 3184 3185This is a recommended upgrade. 3186 3187This release includes build infrastructure updates, code 3188clean-ups, minor bug fixes, fixes for a number of minor 3189ref-clock issues, and documentation revisions. 3190 3191Portability improvements in this release affect AIX, Atari FreeMiNT, 3192FreeBSD4, Linux and Microsoft Windows. 3193 3194New features / changes in this release: 3195 3196Build system 3197* Use lsb_release to get information about Linux distributions. 3198* 'test' is in /usr/bin (instead of /bin) on some systems. 3199* Basic sanity checks for the ChangeLog file. 3200* Source certain build files with ./filename for systems without . in PATH. 3201* IRIX portability fix. 3202* Use a single copy of the "libopts" code. 3203* autogen/libopts upgrade. 3204* configure.ac m4 quoting cleanup. 3205 3206ntpd 3207* Do not bind to IN6_IFF_ANYCAST addresses. 3208* Log the reason for exiting under Windows. 3209* Multicast fixes for Windows. 3210* Interpolation fixes for Windows. 3211* IPv4 and IPv6 Multicast fixes. 3212* Manycast solicitation fixes and general repairs. 3213* JJY refclock cleanup. 3214* NMEA refclock improvements. 3215* Oncore debug message cleanup. 3216* Palisade refclock now builds under Linux. 3217* Give RAWDCF more baud rates. 3218* Support Truetime Satellite clocks under Windows. 3219* Support Arbiter 1093C Satellite clocks under Windows. 3220* Make sure that the "filegen" configuration command defaults to "enable". 3221* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver. 3222* Prohibit 'includefile' directive in remote configuration command. 3223* Fix 'nic' interface bindings. 3224* Fix the way we link with openssl if openssl is installed in the base 3225 system. 3226 3227ntp-keygen 3228* Fix -V coredump. 3229* OpenSSL version display cleanup. 3230 3231ntpdc 3232* Many counters should be treated as unsigned. 3233 3234ntpdate 3235* Do not ignore replies with equal receive and transmit timestamps. 3236 3237ntpq 3238* libntpq warning cleanup. 3239 3240ntpsnmpd 3241* Correct SNMP type for "precision" and "resolution". 3242* Update the MIB from the draft version to RFC-5907. 3243 3244sntp 3245* Display timezone offset when showing time for sntp in the local 3246 timezone. 3247* Pay proper attention to RATE KoD packets. 3248* Fix a miscalculation of the offset. 3249* Properly parse empty lines in the key file. 3250* Logging cleanup. 3251* Use tv_usec correctly in set_time(). 3252* Documentation cleanup. 3253 3254--- 3255NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08) 3256 3257Focus: Bug fixes and portability improvements 3258 3259Severity: Medium 3260 3261This is a recommended upgrade. 3262 3263This release includes build infrastructure updates, code 3264clean-ups, minor bug fixes, fixes for a number of minor 3265ref-clock issues, improved KOD handling, OpenSSL related 3266updates and documentation revisions. 3267 3268Portability improvements in this release affect Irix, Linux, 3269Mac OS, Microsoft Windows, OpenBSD and QNX6 3270 3271New features / changes in this release: 3272 3273ntpd 3274* Range syntax for the trustedkey configuration directive 3275* Unified IPv4 and IPv6 restrict lists 3276 3277ntpdate 3278* Rate limiting and KOD handling 3279 3280ntpsnmpd 3281* default connection to net-snmpd via a unix-domain socket 3282* command-line 'socket name' option 3283 3284ntpq / ntpdc 3285* support for the "passwd ..." syntax 3286* key-type specific password prompts 3287 3288sntp 3289* MD5 authentication of an ntpd 3290* Broadcast and crypto 3291* OpenSSL support 3292 3293--- 3294NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09) 3295 3296Focus: Bug fixes, portability fixes, and documentation improvements 3297 3298Severity: Medium 3299 3300This is a recommended upgrade. 3301 3302--- 3303NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) 3304 3305Focus: enhancements and bug fixes. 3306 3307--- 3308NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) 3309 3310Focus: Security Fixes 3311 3312Severity: HIGH 3313 3314This release fixes the following high-severity vulnerability: 3315 3316* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. 3317 3318 See http://support.ntp.org/security for more information. 3319 3320 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. 3321 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time 3322 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 3323 request or a mode 7 error response from an address which is not listed 3324 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will 3325 reply with a mode 7 error response (and log a message). In this case: 3326 3327 * If an attacker spoofs the source address of ntpd host A in a 3328 mode 7 response packet sent to ntpd host B, both A and B will 3329 continuously send each other error responses, for as long as 3330 those packets get through. 3331 3332 * If an attacker spoofs an address of ntpd host A in a mode 7 3333 response packet sent to ntpd host A, A will respond to itself 3334 endlessly, consuming CPU and logging excessively. 3335 3336 Credit for finding this vulnerability goes to Robin Park and Dmitri 3337 Vinokurov of Alcatel-Lucent. 3338 3339THIS IS A STRONGLY RECOMMENDED UPGRADE. 3340 3341--- 3342ntpd now syncs to refclocks right away. 3343 3344Backward-Incompatible changes: 3345 3346ntpd no longer accepts '-v name' or '-V name' to define internal variables. 3347Use '--var name' or '--dvar name' instead. (Bug 817) 3348 3349--- 3350NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04) 3351 3352Focus: Security and Bug Fixes 3353 3354Severity: HIGH 3355 3356This release fixes the following high-severity vulnerability: 3357 3358* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 3359 3360 See http://support.ntp.org/security for more information. 3361 3362 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 3363 line) then a carefully crafted packet sent to the machine will cause 3364 a buffer overflow and possible execution of injected code, running 3365 with the privileges of the ntpd process (often root). 3366 3367 Credit for finding this vulnerability goes to Chris Ries of CMU. 3368 3369This release fixes the following low-severity vulnerabilities: 3370 3371* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 3372 Credit for finding this vulnerability goes to Geoff Keating of Apple. 3373 3374* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 3375 Credit for finding this issue goes to Dave Hart. 3376 3377This release fixes a number of bugs and adds some improvements: 3378 3379* Improved logging 3380* Fix many compiler warnings 3381* Many fixes and improvements for Windows 3382* Adds support for AIX 6.1 3383* Resolves some issues under MacOS X and Solaris 3384 3385THIS IS A STRONGLY RECOMMENDED UPGRADE. 3386 3387--- 3388NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07) 3389 3390Focus: Security Fix 3391 3392Severity: Low 3393 3394This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 3395the OpenSSL library relating to the incorrect checking of the return 3396value of EVP_VerifyFinal function. 3397 3398Credit for finding this issue goes to the Google Security Team for 3399finding the original issue with OpenSSL, and to ocert.org for finding 3400the problem in NTP and telling us about it. 3401 3402This is a recommended upgrade. 3403--- 3404NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17) 3405 3406Focus: Minor Bugfixes 3407 3408This release fixes a number of Windows-specific ntpd bugs and 3409platform-independent ntpdate bugs. A logging bugfix has been applied 3410to the ONCORE driver. 3411 3412The "dynamic" keyword and is now obsolete and deferred binding to local 3413interfaces is the new default. The minimum time restriction for the 3414interface update interval has been dropped. 3415 3416A number of minor build system and documentation fixes are included. 3417 3418This is a recommended upgrade for Windows. 3419 3420--- 3421NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10) 3422 3423Focus: Minor Bugfixes 3424 3425This release updates certain copyright information, fixes several display 3426bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 3427shutdown in the parse refclock driver, removes some lint from the code, 3428stops accessing certain buffers immediately after they were freed, fixes 3429a problem with non-command-line specification of -6, and allows the loopback 3430interface to share addresses with other interfaces. 3431 3432--- 3433NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29) 3434 3435Focus: Minor Bugfixes 3436 3437This release fixes a bug in Windows that made it difficult to 3438terminate ntpd under windows. 3439This is a recommended upgrade for Windows. 3440 3441--- 3442NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19) 3443 3444Focus: Minor Bugfixes 3445 3446This release fixes a multicast mode authentication problem, 3447an error in NTP packet handling on Windows that could lead to 3448ntpd crashing, and several other minor bugs. Handling of 3449multicast interfaces and logging configuration were improved. 3450The required versions of autogen and libopts were incremented. 3451This is a recommended upgrade for Windows and multicast users. 3452 3453--- 3454NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31) 3455 3456Focus: enhancements and bug fixes. 3457 3458Dynamic interface rescanning was added to simplify the use of ntpd in 3459conjunction with DHCP. GNU AutoGen is used for its command-line options 3460processing. Separate PPS devices are supported for PARSE refclocks, MD5 3461signatures are now provided for the release files. Drivers have been 3462added for some new ref-clocks and have been removed for some older 3463ref-clocks. This release also includes other improvements, documentation 3464and bug fixes. 3465 3466K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 3467C support. 3468 3469--- 3470NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15) 3471 3472Focus: enhancements and bug fixes. 3473