---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you cannot upgrade from 4.2.8p7, the only other alternatives
      are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed printf()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past; previously they were silently counted and not logged.
With the increasing awareness around security, we feel it's better to
clearly log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.
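The memcmp()-style comparison that the authdecrypt-timing entry above describes, beside a constant-time replacement, as an added example in C (written for this page, not ntpd's code). The keyed digest, key and packet bytes are constructed stand-ins, and the byte counters exist only to make the difference in work observable.

```c
#include <stddef.h>
#include <stdint.h>

#define DIGEST_LEN 16

/* memcmp()-style early exit: stops at the first differing byte, so the
 * number of bytes touched (and the running time) reveals how long the
 * matching prefix of the digest is. */
static int digest_eq_early_exit(const uint8_t *a, const uint8_t *b,
                                size_t len, size_t *bytes_examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        (*bytes_examined)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time version: every byte is always examined and differences
 * are OR-ed into an accumulator, so the work done is independent of
 * where, or whether, the digests differ. `volatile` keeps the compiler
 * from reintroducing an early exit. */
static int digest_eq_consttime(const uint8_t *a, const uint8_t *b,
                               size_t len, size_t *bytes_examined)
{
    volatile uint8_t acc = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        (*bytes_examined)++;
        acc |= (uint8_t)(a[i] ^ b[i]);
    }
    return acc == 0;
}

/* Stand-in keyed digest constructed for this example; NOT a real MAC
 * (ntpd uses MD5/SHA1 keyed digests). It only gives the verifier
 * something deterministic to recompute. */
void compute_packet_mac(const uint8_t *key, size_t keylen,
                        const uint8_t *pkt, size_t pktlen,
                        uint8_t out[DIGEST_LEN])
{
    size_t i;
    for (i = 0; i < DIGEST_LEN; i++)
        out[i] = (uint8_t)(i * 31u);
    for (i = 0; i < keylen; i++)
        out[i % DIGEST_LEN] ^= (uint8_t)(key[i] + i);
    for (i = 0; i < pktlen; i++)
        out[(i * 7) % DIGEST_LEN] =
            (uint8_t)(out[(i * 7) % DIGEST_LEN] * 3u + pkt[i]);
}

/* Authentication check: recompute the expected MAC and compare it with
 * the one carried in the packet in constant time. 1 = verifies. */
int packet_mac_ok(const uint8_t *key, size_t keylen,
                  const uint8_t *pkt, size_t pktlen,
                  const uint8_t mac[DIGEST_LEN])
{
    uint8_t expected[DIGEST_LEN];
    size_t examined = 0;
    compute_packet_mac(key, keylen, pkt, pktlen, expected);
    return digest_eq_consttime(expected, mac, DIGEST_LEN, &examined);
}

/* Measure the leak: compare a genuine digest against a forgery that
 * agrees in its first `prefix` bytes and differs afterwards, and return
 * how many bytes the chosen comparison examined. Early exit yields
 * prefix + 1 (or DIGEST_LEN on a full match); constant time always
 * yields DIGEST_LEN. */
size_t bytes_examined(size_t prefix, int constant_time)
{
    uint8_t good[DIGEST_LEN], forged[DIGEST_LEN];
    size_t i, n = 0;
    for (i = 0; i < DIGEST_LEN; i++) {
        good[i] = (uint8_t)(0xA5 ^ i);
        forged[i] = (i < prefix) ? good[i] : (uint8_t)~good[i];
    }
    if (constant_time)
        digest_eq_consttime(good, forged, DIGEST_LEN, &n);
    else
        digest_eq_early_exit(good, forged, DIGEST_LEN, &n);
    return n;
}

/* Round trip on constructed data: the correct MAC verifies and a MAC
 * with one flipped byte does not. Returns 1 when both hold. */
int demo_mac_roundtrip(void)
{
    const uint8_t key[] = "constructed-shared-key";
    const uint8_t pkt[] = "constructed NTP packet: header and timestamps";
    uint8_t mac[DIGEST_LEN];
    int ok;
    compute_packet_mac(key, sizeof key - 1, pkt, sizeof pkt - 1, mac);
    ok = packet_mac_ok(key, sizeof key - 1, pkt, sizeof pkt - 1, mac);
    mac[3] ^= 0x01;
    return ok && !packet_mac_ok(key, sizeof key - 1, pkt, sizeof pkt - 1, mac);
}
```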

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you can't upgrade, use "server" associations instead of
      "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 through ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and, if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock, an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade and if you are running an OS that
      has this vulnerability, implement martian packet filters and
      lobby your OS vendor to fix this problem, or run your
      refclocks on computers that use OSes that are not vulnerable
      to these attacks and have your vulnerable machines get their
      time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases; 4.2.8p7 contains
further improvements to those fixes:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page. These
      versions will not dynamically "flip" into interleave mode
      unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks.
    If one is not using the feature introduced in ntp-4.2.8p6 allowing
    an optional 4th field in the ntp.keys file to specify which IPs can
    serve time, a malicious authenticated peer can create
    arbitrarily-many ephemeral associations in order to win the clock
    selection of ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
      can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored.
  perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.keys' optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode.
With sufficient knowledge, an attacker can send a crafted forged packet
to an NTP instance that triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

  --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
      * Own a malicious NTP server that the client trusts
      * Prevent a legitimate NTP server from sending packets to
        the 'ntpq' client
      * MITM the 'ntpq' communications between the 'ntpq' client
        and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:L)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc.)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
      deeper problems to investigate.
      In this case, also consider having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
      the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability.
    If the ability to execute a 'saveconfig' is required, it can easily
    (and should) be limited and restricted to a known small number of
    IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
        never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
        careful about what IPs have the ability to send 'modify'
        requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq, make sure there are
        some sanity checks on the input received from the "outside".
    This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key encryption uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    However, there has never been any correlation between this trusted
    key and server versus client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
      upgrade to 4.2.8p6, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page, and
      use the new field in the ntp.keys file that specifies the list
      of IPs that are allowed to serve time. Note that this alone
      will not protect against time packets with forged source IP
      addresses; however, other changes in ntp-4.2.8p6 provide
      significant mitigation against broadcast attacks. MITM attacks
      are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
        servers.
658 If you choose to use symmetric keys to authenticate time 659 packets in a hostile environment where ephemeral time 660 servers can be created, or if it is expected that malicious 661 time servers will participate in an NTP broadcast domain, 662 limit the number of participating systems that participate 663 in the shared-key group. 664 Monitor your ntpd instances. 665 Credit: This weakness was discovered by Matt Street of Cisco ASIG. 666 667* Deja Vu: Replay attack on authenticated broadcast mode 668 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 669 References: Sec 2935 / CVE-2015-7973 670 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 671 4.3.0 up to, but not including 4.3.90 672 CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM 673 Summary: If an NTP network is configured for broadcast operations then 674 either a man-in-the-middle attacker or a malicious participant 675 that has the same trusted keys as the victim can replay time packets. 676 Mitigation: 677 Implement BCP-38. 678 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 679 or the NTP Public Services Project Download Page. 680 If you are unable to upgrade: 681 Don't use broadcast mode if you cannot monitor your client servers. 682 Monitor your ntpd instances. 683 Credit: This weakness was discovered by Aanchal Malhotra of Boston 684 University. 685 686Other fixes: 687 688* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org 689* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org 690 - applied patch by shenpeng11@huawei.com with minor adjustments 691* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org 692* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org 693* [Bug 2892] Several test cases assume IPv6 capabilities even when 694 IPv6 is disabled in the build. perlinger@ntp.org 695 - Found this already fixed, but validation led to cleanup actions. 
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
  References: Sec 2956, CVE-2015-5300
  Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
    4.3.0 up to, but not including 4.3.78
  CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
  Summary: If ntpd is always started with the -g option, which is
    common and against long-standing recommendation, and if at the
    moment ntpd is restarted an attacker can immediately respond to
    enough requests from enough sources trusted by the target, which
    is difficult and not common, there is a window of opportunity
    where the attacker can cause ntpd to set the time to an
    arbitrary value. Similarly, if an attacker is able to respond
    to enough requests from enough sources trusted by the target,
    the attacker can cause ntpd to abort and restart, at which
    point it can tell the target to set the time to an arbitrary
    value, but only if ntpd was re-started with the -g flag, against
    long-standing recommendation. If ntpd was not given the -g flag,
    the attacker can move the target system's time by at most
    900 seconds per attack.
  Mitigation:
    Configure ntpd to get time from multiple sources.
    Upgrade to 4.2.8p5, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    As we've long documented, only use the -g option to ntpd in
    cold-start situations.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg at Boston University.

  NOTE WELL: The -g flag disables the limit check on the panic_gate
  in ntpd, which is 900 seconds by default. The bug identified by
  the researchers at Boston University is that the panic_gate
  check was only re-enabled after the first change to the system
  clock that was greater than 128 milliseconds, by default. The
  correct behavior is that the panic_gate check should be
  re-enabled after any initial time correction.

  If an attacker is able to inject consistent but erroneous time
  responses to your systems via the network or "over the air",
  perhaps by spoofing radio, cellphone, or navigation satellite
  transmissions, they are in a great position to affect your
  system's clock. There comes a point where your very best
  defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
  lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
    certain code paths where a packet with particular autokey operations
    that contained malicious data was not always being completely
    validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
    KoD messages that have been forged by an attacker, causing it to
    delay or stop querying its servers for time updates. Also, an
    attacker can forge packets that claim to be from the target and
    send them to servers often enough that a server that implements
    KoD rate limiting will send the target machine a KoD response to
    attempt to reduce the rate of incoming packets, or it may also
    trigger a firewall block at the server for packets from the target
    machine. For either of these attacks to succeed, the attacker must
    know what servers the target is communicating with. An attacker
    can be anywhere on the Internet and can frequently learn the
    identity of the target's time source by sending the target a
    time query.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade, restrict who can query ntpd to learn who
    its servers are, and what IPs are allowed to ask your system
    for the time. This mitigation is heavy-handed.
    Monitor your ntpd instances.
  Note:
    4.2.8p4 protects against the first attack. For the second attack,
    all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Issac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
    and if the (possibly spoofed) source IP address is allowed to
    send remote configuration requests, and if the attacker knows
    the remote configuration password, it's possible for an attacker
    to use the "pidfile" or "driftfile" directives to potentially
    overwrite other files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    If you cannot upgrade, don't enable remote configuration.
    If you must enable remote configuration and cannot upgrade,
    remote configuration of NTF's ntpd requires:
    - an explicitly configured trustedkey, and you should also
      configure a controlkey.
    - access from a permitted IP. You choose the IPs.
    - authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
    4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
    send packets to ntpd that will, after several days of ongoing
    attack, cause it to run out of memory.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.
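
The configuration-side mitigations that these advisories repeat (a 'restrict default' carrying nomodify and noquery, a controlkey paired with an explicit trustedkey, mode 7 left disabled unless a requestkey guards it, time from multiple sources, no unmonitored broadcast mode) can be checked mechanically before ntpd is restarted. The following Python auditor is an added example, not part of the NTP NEWS file and not ntpd's own code; the two ntp.conf samples inside it are constructed, the finding codes and the three-source threshold are this example's own choices, and 'enable mode7' is assumed to be the 4.2.8 directive that turns mode 7 on.

```python
"""Audit an ntp.conf against the mitigations repeated in these advisories.

Added example; not the NTP project's code. Checked here: 'restrict default'
with nomodify and noquery, authentication not disabled, controlkey paired
with a trustedkey, mode 7 off (or guarded by a requestkey), several time
sources, and broadcast mode. BCP-38 filtering and the -g startup flag are
outside ntp.conf and are not checked.
"""
from typing import List, Tuple

# (code, explanation); the codes are this script's own names.
Finding = Tuple[str, str]

# The advisories say "multiple sources" without a number. Three is this
# example's choice: the smallest set in which one false source is outvoted.
MIN_SOURCES = 3

# Directives that put ntpd into broadcast/multicast operation.
BROADCAST_DIRECTIVES = {"broadcast", "broadcastclient", "multicastclient"}


def parse_ntp_conf(text: str) -> List[List[str]]:
    """Tokenise ntp.conf: one word list per directive, comments dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def audit_ntp_conf(text: str) -> List[Finding]:
    """Return the findings for one ntp.conf; an empty list means no concern."""
    directives = parse_ntp_conf(text)
    names = {d[0] for d in directives}
    findings: List[Finding] = []

    # 'restrict default <flags>' or 'restrict -4|-6 default <flags>'
    defaults = [d for d in directives
                if d[0] == "restrict" and "default" in d[1:3]]
    if not defaults:
        findings.append(("NO_DEFAULT_RESTRICT",
                         "no 'restrict default': any source may send "
                         "mode 6/7 requests"))
    for d in defaults:
        flags = set(d[d.index("default") + 1:])
        if "nomodify" not in flags:
            findings.append(("DEFAULT_ALLOWS_MODIFY",
                             "'restrict default' lacks nomodify "
                             "(saveconfig, pidfile/driftfile directives)"))
        if "noquery" not in flags:
            findings.append(("DEFAULT_ALLOWS_QUERY",
                             "'restrict default' lacks noquery: anyone may "
                             "issue mode 6/7 queries"))

    if any(d[0] == "disable" and "auth" in d[1:] for d in directives):
        findings.append(("AUTH_DISABLED",
                         "'disable auth' removes the check on remote "
                         "configuration"))

    # controlkey is what permits remote (mode 6) configuration.
    if "controlkey" in names and "trustedkey" not in names:
        findings.append(("CONTROLKEY_WITHOUT_TRUSTEDKEY",
                         "controlkey set but no explicit trustedkey"))

    # Assumption: in 4.2.8 mode 7 stays off unless 'enable mode7' is present.
    if any(d[0] == "enable" and "mode7" in d[1:] for d in directives):
        findings.append(("MODE7_ENABLED",
                         "mode 7 enabled; the advisories say leave it off"))
        if "requestkey" not in names:
            findings.append(("MODE7_WITHOUT_REQUESTKEY",
                             "mode 7 enabled with no requestkey guarding it"))

    # Network time sources; 127.127.t.u addresses are local reference clocks.
    sources = [d for d in directives
               if d[0] in ("server", "peer", "pool") and len(d) > 1
               and not d[1].startswith("127.127.")]
    if len(sources) < MIN_SOURCES:
        findings.append(("FEW_SOURCES",
                         f"{len(sources)} network source(s); need at least "
                         f"{MIN_SOURCES} to outvote a false one"))

    if names & BROADCAST_DIRECTIVES:
        findings.append(("BROADCAST_MODE",
                         "broadcast/multicast in use: only acceptable if "
                         "every client is monitored"))
    return findings


# Constructed sample: a typical pre-hardening ntp.conf.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod
restrict 127.0.0.1
server 192.0.2.10
broadcastclient
enable mode7
keys /etc/ntp.keys
controlkey 1
"""

# Constructed sample: the same host after applying the advisories' advice
# (192.0.2.0/24 is a documentation range, not a real server).
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.50 nopeer      # the single admin host allowed mode 6 modify
server 192.0.2.10 key 1         # four authenticated sources
server 192.0.2.11 key 1
server 192.0.2.12 key 1
server 192.0.2.13 key 1
keys /etc/ntp.keys
trustedkey 1
controlkey 1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for code, why in audit_ntp_conf(conf) or [("OK", "no findings")]:
            print(f"  {code}: {why}")
```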

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
        mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
        to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure this
      if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from permitted IP addresses. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious ntpd instance that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
    and ntpq crashes, try again using raw mode. Build or get a
    patched ntpq and see if that fixes the problem. Report new
    bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
    in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksander Nikolich of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
    that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
      the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksander Nikolich of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
      and mode 7 requests.
      Configure and use the controlkey and requestkey
      authentication directives to limit who can
      send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations. This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
      block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory). A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
  be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
* [Bug 2888] streamline calendar functions. perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h made it agree with NTP's formatting conventions.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
* Code cleanup. Harlan Stenn.
* libntp/icom.c: Typo fix. Harlan Stenn.
* util/ntptime.c: initialization nit. Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
  Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
  Flendrich
* Typo fix for GCC warning suppression. Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
* Added declarations to all Unity tests, and did minor fixes to them.
  Reduced the number of warnings by half. Damir Tomić.
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
  with the latest Unity updates from Mark. Damir Tomić.
* Retire google test - phase I. Harlan Stenn.
* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
* Update the NEWS file. Harlan Stenn.
* Autoconf cleanup. Harlan Stenn.
* Unit test dist cleanup. Harlan Stenn.
* Cleanup various test Makefile.am files. Harlan Stenn.
* Pthread autoconf macro cleanup. Harlan Stenn.
* Fix progname definition in unity runner scripts. Harlan Stenn.
* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
* Update the patch for bug 2817. Harlan Stenn.
* More updates for bug 2817. Harlan Stenn.
* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
* gcc on older HPUX may need +allowdups. Harlan Stenn.
* Adding missing MCAST protection. Harlan Stenn.
* Disable certain test programs on certain platforms. Harlan Stenn.
* Implement --enable-problem-tests (on by default). Harlan Stenn.
* build system tweaks. Harlan Stenn.

---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

  *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
  *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

  wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.
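The Sec 2779 check described in this section, as an added example that is not ntpd's own code: it classifies the authenticator of a received symmetric-key packet by length and digest, then contrasts the pre-4.2.8p2 shape of the decision (reject only a MAC that failed to verify) with the corrected one (with a key configured, require a verified MAC). The packet layout, key id 42, key material and the toy digest standing in for MD5 are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define NTP_HDR_LEN     48   /* fixed NTP header length */
#define KEYID_LEN        4   /* key identifier that starts the MAC */
#define MD5_DIGEST_LEN  16   /* MD5 digest length; SHA-1 would be 20 */
enum auth_result { AUTH_NONE, AUTH_OK, AUTH_ERROR, AUTH_CRYPTO_NAK };

/* Constructed stand-in for the keyed digest (MD5 over key || packet). It
 * exists only so the example runs offline; it is not a secure MAC. */
static void toy_digest(const uint8_t *key, size_t keylen, const uint8_t *msg,
                       size_t msglen, uint8_t out[MD5_DIGEST_LEN])
{
    uint32_t h = 2166136261u;                     /* FNV-1a style mixing */
    size_t i;
    for (i = 0; i < keylen; i++) { h ^= key[i]; h *= 16777619u; }
    for (i = 0; i < msglen; i++) { h ^= msg[i]; h *= 16777619u; }
    for (i = 0; i < MD5_DIGEST_LEN; i++) {
        h ^= (uint32_t)i; h *= 16777619u;
        out[i] = (uint8_t)(h >> 24);
    }
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Classify the authenticator of a received packet: no MAC at all, a
 * crypto-NAK (key id only), a MAC that verifies, or one that does not. */
enum auth_result classify_auth(const uint8_t *pkt, size_t len, uint32_t keyid,
                               const uint8_t *key, size_t keylen)
{
    uint8_t kid[KEYID_LEN], want[MD5_DIGEST_LEN];
    if (len < NTP_HDR_LEN)              return AUTH_ERROR;
    if (len == NTP_HDR_LEN)             return AUTH_NONE;        /* no MAC */
    if (len == NTP_HDR_LEN + KEYID_LEN) return AUTH_CRYPTO_NAK;
    if (len != NTP_HDR_LEN + KEYID_LEN + MD5_DIGEST_LEN) return AUTH_ERROR;
    put_be32(kid, keyid);
    if (memcmp(kid, pkt + NTP_HDR_LEN, KEYID_LEN) != 0) return AUTH_ERROR;
    toy_digest(key, keylen, pkt, NTP_HDR_LEN, want);
    return memcmp(want, pkt + NTP_HDR_LEN + KEYID_LEN, MD5_DIGEST_LEN) == 0
           ? AUTH_OK : AUTH_ERROR;
}

/* Shape of the pre-4.2.8p2 decision: only a MAC that failed to verify is
 * rejected, so a reply with no MAC at all passes even though the
 * association was configured with a symmetric key (never consulted here). */
bool accept_vulnerable(enum auth_result r)
{
    return r != AUTH_ERROR && r != AUTH_CRYPTO_NAK;
}

/* Corrected decision: with a key configured, only a verified MAC passes. */
bool accept_fixed(bool key_configured, enum auth_result r)
{
    if (key_configured) return r == AUTH_OK;
    return r == AUTH_OK || r == AUTH_NONE;
}

/* Build a constructed server reply: 48-byte header plus, if with_mac, the
 * key id and digest; corrupt flips one digest bit. Returns total length. */
size_t build_reply(uint8_t *buf, bool with_mac, bool corrupt, uint32_t keyid,
                   const uint8_t *key, size_t keylen)
{
    memset(buf, 0, NTP_HDR_LEN);
    buf[0] = 0x24;                                /* LI=0, VN=4, mode 4 */
    buf[1] = 2;                                   /* stratum 2 */
    if (!with_mac) return NTP_HDR_LEN;
    put_be32(buf + NTP_HDR_LEN, keyid);
    toy_digest(key, keylen, buf, NTP_HDR_LEN, buf + NTP_HDR_LEN + KEYID_LEN);
    if (corrupt) buf[NTP_HDR_LEN + KEYID_LEN] ^= 0x01;
    return NTP_HDR_LEN + KEYID_LEN + MD5_DIGEST_LEN;
}

/* Runs the three replies that matter for Sec 2779 against an association
 * with a key configured. Result bits: 1 = vulnerable code took the MAC-less
 * reply, 2 = fixed code took it, 4 = both took the correctly signed reply,
 * 8 = either took the corrupted reply. Expected value: 5. */
unsigned run_sec2779_demo(void)
{
    static const uint8_t key[] = "constructed-symmetric-key";  /* constructed */
    const size_t keylen = sizeof key - 1;
    const uint32_t keyid = 42;                                  /* constructed */
    uint8_t pkt[NTP_HDR_LEN + KEYID_LEN + MD5_DIGEST_LEN];
    unsigned mask = 0;
    size_t n; enum auth_result r;
    n = build_reply(pkt, false, false, keyid, key, keylen);
    r = classify_auth(pkt, n, keyid, key, keylen);
    if (accept_vulnerable(r))       mask |= 1u;
    if (accept_fixed(true, r))      mask |= 2u;
    n = build_reply(pkt, true, false, keyid, key, keylen);
    r = classify_auth(pkt, n, keyid, key, keylen);
    if (accept_vulnerable(r) && accept_fixed(true, r)) mask |= 4u;
    n = build_reply(pkt, true, true, keyid, key, keylen);
    r = classify_auth(pkt, n, keyid, key, keylen);
    if (accept_vulnerable(r) || accept_fixed(true, r)) mask |= 8u;
    return mask;
}
```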
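The 254.a.b.c leap-smear refid format from the 4.2.8p3 notes above, as an added example that is not ntpd's refidsmear code: it encodes a smear amount into the 2:22 field, decodes it back, and flags a smear refid the way a client-side monitoring check could. Treating the 24-bit field as two's complement, and the 0.5 s sample value, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMEAR_REFID_PREFIX 254u       /* first octet of a leap-smear refid */
#define SMEAR_FRAC_BITS    22         /* 2:22 integer:fraction split */
#define SMEAR_FIELD_MASK   0xFFFFFFu  /* the 24 bits carried in a.b.c */

/* Encode a smear amount in seconds into a 254.a.b.c refid (host order).
 * Assumption of this example: the 24-bit field is two's complement so a
 * negative smear is representable. Returns 0 when the amount does not fit
 * in the signed 2:22 field, i.e. when it is outside [-2 s, 2 s). */
uint32_t smear_to_refid(double smear_seconds)
{
    double scaled = smear_seconds * (double)(1u << SMEAR_FRAC_BITS);
    long q;
    if (scaled >= 8388608.0 || scaled < -8388608.0) return 0;   /* +-2^23 */
    /* round half away from zero without pulling in libm */
    q = (long)(scaled >= 0.0 ? scaled + 0.5 : scaled - 0.5);
    if (q > 0x7FFFFFL || q < -0x800000L) return 0;
    return (SMEAR_REFID_PREFIX << 24) | ((uint32_t)q & SMEAR_FIELD_MASK);
}

/* True when a refid announces smeared time. A client that sees this from a
 * public server has found one that ignores the warning in the notes above. */
int refid_is_smear(uint32_t refid)
{
    return (refid >> 24) == SMEAR_REFID_PREFIX;
}

/* Recover the smear amount in seconds from a 254.a.b.c refid. */
double refid_to_smear(uint32_t refid)
{
    uint32_t field = refid & SMEAR_FIELD_MASK;
    long q = (long)field;
    if (field & 0x800000u)            /* sign-extend the 24-bit value */
        q -= 0x1000000L;
    return (double)q / (double)(1u << SMEAR_FRAC_BITS);
}

/* Dotted-quad rendering, the form in which ntpq shows a refid. Returns the
 * number of characters written (snprintf semantics). */
int refid_to_dotted(uint32_t refid, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%u.%u.%u.%u",
                    (unsigned)(refid >> 24) & 0xFFu, (unsigned)(refid >> 16) & 0xFFu,
                    (unsigned)(refid >> 8) & 0xFFu, (unsigned)refid & 0xFFu);
}

/* Round trip of a constructed +0.5 s smear: returns 1 when the refid renders
 * as 254.32.0.0, is recognised as a smear refid and decodes back exactly. */
int smear_round_trip_ok(void)
{
    char dotted[16];
    uint32_t refid = smear_to_refid(0.5);
    refid_to_dotted(refid, dotted, sizeof dotted);
    return refid_is_smear(refid) && strcmp(dotted, "254.32.0.0") == 0 &&
           refid_to_smear(refid) == 0.5;
}
```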

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1 -based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

  restrict default ... noquery

in the ntp.conf file. With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
    - Upgrade to 4.2.7p11 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
    - Upgrade to 4.2.7p230 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later, or
    - Disable Autokey Authentication by removing, or commenting out,
      all configuration directives beginning with the crypto keyword
      in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later,
    - Remove or comment out all configuration directives
      beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" value to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

  * Updated "nic" and "interface" IPv6 address handling to prevent
    mismatches with localhost [::1] and wildcard [::] which resulted from
    using the address/prefix format (e.g. fe80::/64)
  * Fix orphan mode stratum incorrectly counting to infinity
  * Orphan parent selection metric updated to include missing ntohl()
  * Non-printable stratum 16 refid no longer sent to ntp
  * Duplicate ephemeral associations suppressed for broadcastclient and
    multicastclient without broadcastdelay
  * Exclude undetermined sys_refid from use in loopback TEST12
  * Exclude MODE_SERVER responses from KoD rate limiting
  * Include root del
ay in clock_update() sys_rootdisp calculations
  * get_systime() updated to exclude sys_residual offset (which only
    affected bits "below" sys_tick, the precision threshold)
  * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

  * -n option extended to include the billboard "server" column
  * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6.

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.
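The Sec 1331 mode 7 loop described under 4.2.4p8 above, as an added example that is not ntpd's code. It packs mode 7 headers using the struct req_pkt field layout and bit positions from ntpd's ntp_request.h, then runs two simulated daemons against each other: one that answers every malformed mode 7 packet (error responses included) with another error response, and one that drops anything carrying the response bit, which is the property the 4.2.4p8 fix restores. The two handlers, the host names, the "known request" set, the choice of error code in replies and the 20-packet cap are this example's assumptions, not ntpd's implementation; the noquery set stands in for "restrict ... noquery".

```python
"""Model of the Sec 1331 / CVE-2009-3563 mode 7 error-response loop.

Added example, not ntpd's code.  The 8-byte header layout (rm_vn_mode,
auth_seq, implementation, request, err_nitems, mbz_itemsize) and the bit
positions follow struct req_pkt in ntpd's ntp_request.h.  The handlers,
host names, request-code set and reply error code are assumptions made
here only to show the behaviour the advisory describes.
"""
import struct

MODE_PRIVATE = 7
RESP_BIT = 0x80          # rm_vn_mode: packet is a response, not a request
MORE_BIT = 0x40          # rm_vn_mode: more response packets follow
INFO_ERR_OKAY = 0        # err_nitems high nibble: no error
INFO_ERR_REQ = 2         # err_nitems high nibble: unknown request code
INFO_ERR_FMT = 3         # err_nitems high nibble: format error

# Constructed subset of request codes the simulated daemon "knows".
KNOWN_REQUESTS = frozenset({0, 1, 2})


def build_mode7(request=0, response=False, err=INFO_ERR_OKAY,
                version=2, implementation=2, seq=0):
    """Pack a mode 7 header: response/more bits, 3-bit version, 3-bit mode."""
    rm_vn_mode = (RESP_BIT if response else 0) | ((version & 7) << 3) | MODE_PRIVATE
    err_nitems = (err & 0xF) << 12            # error code high 4 bits, nitems low 12
    return struct.pack("!BBBBHH", rm_vn_mode, seq & 0x7F, implementation,
                       request & 0xFF, err_nitems, 0)


def parse_mode7(pkt):
    """Unpack the header fields a daemon looks at before deciding to reply."""
    rm_vn_mode, _auth_seq, impl, req, err_nitems, _ = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(rm_vn_mode & RESP_BIT),
        "more": bool(rm_vn_mode & MORE_BIT),
        "version": (rm_vn_mode >> 3) & 7,
        "mode": rm_vn_mode & 7,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0xFFF,
    }


def ntpd_pre_fix(hdr, src, noquery=frozenset()):
    """Pre-4.2.4p8 model: every malformed mode 7 packet from a queryable
    source gets a mode 7 error response, even when the packet is itself
    an error response.  Returns reply bytes, or None for no reply."""
    if src in noquery or hdr["mode"] != MODE_PRIVATE:
        return None                                   # restrict ... noquery / not mode 7
    if hdr["response"] or hdr["request"] not in KNOWN_REQUESTS:
        return build_mode7(request=hdr["request"], response=True, err=INFO_ERR_REQ)
    return build_mode7(request=hdr["request"], response=True)   # normal answer, payload elided


def ntpd_fixed(hdr, src, noquery=frozenset()):
    """4.2.4p8 model: identical, except anything carrying the response bit
    is dropped silently, so a response can never elicit a response."""
    if src in noquery or hdr["mode"] != MODE_PRIVATE or hdr["response"]:
        return None
    if hdr["request"] not in KNOWN_REQUESTS:
        return build_mode7(request=hdr["request"], response=True, err=INFO_ERR_REQ)
    return build_mode7(request=hdr["request"], response=True)


def simulate(handler, first_pkt, victim, spoofed_src, noquery=frozenset(), max_packets=20):
    """Deliver first_pkt to `victim` as if sent by `spoofed_src`, then keep
    routing each reply back to its apparent sender.  Returns how many reply
    packets the daemons emitted before the exchange died out (capped)."""
    sent = 0
    pkt, receiver, sender = first_pkt, victim, spoofed_src
    while sent < max_packets:
        reply = handler(parse_mode7(pkt), sender, noquery)
        if reply is None:
            break
        sent += 1
        pkt, receiver, sender = reply, sender, receiver   # the reply travels back
    return sent


def demo():
    """The advisory's two scenarios, the noquery mitigation, the fixed daemon,
    and a sanity check; values are reply counts, 20 meaning it never stopped."""
    spoofed_error = build_mode7(response=True, err=INFO_ERR_FMT)   # attacker-forged
    bad_request = build_mode7(request=200)                          # ordinary malformed request
    return {
        "pre_fix_A_B": simulate(ntpd_pre_fix, spoofed_error, "B", "A"),
        "pre_fix_self": simulate(ntpd_pre_fix, spoofed_error, "A", "A"),
        "pre_fix_noquery": simulate(ntpd_pre_fix, spoofed_error, "B", "A", noquery={"A"}),
        "fixed_A_B": simulate(ntpd_fixed, spoofed_error, "B", "A"),
        "fixed_bad_request": simulate(ntpd_fixed, bad_request, "B", "A"),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:20s} replies={count}")
```

The "pre_fix_noquery" case is the "restrict ... noquery" mitigation the entry names: the loop never starts because the daemon does not answer the spoofed source at all. The "fixed_bad_request" case shows the fixed daemon still answers a genuinely malformed request exactly once, which is the behaviour to confirm after upgrading, since the fix must stop response-to-response replies without making ntpdc error reporting disappear.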

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability in NTP's use
of the OpenSSL library: the return value of the EVP_VerifyFinal function
was checked incorrectly, so a failed signature verification could be
treated as a success.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.

---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default.
The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to terminate ntpd
under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, and MD5
signatures are now provided for the release files.
Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.