---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that causes an ntpd
instance that is explicitly configured to override the default and allow
ntpdc (mode 7) connections to be made to a server to read some uninitialized
memory; fixes the case where an unmonitored ntpd using an unauthenticated
association to its servers may be susceptible to a forged packet DoS attack;
and fixes an attack against a client instance that uses a single
unauthenticated time source. It also fixes 46 other bugs and addresses
4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig. stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison. stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
  ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
  is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message. <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
  mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h. <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

--
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
  [Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org>
  [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
    other TrustedBSD platforms
    - applied patch by Ian Lepore <perlinger@ntp.org>
  [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
    - changed interaction with SCM to signal pending startup
  [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
    - rework of ntpq 'nextvar()' key/value parsing
  [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
  [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
    - add #define ENABLE_CMAC support in configure. HStenn.
  [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
  [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
    - patch by Stephen Friedl
  [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
    - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
  [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
  [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
    - initial patch by Hal Murray; also fixed refclock_report() trouble
  [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
  [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
    - According to Brooks Davis, there was only one location <perlinger@ntp.org>
  [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
    with modifications
    New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
  [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
    - applied patch by Miroslav Lichvar
  [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
  [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
    - integrated patch by Reinhard Max
  [Bug 2821] minor build issues <perlinger@ntp.org>
    - applied patches by Christos Zoulas, including real bug fixes
  html/authopt.html: cleanup, from <stenn@ntp.org>
  ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
  Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>

--
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
  association (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3454 / CVE-2018-7185 / VU#961909
  Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
    2.9 and 6.8.
  CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
    score between 2.6 and 3.1
  Summary:
    The NTP Protocol allows for both non-authenticated and
    authenticated associations, in client/server, symmetric (peer),
    and several broadcast modes. In addition to the basic NTP
    operational modes, symmetric mode and broadcast servers can
    support an interleaved mode of operation. In ntp-4.2.8p4 a bug
    was inadvertently introduced into the protocol engine that
    allows a non-authenticated zero-origin (reset) packet to reset
    an authenticated interleaved peer association. If an attacker
    can send a packet with a zero-origin timestamp and the source
    IP address of the "other side" of an interleaved association,
    the 'victim' ntpd will reset its association. The attacker must
    continue sending these packets in order to maintain the
    disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
    interleave mode could be entered dynamically. As of ntp-4.2.8p7,
    interleaved mode must be explicitly configured/enabled.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade to 4.2.8p11 or later and have
    'peer HOST xleave' lines in your ntp.conf file, remove the
    'xleave' option.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
  state (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3453 / CVE-2018-7184 / VU#961909
  Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Could score between 2.9 and 6.8.
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    Could score between 2.6 and 6.0.
  Summary:
    The fix for NtpBug2952 was incomplete, and while it fixed one
    problem it created another. Specifically, it drops bad packets
    before updating the "received" timestamp. This means a
    third-party can inject a packet with a zero-origin timestamp,
    meaning the sender wants to reset the association, and the
    transmit timestamp in this bogus packet will be saved as the
    most recent "received" timestamp. The real remote peer does
    not know this value and this will disrupt the association until
    the association resets.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use authentication with 'peer' mode.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
  peering (LOW)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3415 / CVE-2018-7170 / VU#961909
    Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up to
    use a trustedkey and if one is not using the feature introduced in
    ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
    specify which IPs can serve time, a malicious authenticated peer
    -- i.e. one where the attacker knows the private symmetric key --
    can create arbitrarily-many ephemeral associations in order to win
    the clock selection of ntpd and modify a victim's clock. Three
    additional protections are offered in ntp-4.2.8p11. One is the
    new 'noepeer' directive, which disables symmetric passive
    ephemeral peering. Another is the new 'ippeerlimit' directive,
    which limits the number of peers that can be created from an IP.
    The third extends the functionality of the 4th field in the
    ntp.keys file to include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
    ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peers
    that can be created from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs and
    subnets that can be time servers.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was reported as Bug 3012 by Matthew Van Gundy of
    Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3414 / CVE-2018-7183 / VU#961909
  Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
  Summary:
    ntpq is a monitoring and control program for ntpd. decodearr()
    is an internal function of ntpq that is used to -- wait for it --
    decode an array in a response string when formatted data is being
    displayed. This is a problem in affected versions of ntpq if a
    maliciously-altered ntpd returns an array result that will trip this
    bug, or if a bad actor is able to read an ntpq request on its way to
    a remote ntpd server and forge and send a response before the remote
    ntpd sends its response. It's potentially possible that the
    malicious data could become injectable/executable code.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
  behavior and information leak (Info/Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3412 / CVE-2018-7182 / VU#961909
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
  CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    0.0 if C:N
  Summary:
    ctl_getitem() is used by ntpd to process incoming mode 6 packets.
    A malicious mode 6 packet can be sent to an ntpd instance, and
    if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
    cause ctl_getitem() to read past the end of its buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
  Also see Bug 3415, above.
  Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up
    to use a trustedkey and if one is not using the feature
    introduced in ntp-4.2.8p6 allowing an optional 4th field in the
    ntp.keys file to specify which IPs can serve time, a malicious
    authenticated peer -- i.e. one where the attacker knows the
    private symmetric key -- can create arbitrarily-many ephemeral
    associations in order to win the clock selection of ntpd and
    modify a victim's clock. Two additional protections are
    offered in ntp-4.2.8p11. One is the 'noepeer' directive, which
    disables symmetric passive ephemeral peering. The other extends
    the functionality of the 4th field in the ntp.keys file to
    include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
    ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peer
    associations from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs
    and subnets that can be time servers.
    Properly monitor your ntpd instances.
  Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* Bug fixes:
  [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
  [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
    - applied patch by Sean Haugh
  [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
  [Bug 3450] Dubious error messages from plausibility checks in get_systime()
    - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
  [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
    - refactoring the MAC code, too
  [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
  [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
    - applied patch by ggarvey
  [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
    - applied patch by ggarvey (with minor mods)
  [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
    - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
  [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
  [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
  [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
    - fixed several issues with hash algos in ntpd, sntp, ntpq,
      ntpdc and the test suites <perlinger@ntp.org>
  [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
    - initial patch by Daniel Pouzzner
  [Bug 3423] QNX adjtime() implementation error checking is
    wrong <perlinger@ntp.org>
  [Bug 3417] ntpq ifstats packet counters can be negative
    made IFSTATS counter quantities unsigned <perlinger@ntp.org>
  [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
    - raised receive buffer size to 1200 <perlinger@ntp.org>
  [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
    analysis tool. <abe@ntp.org>
  [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath.
  [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
    - fix/drop assumptions on OpenSSL libs directory layout
  [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
    - initial patch by timeflies@mail2tor.com <perlinger@ntp.org>
  [Bug 3398] tests fail with core dump <perlinger@ntp.org>
    - patch contributed by Alexander Bluhm
  [Bug 3397] ctl_putstr() asserts that data fits in its buffer
    rework of formatting & data transfer stuff in 'ntp_control.c'
    avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
  [Bug 3394] Leap second deletion does not work on ntpd clients
    - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
  [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
    - increased minimum stack size to 32kB <perlinger@ntp.org>
  [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
    - reverted handling of PPS kernel consumer to 4.2.6 behavior
  [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
  [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn.
  [Bug 3016] wrong error position reported for bad ":config pool"
    - fixed location counter & ntpq output <perlinger@ntp.org>
  [Bug 2900] libntp build order problem. HStenn.
  [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
  [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
    perlinger@ntp.org
  [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
  [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
  Use strlcpy() to copy strings, not memcpy(). HStenn.
  Typos. HStenn.
  test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn.
  refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn.
  Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org
  Fix trivial warnings from 'make check'. perlinger@ntp.org
  Fix bug in the override portion of the compiler hardening macro. HStenn.
  record_raw_stats(): Log entire packet. Log writes. HStenn.
  AES-128-CMAC support. BInglis, HStenn, JPerlinger.
  sntp: tweak key file logging. HStenn.
  sntp: pkt_output(): Improve debug output. HStenn.
  update-leap: updates from Paul McMath.
  When using pkg-config, report --modversion. HStenn.
  Clean up libevent configure checks. HStenn.
  sntp: show the IP of who sent us a crypto-NAK. HStenn.
  Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger.
  authistrustedip() - use it in more places. HStenn, JPerlinger.
  New sysstats: sys_lamport, sys_tsrounding. HStenn.
  Update ntp.keys .../N documentation. HStenn.
  Distribute testconf.yml. HStenn.
  Add DPRINTF(2,...) lines to receive() for packet drops. HStenn.
  Rename the configuration flag fifo variables. HStenn.
  Improve saveconfig output. HStenn.
  Decode restrict flags on receive() debug output. HStenn.
  Decode interface flags on receive() debug output. HStenn.
  Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn.
  Update the documentation in ntp.conf.def . HStenn.
  restrictions() must return restrict flags and ippeerlimit. HStenn.
  Update ntpq peer documentation to describe the 'p' type. HStenn.
  Rename restrict 'flags' to 'rflags'. Use an enum for the values. HStenn.
  Provide dump_restricts() for debugging. HStenn.
  Use consistent 4th arg type for [gs]etsockopt. JPerlinger.

* Other items:

* update-leap needs the following perl modules:
  Net::SSLeay
  IO::Socket::SSL

* New sysstats variables: sys_lamport, sys_tsrounding
See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
sys_lamport counts the number of observed Lamport violations, while
sys_tsrounding counts observed timestamp rounding events.

* New ntp.conf items:

- restrict ... noepeer
- restrict ... ippeerlimit N

The 'noepeer' directive will disallow all ephemeral/passive peer
requests.

The 'ippeerlimit' directive limits the number of time associations
for each IP in the designated set of addresses. This limit does not
apply to explicitly-configured associations. A value of -1, the current
default, means an unlimited number of associations may connect from a
single IP. 0 means "none", etc. Ordinarily the only way multiple
associations would come from the same IP would be if the remote side
was using a proxy. But a trusted machine might become compromised,
in which case an attacker might spin up multiple authenticated sessions
from different ports. This directive should be helpful in this case.

* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key. This IP/subnet restriction can be
used to limit the IPs that may use the key in almost all situations where
a key is used.
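An added audit script (not part of NTP or of this NEWS file) that checks an ntp.conf/ntp.keys pair for the Bug 3415/3012 mitigations described above: it parses restrict lines for 'noepeer' and 'ippeerlimit N', applies ntpd's most-specific-restrict-entry rule, parses the optional 4th-field IP/subnet scope in ntp.keys, and reports when a trusted key is unscoped or a source address may still mobilize unlimited ephemeral associations. The sample configurations are constructed; the comma separator in the ntp.keys 4th field and the IPv4-only 'default' handling are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed sample configurations; not taken from any real deployment.
# WEAK_CONF relies only on 'nopeer', which does not stop a peer that holds
# a trusted key from mobilizing ephemeral associations.
WEAK_CONF = """\
keys /etc/ntp.keys
trustedkey 1 2
restrict default kod nomodify notrap nopeer noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify
restrict 127.0.0.1
peer 10.0.1.5 key 1
"""
# HARDENED_CONF adds the two 4.2.8p11 directives from the NEWS text.
HARDENED_CONF = """\
keys /etc/ntp.keys
trustedkey 1 2
restrict default kod nomodify notrap nopeer noquery noepeer ippeerlimit 0
restrict 10.0.0.0 mask 255.0.0.0 ippeerlimit 1 nomodify
restrict 127.0.0.1
peer 10.0.1.5 key 1
"""
# ntp.keys without, and with, the optional 4th-field IP scope (constructed).
WEAK_KEYS = "1 MD5 secret1\n2 SHA1 0123456789abcdef\n"
SCOPED_KEYS = "1 MD5 secret1 10.0.1.5\n2 SHA1 0123456789abcdef 10.0.2.0/24,192.0.2.7\n"


def _tokens(line: str) -> List[str]:
    """Split a config line into tokens, dropping '#' comments."""
    return line.split("#", 1)[0].split()


def parse_restricts(conf: str) -> List[tuple]:
    """Parse 'restrict addr [mask m] [ippeerlimit N] [flag ...]' lines.

    Returns (network, flags, ippeerlimit) tuples. Assumption: only the
    address/mask and IPv4 'default' forms are handled; 'restrict source'
    and anything unparsable is skipped.
    """
    out: List[tuple] = []
    for line in conf.splitlines():
        tok = _tokens(line)
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = [t for t in tok[1:] if t not in ("-4", "-6")]
        try:
            if tok[0] == "default":
                net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
            elif tok[1:2] == ["mask"]:
                net = ipaddress.ip_network(f"{tok[0]}/{tok[2]}", strict=False)
                rest = tok[3:]
            else:
                net, rest = ipaddress.ip_network(tok[0], strict=False), tok[1:]
        except (ValueError, IndexError):
            continue
        flags: Set[str] = set()
        limit = -1  # ntpd default: unlimited associations per IP
        i = 0
        while i < len(rest):
            if rest[i] == "ippeerlimit" and i + 1 < len(rest):
                limit, i = int(rest[i + 1]), i + 2
            else:
                flags.add(rest[i])
                i += 1
        out.append((net, flags, limit))
    return out


def effective_restrict(conf: str, ip: str) -> Optional[tuple]:
    """Longest-prefix restrict entry covering ip (ntpd's most-specific match)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in parse_restricts(conf):
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def parse_keys(keys_text: str) -> Dict[int, Optional[list]]:
    """ntp.keys 'keyno type secret [ip[/bits],...]'; None scope = any source."""
    keys: Dict[int, Optional[list]] = {}
    for line in keys_text.splitlines():
        tok = _tokens(line)
        if len(tok) < 3:
            continue
        scope = None
        if len(tok) >= 4:  # assumed comma-separated list of IP or IP/bits
            scope = [ipaddress.ip_network(s, strict=False) for s in tok[3].split(",")]
        keys[int(tok[0])] = scope
    return keys


def key_allows(keys: Dict[int, Optional[list]], keyno: int, ip: str) -> bool:
    """True if a packet from ip may authenticate with keyno under its scope."""
    if keyno not in keys:
        return False
    scope = keys[keyno]
    return scope is None or any(ipaddress.ip_address(ip) in n for n in scope)


def trusted_keys(conf: str) -> Set[int]:
    """Key ids named on 'trustedkey' lines (single ids only)."""
    ids: Set[int] = set()
    for line in conf.splitlines():
        tok = _tokens(line)
        if tok[:1] == ["trustedkey"]:
            ids.update(int(t) for t in tok[1:] if t.isdigit())
    return ids


def audit(conf: str, keys_text: str, peer_ip: str) -> List[str]:
    """Findings for a source at peer_ip that holds a trusted key."""
    findings: List[str] = []
    keys = parse_keys(keys_text)
    for k in sorted(trusted_keys(conf)):
        if k in keys and keys[k] is None:
            findings.append(f"key {k}: no 4th-field IP scope, usable from any source")
    r = effective_restrict(conf, peer_ip)
    flags, limit = (r[1], r[2]) if r else (set(), -1)
    if "noepeer" not in flags and limit == -1:
        findings.append(f"{peer_ip}: no noepeer and ippeerlimit -1, "
                        "ephemeral symmetric-passive peers unlimited")
    return findings
```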
--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3389 / CVE-2017-6464 / VU#325339
  Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server makes it possible for an
    authenticated remote user to crash ntpd via a malformed mode
    configuration directive.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
      the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3388 / CVE-2017-6462 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    There is a potential for a buffer overflow in the legacy Datum
    Programmable Time Server refclock driver. Here the packets are
    processed from the /dev/datum device and handled in
    datum_pts_receive(). Since an attacker would be required to
    somehow control a malicious /dev/datum device, this does not
    appear to be a practical attack and renders this issue "Low" in
    terms of severity.
  Mitigation:
    If you have a Datum reference clock installed and think somebody
      may maliciously change the device, upgrade to 4.2.8p10, or
      later, from the NTP Project Download Page or the NTP Public
      Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3387 / CVE-2017-6463 / VU#325339
  Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server allows an authenticated
    remote attacker to crash the daemon by sending an invalid setting
    via the :config directive. The unpeer option expects a number or
    an address as an argument. In case the value is "0", a
    segmentation fault occurs.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3386
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
  Summary:
    The NTP Mode 6 monitoring and control client, ntpq, uses the
    function ntpq_stripquotes() to remove quotes and escape characters
    from a given string. According to the documentation, the function
    is supposed to return the number of copied bytes but due to
    incorrect pointer usage this value is always zero. Although the
    return value of this function is never used in the code, this
    flaw could lead to a vulnerability in the future. Since relying
    on wrong return values when performing memory operations is a
    dangerous practice, it is recommended to return the correct value
    in accordance with the documentation pertinent to the code.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
  Date Resolved: 21 Mar 2017
  References: Sec 3385
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  Summary:
    NTP makes use of several wrappers around the standard heap memory
    allocation functions that are provided by libc. This is mainly
    done to introduce additional safety checks concentrated on
    several goals. First, they seek to ensure that memory is not
    accidentally freed, secondly they verify that a correct amount
    is always allocated and, thirdly, that allocation failures are
    correctly handled. There is an additional implementation for
    scenarios where memory for a specific amount of items of the
    same size needs to be allocated. The handling can be found in
    the oreallocarray() function for which a further number-of-elements
    parameter needs to be provided. Although no considerable threat
    was identified as tied to a lack of use of this function, it is
    recommended to correctly apply oreallocarray() as a preferred
    option across all of the locations where it is possible.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
    PPSAPI ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3384 / CVE-2017-6455 / VU#325339
  Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
    not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
    including ntp-4.3.94.
  CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    The Windows NT port has the added capability to preload DLLs
    defined in the inherited global local environment variable
    PPSAPI_DLLS. The code contained within those libraries is then
    called from the NTPD service, usually running with elevated
    privileges. Depending on how securely the machine is set up and
    configured, if ntpd is configured to use the PPSAPI under Windows
    this can easily lead to a code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
    installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3383 / CVE-2017-6452 / VU#325339
  Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
    to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcat(), blindly appending
    the string passed to the stack buffer in the addSourceToRegistry()
    function. The stack buffer is 70 bytes smaller than the buffer
    in the calling main() function. Together with the initially
    copied Registry path, the combination causes a stack buffer
    overflow and effectively overwrites the stack frame. The
    passed application path is actually limited to 256 bytes by the
    operating system, but this is not sufficient to assure that the
    affected stack buffer is consistently protected against
    overflowing at all times.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
    installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3382 / CVE-2017-6459 / VU#325339
  Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
    up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcpy() with an argument
    that specifically contains multiple null bytes. strcpy() only
    copies a single terminating null character into the target
    buffer instead of copying the required double null bytes in the
    addKeysToRegistry() function. As a consequence, a garbage
    registry entry can be created. The additional arsize parameter
    is erroneously set to contain two null bytes and the following
    call to RegSetValueEx() claims to be passing in a multi-string
    value, though this may not be true.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
  References: Sec 3381
  Summary:
    The report says: Statically included external projects
    potentially introduce several problems and the issue of having
    extensive amounts of code that is "dead" in the resulting binary
    must clearly be pointed out. The unnecessary unused code may or
    may not contain bugs and, quite possibly, might be leveraged for
    code-gadget-based branch-flow redirection exploits. Analogically,
    having source trees statically included as well means a failure
    in taking advantage of the free feature for periodical updates.
    This solution is offered by the system's Package Manager. The
    three libraries identified are libisc, libevent, and libopts.
  Resolution:
    For libisc, we already only use a portion of the original library.
    We've found and fixed bugs in the original implementation (and
    offered the patches to ISC), and plan to see what has changed
    since we last upgraded the code. libisc is generally not
    installed, and when it is we usually only see the static libisc.a
    file installed. Until we know for sure that the bugs we've found
    and fixed are fixed upstream, we're better off with the copy we
    are using.

    Version 1 of libevent was the only production version available
    until recently, and we've been requiring version 2 for a long time.
    But if the build system has at least version 2 of libevent
    installed, we'll use the version that is installed on the system.
    Otherwise, we provide a copy of libevent that we know works.

    libopts is provided by GNU AutoGen, and that library and package
    undergoes frequent API version updates. The version of autogen
    used to generate the tables for the code must match the API
    version in libopts. AutoGen can be ... difficult to build and
    install, and very few developers really need it. So we have it
    on our build and development machines, and we provide the
    specific version of the libopts code in the distribution to make
    sure that the proper API version of libopts is available.

    As for the point about there being code in these libraries that
    NTP doesn't use, OK. But other packages used these libraries as
    well, and it is reasonable to assume that other people are paying
    attention to security and code quality issues for the overall
    libraries. It takes significant resources to analyze and
    customize these libraries to only include what we need, and to
    date we believe the cost of this effort does not justify the benefit.
  Credit:
    This issue was discovered by Cure53.

* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3380
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
  Summary:
    There is a fencepost error in a "recovery branch" of the code for
    the Oncore GPS receiver if the communication link to the ONCORE
    is weak / distorted and the decoding doesn't work.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
      the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3379 / CVE-2017-6458 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    ntpd makes use of different wrappers around ctl_putdata() to
    create name/value ntpq (mode 6) response strings. For example,
    ctl_putstr() is usually used to send string data (variable names
    or string data). The formatting code was missing a length check
    for variable names. If somebody explicitly created any unusually
    long variable names in ntpd (longer than 200-512 bytes, depending
    on the type of variable), then if any of these variables are
    added to the response list it would overflow a buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you don't want to upgrade, then don't setvar variable names
      longer than 200-512 bytes in your ntp.conf file.
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3378 / CVE-2017-6451 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
  CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
  Summary:
    The legacy MX4200 refclock is only built if it is specifically
    enabled, and furthermore additional code changes are required to
    compile and use it. But it uses the libc functions snprintf()
    and vsnprintf() incorrectly, which can lead to an out-of-bounds
    memory write due to an improper handling of the return value of
    snprintf()/vsnprintf(). Since the return value is used as an
    iterator and it can be larger than the buffer's size, it is
    possible for the iterator to point somewhere outside of the
    allocated buffer space. This results in an out-of-bound memory
    write. This behavior can be leveraged to overwrite a saved
    instruction pointer on the stack and gain control over the
    execution flow. During testing it was not possible to identify
    any malicious usage for this vulnerability. Specifically, no
    way for an attacker to exploit this vulnerability was ultimately
    unveiled. However, it has the potential to be exploited, so the
    code should be fixed.
  Mitigation, if you have a Magnavox MX4200 refclock:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
    malicious ntpd (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3377 / CVE-2017-6460 / VU#325339
  Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A stack buffer overflow in ntpq can be triggered by a malicious
    ntpd server when ntpq requests the restriction list from the server.
    This is due to a missing length check in the reslist() function.
    It occurs whenever the function parses the server's response and
    encounters a flagstr variable of an excessive length. The string
    will be copied into a fixed-size buffer, leading to an overflow on
    the function's stack-frame. Note well that this problem requires
    a malicious server, and affects ntpq, not ntpd.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you can't upgrade your version of ntpq and want to fetch the
      reslist of an ntpd instance that you do not control, be aware
      that a malicious ntpd can send back a response intended to
      crash your ntpq process.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3376
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: N/A
  CVSS3: N/A
  Summary:
    The build process for NTP has not, by default, provided compile
    or link flags to offer "hardened" security options. Package
    maintainers have always been able to provide hardening security
    flags for their builds. As of ntp-4.2.8p10, the NTP build
    system has a way to provide OS-specific hardening flags. Please
    note that this is still not a really great solution because it
    is specific to NTP builds. It's inefficient to have every
    package supply, track and maintain this information for every
    target build. It would be much better if there was a common way
    for OSes to provide this information in a way that arbitrary
    packages could benefit from it.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was reported by Cure53.

* 0rigin DoS (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3361 / CVE-2016-9042 / VU#325339
  Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
  Summary:
    An exploitable denial of service vulnerability exists in the
    origin timestamp check functionality of ntpd 4.2.8p9. A specially
    crafted unauthenticated network packet can be used to reset the
    expected origin timestamp for target peers. Legitimate replies
    from targeted peers will fail the origin timestamp check (TEST2)
    causing the reply to be dropped and creating a denial of service
    condition. This vulnerability can only be exploited if the
    attacker can spoof all of the servers.
  Mitigation:
    Implement BCP-38.
    Configure enough servers/peers that an attacker cannot target
      all of your time sources.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
      ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco.

Other fixes:

* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
  - original patch by Majdi S. Abbas
* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
  - initial patch by Christos Zoulas
* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
  - move loader API from 'inline' to proper source
  - augment pathless dlls with absolute path to NTPD
  - use 'msyslog()' instead of 'printf()' for reporting trouble
* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
  - applied patch by Matthew Van Gundy
* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
  - applied some of the patches provided by Havard. Not all of them
    still match the current code base, and I did not touch libopt.
* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
  - applied patch by Reinhard Max. See bugzilla for limitations.
* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
  - fixed dependency inversion from [Bug 2837]
* [Bug 2896] Nothing happens if minsane < maxclock < minclock
  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger@ntp.org>
* Update copyright year.

--
(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
  - added missed changeset for automatic openssl lib detection
  - fixed some minor warning issues
* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
* configure.ac cleanup. stenn@ntp.org
* openssl configure cleanup. stenn@ntp.org

--
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low-, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
      allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.
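The origin-timestamp check (TEST2) that this zero-origin entry and the 0rigin DoS entry in the 4.2.8p10 section both hinge on, as an added Python example; it is a simplified model written for this page, not ntpd's code. It assumes the 48-byte NTPv4 header layout and uses constructed timestamps and packets; the rule it demonstrates is that a client accepts a reply only when its originate field echoes the outstanding request's transmit timestamp, rejects a zero origin outright, and never lets a rejected packet alter the expected origin.

```python
import struct

# 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then the 64-bit reference, originate,
# receive and transmit timestamps.
NTP_HEADER = "!BBbbIIIQQQQ"
NTP_HEADER_LEN = struct.calcsize(NTP_HEADER)  # 48

MODE_CLIENT = 3
MODE_SERVER = 4


def ntp_timestamp(seconds, fraction=0):
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    return ((seconds & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)


def parse_header(data):
    """Decode the header fields the check needs; raise on a short packet."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    f = struct.unpack(NTP_HEADER, data[:NTP_HEADER_LEN])
    return {
        "version": (f[0] >> 3) & 0x7,
        "mode": f[0] & 0x7,
        "stratum": f[1],
        "org": f[8],   # originate: must echo the xmt of the request it answers
        "rec": f[9],
        "xmt": f[10],
    }


def build_request(xmt):
    """Mode 3 client request. Its transmit timestamp is the nonce a reply must echo."""
    li_vn_mode = (4 << 3) | MODE_CLIENT
    return struct.pack(NTP_HEADER, li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, xmt)


def build_reply(request, rec, xmt, org=None):
    """Mode 4 reply to `request` (constructed server side of the exchange).
    A well-behaved server copies the request's transmit timestamp into org;
    `org` can be overridden to build mismatched or zero-origin test packets."""
    if org is None:
        org = parse_header(request)["xmt"]
    li_vn_mode = (4 << 3) | MODE_SERVER
    refid = 0x47505300  # "GPS\0": a stratum-1 reference identifier
    return struct.pack(NTP_HEADER, li_vn_mode, 1, 6, -20, 0, 0, refid,
                       rec, org, rec, xmt)


class ClientAssociation:
    """Client-side state for one server: the xmt of the outstanding request.

    Only an accepted reply changes that state. A packet that fails the
    origin check is dropped without touching `xmt`, so it cannot reset the
    expected origin and cause the genuine reply to be rejected afterwards."""

    def __init__(self):
        self.xmt = 0          # 0 means no request is outstanding
        self.accepted = 0
        self.dropped = {}     # reason -> count, the kind of counter to monitor

    def send_request(self, now):
        self.xmt = now
        return build_request(now)

    def _drop(self, reason):
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return ("dropped", reason)

    def receive(self, data):
        try:
            pkt = parse_header(data)
        except ValueError:
            return self._drop("short packet")
        if pkt["mode"] != MODE_SERVER:
            return self._drop("not a server reply")
        if pkt["org"] == 0:
            # A zero originate field can never answer a request we sent.
            return self._drop("zero origin")
        if pkt["org"] != self.xmt:
            # TEST2: the reply does not echo the outstanding request (bogus).
            return self._drop("bogus origin (TEST2)")
        # Accept, then clear the outstanding xmt so the same reply cannot be
        # accepted twice: a replay now fails TEST2 like any other bogus packet.
        self.xmt = 0
        self.accepted += 1
        return ("accepted", pkt["xmt"])


if __name__ == "__main__":
    assoc = ClientAssociation()
    req = assoc.send_request(ntp_timestamp(3_900_000_000, 0x12345678))
    srv = ntp_timestamp(3_900_000_000, 0x20000000)
    print(assoc.receive(build_reply(req, srv, srv + 1, org=0)))   # zero origin
    print(assoc.receive(build_reply(req, srv, srv + 1)))          # accepted
    print(assoc.dropped)
```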
1164 1165* read_mru_list() does inadequate incoming packet checks 1166 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1167 References: Sec 3082 / CVE-2016-7434 / VU#633847 1168 Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and 1169 ntp-4.3.0 up to, but not including ntp-4.3.94. 1170 CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C) 1171 CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1172 Summary: 1173 If ntpd is configured to allow mrulist query requests from a 1174 server that sends a crafted malicious packet, ntpd will crash 1175 on receipt of that crafted malicious mrulist query packet. 1176 Mitigation: 1177 Only allow mrulist query packets from trusted hosts. 1178 Implement BCP-38. 1179 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1180 or the NTP Public Services Project Download Page 1181 Properly monitor your ntpd instances, and auto-restart ntpd 1182 (without -g) if it stops running. 1183 Credit: This weakness was discovered by Magnus Stubman. 1184 1185* Attack on interface selection 1186 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1187 References: Sec 3072 / CVE-2016-7429 / VU#633847 1188 Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and 1189 ntp-4.3.0 up to, but not including ntp-4.3.94 1190 CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 1191 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 1192 Summary: 1193 When ntpd receives a server response on a socket that corresponds 1194 to a different interface than was used for the request, the peer 1195 structure is updated to use the interface for new requests. If 1196 ntpd is running on a host with multiple interfaces in separate 1197 networks and the operating system doesn't check source address in 1198 received packets (e.g. 
rp_filter on Linux is set to 0), an 1199 attacker that knows the address of the source can send a packet 1200 with spoofed source address which will cause ntpd to select wrong 1201 interface for the source and prevent it from sending new requests 1202 until the list of interfaces is refreshed, which happens on 1203 routing changes or every 5 minutes by default. If the attack is 1204 repeated often enough (once per second), ntpd will not be able to 1205 synchronize with the source. 1206 Mitigation: 1207 Implement BCP-38. 1208 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1209 or the NTP Public Services Project Download Page 1210 If you are going to configure your OS to disable source address 1211 checks, also configure your firewall configuration to control 1212 what interfaces can receive packets from what networks. 1213 Properly monitor your ntpd instances, and auto-restart ntpd 1214 (without -g) if it stops running. 1215 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 1216 1217* Client rate limiting and server responses 1218 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1219 References: Sec 3071 / CVE-2016-7426 / VU#633847 1220 Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and 1221 ntp-4.3.0 up to, but not including ntp-4.3.94 1222 CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 1223 CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 1224 Summary: 1225 When ntpd is configured with rate limiting for all associations 1226 (restrict default limited in ntp.conf), the limits are applied 1227 also to responses received from its configured sources. An 1228 attacker who knows the sources (e.g., from an IPv4 refid in 1229 server response) and knows the system is (mis)configured in this 1230 way can periodically send packets with spoofed source address to 1231 keep the rate limiting activated and prevent ntpd from accepting 1232 valid responses from its sources. 

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
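For reading the Sec 3067 entry, the root distance as computed by the RFC 5905 reference implementation (added here for context; the formula is the RFC's, not this NEWS file's):

$$\Lambda = \frac{\max(\mathrm{MINDISP},\ \delta_{\mathrm{root}} + \delta)}{2} + \varepsilon_{\mathrm{root}} + \varepsilon + \Phi\,(t - t_{\mathrm{update}}) + \psi$$

where $\delta_{\mathrm{root}}$ and $\varepsilon_{\mathrm{root}}$ are the root delay and root dispersion the server reports, $\delta$ and $\varepsilon$ are the round-trip delay and dispersion measured for that peer, $\Phi$ is the frequency tolerance, $t - t_{\mathrm{update}}$ the time since the peer's last update, and $\psi$ the peer jitter. Bug 2085 was the case where $\delta_{\mathrm{root}}$ entered twice; the first fix then dropped the $\varepsilon$ term, which is the omission Sec 3067 corrects.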

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
      are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past, it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems, too.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you can't upgrade, use "server" associations instead of
      "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you are unable to upgrade and if you are running an OS that
      has this vulnerability, implement martian packet filters and
      lobby your OS vendor to fix this problem, or run your
      refclocks on computers that use OSes that are not vulnerable
      to these attacks and have your vulnerable machines get their
      time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page. These
      versions will not dynamically "flip" into interleave mode
      unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of RedHat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
    the feature introduced in ntp-4.2.8p6 allowing an optional 4th
    field in the ntp.keys file to specify which IPs can serve time,
    a malicious authenticated peer can create arbitrarily-many
    ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
      can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode.
With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

  --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
      * Own a malicious NTP server that the client trusts
      * Prevent a legitimate NTP server from sending packets to
        the 'ntpq' client
      * MITM the 'ntpq' communications between the 'ntpq' client
        and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:L)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.
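An added audit script (not part of this NEWS file or the NTP distribution) that reads an ntp.conf and ntp.keys pair and flags the configurations the entries above warn about: blanket 'restrict default limited' with no per-source exemption (Sec 3071), mode 7 or remote configuration left reachable (Sec 3010 / Sec 3011), and trusted keys whose ntp.keys line lacks the optional 4th IP-list field (Sec 3012). The sample configurations are constructed; the script assumes ntpd's rule that the most specific matching restrict entry replaces the default flags, and that the 4th ntp.keys field is a comma-separated IP list.

```python
"""Audit an ntp.conf / ntp.keys pair for the misconfigurations described in
the advisories above.  Added example, not NTP project code."""


def parse_conf(text):
    """Split a config file into (keyword, [args]) pairs, dropping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def restrict_table(entries):
    """Map restrict target -> flag set; '-4'/'-6' and 'mask X' are skipped.
    Assumed: a host-specific line replaces the default flags for that host."""
    table = {}
    for kw, args in entries:
        if kw != "restrict":
            continue
        if args and args[0] in ("-4", "-6"):
            args = args[1:]
        if not args:
            continue
        target, flags, skip_next = args[0], set(), False
        for tok in args[1:]:
            if skip_next:
                skip_next = False
            elif tok == "mask":
                skip_next = True
            else:
                flags.add(tok)
        table[target] = flags
    return table


def audit(conf_text, keys_text=""):
    """Return [(tag, message)] findings; an empty list means nothing flagged."""
    entries = parse_conf(conf_text)
    restricts = restrict_table(entries)
    default = restricts.get("default", set())
    findings = []

    # Sec 3071 / CVE-2016-7426: 'restrict default limited' also rate-limits
    # responses from configured sources unless each source has its own
    # restrict line without 'limited'.
    sources = [a[0] for kw, a in entries if kw in ("server", "peer") and a]
    if "limited" in default:
        for src in sources:
            if "limited" in restricts.get(src, default):
                findings.append(("rate-limit-source",
                                 f"Sec 3071: rate limiting applies to source {src}"))

    # Sec 3010 / Sec 3011: mode 7 and remote configuration are only a risk when
    # expressly enabled; flag mode 7 without requestkey/noquery, and no nomodify.
    mode7 = any(kw == "enable" and "mode7" in a for kw, a in entries)
    if mode7 and not any(kw == "requestkey" for kw, _ in entries):
        findings.append(("mode7-open", "mode7 enabled without a requestkey"))
    if mode7 and "noquery" not in default:
        findings.append(("mode7-open", "mode7 enabled without 'restrict default noquery'"))
    if "nomodify" not in default:
        findings.append(("remote-config-open", "'restrict default' lacks nomodify"))

    # Sec 3012 / CVE-2016-1549: a trusted key whose ntp.keys line has no 4th
    # (IP list) field lets any holder of that key serve time.  Key ranges
    # such as '1-10' on the trustedkey line are not expanded here.
    trusted = {k for kw, a in entries if kw == "trustedkey" for k in a}
    for keyno, fields in parse_conf(keys_text):     # fields: type key [iplist]
        if keyno in trusted and len(fields) < 3:
            findings.append(("key-no-iplist",
                             f"Sec 3012: trusted key {keyno} has no IP list"))
    return findings


# Constructed samples: the first has every weakness above, the second none.
WEAK_CONF = """
restrict default limited kod
server 192.0.2.10 key 1
server 192.0.2.11 key 1
enable mode7
trustedkey 1
controlkey 1
"""
WEAK_KEYS = "1 SHA1 0123456789abcdef0123456789abcdef01234567\n"

HARDENED_CONF = """
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.10
restrict 192.0.2.11
server 192.0.2.10 key 1
server 192.0.2.11 key 1
trustedkey 1
controlkey 1
"""
HARDENED_KEYS = "1 SHA1 0123456789abcdef0123456789abcdef01234567 192.0.2.10,192.0.2.11\n"
```

Calling audit(WEAK_CONF, WEAK_KEYS) yields six findings, two per rate-limited source and two for mode 7; audit(HARDENED_CONF, HARDENED_KEYS) yields none.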

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
    deeper problems to investigate. In this case also consider
    having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
      never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
      careful about what IPs have the ability to send 'modify'
      requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq make sure there are
      some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key authentication uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server v. client machines and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
    upgrade to 4.2.8p6, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page, and
    use the new field in the ntp.keys file that specifies the list
    of IPs that are allowed to serve time.
    Note that this alone will not protect against time packets with
    forged source IP addresses; however, other changes in ntp-4.2.8p6
    provide significant mitigation against broadcast attacks. MITM
    attacks are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
      servers.
      If you choose to use symmetric keys to authenticate time
      packets in a hostile environment where ephemeral time
      servers can be created, or if it is expected that malicious
      time servers will participate in an NTP broadcast domain,
      limit the number of systems that participate in the
      shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled.
  perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
  IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
  References: Sec 2956, CVE-2015-5300
  Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
    4.3.0 up to, but not including 4.3.78
  CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
  Summary: If ntpd is always started with the -g option, which is
    common and against long-standing recommendation, and if at the
    moment ntpd is restarted an attacker can immediately respond to
    enough requests from enough sources trusted by the target, which
    is difficult and not common, there is a window of opportunity
    where the attacker can cause ntpd to set the time to an
    arbitrary value. Similarly, if an attacker is able to respond
    to enough requests from enough sources trusted by the target,
    the attacker can cause ntpd to abort and restart, at which
    point it can tell the target to set the time to an arbitrary
    value if and only if ntpd was re-started against long-standing
    recommendation with the -g flag; if ntpd was not given the
    -g flag, the attacker can move the target system's time by at
    most 900 seconds per attack.
  Mitigation:
    Configure ntpd to get time from multiple sources.
    Upgrade to 4.2.8p5, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    As we've long documented, only use the -g option to ntpd in
    cold-start situations.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg at Boston University.

  NOTE WELL: The -g flag disables the limit check on the panic_gate
  in ntpd, which is 900 seconds by default. The bug identified by
  the researchers at Boston University is that the panic_gate
  check was only re-enabled after the first change to the system
  clock that was greater than 128 milliseconds, by default.
  The correct behavior is that the panic_gate check should be
  re-enabled after any initial time correction.

  If an attacker is able to inject consistent but erroneous time
  responses to your systems via the network or "over the air",
  perhaps by spoofing radio, cellphone, or navigation satellite
  transmissions, they are in a great position to affect your
  system's clock. There comes a point where your very best
  defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash.
  perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
  lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
    certain code paths where a packet with particular autokey operations
    that contained malicious data was not always being completely
    validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
    KoD messages that have been forged by an attacker, causing it to
    delay or stop querying its servers for time updates. Also, an
    attacker can forge packets that claim to be from the target and
    send them to servers often enough that a server that implements
    KoD rate limiting will send the target machine a KoD response to
    attempt to reduce the rate of incoming packets, or it may also
    trigger a firewall block at the server for packets from the target
    machine. For either of these attacks to succeed, the attacker must
    know what servers the target is communicating with. An attacker
    can be anywhere on the Internet and can frequently learn the
    identity of the target's time source by sending the target a
    time query.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you can't upgrade, restrict who can query ntpd to learn who
    its servers are, and what IPs are allowed to ask your system
    for the time. This mitigation is heavy-handed.
    Monitor your ntpd instances.
  Note:
    4.2.8p4 protects against the first attack. For the second attack,
    all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
    and if the (possibly spoofed) source IP address is allowed to
    send remote configuration requests, and if the attacker knows
    the remote configuration password, it's possible for an attacker
    to use the "pidfile" or "driftfile" directives to potentially
    overwrite other files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you cannot upgrade, don't enable remote configuration.
    If you must enable remote configuration and cannot upgrade,
    remote configuration of NTF's ntpd requires:
      - an explicitly configured trustedkey, and you should also
        configure a controlkey.
      - access from a permitted IP. You choose the IPs.
      - authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
    4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
    send packets to ntpd that will, after several days of ongoing
    attack, cause it to run out of memory.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
        mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
        to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure this
      if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from permitted IP addresses. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious instance of ntpd that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
    and ntpq crashes, try again using raw mode. Build or get a
    patched ntpq and see if that fixes the problem. Report new
    bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
    in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases up to, but not including
    4.2.8p4, and 4.3.0 up to, but not including 4.3.77, that have
    custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
      the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
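
  Why a negative datalen overflows, as an added C illustration that is
  not ntpd's code: the length is a signed int, the copy only checks the
  upper bound, and the negative value is converted to a huge size_t at
  the memcpy call. 'vulnerable_copy_len' returns the byte count memcpy
  would be handed (rather than copying, so the demonstration cannot
  corrupt memory), and 'ingest_fixed' is the shape of check a custom
  driver author should apply before trusting a driver-supplied length.
  The function names, buffer size and NMEA-style sample are constructed
  for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMAX 64   /* size of the line buffer a sample is copied into */

/* Constructed refclock sample (NMEA-style), not a captured one. */
const uint8_t sample_bytes[] = "$GPRMC,123519,A,4807.038,N,01131.000,E*6A";
char line_buf[BMAX];

/* Pre-fix shape: only the upper bound is checked.  A negative datalen
 * passes "dlen > bmax" untouched and is converted to a huge size_t when
 * handed to memcpy.  This returns the byte count memcpy would receive
 * instead of copying, so the arithmetic can be shown without crashing. */
size_t vulnerable_copy_len(int datalen, int bmax)
{
    int dlen = datalen;
    if (dlen > bmax)
        dlen = bmax;
    return (size_t)dlen;   /* datalen == -1 yields SIZE_MAX */
}

/* Hardened ingest: reject negative lengths as a driver bug, clamp to the
 * buffer (keeping room for a terminator), copy, NUL-terminate.
 * Returns the number of bytes copied, or -1 on rejection. */
int ingest_fixed(char *dst, size_t bmax, const uint8_t *src, int datalen)
{
    if (datalen < 0 || bmax == 0)
        return -1;
    size_t n = (size_t)datalen;
    if (n > bmax - 1)
        n = bmax - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    int len = (int)sizeof sample_bytes - 1;
    printf("datalen=-1: memcpy would be asked for %zu bytes\n",
           vulnerable_copy_len(-1, BMAX));
    printf("fixed, datalen=-1: %d (rejected)\n",
           ingest_fixed(line_buf, BMAX, sample_bytes, -1));
    printf("fixed, datalen=%d: copied %d bytes -> \"%s\"\n", len,
           ingest_fixed(line_buf, BMAX, sample_bytes, len), line_buf);
    return 0;
}
```

  The same conversion bites any interface that carries a length as a
  signed integer into an unsigned copy routine; checking only the upper
  bound is the mistake, and the fix is to treat a negative length as an
  error rather than as "small".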

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
      and mode 7 requests.
      Configure and use the controlkey and requestkey
      authentication directives to limit who can
      send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations. This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
      block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory).
  A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'.
J.Perlinger 2504* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn 2505* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn 2506* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must 2507 be configured for the distribution targets. Harlan Stenn. 2508* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar. 2509* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org 2510* [Bug 2888] streamline calendar functions. perlinger@ntp.org 2511* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org 2512* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov. 2513* [Bug 2906] make check needs better support for pthreads. Harlan Stenn. 2514* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn. 2515* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn. 2516* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn. 2517* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn. 2518* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn. 2519* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn. 2520* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn. 2521* top_srcdir can change based on ntp v. sntp. Harlan Stenn. 2522* sntp/tests/ function parameter list cleanup. Damir Tomić. 2523* tests/libntp/ function parameter list cleanup. Damir Tomić. 2524* tests/ntpd/ function parameter list cleanup. Damir Tomić. 2525* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn. 2526* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn. 2527* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić. 2528* tests/libntp/ improvements in code and fixed error printing. Damir Tomić. 
2529* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 2530 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed 2531 formatting; first declaration, then code (C90); deleted unnecessary comments; 2532 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich 2533* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments, 2534 fix formatting, cleanup. Tomasz Flendrich 2535* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting. 2536 Tomasz Flendrich 2537* tests/libntp/statestr.c remove empty functions, remove unnecessary include, 2538 fix formatting. Tomasz Flendrich 2539* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich 2540* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich 2541* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting. 2542 Tomasz Flendrich 2543* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich 2544* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich 2545* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich 2546* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich 2547* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich 2548* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting. 2549* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include, 2550fixed formatting. Tomasz Flendrich 2551* tests/libntp/timespecops.c fixed formatting, fixed the order of includes, 2552 removed unnecessary comments, cleanup. Tomasz Flendrich 2553* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary 2554 comments, cleanup. Tomasz Flendrich 2555* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting. 2556 Tomasz Flendrich 2557* tests/libntp/lfptest.h cleanup. Tomasz Flendrich 2558* tests/libntp/test-libntp.c fix formatting. 
Tomasz Flendrich 2559* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting. 2560 Tomasz Flendrich 2561* sntp/tests/kodDatabase.c added consts, deleted empty function, 2562 fixed formatting. Tomasz Flendrich 2563* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich 2564* sntp/tests/packetHandling.c is now using proper Unity's assertions, 2565 fixed formatting, deleted unused variable. Tomasz Flendrich 2566* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting. 2567 Tomasz Flendrich 2568* sntp/tests/packetProcessing.c changed from sprintf to snprintf, 2569 fixed formatting. Tomasz Flendrich 2570* sntp/tests/utilities.c is now using proper Unity's assertions, changed 2571 the order of includes, fixed formatting, removed unnecessary comments. 2572 Tomasz Flendrich 2573* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich 2574* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem, 2575 made one function do its job, deleted unnecessary prints, fixed formatting. 2576 Tomasz Flendrich 2577* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich 2578* sntp/unity/unity_config.h: Distribute it. Harlan Stenn. 2579* sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn. 2580* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn. 2581* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn. 2582* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn. 2583* Don't build sntp/libevent/sample/. Harlan Stenn. 2584* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn. 2585* br-flock: --enable-local-libevent. Harlan Stenn. 2586* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich 2587* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn. 2588* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn. 2589* Code cleanup. Harlan Stenn. 2590* libntp/icom.c: Typo fix. Harlan Stenn. 
2591* util/ntptime.c: initialization nit. Harlan Stenn. 2592* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 2593* Add std_unity_tests to various Makefile.am files. Harlan Stenn. 2594* ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 2595 Tomasz Flendrich 2596* Changed progname to be const in many files - now it's consistent. Tomasz 2597 Flendrich 2598* Typo fix for GCC warning suppression. Harlan Stenn. 2599* Added tests/ntpd/ntp_scanner.c test. Damir Tomić. 2600* Added declarations to all Unity tests, and did minor fixes to them. 2601 Reduced the number of warnings by half. Damir Tomić. 2602* Updated generate_test_runner.rb and updated the sntp/unity/auto directory 2603 with the latest Unity updates from Mark. Damir Tomić. 2604* Retire google test - phase I. Harlan Stenn. 2605* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 2606* Update the NEWS file. Harlan Stenn. 2607* Autoconf cleanup. Harlan Stenn. 2608* Unit test dist cleanup. Harlan Stenn. 2609* Cleanup various test Makefile.am files. Harlan Stenn. 2610* Pthread autoconf macro cleanup. Harlan Stenn. 2611* Fix progname definition in unity runner scripts. Harlan Stenn. 2612* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 2613* Update the patch for bug 2817. Harlan Stenn. 2614* More updates for bug 2817. Harlan Stenn. 2615* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 2616* gcc on older HPUX may need +allowdups. Harlan Stenn. 2617* Adding missing MCAST protection. Harlan Stenn. 2618* Disable certain test programs on certain platforms. Harlan Stenn. 2619* Implement --enable-problem-tests (on by default). Harlan Stenn. 2620* build system tweaks. Harlan Stenn. 2621 2622--- 2623NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 2624 2625Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 
2626 2627Severity: MEDIUM 2628 2629Security Fix: 2630 2631* [Sec 2853] Crafted remote config packet can crash some versions of 2632 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. 2633 2634Under specific circumstances an attacker can send a crafted packet to 2635cause a vulnerable ntpd instance to crash. This requires each of the 2636following to be true: 2637 26381) ntpd set up to allow remote configuration (not allowed by default), and 26392) knowledge of the configuration password, and 26403) access to a computer entrusted to perform remote configuration. 2641 2642This vulnerability is considered low-risk. 2643 2644New features in this release: 2645 2646Optional (disabled by default) support to have ntpd provide smeared 2647leap second time. A specially built and configured ntpd will only 2648offer smeared time in response to client packets. These response 2649packets will also contain a "refid" of 254.a.b.c, where the 24 bits 2650of a, b, and c encode the amount of smear in a 2:22 integer:fraction 2651format. See README.leapsmear and http://bugs.ntp.org/2855 for more 2652information. 2653 2654 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* 2655 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* 2656 2657We've imported the Unity test framework, and have begun converting 2658the existing google-test items to this new framework. If you want 2659to write new tests or change old ones, you'll need to have ruby 2660installed. You don't need ruby to run the test suite. 2661 2662Bug Fixes and Improvements: 2663 2664* CID 739725: Fix a rare resource leak in libevent/listener.c. 2665* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776. 2666* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html 2667* CID 1269537: Clean up a line of dead code in getShmTime(). 2668* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach. 2669* [Bug 2590] autogen-5.18.5. 
2670* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because 2671 of 'limited'. 2672* [Bug 2650] fix includefile processing. 2673* [Bug 2745] ntpd -x steps clock on leap second 2674 Fixed an initial-value problem that caused misbehaviour in absence of 2675 any leapsecond information. 2676 Do leap second stepping only of the step adjustment is beyond the 2677 proper jump distance limit and step correction is allowed at all. 2678* [Bug 2750] build for Win64 2679 Building for 32bit of loopback ppsapi needs def file 2680* [Bug 2776] Improve ntpq's 'help keytype'. 2681* [Bug 2778] Implement "apeers" ntpq command to include associd. 2682* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection. 2683* [Bug 2792] If the IFF_RUNNING interface flag is supported then an 2684 interface is ignored as long as this flag is not set since the 2685 interface is not usable (e.g., no link). 2686* [Bug 2794] Clean up kernel clock status reports. 2687* [Bug 2800] refclock_true.c true_debug() can't open debug log because 2688 of incompatible open/fdopen parameters. 2689* [Bug 2804] install-local-data assumes GNU 'find' semantics. 2690* [Bug 2805] ntpd fails to join multicast group. 2691* [Bug 2806] refclock_jjy.c supports the Telephone JJY. 2692* [Bug 2808] GPSD_JSON driver enhancements, step 1. 2693 Fix crash during cleanup if GPS device not present and char device. 2694 Increase internal token buffer to parse all JSON data, even SKY. 2695 Defer logging of errors during driver init until the first unit is 2696 started, so the syslog is not cluttered when the driver is not used. 2697 Various improvements, see http://bugs.ntp.org/2808 for details. 2698 Changed libjsmn to a more recent version. 2699* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX. 2700* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h. 2701* [Bug 2815] net-snmp before v5.4 has circular library dependencies. 
2702* [Bug 2821] Add a missing NTP_PRINTF and a missing const. 2703* [Bug 2822] New leap column in sntp broke NTP::Util.pm. 2704* [Bug 2824] Convert update-leap to perl. (also see 2769) 2705* [Bug 2825] Quiet file installation in html/ . 2706* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey 2707 NTPD transfers the current TAI (instead of an announcement) now. 2708 This might still needed improvement. 2709 Update autokey data ASAP when 'sys_tai' changes. 2710 Fix unit test that was broken by changes for autokey update. 2711 Avoid potential signature length issue and use DPRINTF where possible 2712 in ntp_crypto.c. 2713* [Bug 2832] refclock_jjy.c supports the TDC-300. 2714* [Bug 2834] Correct a broken html tag in html/refclock.html 2715* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more 2716 robust, and require 2 consecutive timestamps to be consistent. 2717* [Bug 2837] Allow a configurable DSCP value. 2718* [Bug 2837] add test for DSCP to ntpd/complete.conf.in 2719* [Bug 2842] Glitch in ntp.conf.def documentation stanza. 2720* [Bug 2842] Bug in mdoc2man. 2721* [Bug 2843] make check fails on 4.3.36 2722 Fixed compiler warnings about numeric range overflow 2723 (The original topic was fixed in a byplay to bug#2830) 2724* [Bug 2845] Harden memory allocation in ntpd. 2725* [Bug 2852] 'make check' can't find unity.h. Hal Murray. 2726* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida. 2727* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn. 2728* [Bug 2855] Report leap smear in the REFID. Harlan Stenn. 2729* [Bug 2855] Implement conditional leap smear code. Martin Burnicki. 2730* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green. 2731* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green. 2732* [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel. 2733* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel. 2734* html/drivers/driver22.html: typo fix. 
Harlan Stenn. 2735* refidsmear test cleanup. Tomasz Flendrich. 2736* refidsmear function support and tests. Harlan Stenn. 2737* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested 2738 something that was only in the 4.2.6 sntp. Harlan Stenn. 2739* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests. 2740 Damir Tomić 2741* Modified tests/libtnp/Makefile.am so it builds Unity framework tests. 2742 Damir Tomić 2743* Modified sntp/tests/Makefile.am so it builds Unity framework tests. 2744 Damir Tomić 2745* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger. 2746* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić 2747* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c, 2748 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 2749 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c, 2750 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c, 2751 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c. 2752 Damir Tomić 2753* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c, 2754 networking.c, keyFile.c, utilities.cpp, sntptest.h, 2755 fileHandlingTest.h. Damir Tomić 2756* Initial support for experimental leap smear code. Harlan Stenn. 2757* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn. 2758* Report select() debug messages at debug level 3 now. 2759* sntp/scripts/genLocInfo: treat raspbian as debian. 2760* Unity test framework fixes. 2761 ** Requires ruby for changes to tests. 2762* Initial support for PACKAGE_VERSION tests. 2763* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS. 2764* tests/bug-2803/Makefile.am must distribute bug-2803.h. 2765* Add an assert to the ntpq ifstats code. 2766* Clean up the RLIMIT_STACK code. 2767* Improve the ntpq documentation around the controlkey keyid. 2768* ntpq.c cleanup. 2769* Windows port build cleanup. 
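The leap smear note in the 4.2.8p3 section above says a smeared reply carries a refid of 254.a.b.c whose 24 low bits hold the smear in a 2:22 integer:fraction layout. The encoder and decoder below are an added illustration of that layout, not the NTP project's refidsmear code; they assume the 2-bit integer part is two's-complement signed (the note does not say), and the sample reply packet is constructed for the example.

```python
from typing import Optional

SMEAR_REFID_PREFIX = 254      # first refid octet that marks a smeared reply
SMEAR_FRAC_BITS = 22          # 2:22 layout: 2 integer bits, 22 fraction bits
SMEAR_MASK = (1 << 24) - 1    # the a.b.c octets together
REFID_OFFSET = 12             # refid occupies bytes 12..15 of the NTP header


def encode_smear_refid(smear_seconds: float) -> bytes:
    """Build the 4-byte refid 254.a.b.c for a smear offset in seconds.

    Assumption (not stated in the release note): the integer part is a
    signed two's-complement value, so a negative smear is representable.
    """
    if not -2.0 <= smear_seconds < 2.0:
        raise ValueError("smear does not fit a 2-bit signed integer part")
    fixed = round(smear_seconds * (1 << SMEAR_FRAC_BITS))
    fixed &= SMEAR_MASK                       # two's complement into 24 bits
    return bytes([SMEAR_REFID_PREFIX]) + fixed.to_bytes(3, "big")


def decode_smear_refid(refid: bytes) -> Optional[float]:
    """Return the smear in seconds if refid is 254.a.b.c, otherwise None.

    Any other refid (an IPv4 address or a 4-char refclock id) is not a
    smear indication and must not be interpreted as one.
    """
    if len(refid) != 4 or refid[0] != SMEAR_REFID_PREFIX:
        return None
    fixed = int.from_bytes(refid[1:], "big")
    if fixed & (1 << 23):                     # sign bit of the 24-bit value
        fixed -= 1 << 24
    return fixed / (1 << SMEAR_FRAC_BITS)


def smear_from_packet(packet: bytes) -> Optional[float]:
    """Pull the smear out of a complete (48-byte or longer) NTP reply."""
    if len(packet) < 48:
        return None
    return decode_smear_refid(packet[REFID_OFFSET:REFID_OFFSET + 4])


def refid_to_dotted(refid: bytes) -> str:
    """Render a refid the way ntpq shows it, e.g. 254.32.0.0."""
    return ".".join(str(b) for b in refid)


# Constructed sample: a server reply (LI=0, VN=4, mode=4, stratum 2,
# poll 6, precision -20) whose refid advertises a +0.5 s smear.
SAMPLE_SMEARED_REPLY = (
    bytes([0x24, 2, 6, 0xEC])
    + b"\x00\x00\x10\x00"           # root delay (constructed value)
    + b"\x00\x00\x08\x00"           # root dispersion (constructed value)
    + encode_smear_refid(0.5)       # refid 254.32.0.0
    + b"\x00" * 32                  # the four timestamps, zero for brevity
)

if __name__ == "__main__":
    print(refid_to_dotted(encode_smear_refid(0.5)), smear_from_packet(SAMPLE_SMEARED_REPLY))
```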

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
        including ntp-4.2.8p2 where the installation uses symmetric keys
        to authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: When ntpd is configured to use a symmetric key to authenticate
        a remote NTP server/peer, it checks if the NTP message
        authentication code (MAC) in received packets is valid, but not if
        there actually is any MAC included. Packets without a MAC are
        accepted as if they had a valid MAC. This allows a MITM attacker to
        send false packets that are accepted by the client/peer without
        having to know the symmetric key. The attacker needs to know the
        transmit timestamp of the client to match it in the forged reply
        and the false reply needs to reach the client before the genuine
        reply from the server. The attacker doesn't necessarily need to be
        relaying the packets between the client and the server.

        Authentication using autokey doesn't have this problem as there is
        a check that requires the key ID to be larger than NTP_MAXKEY,
        which fails for packets without a MAC.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Configure ntpd with enough time sources and monitor it properly.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
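The receive-side checks that Sec 2779 above is about (a MAC must be present, not merely valid when one happens to be present) and that Sec 2781, the next entry, is about (per-peer state is touched only after authentication and the originate-timestamp comparison both pass), as an added Python model. This is not ntpd's code: the Association class, make_header and the key material are constructed for the example; the MAC layout follows NTP's symmetric-key form of a 4-byte key id followed by MD5 over key||header.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict

NTP_HEADER_LEN = 48   # fixed NTPv4 header; a MAC, if any, follows it
KEYID_LEN = 4
MD5_LEN = 16
ORG_OFF = 24          # originate timestamp offset in the header
XMT_OFF = 40          # transmit timestamp offset in the header


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """NTP symmetric-key MD5 MAC: MD5 over the key bytes followed by the
    48-byte header (NTP's keyed-MD5 construction, not HMAC-MD5)."""
    return hashlib.md5(key + header).digest()


def append_mac(header: bytes, keyid: int, key: bytes) -> bytes:
    """Constructed helper: append key id + MD5 MAC to a bare header."""
    return header + keyid.to_bytes(KEYID_LEN, "big") + ntp_md5_mac(key, header)


def mac_status(packet: bytes, keys: Dict[int, bytes]) -> str:
    """Classify a received packet's authentication.

    Returns "ok", "missing", "badlen", "badkey" or "badmac". "missing" is
    the Sec 2779 case: before the fix a packet with no MAC at all was
    treated like one with a valid MAC, because there was no MAC to fail.
    """
    if len(packet) < NTP_HEADER_LEN:
        return "badlen"
    mac = packet[NTP_HEADER_LEN:]
    if not mac:
        return "missing"
    if len(mac) != KEYID_LEN + MD5_LEN:
        return "badlen"
    keyid = int.from_bytes(mac[:KEYID_LEN], "big")
    key = keys.get(keyid)
    if key is None:
        return "badkey"
    want = ntp_md5_mac(key, packet[:NTP_HEADER_LEN])
    return "ok" if hmac.compare_digest(want, mac[KEYID_LEN:]) else "badmac"


@dataclass
class Association:
    """Minimal model of the per-peer state that Sec 2781 says was being
    overwritten before authentication had been checked."""
    keys: Dict[int, bytes]
    xmt: bytes = b"\x00" * 8      # transmit timestamp of our last poll
    rec: bytes = b"\x00" * 8      # last accepted peer transmit timestamp
    accepted: int = 0
    dropped: Dict[str, int] = field(default_factory=dict)

    def _drop(self, why: str) -> bool:
        self.dropped[why] = self.dropped.get(why, 0) + 1
        return False

    def receive(self, packet: bytes) -> bool:
        # 1. Authenticate first; nothing below runs unless the MAC is
        #    both present and correct.
        status = mac_status(packet, self.keys)
        if status != "ok":
            return self._drop("auth:" + status)
        # 2. The originate timestamp must echo our own last transmit
        #    timestamp; otherwise the packet is bogus and must not update state.
        org = packet[ORG_OFF:ORG_OFF + 8]
        if org != self.xmt:
            return self._drop("bogus-origin")
        # 3. Only now do the state variables change.
        self.rec = packet[XMT_OFF:XMT_OFF + 8]
        self.accepted += 1
        return True


def make_header(org: bytes, xmt: bytes) -> bytes:
    """Constructed 48-byte server reply (LI=0, VN=4, mode=4, stratum 2)
    carrying the given originate and transmit timestamps."""
    hdr = bytearray(NTP_HEADER_LEN)
    hdr[0] = 0x24                 # LI 0, version 4, mode 4 (server)
    hdr[1] = 2                    # stratum
    hdr[2] = 6                    # poll
    hdr[3] = 0xEC                 # precision -20
    hdr[12:16] = b"GPS\x00"       # refid
    hdr[ORG_OFF:ORG_OFF + 8] = org
    hdr[XMT_OFF:XMT_OFF + 8] = xmt
    return bytes(hdr)
```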

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

    References: Sec 2781 / CVE-2015-1799 / VU#374268
    Affects: All NTP releases starting with at least xntp3.3wy up to but
        not including ntp-4.2.8p2 where the installation uses symmetric
        key authentication.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and
        it could be higher than 5.4.
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: An attacker knowing that NTP hosts A and B are peering with
        each other (symmetric association) can send a packet to host A
        with source address of B which will set the NTP state variables
        on A to the values sent by the attacker. Host A will then send
        on its next poll to B a packet with originate timestamp that
        doesn't match the transmit timestamp of B and the packet will
        be dropped. If the attacker does this periodically for both
        hosts, they won't be able to synchronize to each other. This is
        a known denial-of-service attack, described at
        https://www.eecis.udel.edu/~mills/onwire.html .

        According to the document the NTP authentication is supposed to
        protect symmetric associations against this attack, but that
        doesn't seem to be the case. The state variables are updated even
        when authentication fails and the peers are sending packets with
        originate timestamps that don't match the transmit timestamps on
        the receiving side.

        This seems to be a very old problem, dating back to at least
        xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
        specifications, so other NTP implementations with support for
        symmetric associations and authentication may be vulnerable too.
        An update to the NTP RFC to correct this error is in-process.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Note that for users of autokey, this specific style of MITM attack
        is simply a long-known potential problem.
        Configure ntpd with appropriate time sources and monitor ntpd.
        Alert your staff if problems are detected.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

    wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

    References: Sec 2671 / CVE-2014-9297 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
    Summary: The vallen packet value is not validated in several code
        paths in ntp_crypto.c which can lead to information leakage
        or perhaps a crash of the ntpd process.
    Mitigation - any of:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
        Disable Autokey Authentication by removing, or commenting out,
        all configuration directives beginning with the "crypto"
        keyword in your ntp.conf file.
    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team, with additional cases found by Sebastian
        Krahmer of the SUSE Security Team and Harlan Stenn of Network
        Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

    References: Sec 2672 / CVE-2014-9298 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1, under at least some
        versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
    Summary: While available kernels will prevent 127.0.0.1 addresses
        from "appearing" on non-localhost IPv4 interfaces, some kernels
        do not offer the same protection for ::1 source addresses on
        IPv6 interfaces. Since NTP's access control is based on source
        address and localhost addresses generally have no restrictions,
        an attacker can send malicious control and configuration packets
        by spoofing ::1 addresses from the outside. Note Well: This is
        not really a bug in NTP, it's a problem with some OSes. If you
        have one of these OSes where ::1 can be spoofed, ALL ::1 -based
        ACL restrictions on any application can be bypassed!
    Mitigation:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Install firewall rules to block packets claiming to come from
        ::1 from inappropriate network interfaces.
    Credit: This vulnerability was discovered by Stephen Roettger of
        the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

    restrict default ... noquery

in the ntp.conf file. With the exception of:

    receive(): missing return on error
    References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

    References: [Sec 2665] / CVE-2014-9293 / VU#852879
    CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
    Vulnerable Versions: all releases prior to 4.2.7p11
    Date Resolved: 28 Jan 2010

    Summary: If no 'auth' key is set in the configuration file, ntpd
        would generate a random key on the fly. There were two
        problems with this: 1) the generated key was 31 bits in size,
        and 2) it used the (now weak) ntp_random() function, which was
        seeded with a 32-bit value and could only provide 32 bits of
        entropy. This was sufficient back in the late 1990s when the
        code was written. Not today.

    Mitigation - any of:
        - Upgrade to 4.2.7p11 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
        of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

    References: [Sec 2666] / CVE-2014-9294 / VU#852879
    CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
    Vulnerable Versions: All NTP4 releases before 4.2.7p230
    Date Resolved: Dev (4.2.7p230) 01 Nov 2011

    Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
        prepare a random number generator that was of good quality back
        in the late 1990s. The random numbers produced were then used to
        generate symmetric keys. In ntp-4.2.8 we use a current-technology
        cryptographic random number generator, either RAND_bytes from
        OpenSSL, or arc4random().

    Mitigation - any of:
        - Upgrade to 4.2.7p230 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was discovered in ntp-4.2.6 by
        Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

    References: Sec 2667 / CVE-2014-9295 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Versions: All releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
        file contains a 'crypto pw ...' directive) a remote attacker
        can send a carefully crafted packet that can overflow a stack
        buffer and potentially allow malicious code to be executed
        with the privilege level of the ntpd process.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later, or
        - Disable Autokey Authentication by removing, or commenting out,
          all configuration directives beginning with the crypto keyword
          in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in ctl_putdata()

    References: Sec 2668 / CVE-2014-9295 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Versions: All NTP4 releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in configure()

    References: Sec 2669 / CVE-2014-9295 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Versions: All NTP4 releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* receive(): missing return on error

    References: Sec 2670 / CVE-2014-9296 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
    Versions: All NTP4 releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
        the code path where an error was detected, which meant
        processing did not stop when a specific rare error occurred.
        We haven't found a way for this bug to affect system integrity.
        If there is no way to affect system integrity the base CVSS
        score for this bug is 0. If there is one avenue through which
        system integrity can be partially affected, the base score
        becomes a 5. If system integrity can be partially affected
        via all three integrity metrics, the CVSS base score becomes 7.5.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later,
        - Remove or comment out all configuration directives
          beginning with the crypto keyword in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

See http://support.ntp.org/security for more information.
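The "Internal NTP Era counters" item under Important Changes below describes how 4.2.8 expands a 32-bit NTP timestamp: a build-time pivot is compiled in, and the era is chosen so the result looks back 10 years and forward 126 from that pivot, instead of the older midpoint rule. The model below is an added illustration, not ntpd's calendar code; BUILD_PIVOT uses this release's date as a stand-in for the compiled-in build timestamp and YEAR_SECONDS is a 365.25-day approximation, both constructed for the example.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
ERA_SECONDS = 1 << 32                 # one era is 2^32 s, about 136 years
YEAR_SECONDS = 365 * 86400 + 21600    # 365.25-day year (constructed approximation)
LOOK_BACK = 10 * YEAR_SECONDS         # the "looks back 10 years" rule


def ntp_seconds(dt: datetime) -> int:
    """Full (unwrapped) seconds since the NTP epoch, 1 Jan 1900 UTC."""
    return int((dt - NTP_EPOCH).total_seconds())


def ntp_time32(dt: datetime) -> int:
    """The 32-bit seconds field as it appears on the wire: seconds mod 2^32."""
    return ntp_seconds(dt) % ERA_SECONDS


def from_ntp_seconds(secs: int) -> datetime:
    """Inverse of ntp_seconds for a full, era-resolved value."""
    return NTP_EPOCH + timedelta(seconds=secs)


def resolve_era(ts32: int, pivot_secs: int, look_back: int = LOOK_BACK) -> int:
    """Expand a 32-bit NTP seconds value to full seconds since 1900.

    The era is chosen so the result lands in the window
    [pivot - look_back, pivot - look_back + 2^32): it looks back look_back
    seconds from the pivot and forward for the remainder of one era.
    The default look_back of 10 years is the 4.2.8 rule (10 back, 126
    forward); passing look_back=ERA_SECONDS // 2 reproduces the older
    "midpoint of the range" behaviour for comparison.
    """
    if not 0 <= ts32 < ERA_SECONDS:
        raise ValueError("ts32 must be a 32-bit value")
    start = pivot_secs - look_back
    base = start - (start % ERA_SECONDS)  # era boundary at or below start
    full = base + ts32                    # candidate in that era
    if full < start:                      # before the window: next era
        full += ERA_SECONDS
    return full


# Constructed stand-in for the compiled-in build timestamp: this release's date.
BUILD_PIVOT = ntp_seconds(datetime(2014, 12, 18, tzinfo=timezone.utc))

if __name__ == "__main__":
    for d in (datetime(2010, 1, 1, tzinfo=timezone.utc),
              datetime(2000, 1, 1, tzinfo=timezone.utc),
              datetime(2100, 6, 1, tzinfo=timezone.utc)):
        print(d.date(), "->", from_ntp_seconds(resolve_era(ntp_time32(d), BUILD_PIVOT)).date())
```

A wire value for 1 Jan 2000 is more than 10 years before the pivot, so the new rule places it in the next era (the year 2136) while the midpoint rule keeps it in 2000.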

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org/.

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

 * Updated "nic" and "interface" IPv6 address handling to prevent
   mismatches with localhost [::1] and wildcard [::] which resulted from
   using the address/prefix format (e.g. fe80::/64)
 * Fix orphan mode stratum incorrectly counting to infinity
 * Orphan parent selection metric updated to include missing ntohl()
 * Non-printable stratum 16 refid no longer sent to ntp
 * Duplicate ephemeral associations suppressed for broadcastclient and
   multicastclient without broadcastdelay
 * Exclude undetermined sys_refid from use in loopback TEST12
 * Exclude MODE_SERVER responses from KoD rate limiting
 * Include root delay in clock_update() sys_rootdisp calculations
 * get_systime() updated to exclude sys_residual offset (which only
   affected bits "below" sys_tick, the precision threshold)
 * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

 * -n option extended to include the billboard "server" column
 * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6.

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.
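The "Internal NTP Era counters" note in the 4.2.8 entry above describes the rule without showing the arithmetic: a 32-bit NTP seconds field is ambiguous across eras, and the build time fixes which era it belongs to by allowing 10 years of "look back" and roughly 126 years of "look forward". The following is an added example, not ntpd's own code, that implements that window: the result is the unique full timestamp congruent to the field modulo 2^32 that lies in the 2^32-second window starting 10 years before the build time. The build time and sample fields are constructed, and the 10-year lookback is approximated as ten 365-day years.

```c
#include <stdint.h>
#include <stdio.h>

#define NTP_ERA_SECONDS  (1ULL << 32)            /* one era: 2^32 s, about 136 years */
#define LOOKBACK_SECONDS (10ULL * 365 * 86400)   /* 10-year lookback (365-day years, an approximation) */
#define NTP_UNIX_OFFSET  2208988800ULL           /* seconds from 1900-01-01 to 1970-01-01 */

/* Resolve a 32-bit NTP seconds field to full seconds since 1900-01-01.
 * build_secs is the compiled-in build time, also as full seconds since
 * 1900. The result is the value congruent to ntp_secs modulo 2^32 that
 * lies in [pivot, pivot + 2^32) with pivot = build time - 10 years, so
 * the check looks back 10 years and forward roughly 126 years. */
uint64_t ntp_resolve_era(uint32_t ntp_secs, uint64_t build_secs)
{
    uint64_t pivot = build_secs > LOOKBACK_SECONDS ? build_secs - LOOKBACK_SECONDS : 0;
    uint64_t era_start = pivot & ~(NTP_ERA_SECONDS - 1);   /* start of the era holding the pivot */
    uint64_t full = era_start + ntp_secs;

    /* Earlier than the pivot would mean more than 10 years before the
     * build, which the rule excludes, so the value belongs to the next era. */
    if (full < pivot)
        full += NTP_ERA_SECONDS;
    return full;
}

/* Era index of a full timestamp: 0 is 1900-2036, 1 is 2036-2172, and so on. */
uint32_t ntp_era_of(uint64_t full_secs)
{
    return (uint32_t)(full_secs >> 32);
}

/* Full NTP seconds to Unix seconds (negative before 1970). */
int64_t ntp_full_to_unix(uint64_t full_secs)
{
    return (int64_t)full_secs - (int64_t)NTP_UNIX_OFFSET;
}

int main(void)
{
    /* Constructed build time: 2020-03-03 00:00:00 UTC, Unix 1583193600. */
    uint64_t build = 1583193600ULL + NTP_UNIX_OFFSET;
    uint32_t fields[] = {
        (uint32_t)build,                         /* the build instant itself */
        (uint32_t)(build - 5ULL * 365 * 86400),  /* 5 years earlier: inside the lookback */
        100000000u,                              /* small field: past the 2036 rollover */
        (uint32_t)(build - 20ULL * 365 * 86400), /* 20 years earlier: pushed into the next era */
    };
    size_t i;

    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        uint64_t full = ntp_resolve_era(fields[i], build);
        printf("field %10u -> era %u, unix %lld\n", (unsigned)fields[i],
               (unsigned)ntp_era_of(full), (long long)ntp_full_to_unix(full));
    }
    return 0;
}
```

The last sample shows the cost of the narrow lookback: a field that would have read as 20 years before the build is resolved to the next era, which is exactly the trade the note describes in favour of long-lived products still running after 2036.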

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.
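The 4.2.4p8 entry (CVE-2009-3563) above explains the loop: a daemon that answers a mode 7 error response with another error response can be made to ping-pong with a peer, or with itself, from a single spoofed packet, and the 4.2.8 notes go further by not answering ntpdc queries at all by default. The receive-side decision that prevents both outcomes is small enough to show in full. The code below is an added example, not ntpd's own code: it decodes the 8-byte mode 7 header and returns a verdict, where every "drop" means nothing is sent back. The header layout (R and M bits, version and mode in byte 0, error code in the high nibble of byte 4) is taken from my reading of ntpd's ntp_request.h rather than from this page, and the sample datagrams are constructed, not captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded mode 7 (ntpdc) header. Wire layout, big-endian: byte 0 =
 * R|M|VN(3)|MODE(3), byte 1 = A|SEQ(7), byte 2 = implementation,
 * byte 3 = request code, bytes 4-5 = ERR(4)|NITEMS(12),
 * bytes 6-7 = MBZ(4)|ITEMSIZE(12). */
struct m7_header {
    int      response;       /* R bit: this packet answers a request */
    int      more;           /* M bit: more response packets follow */
    unsigned version;
    unsigned mode;           /* 7 for ntpdc traffic */
    int      authenticated;  /* A bit */
    unsigned sequence;
    unsigned implementation;
    unsigned request;
    unsigned error;          /* non-zero marks an error response */
    unsigned nitems;
    unsigned itemsize;
};

#define M7_HEADER_LEN 8

/* Decode the header; returns -1 if fewer than 8 bytes are available. */
int m7_parse_header(const uint8_t *pkt, size_t len, struct m7_header *h)
{
    if (len < M7_HEADER_LEN)
        return -1;
    h->response       = (pkt[0] & 0x80) != 0;
    h->more           = (pkt[0] & 0x40) != 0;
    h->version        = (pkt[0] >> 3) & 0x07;
    h->mode           = pkt[0] & 0x07;
    h->authenticated  = (pkt[1] & 0x80) != 0;
    h->sequence       = pkt[1] & 0x7f;
    h->implementation = pkt[2];
    h->request        = pkt[3];
    h->error          = (pkt[4] >> 4) & 0x0f;
    h->nitems         = ((unsigned)(pkt[4] & 0x0f) << 8) | pkt[5];
    h->itemsize       = ((unsigned)(pkt[6] & 0x0f) << 8) | pkt[7];
    return 0;
}

/* Error code carried by a datagram, or -1 if the header is truncated. */
int m7_error_code(const uint8_t *pkt, size_t len)
{
    struct m7_header h;
    return m7_parse_header(pkt, len, &h) == 0 ? (int)h.error : -1;
}

enum m7_verdict {
    M7_DROP_NOT_MODE7,   /* some other NTP mode; not this path's business */
    M7_DROP_SHORT,       /* truncated header: discard, send nothing */
    M7_DROP_RESTRICTED,  /* source matched restrict ... noquery or ignore */
    M7_DROP_RESPONSE,    /* R bit set: a response is never answered */
    M7_DROP_DISABLED,    /* mode 7 processing is off (the 4.2.8 default) */
    M7_PROCESS           /* well-formed request from a permitted source */
};

/* Decide what to do with an inbound datagram. mode7_enabled models the
 * 4.2.8 default (0); src_restricted is whether the source address matched
 * a restriction carrying noquery or ignore. Refusing to answer anything
 * with the R bit set, error responses included, is what removes the
 * A <-> B and A <-> A ping-pong regardless of who spoofed the source. */
enum m7_verdict mode7_dispatch(const uint8_t *pkt, size_t len,
                               int mode7_enabled, int src_restricted)
{
    struct m7_header h;

    if (len < 1 || (pkt[0] & 0x07) != 7)
        return M7_DROP_NOT_MODE7;
    if (m7_parse_header(pkt, len, &h) != 0)
        return M7_DROP_SHORT;
    if (src_restricted)
        return M7_DROP_RESTRICTED;
    if (h.response)
        return M7_DROP_RESPONSE;
    if (!mode7_enabled)
        return M7_DROP_DISABLED;
    return M7_PROCESS;
}

/* Constructed sample datagrams, not captures. */
static const uint8_t M7_REQUEST[8]  = { 0x17, 0x00, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00 }; /* R=0, VN=2, mode 7 */
static const uint8_t M7_ERR_RESP[8] = { 0x97, 0x00, 0x03, 0x01, 0x30, 0x00, 0x00, 0x00 }; /* R=1, error code 3 */
static const uint8_t CTL_PACKET[1]  = { 0x16 };                                           /* mode 6 (ntpq) */

int main(void)
{
    printf("error response, mode 7 enabled : %d (drop: response)\n", mode7_dispatch(M7_ERR_RESP, 8, 1, 0));
    printf("request, 4.2.8 default         : %d (drop: disabled)\n", mode7_dispatch(M7_REQUEST, 8, 0, 0));
    printf("request, mode 7 enabled        : %d (process)\n",        mode7_dispatch(M7_REQUEST, 8, 1, 0));
    printf("mode 6 packet                  : %d (not mode 7)\n",     mode7_dispatch(CTL_PACKET, 1, 1, 0));
    return 0;
}
```

The ordering matters for logging as much as for replies: the truncated and restricted cases are decided before the header is trusted, so a flood of malformed packets from a spoofed source neither gets an answer nor drives the "logging excessively" symptom the entry describes.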