---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0

Details below:

* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
  hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
  - solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
  <stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
  <hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
  OpenSSL 3. Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
  disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
  <hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
  Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
  - openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
  Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
  - command line options override config statements where applicable
  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
  - misleading title; essentially a request to ignore the receiver status.
    Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
  - original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
  - implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
  - original patch by matt <ntpbr@mattcorallo.com>
  - increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
  - patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
  - ntp{q,dc} now use the same password processing as ntpd does in the key
    file, so having a binary secret >= 11 bytes is possible for all keys.
    (This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
  - applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
  - idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
  - backport from -dev, plus some more work on warnings for unchecked results
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
  Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
  Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32. <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs. <stenn@ntp.org>
* Rename a poorly-named variable. <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac. <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH. <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am. <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0

---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)

Focus: Security, Bug fixes

Severity: MEDIUM

This release fixes one vulnerability: Associations that use CMAC
authentication between ntpd from versions 4.2.8p11/4.3.97 and
4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
Eventually, ntpd will run out of memory and abort.

It also fixes 13 other bugs.

* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
  - Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
  - rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
  - integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
  ntp_config.h <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
  - thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
  - applied patch by Takao Abe

---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that causes an ntpd
instance that is explicitly configured to override the default and allow
ntpdc (mode 7) connections to be made to a server to read some uninitialized
memory; fixes the case where an unmonitored ntpd using an unauthenticated
association to its servers may be susceptible to a forged packet DoS attack;
and fixes an attack against a client instance that uses a single
unauthenticated time source. It also fixes 46 other bugs and addresses
4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig. stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison. stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
  ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
  is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message. <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
  mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h. <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

---
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
  [Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org>
  [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
    other TrustedBSD platforms
    - applied patch by Ian Lepore <perlinger@ntp.org>
  [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
    - changed interaction with SCM to signal pending startup
  [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
    - rework of ntpq 'nextvar()' key/value parsing
  [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
  [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
    - add #define ENABLE_CMAC support in configure. HStenn.
  [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
  [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
    - patch by Stephen Friedl
  [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
    - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
  [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
  [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
    - initial patch by Hal Murray; also fixed refclock_report() trouble
  [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
  [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
    - According to Brooks Davis, there was only one location <perlinger@ntp.org>
  [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
    with modifications
    New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
  [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
    - applied patch by Miroslav Lichvar
  [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
  [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
    - integrated patch by Reinhard Max
  [Bug 2821] minor build issues <perlinger@ntp.org>
    - applied patches by Christos Zoulas, including real bug fixes
  html/authopt.html: cleanup, from <stenn@ntp.org>
  ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
  Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>

---
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
  association (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3454 / CVE-2018-7185 / VU#961909
  Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
    2.9 and 6.8.
  CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
    score between 2.6 and 3.1
  Summary:
    The NTP Protocol allows for both non-authenticated and
    authenticated associations, in client/server, symmetric (peer),
    and several broadcast modes. In addition to the basic NTP
    operational modes, symmetric mode and broadcast servers can
    support an interleaved mode of operation. In ntp-4.2.8p4 a bug
    was inadvertently introduced into the protocol engine that
    allows a non-authenticated zero-origin (reset) packet to reset
    an authenticated interleaved peer association. If an attacker
    can send a packet with a zero-origin timestamp and the source
    IP address of the "other side" of an interleaved association,
    the 'victim' ntpd will reset its association. The attacker must
    continue sending these packets in order to maintain the
    disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
    interleave mode could be entered dynamically. As of ntp-4.2.8p7,
    interleaved mode must be explicitly configured/enabled.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade to 4.2.8p11 or later and have
    'peer HOST xleave' lines in your ntp.conf file, remove the
    'xleave' option.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
  state (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3453 / CVE-2018-7184 / VU#961909
  Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Could score between 2.9 and 6.8.
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    Could score between 2.6 and 6.0.
  Summary:
    The fix for NtpBug2952 was incomplete, and while it fixed one
    problem it created another. Specifically, it drops bad packets
    before updating the "received" timestamp. This means a
    third-party can inject a packet with a zero-origin timestamp,
    meaning the sender wants to reset the association, and the
    transmit timestamp in this bogus packet will be saved as the
    most recent "received" timestamp. The real remote peer does
    not know this value and this will disrupt the association until
    the association resets.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use authentication with 'peer' mode.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
  peering (LOW)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3415 / CVE-2018-7170 / VU#961909
    Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up to
    use a trustedkey and if one is not using the feature introduced in
    ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
    specify which IPs can serve time, a malicious authenticated peer
    -- i.e. one where the attacker knows the private symmetric key --
    can create arbitrarily-many ephemeral associations in order to win
    the clock selection of ntpd and modify a victim's clock. Three
    additional protections are offered in ntp-4.2.8p11. One is the
    new 'noepeer' directive, which disables symmetric passive
    ephemeral peering. Another is the new 'ippeerlimit' directive,
    which limits the number of peers that can be created from an IP.
    The third extends the functionality of the 4th field in the
    ntp.keys file to include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
    ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peers
    that can be created from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs and
    subnets that can be time servers.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was reported as Bug 3012 by Matthew Van Gundy of
    Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3414 / CVE-2018-7183 / VU#961909
  Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
  Summary:
    ntpq is a monitoring and control program for ntpd. decodearr()
    is an internal function of ntpq that is used to -- wait for it --
    decode an array in a response string when formatted data is being
    displayed. This is a problem in affected versions of ntpq if a
    maliciously-altered ntpd returns an array result that will trip this
    bug, or if a bad actor is able to read an ntpq request on its way to
    a remote ntpd server and forge and send a response before the remote
    ntpd sends its response. It's potentially possible that the
    malicious data could become injectable/executable code.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
  behavior and information leak (Info/Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3412 / CVE-2018-7182 / VU#961909
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
  CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    0.0 if C:N
  Summary:
    ctl_getitem() is used by ntpd to process incoming mode 6 packets.
    A malicious mode 6 packet can be sent to an ntpd instance, and
    if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
    cause ctl_getitem() to read past the end of its buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
  Also see Bug 3415, above.
  Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up
    to use a trustedkey and if one is not using the feature
    introduced in ntp-4.2.8p6 allowing an optional 4th field in the
    ntp.keys file to specify which IPs can serve time, a malicious
    authenticated peer -- i.e. one where the attacker knows the
    private symmetric key -- can create arbitrarily-many ephemeral
    associations in order to win the clock selection of ntpd and
    modify a victim's clock. Two additional protections are
    offered in ntp-4.2.8p11. One is the 'noepeer' directive, which
    disables symmetric passive ephemeral peering. The other extends
    the functionality of the 4th field in the ntp.keys file to
    include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
584 Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or 585 the NTP Public Services Project Download Page. 586 Use the 'noepeer' directive to prohibit symmetric passive 587 ephemeral associations. 588 Use the 'ippeerlimit' directive to limit the number of peer 589 associations from an IP. 590 Use the 4th argument in the ntp.keys file to limit the IPs 591 and subnets that can be time servers. 592 Properly monitor your ntpd instances. 593 Credit: 594 This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 595 596* Bug fixes: 597 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org> 598 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org> 599 - applied patch by Sean Haugh 600 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org> 601 [Bug 3450] Dubious error messages from plausibility checks in get_systime() 602 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org> 603 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org> 604 - refactoring the MAC code, too 605 [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org 606 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org> 607 - applied patch by ggarvey 608 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org> 609 - applied patch by ggarvey (with minor mods) 610 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain 611 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org> 612 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org> 613 [Bug 3433] sntp crashes when run with -a. 
<stenn@ntp.org> 614 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" 615 - fixed several issues with hash algos in ntpd, sntp, ntpq, 616 ntpdc and the test suites <perlinger@ntp.org> 617 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org> 618 - initial patch by Daniel Pouzzner 619 [Bug 3423] QNX adjtime() implementation error checking is 620 wrong <perlinger@ntp.org> 621 [Bug 3417] ntpq ifstats packet counters can be negative 622 made IFSTATS counter quantities unsigned <perlinger@ntp.org> 623 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 624 - raised receive buffer size to 1200 <perlinger@ntp.org> 625 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static 626 analysis tool. <abe@ntp.org> 627 [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. 628 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org> 629 - fix/drop assumptions on OpenSSL libs directory layout 630 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation 631 - initial patch by timeflies@mail2tor.com <perlinger@ntp.org> 632 [Bug 3398] tests fail with core dump <perlinger@ntp.org> 633 - patch contributed by Alexander Bluhm 634 [Bug 3397] ctl_putstr() asserts that data fits in its buffer 635 rework of formatting & data transfer stuff in 'ntp_control.c' 636 avoids unecessary buffers and size limitations. <perlinger@ntp.org> 637 [Bug 3394] Leap second deletion does not work on ntpd clients 638 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org> 639 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size 640 - increased mimimum stack size to 32kB <perlinger@ntp.org> 641 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org> 642 - reverted handling of PPS kernel consumer to 4.2.6 behavior 643 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org> 644 [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. 
645 [Bug 3016] wrong error position reported for bad ":config pool" 646 - fixed location counter & ntpq output <perlinger@ntp.org> 647 [Bug 2900] libntp build order problem. HStenn. 648 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org> 649 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, 650 perlinger@ntp.org 651 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. 652 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org> 653 Use strlcpy() to copy strings, not memcpy(). HStenn. 654 Typos. HStenn. 655 test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. 656 refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. 657 Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org 658 Fix trivial warnings from 'make check'. perlinger@ntp.org 659 Fix bug in the override portion of the compiler hardening macro. HStenn. 660 record_raw_stats(): Log entire packet. Log writes. HStenn. 661 AES-128-CMAC support. BInglis, HStenn, JPerlinger. 662 sntp: tweak key file logging. HStenn. 663 sntp: pkt_output(): Improve debug output. HStenn. 664 update-leap: updates from Paul McMath. 665 When using pkg-config, report --modversion. HStenn. 666 Clean up libevent configure checks. HStenn. 667 sntp: show the IP of who sent us a crypto-NAK. HStenn. 668 Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. 669 authistrustedip() - use it in more places. HStenn, JPerlinger. 670 New sysstats: sys_lamport, sys_tsrounding. HStenn. 671 Update ntp.keys .../N documentation. HStenn. 672 Distribute testconf.yml. HStenn. 673 Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. 674 Rename the configuration flag fifo variables. HStenn. 675 Improve saveconfig output. HStenn. 676 Decode restrict flags on receive() debug output. HStenn. 677 Decode interface flags on receive() debug output. HStenn. 678 Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. 
679 Update the documentation in ntp.conf.def . HStenn. 680 restrictions() must return restrict flags and ippeerlimit. HStenn. 681 Update ntpq peer documentation to describe the 'p' type. HStenn. 682 Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. 683 Provide dump_restricts() for debugging. HStenn. 684 Use consistent 4th arg type for [gs]etsockopt. JPerlinger. 685 686* Other items: 687 688* update-leap needs the following perl modules: 689 Net::SSLeay 690 IO::Socket::SSL 691 692* New sysstats variables: sys_lamport, sys_tsrounding 693See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" 694sys_lamport counts the number of observed Lamport violations, while 695sys_tsrounding counts observed timestamp rounding events. 696 697* New ntp.conf items: 698 699- restrict ... noepeer 700- restrict ... ippeerlimit N 701 702The 'noepeer' directive will disallow all ephemeral/passive peer 703requests. 704 705The 'ippeerlimit' directive limits the number of time associations 706for each IP in the designated set of addresses. This limit does not 707apply to explicitly-configured associations. A value of -1, the current 708default, means an unlimited number of associations may connect from a 709single IP. 0 means "none", etc. Ordinarily the only way multiple 710associations would come from the same IP would be if the remote side 711was using a proxy. But a trusted machine might become compromised, 712in which case an attacker might spin up multiple authenticated sessions 713from different ports. This directive should be helpful in this case. 714 715* New ntp.keys feature: Each IP in the optional list of IPs in the 4th 716field may contain a /subnetbits specification, which identifies the 717scope of IPs that may use this key. This IP/subnet restriction can be 718used to limit the IPs that may use the key in most all situations where 719a key is used. 
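The IP/subnet scope check that the ntp.keys 4th-field feature describes, as an added example that is not NTP Project code: it parses a constructed 4th-field list such as "10.0.0.0/8,192.0.2.7", where a bare IP means a single address and "/N" widens the scope to a prefix, and decides whether a packet source address may use the key. Function names (parse_ipv4, parse_scope, scope_matches, key_allows_source) are hypothetical, the code is IPv4 only, and the rule that an empty list places no restriction on the key is an assumption made here, not something the NEWS text states.

```c
/* Added example, not NTP Project code: checking a packet source address
 * against the "IP[/subnetbits]" list that the 4th field of ntp.keys can
 * carry. Names are hypothetical; IPv4 only; sample lists are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ipv4_scope {
    uint32_t addr;      /* network address, host byte order */
    unsigned bits;      /* prefix length, 0..32 */
};

/* Parse dotted-quad "a.b.c.d" into host-order form; -1 on any syntax error. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned o[4];
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4)
        return -1;                   /* too few octets, or trailing junk */
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return -1;
    *out = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    return 0;
}

/* Parse "a.b.c.d" or "a.b.c.d/N" into a scope. A bare IP is treated as a
 * /32, i.e. exactly one address, matching the pre-4.2.8p11 meaning. */
int parse_scope(const char *spec, struct ipv4_scope *sc)
{
    char buf[32];
    char *slash;
    unsigned long bits = 32;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        bits = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits > 32)
            return -1;               /* "/", "/abc" and "/33" are rejected */
    }
    if (parse_ipv4(buf, &sc->addr) != 0)
        return -1;
    sc->bits = (unsigned)bits;
    return 0;
}

/* 1 if addr lies inside sc, else 0. A /0 scope matches every address. */
int scope_matches(const struct ipv4_scope *sc, uint32_t addr)
{
    uint32_t mask = (sc->bits == 0) ? 0u : 0xFFFFFFFFu << (32 - sc->bits);
    return (addr & mask) == (sc->addr & mask);
}

/* Decide whether a packet from src_ip may use a key whose 4th field is
 * ip_list, e.g. "10.0.0.0/8,192.0.2.7". Assumption made here: an empty
 * list means the key carries no IP restriction. A malformed list entry
 * never grants access, and a malformed source address never matches. */
int key_allows_source(const char *ip_list, const char *src_ip)
{
    char list[256];
    uint32_t src;
    char *tok;

    if (parse_ipv4(src_ip, &src) != 0)
        return 0;
    if (ip_list == NULL || *ip_list == '\0')
        return 1;
    if (strlen(ip_list) >= sizeof list)
        return 0;
    strcpy(list, ip_list);
    for (tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ",")) {
        struct ipv4_scope sc;
        if (parse_scope(tok, &sc) == 0 && scope_matches(&sc, src))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed 4th-field list for one key, and some candidate sources. */
    const char *scopes = "10.0.0.0/8,192.0.2.7";
    const char *sources[] = { "10.45.6.7", "192.0.2.7", "192.0.2.8", "198.51.100.1" };
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++)
        printf("%-14s %s\n", sources[i],
               key_allows_source(scopes, sources[i]) ? "allowed" : "rejected");
    return 0;
}
```

The deliberate choice is that every parse failure closes the key rather than opening it: a typo such as "10.0.0.0/33" in the 4th field yields a key nobody can use from that entry, which is noticed quickly, whereas silently treating it as unrestricted would reintroduce the Sybil exposure the field exists to remove.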
--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3389 / CVE-2017-6464 / VU#325339
  Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server makes it possible for an
    authenticated remote user to crash ntpd via a malformed mode
    configuration directive.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3388 / CVE-2017-6462 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    There is a potential for a buffer overflow in the legacy Datum
    Programmable Time Server refclock driver. Here the packets are
    processed from the /dev/datum device and handled in
    datum_pts_receive(). Since an attacker would be required to
    somehow control a malicious /dev/datum device, this does not
    appear to be a practical attack and renders this issue "Low" in
    terms of severity.
  Mitigation:
    If you have a Datum reference clock installed and think somebody
    may maliciously change the device, upgrade to 4.2.8p10, or
    later, from the NTP Project Download Page or the NTP Public
    Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3387 / CVE-2017-6463 / VU#325339
  Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server allows an authenticated
    remote attacker to crash the daemon by sending an invalid setting
    via the :config directive. The unpeer option expects a number or
    an address as an argument. In case the value is "0", a
    segmentation fault occurs.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3386
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
  Summary:
    The NTP Mode 6 monitoring and control client, ntpq, uses the
    function ntpq_stripquotes() to remove quotes and escape characters
    from a given string. According to the documentation, the function
    is supposed to return the number of copied bytes but due to
    incorrect pointer usage this value is always zero. Although the
    return value of this function is never used in the code, this
    flaw could lead to a vulnerability in the future. Since relying
    on wrong return values when performing memory operations is a
    dangerous practice, it is recommended to return the correct value
    in accordance with the documentation pertinent to the code.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
  Date Resolved: 21 Mar 2017
  References: Sec 3385
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  Summary:
    NTP makes use of several wrappers around the standard heap memory
    allocation functions that are provided by libc. This is mainly
    done to introduce additional safety checks concentrated on
    several goals. First, they seek to ensure that memory is not
    accidentally freed, secondly they verify that a correct amount
    is always allocated and, thirdly, that allocation failures are
    correctly handled. There is an additional implementation for
    scenarios where memory for a specific amount of items of the
    same size needs to be allocated. The handling can be found in
    the oreallocarray() function for which a further number-of-elements
    parameter needs to be provided. Although no considerable threat
    was identified as tied to a lack of use of this function, it is
    recommended to correctly apply oreallocarray() as a preferred
    option across all of the locations where it is possible.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
  PPSAPI ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3384 / CVE-2017-6455 / VU#325339
  Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
    not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
    including ntp-4.3.94.
  CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    The Windows NT port has the added capability to preload DLLs
    defined in the inherited global local environment variable
    PPSAPI_DLLS. The code contained within those libraries is then
    called from the NTPD service, usually running with elevated
    privileges. Depending on how securely the machine is set up and
    configured, if ntpd is configured to use the PPSAPI under Windows
    this can easily lead to a code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3383 / CVE-2017-6452 / VU#325339
  Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
    to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcat(), blindly appending
    the string passed to the stack buffer in the addSourceToRegistry()
    function. The stack buffer is 70 bytes smaller than the buffer
    in the calling main() function. Together with the initially
    copied Registry path, the combination causes a stack buffer
    overflow and effectively overwrites the stack frame. The
    passed application path is actually limited to 256 bytes by the
    operating system, but this is not sufficient to assure that the
    affected stack buffer is consistently protected against
    overflowing at all times.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3382 / CVE-2017-6459 / VU#325339
  Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
    up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcpy() with an argument
    that specifically contains multiple null bytes. strcpy() only
    copies a single terminating null character into the target
    buffer instead of copying the required double null bytes in the
    addKeysToRegistry() function. As a consequence, a garbage
    registry entry can be created. The additional arsize parameter
    is erroneously set to contain two null bytes and the following
    call to RegSetValueEx() claims to be passing in a multi-string
    value, though this may not be true.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
  References: Sec 3381
  Summary:
    The report says: Statically included external projects
    potentially introduce several problems and the issue of having
    extensive amounts of code that is "dead" in the resulting binary
    must clearly be pointed out. The unnecessary unused code may or
    may not contain bugs and, quite possibly, might be leveraged for
    code-gadget-based branch-flow redirection exploits. Analogically,
    having source trees statically included as well means a failure
    in taking advantage of the free feature for periodical updates.
    This solution is offered by the system's Package Manager. The
    three libraries identified are libisc, libevent, and libopts.
  Resolution:
    For libisc, we already only use a portion of the original library.
    We've found and fixed bugs in the original implementation (and
    offered the patches to ISC), and plan to see what has changed
    since we last upgraded the code. libisc is generally not
    installed, and when it is we usually only see the static libisc.a
    file installed. Until we know for sure that the bugs we've found
    and fixed are fixed upstream, we're better off with the copy we
    are using.

    Version 1 of libevent was the only production version available
    until recently, and we've been requiring version 2 for a long time.
    But if the build system has at least version 2 of libevent
    installed, we'll use the version that is installed on the system.
    Otherwise, we provide a copy of libevent that we know works.

    libopts is provided by GNU AutoGen, and that library and package
    undergoes frequent API version updates. The version of autogen
    used to generate the tables for the code must match the API
    version in libopts. AutoGen can be ... difficult to build and
    install, and very few developers really need it. So we have it
    on our build and development machines, and we provide the
    specific version of the libopts code in the distribution to make
    sure that the proper API version of libopts is available.

    As for the point about there being code in these libraries that
    NTP doesn't use, OK. But other packages use these libraries as
    well, and it is reasonable to assume that other people are paying
    attention to security and code quality issues for the overall
    libraries. It takes significant resources to analyze and
    customize these libraries to only include what we need, and to
    date we believe the cost of this effort does not justify the benefit.
  Credit:
    This issue was discovered by Cure53.

* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3380
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
  Summary:
    There is a fencepost error in a "recovery branch" of the code for
    the Oncore GPS receiver if the communication link to the ONCORE
    is weak / distorted and the decoding doesn't work.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.
990 991* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium) 992 Date Resolved: 21 Mar 2017 993 References: Sec 3379 / CVE-2017-6458 / VU#325339 994 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 995 ntp-4.3.0 up to, but not including ntp-4.3.94. 996 CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 997 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 998 Summary: 999 ntpd makes use of different wrappers around ctl_putdata() to 1000 create name/value ntpq (mode 6) response strings. For example, 1001 ctl_putstr() is usually used to send string data (variable names 1002 or string data). The formatting code was missing a length check 1003 for variable names. If somebody explicitly created any unusually 1004 long variable names in ntpd (longer than 200-512 bytes, depending 1005 on the type of variable), then if any of these variables are 1006 added to the response list it would overflow a buffer. 1007 Mitigation: 1008 Implement BCP-38. 1009 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 1010 or the NTP Public Services Project Download Page 1011 If you don't want to upgrade, then don't setvar variable names 1012 longer than 200-512 bytes in your ntp.conf file. 1013 Properly monitor your ntpd instances, and auto-restart 1014 ntpd (without -g) if it stops running. 1015 Credit: 1016 This weakness was discovered by Cure53. 1017 1018* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low) 1019 Date Resolved: 21 Mar 2017 1020 References: Sec 3378 / CVE-2017-6451 / VU#325339 1021 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 1022 ntp-4.3.0 up to, but not including ntp-4.3.94. 1023 CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P) 1024 CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N 1025 Summary: 1026 The legacy MX4200 refclock is only built if is specifically 1027 enabled, and furthermore additional code changes are required to 1028 compile and use it. 
But it uses the libc functions snprintf() 1029 and vsnprintf() incorrectly, which can lead to an out-of-bounds 1030 memory write due to an improper handling of the return value of 1031 snprintf()/vsnprintf(). Since the return value is used as an 1032 iterator and it can be larger than the buffer's size, it is 1033 possible for the iterator to point somewhere outside of the 1034 allocated buffer space. This results in an out-of-bound memory 1035 write. This behavior can be leveraged to overwrite a saved 1036 instruction pointer on the stack and gain control over the 1037 execution flow. During testing it was not possible to identify 1038 any malicious usage for this vulnerability. Specifically, no 1039 way for an attacker to exploit this vulnerability was ultimately 1040 unveiled. However, it has the potential to be exploited, so the 1041 code should be fixed. 1042 Mitigation, if you have a Magnavox MX4200 refclock: 1043 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 1044 or the NTP Public Services Project Download Page. 1045 Properly monitor your ntpd instances, and auto-restart 1046 ntpd (without -g) if it stops running. 1047 Credit: 1048 This weakness was discovered by Cure53. 1049 1050* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a 1051 malicious ntpd (Medium) 1052 Date Resolved: 21 Mar 2017 1053 References: Sec 3377 / CVE-2017-6460 / VU#325339 1054 Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and 1055 ntp-4.3.0 up to, but not including ntp-4.3.94. 1056 CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C) 1057 CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1058 Summary: 1059 A stack buffer overflow in ntpq can be triggered by a malicious 1060 ntpd server when ntpq requests the restriction list from the server. 1061 This is due to a missing length check in the reslist() function. 
1062 It occurs whenever the function parses the server's response and 1063 encounters a flagstr variable of an excessive length. The string 1064 will be copied into a fixed-size buffer, leading to an overflow on 1065 the function's stack-frame. Note well that this problem requires 1066 a malicious server, and affects ntpq, not ntpd. 1067 Mitigation: 1068 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 1069 or the NTP Public Services Project Download Page 1070 If you can't upgrade your version of ntpq then if you want to know 1071 the reslist of an instance of ntpd that you do not control, 1072 know that if the target ntpd is malicious that it can send back 1073 a response that intends to crash your ntpq process. 1074 Credit: 1075 This weakness was discovered by Cure53. 1076 1077* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational) 1078 Date Resolved: 21 Mar 2017 1079 References: Sec 3376 1080 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 1081 ntp-4.3.0 up to, but not including ntp-4.3.94. 1082 CVSS2: N/A 1083 CVSS3: N/A 1084 Summary: 1085 The build process for NTP has not, by default, provided compile 1086 or link flags to offer "hardened" security options. Package 1087 maintainers have always been able to provide hardening security 1088 flags for their builds. As of ntp-4.2.8p10, the NTP build 1089 system has a way to provide OS-specific hardening flags. Please 1090 note that this is still not a really great solution because it 1091 is specific to NTP builds. It's inefficient to have every 1092 package supply, track and maintain this information for every 1093 target build. It would be much better if there was a common way 1094 for OSes to provide this information in a way that arbitrary 1095 packages could benefit from it. 1096 Mitigation: 1097 Implement BCP-38. 
1098 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 1099 or the NTP Public Services Project Download Page 1100 Properly monitor your ntpd instances, and auto-restart 1101 ntpd (without -g) if it stops running. 1102 Credit: 1103 This weakness was reported by Cure53. 1104 1105* 0rigin DoS (Medium) 1106 Date Resolved: 21 Mar 2017 1107 References: Sec 3361 / CVE-2016-9042 / VU#325339 1108 Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10 1109 CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case) 1110 CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case) 1111 Summary: 1112 An exploitable denial of service vulnerability exists in the 1113 origin timestamp check functionality of ntpd 4.2.8p9. A specially 1114 crafted unauthenticated network packet can be used to reset the 1115 expected origin timestamp for target peers. Legitimate replies 1116 from targeted peers will fail the origin timestamp check (TEST2) 1117 causing the reply to be dropped and creating a denial of service 1118 condition. This vulnerability can only be exploited if the 1119 attacker can spoof all of the servers. 1120 Mitigation: 1121 Implement BCP-38. 1122 Configure enough servers/peers that an attacker cannot target 1123 all of your time sources. 1124 Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 1125 or the NTP Public Services Project Download Page 1126 Properly monitor your ntpd instances, and auto-restart 1127 ntpd (without -g) if it stops running. 1128 Credit: 1129 This weakness was discovered by Matthew Van Gundy of Cisco. 1130 1131Other fixes: 1132 1133* [Bug 3393] clang scan-build findings <perlinger@ntp.org> 1134* [Bug 3363] Support for openssl-1.1.0 without compatibility modes 1135 - rework of patch set from <ntp.org@eroen.eu>. 
<perlinger@ntp.org> 1136* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org> 1137* [Bug 3216] libntp audio ioctl() args incorrectly cast to int 1138 on 4.4BSD-Lite derived platforms <perlinger@ntp.org> 1139 - original patch by Majdi S. Abbas 1140* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org> 1141* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org> 1142 - initial patch by Christos Zoulas 1143* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org> 1144 - move loader API from 'inline' to proper source 1145 - augment pathless dlls with absolute path to NTPD 1146 - use 'msyslog()' instead of 'printf() 'for reporting trouble 1147* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org> 1148 - applied patch by Matthew Van Gundy 1149* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org> 1150 - applied some of the patches provided by Havard. Not all of them 1151 still match the current code base, and I did not touch libopt. 1152* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org> 1153 - applied patch by Reinhard Max. See bugzilla for limitations. 1154* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org> 1155 - fixed dependency inversion from [Bug 2837] 1156* [Bug 2896] Nothing happens if minsane < maxclock < minclock 1157 - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org> 1158* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org> 1159 - applied patch by Miroslav Lichvar for ntp4.2.6 compat 1160* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags 1161 - Fixed these and some more locations of this pattern. 1162 Probably din't get them all, though. <perlinger@ntp.org> 1163* Update copyright year. 1164 1165-- 1166(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org> 1167 1168* [Bug 3144] NTP does not build without openSSL. 
<perlinger@ntp.org> 1169 - added missed changeset for automatic openssl lib detection 1170 - fixed some minor warning issues 1171* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org> 1172* configure.ac cleanup. stenn@ntp.org 1173* openssl configure cleanup. stenn@ntp.org 1174 1175-- 1176NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21) 1177 1178Focus: Security, Bug fixes, enhancements. 1179 1180Severity: HIGH 1181 1182In addition to bug fixes and enhancements, this release fixes the 1183following 1 high- (Windows only), 2 medium-, 2 medium-/low, and 11845 low-severity vulnerabilities, and provides 28 other non-security 1185fixes and improvements: 1186 1187* Trap crash 1188 Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1189 References: Sec 3119 / CVE-2016-9311 / VU#633847 1190 Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not 1191 including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94. 1192 CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) 1193 CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 1194 Summary: 1195 ntpd does not enable trap service by default. If trap service 1196 has been explicitly enabled, an attacker can send a specially 1197 crafted packet to cause a null pointer dereference that will 1198 crash ntpd, resulting in a denial of service. 1199 Mitigation: 1200 Implement BCP-38. 1201 Use "restrict default noquery ..." in your ntp.conf file. Only 1202 allow mode 6 queries from trusted networks and hosts. 1203 Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1204 or the NTP Public Services Project Download Page 1205 Properly monitor your ntpd instances, and auto-restart ntpd 1206 (without -g) if it stops running. 1207 Credit: This weakness was discovered by Matthew Van Gundy of Cisco. 

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network.
    If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires.
    An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6.
    However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3082 / CVE-2016-7434 / VU#633847
  Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    If ntpd is configured to allow mrulist query requests from a
    server that sends a crafted malicious packet, ntpd will crash
    on receipt of that crafted malicious mrulist query packet.
  Mitigation:
    Only allow mrulist query packets from trusted hosts.
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Magnus Stubman.
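The trap crash, the mode 6 trap set/unset vector and the mrulist entry above all turn on the same operational question: which control-mode (mode 6) requests reach ntpd, and from where. The following is an added example, not ntpd's own code, that decodes the mode 6 header defined in RFC 1305 Appendix B (the same layout as ntpd's struct ntp_control) and classifies a UDP/123 payload for a monitor or IDS rule. The opcode numbers are ntpd's CTL_OP_* values; the decision about which opcodes count as "risky", and the sample datagrams, are this example's own constructions.

```c
/* Added example, not ntpd code: decode the NTP control (mode 6) header and
 * classify a UDP/123 payload so a monitor can flag the requests the entries
 * above say must not cross an untrusted boundary: trap set/unset
 * (CVE-2016-9310/-9311), mrulist (CVE-2016-7434), remote configuration.
 * Layout per RFC 1305 Appendix B; opcode numbers are ntpd's CTL_OP_* values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTP_MODE_CONTROL 6
#define NTP_MODE_PRIVATE 7      /* ntpdc "mode 7" requests */
#define CTL_HEADER_LEN   12
#define NTP_TIME_PKT_LEN 48     /* minimum time packet without a MAC */

enum {  /* low 5 bits of the second header byte */
    CTL_OP_READSTAT = 1, CTL_OP_READVAR, CTL_OP_WRITEVAR, CTL_OP_READCLOCK,
    CTL_OP_WRITECLOCK, CTL_OP_SETTRAP, CTL_OP_ASYNCMSG, CTL_OP_CONFIGURE,
    CTL_OP_SAVECONFIG, CTL_OP_READ_MRU, CTL_OP_READ_ORDLIST_A,
    CTL_OP_REQ_NONCE, CTL_OP_UNSETTRAP = 31
};

typedef enum { PKT_TOO_SHORT, PKT_TIME, PKT_PRIVATE, PKT_CONTROL_RESPONSE,
               PKT_CONTROL_BENIGN, PKT_CONTROL_RISKY, PKT_CONTROL_BAD_LENGTH } pkt_class;

struct ctl_hdr {
    uint8_t  version, opcode;
    int      is_response, is_error, has_more;   /* R, E, M bits */
    uint16_t sequence, status, associd, offset, count;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the 12-byte control header; -1 if not mode 6 or shorter than that. */
int parse_ctl_header(const uint8_t *pkt, size_t len, struct ctl_hdr *h)
{
    if (len < CTL_HEADER_LEN || (pkt[0] & 0x07) != NTP_MODE_CONTROL)
        return -1;
    h->version     = (pkt[0] >> 3) & 0x07;
    h->is_response = (pkt[1] & 0x80) != 0;
    h->is_error    = (pkt[1] & 0x40) != 0;
    h->has_more    = (pkt[1] & 0x20) != 0;
    h->opcode      = pkt[1] & 0x1f;
    h->sequence    = be16(pkt + 2);
    h->status      = be16(pkt + 4);
    h->associd     = be16(pkt + 6);
    h->offset      = be16(pkt + 8);
    h->count       = be16(pkt + 10);   /* bytes of data after the header */
    return 0;
}

/* Opcodes that change daemon state, arm/disarm traps, or pull bulk data. */
int ctl_opcode_is_risky(unsigned op)
{
    switch (op) {
    case CTL_OP_WRITEVAR:  case CTL_OP_WRITECLOCK: case CTL_OP_SETTRAP:
    case CTL_OP_UNSETTRAP: case CTL_OP_CONFIGURE:  case CTL_OP_SAVECONFIG:
    case CTL_OP_READ_MRU:
        return 1;
    default:
        return 0;
    }
}

pkt_class classify_ntp_payload(const uint8_t *pkt, size_t len)
{
    struct ctl_hdr h;
    if (len == 0)
        return PKT_TOO_SHORT;
    switch (pkt[0] & 0x07) {
    case NTP_MODE_PRIVATE:
        return PKT_PRIVATE;
    case NTP_MODE_CONTROL:
        if (parse_ctl_header(pkt, len, &h) != 0)
            return PKT_TOO_SHORT;
        /* count claims more data than the datagram carries: the consistency
         * check a receiver must make before copying, cf. read_mru_list(). */
        if ((size_t)h.count > len - CTL_HEADER_LEN)
            return PKT_CONTROL_BAD_LENGTH;
        if (h.is_response)
            return PKT_CONTROL_RESPONSE;
        return ctl_opcode_is_risky(h.opcode) ? PKT_CONTROL_RISKY
                                              : PKT_CONTROL_BENIGN;
    default:
        return len >= NTP_TIME_PKT_LEN ? PKT_TIME : PKT_TOO_SHORT;
    }
}

/* Constructed sample datagrams, not captured traffic. Byte 0 = LI|VN|mode:
 * 0x16 = v2 control, 0x17 = v2 private, 0x23 = v4 client. */
const uint8_t sample_settrap[12]  = { 0x16, CTL_OP_SETTRAP,  0, 1, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t sample_readmru[12]  = { 0x16, CTL_OP_READ_MRU, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t sample_readvar[12]  = { 0x16, CTL_OP_READVAR,  0, 3, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t sample_response[12] = { 0x16, 0x80 | CTL_OP_READVAR, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t sample_badlen[12]   = { 0x16, CTL_OP_READVAR,  0, 4, 0, 0, 0, 0, 0, 0, 1, 0 }; /* count=256 */
const uint8_t sample_mode7[12]    = { 0x17, 0 };
const uint8_t sample_client[48]   = { 0x23 };

int main(void)
{
    static const char *label[] = { "too-short", "time", "mode7-private",
        "control-response", "control-benign", "control-RISKY", "control-bad-length" };
    printf("settrap -> %s\n", label[classify_ntp_payload(sample_settrap, sizeof sample_settrap)]);
    printf("badlen  -> %s\n", label[classify_ntp_payload(sample_badlen, sizeof sample_badlen)]);
    printf("client  -> %s\n", label[classify_ntp_payload(sample_client, sizeof sample_client)]);
    return 0;
}
```

A "control-RISKY" verdict for a datagram whose source lies outside the management network is exactly the traffic that "restrict default noquery" is meant to make impossible, and is worth an alert on its own. The bad-length verdict shows the count-versus-datagram check a receiver has to make before touching the data; mode 7 is reported separately because ntpd only answers it when "enable mode7" is configured.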

* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use the interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check the source address
    of received packets (e.g. rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with a spoofed source address which will cause ntpd to select the
    wrong interface for the source and prevent it from sending new
    requests until the list of interfaces is refreshed, which happens
    on routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are going to configure your OS to disable source address
    checks, also configure your firewall to control
    what interfaces can receive packets from what networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources. An
    attacker who knows the sources (e.g., from an IPv4 refid in
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver.
  <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
    are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past; it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.
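The authdecrypt-timing entry above describes the mechanism only in one sentence: a memcmp()-style comparison returns at the first differing byte, so the time it takes reveals how long the correctly guessed prefix of the digest is. As an added illustration (example code, not the ntpd fix itself), the block below puts an early-exit comparison next to a constant-time one and uses a "bytes examined" counter in place of a stopwatch, so the leak is visible deterministically. The 20-byte digest is a constructed value, not a MAC of anything; the constant-time routine has the same shape as a constant-time memcmp such as OpenSSL's CRYPTO_memcmp.

```c
/* Added example, not ntpd code, for the authdecrypt-timing entry above:
 * an early-exit digest comparison beside a constant-time one. The
 * 'examined' counter stands in for elapsed time so the leak created by a
 * memcmp()-style compare is visible without timing anything. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20   /* SHA-1 sized MAC, as carried in an NTP packet */

/* memcmp()-style: stops at the first differing byte. Work done (and time
 * taken) therefore grows with the length of the correctly guessed prefix. */
int leaky_digest_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (examined) *examined = i + 1;
            return 0;
        }
    }
    if (examined) *examined = n;
    return 1;
}

/* Constant-time: accumulate XOR differences over all n bytes with no
 * data-dependent early exit, so every call touches every byte. */
int ct_digest_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    if (examined) *examined = n;
    return diff == 0;
}

/* Constructed reference digest (not a real MAC of anything). */
const uint8_t sample_digest[DIGEST_LEN] = {
    0x6c, 0xe1, 0xb3, 0xc5, 0xe2, 0xed, 0x4b, 0x3c, 0x9d, 0x0f,
    0x7a, 0x7a, 0x1d, 0x8e, 0x3f, 0x4b, 0x5c, 0x6d, 0x7e, 0x8f
};

/* Build an attacker guess sharing the first k bytes with the reference and
 * differing at byte k (k == DIGEST_LEN yields an exact match). */
static void make_guess(size_t k, uint8_t guess[DIGEST_LEN])
{
    memcpy(guess, sample_digest, DIGEST_LEN);
    if (k < DIGEST_LEN)
        guess[k] ^= 0xff;
}

/* Bytes the leaky comparator touches for a guess with k correct leading bytes. */
size_t leaky_bytes_examined(size_t k)
{
    uint8_t guess[DIGEST_LEN];
    size_t n = 0;
    make_guess(k, guess);
    leaky_digest_equal(sample_digest, guess, DIGEST_LEN, &n);
    return n;
}

/* Same measurement for the constant-time comparator: always DIGEST_LEN. */
size_t ct_bytes_examined(size_t k)
{
    uint8_t guess[DIGEST_LEN];
    size_t n = 0;
    make_guess(k, guess);
    ct_digest_equal(sample_digest, guess, DIGEST_LEN, &n);
    return n;
}

int main(void)
{
    size_t k;
    printf("correct prefix  leaky  constant-time\n");
    for (k = 0; k <= DIGEST_LEN; k += 5)
        printf("%14zu  %5zu  %13zu\n", k, leaky_bytes_examined(k), ct_bytes_examined(k));
    return 0;
}
```

The leaky column climbs one step per correctly guessed byte, which is precisely the signal an attacker who can time responses would use to recover the digest byte by byte; the constant-time column is flat. The attacker model in the entry (local or LAN-based) is what makes the timing measurable in practice: across a WAN, network jitter usually swamps a per-byte difference.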

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade, use "server" associations instead of
    "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.
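The mitigations in the entries above keep returning to the same handful of ntp.conf lines: "restrict default noquery" (the trap crash, mode 6 trap and mrulist entries of 4.2.8p9), not applying "limited" to your own sources (the client rate limiting entry), and not leaving remote configuration reachable at all (the ctl_getitem, hmode > 7 and trustedkey/requestkey/controlkey entries). The following is an added configuration example, not from the NTP project, showing the exposed shape of such a file next to a hardened one. Hostnames, addresses and the key are placeholders; the "restrict source" template is used here on the understanding that ntpd applies it to the address of every configured source, and the ntp.keys fourth-field syntax is as described in the Sybil entry later in these notes.

```conf
# --- Exposed: the conditions the advisories above describe (do not deploy) ---
restrict default nomodify limited   # no noquery/notrap: mode 6 reachable from anywhere,
                                    # and 'limited' also throttles replies from our servers
enable mode7                        # ntpdc runtime requests are answered
trap 192.0.2.50                     # trap service switched on
controlkey 1                        # remote ntpq writes possible with key 1
requestkey 1                        # remote ntpdc requests possible with key 1
server ntp1.example.com key 1

# --- Hardened equivalent ---
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp.keys                  # mode 0600; sample contents at the bottom
trustedkey 1

# Default for every address, IPv4 and IPv6: time service only. No mode 6/7
# queries (noquery), no runtime changes (nomodify), no traps (notrap), no
# symmetric peering (nopeer); 'kod limited' still rate-limits abusive clients.
restrict default kod nomodify notrap nopeer noquery limited

# Template for the addresses of configured sources: the same flags but
# without 'limited', so spoofed packets cannot keep the rate limit tripped
# against a real server's replies.
restrict source nomodify notrap noquery

# ntpq from the local host only. No controlkey, no requestkey, no
# 'enable mode7', no 'trap': remote configuration simply does not exist.
restrict 127.0.0.1
restrict ::1

# Enough sources that one bad or impersonated source is outvoted.
server ntp1.example.com key 1 iburst
server ntp2.example.com key 1 iburst
server ntp3.example.com iburst
server ntp4.example.com iburst

# /etc/ntp.keys (placeholder key; generate real ones with ntp-keygen -M).
# The optional fourth field, ntp-4.2.8p6 and later, names the peers allowed
# to use the key, so a stranger who obtains it cannot mobilize associations.
# 1 SHA1 6ce1b3c5e2ed4b3c9d0f7a7a1d8e3f4b5c6d7e8f 192.0.2.11,192.0.2.12
```

If a monitoring system genuinely needs traps or mode 7, add those lines back behind a dedicated restrict line naming that host rather than relaxing the default. The rp_filter setting from the interface selection entry is an operating-system control, not an ntp.conf one, and is unchanged here.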

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network.
    On these OSes, if ntpd is configured to use a
    reference clock an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are unable to upgrade and if you are running an OS that
    has this vulnerability, implement martian packet filters and
    lobby your OS vendor to fix this problem, or run your
    refclocks on computers that use OSes that are not vulnerable
    to these attacks and have your vulnerable machines get their
    time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page. These
      versions will not dynamically "flip" into interleave mode
      unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
    the feature introduced in ntp-4.2.8p6 allowing an optional 4th
    field in the ntp.keys file to specify which IPs can serve time,
    a malicious authenticated peer can create arbitrarily-many
    ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
      can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvidron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed.
  perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

    --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode.
Dynamic interleave mode is disabled by default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
    * Own a malicious NTP server that the client trusts
    * Prevent a legitimate NTP server from sending packets to
      the 'ntpq' client
    * MITM the 'ntpq' communications between the 'ntpq' client
      and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:H)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the transmit timestamp it
    sent in its last request. A logic error exists that allows
    packets with an origin timestamp of zero to bypass this check
    whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc.)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
      deeper problems to investigate. In this case also consider
      having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
        never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
        careful about what IPs have the ability to send 'modify'
        requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq make sure there are
        some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key authentication uses a shared trusted key.
    The reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server or client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
      upgrade to 4.2.8p6, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page, and
      use the new field in the ntp.keys file that specifies the list
      of IPs that are allowed to serve time. Note that this alone
      will not protect against time packets with forged source IP
      addresses; however, other changes in ntp-4.2.8p6 provide
      significant mitigation against broadcast attacks. MITM attacks
      are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
        servers.
      If you choose to use symmetric keys to authenticate time
        packets in a hostile environment where ephemeral time
        servers can be created, or if it is expected that malicious
        time servers will participate in an NTP broadcast domain,
        limit the number of systems that participate in the
        shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.
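
Added example, not code from the NTP distribution: a Python model of the
origin-timestamp check that the 0rigin item (Sec 2945 / CVE-2015-8138)
describes, and that the interleave-pivot item (Sec 2978) attacks with a
spoofed origin. ntpd keeps the transmit timestamp of the outstanding
request in the association (peer->aorg) and clears it once a reply has been
accepted, which is what makes "no request outstanding" look like "expected
origin is zero". The packet layout is the RFC 5905 header; the function
names, the idle convention and the sample packets are this example's own
assumptions.

```python
import struct

# Fixed 48-byte NTPv4 header (RFC 5905, no MAC): the origin timestamp is
# bytes 24..31 and the transmit timestamp bytes 40..47.
HEADER_FMT = "!BBbbIIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48
MODE_CLIENT, MODE_SERVER = 3, 4
NTP_UNIX_OFFSET = 2208988800               # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_seconds: int, fraction: int = 0) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    return ((unix_seconds + NTP_UNIX_OFFSET) & 0xFFFFFFFF) << 32 | (fraction & 0xFFFFFFFF)


def build_packet(mode: int, org: int, xmt: int, stratum: int = 2) -> bytes:
    """Constructed NTPv4 header; only mode, org and xmt matter to this example."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode          # LI=0, VN=4
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, org, 0, xmt)


def parse_packet(pkt: bytes) -> dict:
    if len(pkt) < HEADER_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {"mode": f[0] & 0x7, "stratum": f[1], "org": f[8], "xmt": f[10]}


def origin_ok_vulnerable(pkt_org: int, aorg: int) -> bool:
    """Pre-4.2.8p6 shape of the check: a bare equality test. Because aorg is
    zero while no request is outstanding, a forged reply carrying org == 0
    satisfies it."""
    return pkt_org == aorg


def origin_ok_fixed(pkt_org: int, aorg: int) -> bool:
    """4.2.8p6 behaviour as modelled here: a zero origin never matches, and
    nothing is accepted while no request is outstanding."""
    if aorg == 0 or pkt_org == 0:
        return False
    return pkt_org == aorg


def accept_reply(pkt: bytes, aorg: int, check) -> bool:
    """Would a client association whose saved transmit timestamp is `aorg`
    accept `pkt` under the given origin check?"""
    h = parse_packet(pkt)
    if h["mode"] != MODE_SERVER:
        return False
    return check(h["org"], aorg)


# Constructed traffic. CLIENT_XMT is what the client put in its last request;
# a genuine server echoes it as the reply's origin timestamp.
CLIENT_XMT = ntp_timestamp(1453190400, 0x1234)
LEGIT_REPLY = build_packet(MODE_SERVER, org=CLIENT_XMT,
                           xmt=ntp_timestamp(1453190400, 0x9000))
FORGED_REPLY = build_packet(MODE_SERVER, org=0,
                            xmt=ntp_timestamp(1453190400 + 3600))


def demo() -> dict:
    idle = 0   # no request outstanding: ntpd has cleared aorg
    return {
        "legit_vuln": accept_reply(LEGIT_REPLY, CLIENT_XMT, origin_ok_vulnerable),
        "legit_fixed": accept_reply(LEGIT_REPLY, CLIENT_XMT, origin_ok_fixed),
        "forged_idle_vuln": accept_reply(FORGED_REPLY, idle, origin_ok_vulnerable),
        "forged_idle_fixed": accept_reply(FORGED_REPLY, idle, origin_ok_fixed),
        "forged_busy_vuln": accept_reply(FORGED_REPLY, CLIENT_XMT, origin_ok_vulnerable),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

The forged reply is accepted by the old check only while the client is idle,
which is the window the advisory describes; between polls that window is
most of the time. The "get time from multiple sources" mitigation still
matters after the fix, because an on-path attacker who can see the real
request can copy the correct origin and pass either check.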

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
  IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings.
  perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
  References: Sec 2956, CVE-2015-5300
  Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
    4.3.0 up to, but not including 4.3.78
  CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
  Summary: If ntpd is always started with the -g option, which is
    common and against long-standing recommendation, and if at the
    moment ntpd is restarted an attacker can immediately respond to
    enough requests from enough sources trusted by the target, which
    is difficult and not common, there is a window of opportunity
    where the attacker can cause ntpd to set the time to an
    arbitrary value. Similarly, if an attacker is able to respond
    to enough requests from enough sources trusted by the target,
    the attacker can cause ntpd to abort and restart, at which
    point it can tell the target to set the time to an arbitrary
    value if and only if ntpd was re-started against long-standing
    recommendation with the -g flag, or if ntpd was not given the
    -g flag, the attacker can move the target system's time by at
    most 900 seconds' time per attack.
  Mitigation:
    Configure ntpd to get time from multiple sources.
    Upgrade to 4.2.8p5, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    As we've long documented, only use the -g option to ntpd in
      cold-start situations.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg at Boston University.

  NOTE WELL: The -g flag disables the limit check on the panic_gate
    in ntpd, which is 900 seconds by default. The bug identified by
    the researchers at Boston University is that the panic_gate
    check was only re-enabled after the first change to the system
    clock that was greater than 128 milliseconds, by default. The
    correct behavior is that the panic_gate check should be
    re-enabled after any initial time correction.

  If an attacker is able to inject consistent but erroneous time
    responses to your systems via the network or "over the air",
    perhaps by spoofing radio, cellphone, or navigation satellite
    transmissions, they are in a great position to affect your
    system's clock. There comes a point where your very best
    defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
  lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
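
Added example, not ntpd's code: a Python model of the panic-gate window
that the 4.2.8p5 advisory (Sec 2956 / CVE-2015-5300) and its NOTE WELL
describe. The 900 s panic gate and 128 ms step threshold are ntpd's
documented defaults; the state names, the "vulnerable versus fixed" switch
and the attacker's offsets are this example's own assumptions. Offsets are
integer milliseconds so the results are exact.

```python
PANIC_GATE_MS = 900_000      # ntpd's default panic threshold (900 s)
STEP_THRESHOLD_MS = 128      # above this the clock is stepped, below it slewed


class ClockDiscipline:
    """Model of the panic-gate state around ntpd's -g flag.

    allow_panic is True when ntpd was started with -g: one initial correction
    may exceed PANIC_GATE_MS. What distinguishes the pre-4.2.8p5 rule from the
    4.2.8p5 rule is *when* that permission is withdrawn.
    """

    def __init__(self, started_with_g: bool, fixed: bool):
        self.allow_panic = started_with_g
        self.fixed = fixed               # True: 4.2.8p5 rule, False: older rule
        self.clock_offset_ms = 0         # cumulative change applied to the clock
        self.aborted = False

    def apply(self, offset_ms: int) -> str:
        """Feed one measured offset; returns what ntpd would do with it."""
        if self.aborted:
            return "dead"
        if abs(offset_ms) > PANIC_GATE_MS and not self.allow_panic:
            self.aborted = True          # ntpd logs the panic and exits
            return "panic"
        action = "step" if abs(offset_ms) > STEP_THRESHOLD_MS else "slew"
        self.clock_offset_ms += offset_ms
        # Older rule: the gate was closed only after the first *step*.
        # Fixed rule: the gate closes after any initial correction at all.
        if self.allow_panic and (self.fixed or action == "step"):
            self.allow_panic = False
        return action


def run(offsets_ms, started_with_g: bool, fixed: bool):
    """Replay a sequence of offsets; returns (actions, total clock movement)."""
    d = ClockDiscipline(started_with_g, fixed)
    actions = [d.apply(o) for o in offsets_ms]
    return actions, d.clock_offset_ms


# Constructed attacker input: a nudge below the step threshold, then a full
# day. The nudge is the point of the attack: it is a correction, not a step.
ATTACK_MS = [50, 86_400_000]


def demo() -> dict:
    return {
        # -g, pre-4.2.8p5: the 50 ms slew leaves the gate open, the day lands
        "g_vulnerable": run(ATTACK_MS, started_with_g=True, fixed=False),
        # -g, 4.2.8p5: the 50 ms slew closes the gate, the day is a panic
        "g_fixed": run(ATTACK_MS, started_with_g=True, fixed=True),
        # no -g: the gate is closed from the start; each accepted step is
        # bounded by the 900 s gate, the next over-sized offset is a panic
        "no_g_bounded": run([899_000, 86_400_000], started_with_g=False, fixed=True),
    }


if __name__ == "__main__":
    for name, (actions, moved) in demo().items():
        print(f"{name:13s} {actions}  clock moved by {moved} ms")
```

The "no_g_bounded" run is the advisory's "at most 900 seconds per attack"
case; the "g_vulnerable" run is why restarting with -g under a supervisor
turns a panic-and-exit into an arbitrary time change.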

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
    certain code paths where a packet with particular autokey operations
    that contained malicious data was not always being completely
    validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
    KoD messages that have been forged by an attacker, causing it to
    delay or stop querying its servers for time updates.
    Also, an
    attacker can forge packets that claim to be from the target and
    send them to servers often enough that a server that implements
    KoD rate limiting will send the target machine a KoD response to
    attempt to reduce the rate of incoming packets, or it may also
    trigger a firewall block at the server for packets from the target
    machine. For either of these attacks to succeed, the attacker must
    know what servers the target is communicating with. An attacker
    can be anywhere on the Internet and can frequently learn the
    identity of the target's time source by sending the target a
    time query.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you can't upgrade, restrict who can query ntpd to learn who
      its servers are, and what IPs are allowed to ask your system
      for the time. This mitigation is heavy-handed.
    Monitor your ntpd instances.
  Note:
    4.2.8p4 protects against the first attack. For the second attack,
    all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
    and if the (possibly spoofed) source IP address is allowed to
    send remote configuration requests, and if the attacker knows
    the remote configuration password, it's possible for an attacker
    to use the "pidfile" or "driftfile" directives to potentially
    overwrite other files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you cannot upgrade, don't enable remote configuration.
    If you must enable remote configuration and cannot upgrade,
      remote configuration of NTF's ntpd requires:
      - an explicitly configured trustedkey, and you should also
        configure a controlkey.
      - access from a permitted IP. You choose the IPs.
      - authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
    4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
    send packets to ntpd that will, after several days of ongoing
    attack, cause it to run out of memory.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
          mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
          to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
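
Added configuration example, not a file shipped with the NTP distribution,
collecting the mitigations that recur above in one place: the optional
fourth field of ntp.keys from the Sybil (Sec 3012) and Skeleton Key
(Sec 2936) items, 'restrict default nomodify' from the saveconfig item
(Sec 2938), 'restrict noquery' plus a requestkey for mode 7 from the reslist
items (Sec 2940, Sec 2939) and the loop counter item (Sec 2913), and the
trustedkey/controlkey requirement from the remote configuration item
(Sec 2902). Addresses (RFC 5737 documentation space), key numbers and the
hex key material are placeholders; generate real keys with ntp-keygen.

```conf
# ---- /etc/ntp.keys (mode 0600, readable only by the ntpd user) ----
# Columns: keyno type key [hosts]. The fourth field (ntp-4.2.8p6 and later)
# lists the addresses allowed to serve time with this key; a packet from any
# other source that authenticates with key 1 is refused, which is what
# blocks the ephemeral-association (Sybil) and "any trusted key" attacks.
1  SHA1  0123456789abcdef0123456789abcdef01234567  192.0.2.10,192.0.2.11
# Key 2 is used only for ntpq/ntpdc control traffic; it appears on no
# server line, so a leak of it cannot be turned into a time source.
2  SHA1  fedcba9876543210fedcba9876543210fedcba98

# ---- /etc/ntp.conf ----
keys /etc/ntp.keys
trustedkey 1 2
controlkey 2            # mode 6 (ntpq) changes such as saveconfig need key 2
# mode 7 (ntpdc) stays disabled: there is no 'enable mode7' here. If it must
# be enabled, add 'requestkey 2' on the same line as 'enable mode7' so that
# unauthenticated mode 7 requests are never honoured.

# Weak default seen in older setups: status queries (and the reconnaissance
# the KoD item describes) are open to the whole Internet.
#   restrict default nomodify
# Hardened default: nobody may modify, query status, set traps, or form a
# peer association. Time service to clients is still allowed.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

# Local control only; remote ntpq/ntpdc reconfiguration is not reachable.
restrict 127.0.0.1
restrict ::1
# A monitoring host may read status (no 'noquery') but still cannot modify.
restrict 192.0.2.50 nomodify notrap nopeer

# Upstream servers, authenticated with key 1, which ntp.keys binds to
# exactly these two addresses.
server 192.0.2.10 key 1 iburst
server 192.0.2.11 key 1 iburst
```

Two checks worth running after a change like this: 'ntpq -c "rv 0"' from
the monitoring host should still answer, while the same command from any
other address should time out; and 'ntpq -c as' must show only the two
configured servers as persistent associations, since a third, unconfigured
entry authenticated with key 1 is exactly the symptom the Sybil item warns
about.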

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
      ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
      requires:
        an explicitly configured "trusted" key. Only configure this
          if you need it.
        access from a permitted IP address. You choose the IPs.
        authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
      requires:
        an explicitly configured "trusted" key. Only configure
          this if you need it.
        access from permitted IP addresses. You choose the IPs.
        authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious ntpd instance that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
      and ntpq crashes, try again using raw mode. Build or get a
      patched ntpq and see if that fixes the problem. Report new
      bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
      in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksander Nikolich of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
    that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
        the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
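The mitigations in the advisories above keep repeating the same ntp.conf hygiene: leave mode 7 disabled, never run with "disable auth", require a requestkey before enabling mode 7, and put noquery on the default restrict line. The following audit script is an added example, not part of ntpd or its tooling; it parses a configuration file into (directive, arguments) pairs and reports which of those recommendations a file violates. The two configuration texts embedded in it are constructed samples, one deliberately weak and one hardened.

```python
"""Audit an ntp.conf for the remote-query/remote-config hardening the
4.2.8p4 advisories recommend. Added example; not ntpd code."""

# Constructed sample: a weak configuration that violates the advice.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod limited nomodify notrap   # no noquery
restrict 127.0.0.1
enable mode7
disable auth
"""

# Constructed sample: the same host with the recommended settings.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod limited nomodify notrap noquery nopeer
restrict 127.0.0.1
"""


def parse_conf(text):
    """Return [(directive, [args]), ...], dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        entries.append((words[0], words[1:]))
    return entries


def audit(text):
    """Return a sorted list of findings; an empty list means nothing flagged."""
    entries = parse_conf(text)
    findings = []

    enabled = {a for d, args in entries if d == "enable" for a in args}
    disabled = {a for d, args in entries if d == "disable" for a in args}
    directives = {d for d, _ in entries}
    default_restrict = [args for d, args in entries
                        if d == "restrict" and args[:1] == ["default"]]

    # Mode 7 is off by default; the advisories say to keep it that way,
    # and to gate it with a requestkey if it really must be on.
    if "mode7" in enabled:
        findings.append("mode 7 enabled; leave it disabled unless required")
        if "requestkey" not in directives:
            findings.append("mode 7 enabled without requestkey")

    # Remote configuration without authentication is the precondition
    # shared by Sec 2916, 2917, 2918 and 2921.
    if "auth" in disabled:
        findings.append("authentication disabled ('disable auth')")

    # restrict noquery limits who may send mode 6 / mode 7 queries at all.
    if not default_restrict:
        findings.append("no 'restrict default' line; queries unrestricted")
    elif not all("noquery" in args for args in default_restrict):
        findings.append("'restrict default' lacks noquery")

    return sorted(findings)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

The check is deliberately narrow: it does not try to evaluate per-host restrict lines or key file permissions, only the four settings the advisories call out, so a clean result means "none of the listed mistakes", not "ntpd is fully hardened".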

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
      ntpd requires:
        an explicitly configured "trusted" key. Only configure
          this if you need it.
        access from a permitted IP address. You choose the IPs.
        authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksander Nikolich of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
        and mode 7 requests.
      Configure and use the controlkey and requestkey
        authentication directives to limit who can
        send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations. This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
        block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory).
  A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'.
  J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
  be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
* [Bug 2888] streamline calendar functions. perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting.
  Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity's assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity's assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
* Code cleanup. Harlan Stenn.
* libntp/icom.c: Typo fix. Harlan Stenn.
* util/ntptime.c: initialization nit. Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
  Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
  Flendrich
* Typo fix for GCC warning suppression. Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
* Added declarations to all Unity tests, and did minor fixes to them.
  Reduced the number of warnings by half. Damir Tomić.
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
  with the latest Unity updates from Mark. Damir Tomić.
* Retire google test - phase I. Harlan Stenn.
* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
* Update the NEWS file. Harlan Stenn.
* Autoconf cleanup. Harlan Stenn.
* Unit test dist cleanup. Harlan Stenn.
* Cleanup various test Makefile.am files. Harlan Stenn.
* Pthread autoconf macro cleanup. Harlan Stenn.
* Fix progname definition in unity runner scripts. Harlan Stenn.
* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
* Update the patch for bug 2817. Harlan Stenn.
* More updates for bug 2817. Harlan Stenn.
* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
* gcc on older HPUX may need +allowdups. Harlan Stenn.
* Adding missing MCAST protection. Harlan Stenn.
* Disable certain test programs on certain platforms. Harlan Stenn.
* Implement --enable-problem-tests (on by default). Harlan Stenn.
* build system tweaks. Harlan Stenn.

---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 robustness decoding. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix.
  Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.
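The 4.2.8p3 new-features note above says a leap-smearing server marks its replies with a refid of 254.a.b.c whose 24 bits carry the smear as a 2:22 integer:fraction value. Because the release also warns against serving smeared time publicly, an operator wants to be able to recognise such a refid in monitoring output. The block below is an added example, not ntpd's refid code: it encodes a smear offset into that dotted-quad form, decodes it back, and scans constructed `ntpq -pn`-style rows for peers whose refid marks smeared time. One assumption beyond the note: the 24-bit field is treated as two's-complement so that negative offsets round-trip as well.

```python
"""Encode, decode and detect the leap-smear REFID (254.a.b.c, 2:22 fixed
point) described in the 4.2.8p3 release notes. Added example; not ntpd
code. Assumption: the 24-bit field is two's-complement."""

SMEAR_PREFIX = 254
FRAC_BITS = 22
FIELD_BITS = 24
FIELD_MASK = (1 << FIELD_BITS) - 1


def encode_smear_refid(smear_seconds):
    """Return the dotted-quad REFID for a smear offset given in seconds."""
    raw = round(smear_seconds * (1 << FRAC_BITS))
    lo, hi = -(1 << (FIELD_BITS - 1)), (1 << (FIELD_BITS - 1)) - 1
    if not lo <= raw <= hi:
        raise ValueError("smear does not fit a 2:22 field")
    raw &= FIELD_MASK  # two's-complement into 24 bits (assumption)
    return f"{SMEAR_PREFIX}.{raw >> 16}.{(raw >> 8) & 0xFF}.{raw & 0xFF}"


def decode_smear_refid(refid):
    """Return the smear in seconds, or None if refid is not a smear REFID
    (non-numeric refids such as .GPS. and ordinary addresses give None)."""
    parts = refid.split(".")
    try:
        octets = [int(p) for p in parts]
    except ValueError:
        return None
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        return None
    if octets[0] != SMEAR_PREFIX:
        return None
    raw = (octets[1] << 16) | (octets[2] << 8) | octets[3]
    if raw & (1 << (FIELD_BITS - 1)):  # sign-extend from 24 bits
        raw -= 1 << FIELD_BITS
    return raw / (1 << FRAC_BITS)


# Constructed sample in the layout of 'ntpq -pn'; not real hosts.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      254.32.0.0       2 u   12   64  377    0.412   -0.301   0.052
+192.0.2.11      .GPS.            1 u   20   64  377    0.398    0.010   0.031
 192.0.2.12      203.0.113.5      3 u   40   64  377    1.200    0.120   0.090
"""


def smeared_peers(ntpq_text):
    """Return [(remote, smear_seconds)] for rows whose REFID is a smear REFID."""
    found = []
    for line in ntpq_text.splitlines()[2:]:  # skip header and ==== rule
        if not line.strip():
            continue
        body = line[1:] if line[0] in "*+-#xo. " else line  # drop tally code
        fields = body.split()
        if len(fields) < 2:
            continue
        smear = decode_smear_refid(fields[1])
        if smear is not None:
            found.append((fields[0], smear))
    return found


if __name__ == "__main__":
    print(encode_smear_refid(0.5), decode_smear_refid("254.240.0.0"))
    print(smeared_peers(SAMPLE_NTPQ))
```

A refid starting with 254 is the only hint a plain client gets that the upstream is smearing; alerting on it from monitoring output is a cheap way to catch a smearing server that was accidentally exposed to clients that expect true UTC.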

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
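The Sec 2779 summary above describes a check that rejects a bad MAC but accepts a missing one. The block below is an added illustration, not ntpd's authentication code: it builds NTP packets in the RFC 5905 layout (48-byte header, optionally followed by a 4-byte key ID and a 16-byte digest), computes the MAC the way ntpd's MD5 symmetric-key scheme does (MD5 over the key bytes followed by the header), and puts the "reject only an invalid MAC" decision next to the corrected "require a present and valid MAC" decision so the difference is visible on a bare packet, a correctly keyed one and a tampered one. The key table and header bytes are constructed samples.

```python
"""Symmetric-key MAC checking for NTP packets: the Sec 2779 defect was
treating 'no MAC' like 'valid MAC'. Added example; not ntpd code."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEYID_LEN = 4
MD5_DIGEST_LEN = 16

# Constructed key table (key ID -> secret); not real keys.
KEYS = {1: b"constructed-shared-secret"}

# Constructed header: LI=0, VN=4, mode=4 (server); remaining fields zero.
SAMPLE_HEADER = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)


def md5_mac(key, header):
    """MD5 over key || header, the digest ntpd's MD5 symmetric keys use."""
    return hashlib.md5(key + header).digest()


def build_packet(header, keyid=None, key=None):
    """Header alone, or header + key ID + MAC when a key is supplied."""
    if keyid is None:
        return header
    return header + struct.pack("!I", keyid) + md5_mac(key, header)


def check_mac(packet, keys):
    """Classify the authenticator on a packet: 'absent', 'valid' or 'invalid'."""
    if len(packet) < NTP_HEADER_LEN:
        return "invalid"
    trailer = packet[NTP_HEADER_LEN:]
    if not trailer:
        return "absent"
    if len(trailer) != KEYID_LEN + MD5_DIGEST_LEN:
        return "invalid"  # truncated or unsupported authenticator
    keyid = struct.unpack("!I", trailer[:KEYID_LEN])[0]
    key = keys.get(keyid)
    if key is None:
        return "invalid"  # unknown key ID
    expected = md5_mac(key, packet[:NTP_HEADER_LEN])
    if hmac.compare_digest(trailer[KEYID_LEN:], expected):
        return "valid"
    return "invalid"


def accept_vulnerable(packet, keys):
    """The behaviour the advisory describes: only a failing MAC is rejected,
    so a packet with no MAC at all slips through."""
    return check_mac(packet, keys) != "invalid"


def accept_fixed(packet, keys):
    """For a keyed association a MAC must be present *and* verify."""
    return check_mac(packet, keys) == "valid"


def demo():
    """Run both decisions over a bare, a keyed and a tampered packet."""
    bare = build_packet(SAMPLE_HEADER)
    good = build_packet(SAMPLE_HEADER, 1, KEYS[1])
    forged = good[:-1] + bytes([good[-1] ^ 0x01])  # flip one digest bit
    return {
        "bare": (accept_vulnerable(bare, KEYS), accept_fixed(bare, KEYS)),
        "good": (accept_vulnerable(good, KEYS), accept_fixed(good, KEYS)),
        "forged": (accept_vulnerable(forged, KEYS), accept_fixed(forged, KEYS)),
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:7s} vulnerable accepts={vuln}  fixed accepts={fixed}")
```

The "bare" row is the whole advisory: the old decision says yes to a packet that carries no authenticator, the corrected one says no, while both agree on the keyed and tampered packets.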

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
      is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
      Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

  wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces.
    Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1-based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

    restrict default ... noquery

in the ntp.conf file. With the exception of:

    receive(): missing return on error
    References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
    - Upgrade to 4.2.7p11 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
    - Upgrade to 4.2.7p230 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.
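The two mitigations that recur in these entries, the 'restrict default ... noquery' BCP from the NOTE WELL block and removing every 'crypto' (Autokey) directive, can be checked mechanically before a restart. The following is an added example written for these notes, not code from the NTP project: it parses a constructed ntp.conf and reports which of the two mitigations is missing. It assumes that a bare 'restrict default' (no -4/-6) covers both address families and treats 'ignore' as at least as strict as 'noquery'; the sample configurations and hostnames are constructed.

```python
"""Audit an ntp.conf for the 'restrict default ... noquery' BCP and for
Autokey ('crypto') directives.  Added example, not ntpd's own code."""


def parse_ntp_conf(text):
    """Yield (keyword, args) for every directive; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means both mitigations hold."""
    # assumption: bare 'restrict default' applies to IPv4 and IPv6 alike,
    # 'restrict -4 default' / 'restrict -6 default' to one family only
    default_restricted = {"-4": False, "-6": False}
    crypto_directives = []
    for keyword, args in parse_ntp_conf(text):
        if keyword == "restrict":
            families = ["-4", "-6"]
            rest = list(args)
            if rest and rest[0] in ("-4", "-6"):
                families = [rest.pop(0)]
            if rest and rest[0] == "default":
                flags = set(rest[1:])
                # 'ignore' drops everything, so it covers 'noquery' as well
                if "noquery" in flags or "ignore" in flags:
                    for fam in families:
                        default_restricted[fam] = True
        elif keyword == "crypto":
            crypto_directives.append(" ".join([keyword] + args))
    findings = []
    for fam in ("-4", "-6"):
        if not default_restricted[fam]:
            findings.append("no 'restrict default ... noquery' covering %s" % fam)
    for directive in crypto_directives:
        findings.append("Autokey enabled by: %s" % directive)
    return findings


# constructed sample: the weak shape the advisories warn about
WEAK_CONF = """
server time.example.net
crypto pw example-password
restrict 127.0.0.1
"""

# constructed sample: BCP applied, Autokey directive commented out
HARDENED_CONF = """
server time.example.net
restrict default noquery nomodify   # BCP from the NOTE WELL block
# crypto pw example-password         # disabled per the crypto_recv() advisory
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

Run it against a real ntp.conf by reading the file into `audit_ntp_conf`; any returned finding maps directly onto one of the mitigation bullets above.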

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later, or
    - Disable Autokey Authentication by removing, or commenting out,
      all configuration directives beginning with the crypto keyword
      in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later,
    - Remove or comment out all configuration directives
      beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.
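The "Internal NTP Era counters" change described under Important Changes below replaces the midpoint rule with a window anchored on the build timestamp: look back 10 years, look forward about 126 years. The following is an added example written for these notes, not ntpd's own code, showing that rule as arithmetic on the 32-bit seconds field. It assumes the 4.2.8 release date as a stand-in for the compiled-in "built-on" stamp, models "10 years" as 10 x 365 days, and lets the forward window be whatever remains of one 2^32-second era, which is the ~126 years the notes quote.

```python
"""Resolve a 32-bit NTP seconds value to an absolute time using a window
that looks back 10 years and forward ~126 years from the build stamp.
Added example for these notes, not code from ntpd."""
import calendar

NTP_UNIX_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
ERA_SECONDS = 2 ** 32                 # one NTP era: about 136 years
LOOK_BACK = 10 * 365 * 86400          # window opens 10 years before the build
LOOK_FORWARD = ERA_SECONDS - LOOK_BACK  # and runs ~126 years past it

# assumption: use the 4.2.8 release date in place of the compiled-in build stamp
BUILD_UNIX = calendar.timegm((2014, 12, 18, 0, 0, 0))


def ntp32(unix_seconds):
    """The 32-bit seconds field an NTP packet carries for this absolute time."""
    return (unix_seconds + NTP_UNIX_OFFSET) % ERA_SECONDS


def era_of(ts32, build_unix=BUILD_UNIX):
    """Era number (0 = 1900..2036) whose copy of ts32 lands in the window.

    The window is exactly one era wide, so precisely one era qualifies:
    the smallest one whose copy is not earlier than the window start.
    """
    window_start_ntp = build_unix - LOOK_BACK + NTP_UNIX_OFFSET
    numerator = window_start_ntp - ts32
    return -((-numerator) // ERA_SECONDS)     # ceiling division


def resolve(ts32, build_unix=BUILD_UNIX):
    """Absolute Unix time for a 32-bit NTP seconds value."""
    return era_of(ts32, build_unix) * ERA_SECONDS + ts32 - NTP_UNIX_OFFSET


if __name__ == "__main__":
    year = 365 * 86400
    for label, when in (("2 weeks after build", BUILD_UNIX + 14 * 86400),
                        ("9 years before build", BUILD_UNIX - 9 * year),
                        ("11 years before build", BUILD_UNIX - 11 * year),
                        ("1 Jan 2040", 2208988800),
                        ("130 years after build", BUILD_UNIX + 130 * year)):
        ts = ntp32(when)
        print("%-22s ts32=%10d era=%d -> unix %d (shift %+d s)"
              % (label, ts, era_of(ts), resolve(ts), resolve(ts) - when))
```

The last two cases show the edges: 1 Jan 2040 lies in era 1 and is resolved correctly because it is inside the 126-year forward window, while a timestamp 11 years before the build is pushed one era (2^32 seconds) forward, and one 130 years ahead is pulled one era back, which is exactly the trade-off the notes describe.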

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

  * Updated "nic" and "interface" IPv6 address handling to prevent
    mismatches with localhost [::1] and wildcard [::] which resulted from
    using the address/prefix format (e.g.
    fe80::/64)
  * Fix orphan mode stratum incorrectly counting to infinity
  * Orphan parent selection metric updated to include missing ntohl()
  * Non-printable stratum 16 refid no longer sent to ntp
  * Duplicate ephemeral associations suppressed for broadcastclient and
    multicastclient without broadcastdelay
  * Exclude undetermined sys_refid from use in loopback TEST12
  * Exclude MODE_SERVER responses from KoD rate limiting
  * Include root delay in clock_update() sys_rootdisp calculations
  * get_systime() updated to exclude sys_residual offset (which only
    affected bits "below" sys_tick, the precision threshold)
  * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

  * -n option extended to include the billboard "server" column
  * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6.

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default.
The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files.
Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.
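Three entries above turn on the same two packet-level facts: the mode field in the first byte separates routine time exchange (modes 1 through 5) from ntpq (mode 6) and ntpdc (mode 7) traffic, which is what "restrict ... noquery" gates (Sec 1331 in 4.2.4p8, and the ntpdc deprecation note in 4.2.8); and a loopback source address is only legitimate on the loopback interface, which is the firewall rule the ::1 entry in 4.2.8p1 recommends. The following is an added example written for these notes, not code from ntpd: it decodes byte 0 of an NTP packet, applies those two checks as a stand-in policy, and tallies mode 7 responses per source so the A/B echo loop described in Sec 1331 shows up as a runaway count. The packets, addresses and the policy function are constructed; the layout of byte 0 (LI/VN/mode for modes 1 to 6, response/more/VN/mode for mode 7) is the real wire format.

```python
"""Decode NTP byte 0 and apply the noquery and loopback-source checks.
Added example for these notes; the policy is a constructed stand-in for
ntpd's restrict table, not its real code."""
import ipaddress
from collections import Counter

MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast",
    6: "control (ntpq)", 7: "private (ntpdc)",
}

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


def parse_header_byte(packet):
    """Return (top_bits, version, mode) from byte 0 of an NTP packet.

    top_bits is the leap indicator for modes 1-6; for mode 7 the same
    two bits are the 'response' and 'more' flags instead.
    """
    if not packet:
        raise ValueError("empty packet")
    b = packet[0]
    return b >> 6, (b >> 3) & 0x7, b & 0x7


def is_mode7_response(packet):
    top, _, mode = parse_header_byte(packet)
    return mode == 7 and bool(top & 0b10)


def decide(packet, src, on_loopback_iface, query_allowed):
    """Return 'accept' or 'drop: <reason>' for one packet.

    src               -- source address as text
    on_loopback_iface -- True if it arrived on the loopback interface
    query_allowed     -- False when the matching restrict entry says
                         noquery or ignore (constructed stand-in)
    """
    addr = ipaddress.ip_address(src)
    # ::1 / 127.x arriving on a real NIC can only be spoofed: the firewall
    # rule from the 4.2.8p1 ::1 entry, applied here as a check
    if any(addr in net for net in LOOPBACK_NETS) and not on_loopback_iface:
        return "drop: loopback source on external interface"
    _, _, mode = parse_header_byte(packet)
    if mode == 0:
        return "drop: reserved mode"
    # 'restrict ... noquery' only gates the query-class modes 6 and 7;
    # time exchange (modes 1-5) is unaffected by it
    if mode in (6, 7) and not query_allowed:
        return "drop: %s packet from noquery source" % MODE_NAMES[mode]
    return "accept"


def mode7_response_counts(captured):
    """Count mode 7 responses per source over a capture of (src, packet).

    Two ntpd hosts answering each other's error responses (Sec 1331)
    produce steadily climbing counts for both addresses.
    """
    counts = Counter()
    for src, pkt in captured:
        if is_mode7_response(pkt):
            counts[src] += 1
    return counts


# constructed samples: only byte 0 matters here, the rest is zero padding
CLIENT_V4 = bytes([0x23]) + bytes(47)    # LI=0, VN=4, mode 3 (48-byte time packet)
CONTROL_V2 = bytes([0x16]) + bytes(11)   # LI=0, VN=2, mode 6 (ntpq)
PRIVATE_REQ = bytes([0x17]) + bytes(7)   # VN=2, mode 7 request (ntpdc)
PRIVATE_RESP = bytes([0x97]) + bytes(7)  # response flag set, VN=2, mode 7

# constructed capture: one normal client, two hosts trading mode 7 responses
CAPTURE = ([("192.0.2.10", CLIENT_V4)]
           + [("198.51.100.7", PRIVATE_RESP)] * 5
           + [("198.51.100.8", PRIVATE_RESP)] * 5)

if __name__ == "__main__":
    for name, pkt in (("client", CLIENT_V4), ("ntpq", CONTROL_V2),
                      ("ntpdc req", PRIVATE_REQ), ("ntpdc resp", PRIVATE_RESP)):
        print(name, parse_header_byte(pkt), decide(pkt, "192.0.2.10", False, False))
    print(decide(CONTROL_V2, "::1", False, True))
    print(dict(mode7_response_counts(CAPTURE)))
```

Feeding `decide` the payloads from a socket or a capture reproduces the two mitigations as filters; `mode7_response_counts` is the kind of aggregate a log or flow monitor would alert on.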