---
NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)

Focus: Bug fixes

Severity: HIGH (for people running 4.2.8p16)

This release:

- fixes 3 bugs, including a regression
- adds new unit tests

Details below:

* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
  event_sync. Reported by Edward McGuire. <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
  <hart@ntp.org> Miroslav Lichvar identified the regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
  4.2.8p15 or earlier. Reported by Matt Nordhoff, thanks to
  Miroslav Lichvar and Matt for rapid testing and identifying the
  problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading the keys file or in
  symmetric authentication digest output.

---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity)
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0

Details below:

* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
  hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
  - solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
  <stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
  <hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
  OpenSSL 3.
  Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
  disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
  <hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
  Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
  - openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
  Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
  - command line options override config statements where applicable
  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
  - misleading title; essentially a request to ignore the receiver status.
    Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling for key lengths <perlinger@ntp.org>
  - original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
  - implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
  - original patch by matt <ntpbr@mattcorallo.com>
  - increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
  - patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
  - ntp{q,dc} now use the same password processing as ntpd does in the key
    file, so having a binary secret >= 11 bytes is possible for all keys.
    (This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
  - applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
  - idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
  - backport from -dev, plus some more work on warnings for unchecked results
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
  Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
  Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded.
  <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32. <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs. <stenn@ntp.org>
* Rename a poorly-named variable. <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac. <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH. <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am. <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0

---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)

Focus: Security, Bug fixes

Severity: MEDIUM

This release fixes one vulnerability: Associations that use CMAC
authentication between ntpd from versions 4.2.8p11/4.3.97 and
4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
Eventually, ntpd will run out of memory and abort.

It also fixes 13 other bugs.

* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
  - Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
  - rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
  - integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
  ntp_config.h <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
  - thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
  - applied patch by Takao Abe

---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that causes an ntpd
instance that is explicitly configured to override the default and allow
ntpdc (mode 7) connections to read some uninitialized memory; the case
where an unmonitored ntpd using an unauthenticated association to its
servers may be susceptible to a forged-packet DoS attack; and an attack
against a client instance that uses a single unauthenticated time source.
It also fixes 46 other bugs and addresses 4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig. stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.
  stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
  ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd silently discards NMEA messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings
  <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
  is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message. <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
  mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h. <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

---
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018 Aug 14)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
  [Bug 3521] Fix a logic bug in the INVALIDNAK checks.
    <stenn@ntp.org>
  [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
    other TrustedBSD platforms
    - applied patch by Ian Lepore <perlinger@ntp.org>
  [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
    - changed interaction with SCM to signal pending startup
  [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
    - rework of ntpq 'nextvar()' key/value parsing
  [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
  [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
    - add #define ENABLE_CMAC support in configure. HStenn.
  [Bug 3470] ntpd 4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
  [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
    - patch by Stephen Friedl
  [Bug 3467] Potential memory fault in ntpq [...]
    <perlinger@ntp.org>
    - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
  [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
  [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
    - initial patch by Hal Murray; also fixed refclock_report() trouble
  [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
  [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
    - According to Brooks Davis, there was only one location <perlinger@ntp.org>
  [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
    with modifications
    - New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
  [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
    - applied patch by Miroslav Lichvar
  [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
  [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
    - integrated patch by Reinhard Max
  [Bug 2821] minor build issues <perlinger@ntp.org>
    - applied patches by Christos Zoulas, including real bug fixes
  html/authopt.html: cleanup, from <stenn@ntp.org>
  ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
  Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>

---
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018 Feb 27)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
  association (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3454 / CVE-2018-7185 / VU#961909
  Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
    2.9 and 6.8.
  CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
    score between 2.6 and 3.1
  Summary:
    The NTP Protocol allows for both non-authenticated and
    authenticated associations, in client/server, symmetric (peer),
    and several broadcast modes. In addition to the basic NTP
    operational modes, symmetric mode and broadcast servers can
    support an interleaved mode of operation. In ntp-4.2.8p4 a bug
    was inadvertently introduced into the protocol engine that
    allows a non-authenticated zero-origin (reset) packet to reset
    an authenticated interleaved peer association. If an attacker
    can send a packet with a zero-origin timestamp and the source
    IP address of the "other side" of an interleaved association,
    the 'victim' ntpd will reset its association. The attacker must
    continue sending these packets in order to maintain the
    disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
    interleave mode could be entered dynamically. As of ntp-4.2.8p7,
    interleaved mode must be explicitly configured/enabled.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade to 4.2.8p11 or later and have
    'peer HOST xleave' lines in your ntp.conf file, remove the
    'xleave' option.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
  state (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3453 / CVE-2018-7184 / VU#961909
  Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Could score between 2.9 and 6.8.
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    Could score between 2.6 and 6.0.
  Summary:
    The fix for NtpBug2952 was incomplete, and while it fixed one
    problem it created another. Specifically, it drops bad packets
    before updating the "received" timestamp. This means a
    third-party can inject a packet with a zero-origin timestamp,
    meaning the sender wants to reset the association, and the
    transmit timestamp in this bogus packet will be saved as the
    most recent "received" timestamp. The real remote peer does
    not know this value and this will disrupt the association until
    the association resets.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use authentication with 'peer' mode.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
  peering (LOW)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3415 / CVE-2018-7170 / VU#961909
              Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up to
    use a trustedkey and if one is not using the feature introduced in
    ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
    specify which IPs can serve time, a malicious authenticated peer
    -- i.e. one where the attacker knows the private symmetric key --
    can create arbitrarily-many ephemeral associations in order to win
    the clock selection of ntpd and modify a victim's clock. Three
    additional protections are offered in ntp-4.2.8p11. One is the
    new 'noepeer' directive, which disables symmetric passive
    ephemeral peering. Another is the new 'ippeerlimit' directive,
    which limits the number of peers that can be created from an IP.
    The third extends the functionality of the 4th field in the
    ntp.keys file to include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
    ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peers
    that can be created from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs and
    subnets that can be time servers.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was reported as Bug 3012 by Matthew Van Gundy of
    Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3414 / CVE-2018-7183 / VU#961909
  Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
  Summary:
    ntpq is a monitoring and control program for ntpd. decodearr()
    is an internal function of ntpq that is used to -- wait for it --
    decode an array in a response string when formatted data is being
    displayed. This is a problem in affected versions of ntpq if a
    maliciously-altered ntpd returns an array result that will trip this
    bug, or if a bad actor is able to read an ntpq request on its way to
    a remote ntpd server and forge and send a response before the remote
    ntpd sends its response. It's potentially possible that the
    malicious data could become injectable/executable code.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
  behavior and information leak (Info/Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3412 / CVE-2018-7182 / VU#961909
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
  CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    0.0 if C:N
  Summary:
    ctl_getitem() is used by ntpd to process incoming mode 6 packets.
    A malicious mode 6 packet can be sent to an ntpd instance, and
    if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
    cause ctl_getitem() to read past the end of its buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
  Also see Bug 3415, above.
  Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up
    to use a trustedkey and if one is not using the feature
    introduced in ntp-4.2.8p6 allowing an optional 4th field in the
    ntp.keys file to specify which IPs can serve time, a malicious
    authenticated peer -- i.e. one where the attacker knows the
    private symmetric key -- can create arbitrarily-many ephemeral
    associations in order to win the clock selection of ntpd and
    modify a victim's clock. Two additional protections are
    offered in ntp-4.2.8p11. One is the 'noepeer' directive, which
    disables symmetric passive ephemeral peering. The other extends
    the functionality of the 4th field in the ntp.keys file to
    include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
609 Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or 610 the NTP Public Services Project Download Page. 611 Use the 'noepeer' directive to prohibit symmetric passive 612 ephemeral associations. 613 Use the 'ippeerlimit' directive to limit the number of peer 614 associations from an IP. 615 Use the 4th argument in the ntp.keys file to limit the IPs 616 and subnets that can be time servers. 617 Properly monitor your ntpd instances. 618 Credit: 619 This weakness was discovered by Matthew Van Gundy of Cisco ASIG. 620 621* Bug fixes: 622 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org> 623 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org> 624 - applied patch by Sean Haugh 625 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org> 626 [Bug 3450] Dubious error messages from plausibility checks in get_systime() 627 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org> 628 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org> 629 - refactoring the MAC code, too 630 [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org 631 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org> 632 - applied patch by ggarvey 633 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org> 634 - applied patch by ggarvey (with minor mods) 635 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain 636 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org> 637 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org> 638 [Bug 3433] sntp crashes when run with -a. 
<stenn@ntp.org> 639 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" 640 - fixed several issues with hash algos in ntpd, sntp, ntpq, 641 ntpdc and the test suites <perlinger@ntp.org> 642 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org> 643 - initial patch by Daniel Pouzzner 644 [Bug 3423] QNX adjtime() implementation error checking is 645 wrong <perlinger@ntp.org> 646 [Bug 3417] ntpq ifstats packet counters can be negative 647 made IFSTATS counter quantities unsigned <perlinger@ntp.org> 648 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 649 - raised receive buffer size to 1200 <perlinger@ntp.org> 650 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static 651 analysis tool. <abe@ntp.org> 652 [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. 653 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org> 654 - fix/drop assumptions on OpenSSL libs directory layout 655 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation 656 - initial patch by timeflies@mail2tor.com <perlinger@ntp.org> 657 [Bug 3398] tests fail with core dump <perlinger@ntp.org> 658 - patch contributed by Alexander Bluhm 659 [Bug 3397] ctl_putstr() asserts that data fits in its buffer 660 rework of formatting & data transfer stuff in 'ntp_control.c' 661 avoids unecessary buffers and size limitations. <perlinger@ntp.org> 662 [Bug 3394] Leap second deletion does not work on ntpd clients 663 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org> 664 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size 665 - increased mimimum stack size to 32kB <perlinger@ntp.org> 666 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org> 667 - reverted handling of PPS kernel consumer to 4.2.6 behavior 668 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org> 669 [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. 
670 [Bug 3016] wrong error position reported for bad ":config pool" 671 - fixed location counter & ntpq output <perlinger@ntp.org> 672 [Bug 2900] libntp build order problem. HStenn. 673 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org> 674 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, 675 perlinger@ntp.org 676 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. 677 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org> 678 Use strlcpy() to copy strings, not memcpy(). HStenn. 679 Typos. HStenn. 680 test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. 681 refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. 682 Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org 683 Fix trivial warnings from 'make check'. perlinger@ntp.org 684 Fix bug in the override portion of the compiler hardening macro. HStenn. 685 record_raw_stats(): Log entire packet. Log writes. HStenn. 686 AES-128-CMAC support. BInglis, HStenn, JPerlinger. 687 sntp: tweak key file logging. HStenn. 688 sntp: pkt_output(): Improve debug output. HStenn. 689 update-leap: updates from Paul McMath. 690 When using pkg-config, report --modversion. HStenn. 691 Clean up libevent configure checks. HStenn. 692 sntp: show the IP of who sent us a crypto-NAK. HStenn. 693 Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. 694 authistrustedip() - use it in more places. HStenn, JPerlinger. 695 New sysstats: sys_lamport, sys_tsrounding. HStenn. 696 Update ntp.keys .../N documentation. HStenn. 697 Distribute testconf.yml. HStenn. 698 Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. 699 Rename the configuration flag fifo variables. HStenn. 700 Improve saveconfig output. HStenn. 701 Decode restrict flags on receive() debug output. HStenn. 702 Decode interface flags on receive() debug output. HStenn. 703 Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. 
704 Update the documentation in ntp.conf.def . HStenn. 705 restrictions() must return restrict flags and ippeerlimit. HStenn. 706 Update ntpq peer documentation to describe the 'p' type. HStenn. 707 Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. 708 Provide dump_restricts() for debugging. HStenn. 709 Use consistent 4th arg type for [gs]etsockopt. JPerlinger. 710 711* Other items: 712 713* update-leap needs the following perl modules: 714 Net::SSLeay 715 IO::Socket::SSL 716 717* New sysstats variables: sys_lamport, sys_tsrounding 718See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" 719sys_lamport counts the number of observed Lamport violations, while 720sys_tsrounding counts observed timestamp rounding events. 721 722* New ntp.conf items: 723 724- restrict ... noepeer 725- restrict ... ippeerlimit N 726 727The 'noepeer' directive will disallow all ephemeral/passive peer 728requests. 729 730The 'ippeerlimit' directive limits the number of time associations 731for each IP in the designated set of addresses. This limit does not 732apply to explicitly-configured associations. A value of -1, the current 733default, means an unlimited number of associations may connect from a 734single IP. 0 means "none", etc. Ordinarily the only way multiple 735associations would come from the same IP would be if the remote side 736was using a proxy. But a trusted machine might become compromised, 737in which case an attacker might spin up multiple authenticated sessions 738from different ports. This directive should be helpful in this case. 739 740* New ntp.keys feature: Each IP in the optional list of IPs in the 4th 741field may contain a /subnetbits specification, which identifies the 742scope of IPs that may use this key. This IP/subnet restriction can be 743used to limit the IPs that may use the key in most all situations where 744a key is used. 
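The ntp.keys 4th-field IP/subnet check and the ippeerlimit rule described above, modeled in C as an added example; this is not NTP's own authistrustedip() or restrict code. The comma-separated "IP[/subnetbits]" list syntax, the function names and the sample addresses are assumptions made for the example.

```c
/* Added example, not NTP's own authistrustedip(): models the ntp.keys
 * 4th-field "IP[/subnetbits]" list and the ippeerlimit rule described
 * above. Assumed: entries are comma-separated; a bare IP is an exact match. */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_ENTRIES 16

struct ipmask {
    int family;              /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* binary address; 4 or 16 bytes used */
    int bits;                /* prefix length */
};

/* Parse "addr" or "addr/N" into *out; 1 on success, 0 on anything odd. */
static int parse_ipmask(const char *text, struct ipmask *out)
{
    char buf[64], *slash, *end;
    size_t len = strlen(text);
    int maxbits;
    long b;
    if (len == 0 || len >= sizeof(buf))
        return 0;
    memcpy(buf, text, len + 1);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash++ = '\0';                 /* split "addr/N" into two strings */
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->family = AF_INET;  maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        out->family = AF_INET6; maxbits = 128;
    } else {
        return 0;
    }
    if (slash == NULL) {                 /* bare IP: exact host match */
        out->bits = maxbits;
        return 1;
    }
    b = strtol(slash, &end, 10);
    if (*slash == '\0' || *end != '\0' || b < 0 || b > maxbits)
        return 0;                        /* "/", "/x", or out-of-range N */
    out->bits = (int)b;
    return 1;
}

/* True if binary address addr of the given family lies within entry e. */
static int prefix_match(const struct ipmask *e, int family, const unsigned char *addr)
{
    int full = e->bits / 8, rem = e->bits % 8;  /* whole bytes, leftover bits */
    unsigned char m;
    if (e->family != family || memcmp(e->addr, addr, (size_t)full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    m = (unsigned char)(0xffu << (8 - rem)); /* mask for the partial byte */
    return (e->addr[full] & m) == (addr[full] & m);
}

/* May client_ip use a key whose 4th field is field4? Fails closed on junk. */
int key_allows_client(const char *field4, const char *client_ip)
{
    struct ipmask entries[MAX_ENTRIES];
    unsigned char caddr[16];
    int n = 0, cfam, i;
    const char *p;
    if (field4 == NULL || *field4 == '\0')
        return 1;   /* no 4th field: pre-4.2.8p6 behaviour, any IP may use it */
    for (p = field4; *p != '\0'; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char tok[64];
        if (len == 0 || len >= sizeof(tok) || n >= MAX_ENTRIES)
            return 0;                    /* empty, oversized or too many entries */
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (!parse_ipmask(tok, &entries[n++]))
            return 0;                    /* a malformed entry denies the key */
        p = comma ? comma + 1 : p + len;
    }
    if (inet_pton(AF_INET, client_ip, caddr) == 1)
        cfam = AF_INET;
    else if (inet_pton(AF_INET6, client_ip, caddr) == 1)
        cfam = AF_INET6;
    else
        return 0;                        /* unparsable client address */
    for (i = 0; i < n; i++)
        if (prefix_match(&entries[i], cfam, caddr))
            return 1;
    return 0;
}

/* ippeerlimit as stated above: -1 unlimited, 0 none, else at most N per IP.
 * Returns 1 if one more association from that IP may be accepted. */
int ippeerlimit_allows(int existing_from_ip, int limit)
{
    return limit < 0 || existing_from_ip < limit;
}
```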
--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3389 / CVE-2017-6464 / VU#325339
  Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server makes it possible for an
    authenticated remote user to crash ntpd via a malformed mode
    configuration directive.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3388 / CVE-2017-6462 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    There is a potential for a buffer overflow in the legacy Datum
    Programmable Time Server refclock driver. Here the packets are
    processed from the /dev/datum device and handled in
    datum_pts_receive(). Since an attacker would be required to
    somehow control a malicious /dev/datum device, this does not
    appear to be a practical attack and renders this issue "Low" in
    terms of severity.
  Mitigation:
    If you have a Datum reference clock installed and think somebody
    may maliciously change the device, upgrade to 4.2.8p10, or
    later, from the NTP Project Download Page or the NTP Public
    Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3387 / CVE-2017-6463 / VU#325339
  Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server allows an authenticated
    remote attacker to crash the daemon by sending an invalid setting
    via the :config directive. The unpeer option expects a number or
    an address as an argument. In case the value is "0", a
    segmentation fault occurs.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3386
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
  Summary:
    The NTP Mode 6 monitoring and control client, ntpq, uses the
    function ntpq_stripquotes() to remove quotes and escape characters
    from a given string. According to the documentation, the function
    is supposed to return the number of copied bytes but due to
    incorrect pointer usage this value is always zero. Although the
    return value of this function is never used in the code, this
    flaw could lead to a vulnerability in the future. Since relying
    on wrong return values when performing memory operations is a
    dangerous practice, it is recommended to return the correct value
    in accordance with the documentation pertinent to the code.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
  Date Resolved: 21 Mar 2017
  References: Sec 3385
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  Summary:
    NTP makes use of several wrappers around the standard heap memory
    allocation functions that are provided by libc. This is mainly
    done to introduce additional safety checks concentrated on
    several goals. First, they seek to ensure that memory is not
    accidentally freed, secondly they verify that a correct amount
    is always allocated and, thirdly, that allocation failures are
    correctly handled. There is an additional implementation for
    scenarios where memory for a specific amount of items of the
    same size needs to be allocated. The handling can be found in
    the oreallocarray() function for which a further number-of-elements
    parameter needs to be provided. Although no considerable threat
    was identified as tied to a lack of use of this function, it is
    recommended to correctly apply oreallocarray() as a preferred
    option across all of the locations where it is possible.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
  PPSAPI ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3384 / CVE-2017-6455 / VU#325339
  Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
    not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
    including ntp-4.3.94.
  CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    The Windows NT port has the added capability to preload DLLs
    defined in the inherited global local environment variable
    PPSAPI_DLLS. The code contained within those libraries is then
    called from the NTPD service, usually running with elevated
    privileges. Depending on how securely the machine is set up and
    configured, if ntpd is configured to use the PPSAPI under Windows
    this can easily lead to a code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3383 / CVE-2017-6452 / VU#325339
  Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
    to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcat(), blindly appending
    the string passed to the stack buffer in the addSourceToRegistry()
    function. The stack buffer is 70 bytes smaller than the buffer
    in the calling main() function. Together with the initially
    copied Registry path, the combination causes a stack buffer
    overflow and effectively overwrites the stack frame. The
    passed application path is actually limited to 256 bytes by the
    operating system, but this is not sufficient to assure that the
    affected stack buffer is consistently protected against
    overflowing at all times.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3382 / CVE-2017-6459 / VU#325339
  Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
    up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcpy() with an argument
    that specifically contains multiple null bytes. strcpy() only
    copies a single terminating null character into the target
    buffer instead of copying the required double null bytes in the
    addKeysToRegistry() function. As a consequence, a garbage
    registry entry can be created. The additional arsize parameter
    is erroneously set to contain two null bytes and the following
    call to RegSetValueEx() claims to be passing in a multi-string
    value, though this may not be true.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
  References: Sec 3381
  Summary:
    The report says: Statically included external projects
    potentially introduce several problems and the issue of having
    extensive amounts of code that is "dead" in the resulting binary
    must clearly be pointed out. The unnecessary unused code may or
    may not contain bugs and, quite possibly, might be leveraged for
    code-gadget-based branch-flow redirection exploits. Analogically,
    having source trees statically included as well means a failure
    in taking advantage of the free feature for periodical updates.
    This solution is offered by the system's Package Manager. The
    three libraries identified are libisc, libevent, and libopts.
  Resolution:
    For libisc, we already only use a portion of the original library.
    We've found and fixed bugs in the original implementation (and
    offered the patches to ISC), and plan to see what has changed
    since we last upgraded the code. libisc is generally not
    installed, and when it is, we usually only see the static libisc.a
    file installed. Until we know for sure that the bugs we've found
    and fixed are fixed upstream, we're better off with the copy we
    are using.

    Version 1 of libevent was the only production version available
    until recently, and we've been requiring version 2 for a long time.
    But if the build system has at least version 2 of libevent
    installed, we'll use the version that is installed on the system.
    Otherwise, we provide a copy of libevent that we know works.

    libopts is provided by GNU AutoGen, and that library and package
    undergoes frequent API version updates. The version of autogen
    used to generate the tables for the code must match the API
    version in libopts. AutoGen can be ... difficult to build and
    install, and very few developers really need it. So we have it
    on our build and development machines, and we provide the
    specific version of the libopts code in the distribution to make
    sure that the proper API version of libopts is available.

    As for the point about there being code in these libraries that
    NTP doesn't use, OK. But other packages use these libraries as
    well, and it is reasonable to assume that other people are paying
    attention to security and code quality issues for the overall
    libraries. It takes significant resources to analyze and
    customize these libraries to only include what we need, and to
    date we believe the cost of this effort does not justify the benefit.
  Credit:
    This issue was discovered by Cure53.

* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3380
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
  Summary:
    There is a fencepost error in a "recovery branch" of the code for
    the Oncore GPS receiver if the communication link to the ONCORE
    is weak / distorted and the decoding doesn't work.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3379 / CVE-2017-6458 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    ntpd makes use of different wrappers around ctl_putdata() to
    create name/value ntpq (mode 6) response strings. For example,
    ctl_putstr() is usually used to send string data (variable names
    or string data). The formatting code was missing a length check
    for variable names. If somebody explicitly created any unusually
    long variable names in ntpd (longer than 200-512 bytes, depending
    on the type of variable), then if any of these variables are
    added to the response list it would overflow a buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you don't want to upgrade, then don't setvar variable names
    longer than 200-512 bytes in your ntp.conf file.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3378 / CVE-2017-6451 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
  CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
  Summary:
    The legacy MX4200 refclock is only built if it is specifically
    enabled, and furthermore additional code changes are required to
    compile and use it. But it uses the libc functions snprintf()
    and vsnprintf() incorrectly, which can lead to an out-of-bounds
    memory write due to an improper handling of the return value of
    snprintf()/vsnprintf(). Since the return value is used as an
    iterator and it can be larger than the buffer's size, it is
    possible for the iterator to point somewhere outside of the
    allocated buffer space. This results in an out-of-bound memory
    write. This behavior can be leveraged to overwrite a saved
    instruction pointer on the stack and gain control over the
    execution flow. During testing it was not possible to identify
    any malicious usage for this vulnerability. Specifically, no
    way for an attacker to exploit this vulnerability was ultimately
    unveiled. However, it has the potential to be exploited, so the
    code should be fixed.
  Mitigation, if you have a Magnavox MX4200 refclock:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
  malicious ntpd (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3377 / CVE-2017-6460 / VU#325339
  Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A stack buffer overflow in ntpq can be triggered by a malicious
    ntpd server when ntpq requests the restriction list from the server.
    This is due to a missing length check in the reslist() function.
    It occurs whenever the function parses the server's response and
    encounters a flagstr variable of an excessive length. The string
    will be copied into a fixed-size buffer, leading to an overflow on
    the function's stack-frame. Note well that this problem requires
    a malicious server, and affects ntpq, not ntpd.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you can't upgrade your version of ntpq and you want to know
    the reslist of an instance of ntpd that you do not control, be
    aware that a malicious target ntpd can send back a response that
    intends to crash your ntpq process.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3376
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: N/A
  CVSS3: N/A
  Summary:
    The build process for NTP has not, by default, provided compile
    or link flags to offer "hardened" security options. Package
    maintainers have always been able to provide hardening security
    flags for their builds. As of ntp-4.2.8p10, the NTP build
    system has a way to provide OS-specific hardening flags. Please
    note that this is still not a really great solution because it
    is specific to NTP builds. It's inefficient to have every
    package supply, track and maintain this information for every
    target build. It would be much better if there was a common way
    for OSes to provide this information in a way that arbitrary
    packages could benefit from it.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was reported by Cure53.

* 0rigin DoS (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3361 / CVE-2016-9042 / VU#325339
  Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
  Summary:
    An exploitable denial of service vulnerability exists in the
    origin timestamp check functionality of ntpd 4.2.8p9. A specially
    crafted unauthenticated network packet can be used to reset the
    expected origin timestamp for target peers. Legitimate replies
    from targeted peers will fail the origin timestamp check (TEST2)
    causing the reply to be dropped and creating a denial of service
    condition. This vulnerability can only be exploited if the
    attacker can spoof all of the servers.
  Mitigation:
    Implement BCP-38.
    Configure enough servers/peers that an attacker cannot target
    all of your time sources.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco.

Other fixes:

* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
  - original patch by Majdi S. Abbas
* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
  - initial patch by Christos Zoulas
* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
  - move loader API from 'inline' to proper source
  - augment pathless dlls with absolute path to NTPD
  - use 'msyslog()' instead of 'printf()' for reporting trouble
* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
  - applied patch by Matthew Van Gundy
* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
  - applied some of the patches provided by Havard. Not all of them
    still match the current code base, and I did not touch libopt.
* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
  - applied patch by Reinhard Max. See bugzilla for limitations.
* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
  - fixed dependency inversion from [Bug 2837]
* [Bug 2896] Nothing happens if minsane < maxclock < minclock
  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger@ntp.org>
* Update copyright year.

--
(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
  - added missed changeset for automatic openssl lib detection
  - fixed some minor warning issues
* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
* configure.ac cleanup. stenn@ntp.org
* openssl configure cleanup. stenn@ntp.org

--
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
    allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3082 / CVE-2016-7434 / VU#633847
  Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    If ntpd is configured to allow mrulist query requests from a
    server that sends a crafted malicious packet, ntpd will crash
    on receipt of that crafted malicious mrulist query packet.
  Mitigation:
    Only allow mrulist query packets from trusted hosts.
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Magnus Stubman.
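Both the mode 6 trap advisory (Sec 3118) and the read_mru_list() advisory (Sec 3082) above come down to which control opcodes an untrusted host is allowed to send. The C code below is an added example, not NTP project code: it classifies raw UDP/123 payloads the way a packet filter or IDS rule would, reading the LI/VN/mode byte and, for mode 6, the opcode byte (R, E and M bits followed by a 5-bit opcode) and the 12-byte control-header minimum. The sample packets are constructed; the CTL_OP_* numbers are assumed from ntpd's ntp_control.h, so confirm them against the source tree of the version you run before turning this into a rule.

```c
/* Added example, not NTP project code: classify raw UDP/123 payloads by NTP
 * mode and, for mode 6, by control opcode, so a filter can admit only time
 * packets from untrusted sources. Packets are constructed; the CTL_OP_*
 * values are assumed from ntpd's ntp_control.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTP_HDR_LEN 48  /* fixed header of modes 1-5 */
#define CTL_HDR_LEN 12  /* mode 6 header: opcode, seq, status, assoc, offset, count */

/* assumed from ntp_control.h */
#define CTL_OP_SETTRAP   6
#define CTL_OP_READ_MRU  10
#define CTL_OP_UNSETTRAP 31

enum ntp_class {
    NTP_MALFORMED = 0, /* too short for its mode, or reserved mode */
    NTP_TIME,          /* modes 1-5: ordinary time exchange */
    NTP_CTL_READONLY,  /* mode 6, any other opcode (readstat, readvar, ...) */
    NTP_CTL_TRAP,      /* mode 6 SETTRAP / UNSETTRAP (Sec 3118) */
    NTP_CTL_MRU,       /* mode 6 READ_MRU (Sec 3082) */
    NTP_PRIVATE        /* mode 7 (ntpdc); should never cross a trust boundary */
};

struct ntp_info {
    unsigned li, vn, mode;
    unsigned opcode;      /* mode 6 only: low 5 bits of byte 1 */
    unsigned is_response; /* mode 6 only: R bit of byte 1 */
    enum ntp_class cls;
};

struct ntp_info classify_ntp(const uint8_t *buf, size_t len)
{
    struct ntp_info info = {0, 0, 0, 0, 0, NTP_MALFORMED};
    if (len < 1)
        return info;
    info.li   = buf[0] >> 6;
    info.vn   = (buf[0] >> 3) & 7;
    info.mode = buf[0] & 7;

    switch (info.mode) {
    case 1: case 2: case 3: case 4: case 5:
        info.cls = (len >= NTP_HDR_LEN) ? NTP_TIME : NTP_MALFORMED;
        break;
    case 6:
        if (len < CTL_HDR_LEN)
            break;                 /* truncated control header: drop */
        info.is_response = (buf[1] >> 7) & 1;
        info.opcode = buf[1] & 0x1f;
        if (info.opcode == CTL_OP_SETTRAP || info.opcode == CTL_OP_UNSETTRAP)
            info.cls = NTP_CTL_TRAP;
        else if (info.opcode == CTL_OP_READ_MRU)
            info.cls = NTP_CTL_MRU;
        else
            info.cls = NTP_CTL_READONLY;
        break;
    case 7:
        info.cls = NTP_PRIVATE;
        break;
    default:
        break;
    }
    return info;
}

/* Policy for an untrusted network: only time packets pass. This is the
 * packet-level counterpart of "restrict default noquery". */
int allow_from_untrusted(const uint8_t *buf, size_t len)
{
    return classify_ntp(buf, len).cls == NTP_TIME;
}

/* Constructed packets. Byte 0: LI=0, VN=4, mode in the low 3 bits. */
static const uint8_t CLIENT_REQ[NTP_HDR_LEN]  = { 0x23 };        /* mode 3 */
static const uint8_t CTL_READVAR[CTL_HDR_LEN] = { 0x26, 0x02 };  /* mode 6, opcode 2 */
static const uint8_t CTL_SETTRAP[CTL_HDR_LEN] = { 0x26, 0x06 };  /* mode 6, opcode 6 */
static const uint8_t CTL_MRU[CTL_HDR_LEN]     = { 0x26, 0x0a };  /* mode 6, opcode 10 */
static const uint8_t CTL_SHORT[4]             = { 0x26, 0x06 };  /* truncated control header */
static const uint8_t PRIVATE_REQ[NTP_HDR_LEN] = { 0x27 };        /* mode 7 */

int main(void)
{
    const struct { const char *name; const uint8_t *p; size_t n; } pkts[] = {
        { "client request", CLIENT_REQ,  sizeof CLIENT_REQ },
        { "ctl readvar",    CTL_READVAR, sizeof CTL_READVAR },
        { "ctl settrap",    CTL_SETTRAP, sizeof CTL_SETTRAP },
        { "ctl read_mru",   CTL_MRU,     sizeof CTL_MRU },
        { "ctl truncated",  CTL_SHORT,   sizeof CTL_SHORT },
        { "mode 7",         PRIVATE_REQ, sizeof PRIVATE_REQ },
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        struct ntp_info in = classify_ntp(pkts[i].p, pkts[i].n);
        printf("%-15s mode=%u opcode=%2u class=%d allow=%d\n", pkts[i].name,
               in.mode, in.opcode, (int)in.cls, allow_from_untrusted(pkts[i].p, pkts[i].n));
    }
    return 0;
}
```

The trap and MRU classes are split out so a monitoring rule can alert on them specifically: a SETTRAP or UNSETTRAP request from outside the management network is the Sec 3118 attack in progress, and a READ_MRU request from a host that is not a trusted monitor is the precondition for Sec 3082.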

* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use the interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check source address in
    received packets (e.g. rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with spoofed source address which will cause ntpd to select wrong
    interface for the source and prevent it from sending new requests
    until the list of interfaces is refreshed, which happens on
    routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are going to configure your OS to disable source address
    checks, also configure your firewall configuration to control
    what interfaces can receive packets from what networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources. An
    attacker who knows the sources (e.g., from an IPv4 refid in
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
    are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed printf()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past, it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.
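The authdecrypt-timing advisory above is about the comparison, not the digest: memcmp() and bcmp() are allowed to return as soon as one byte differs, so the time a wrong MAC takes to be rejected grows with the length of its correct prefix. The C code below is an added example, not NTP project code: it shows that leaky pattern next to a constant-time comparison, and includes a small model function that counts how many bytes an early-exit compare looks at, which is exactly the quantity a timing attacker tries to learn. The digest values are constructed and stand in for a 20-byte SHA-1 packet MAC.

```c
/* Added example, not NTP project code: leaky versus constant-time MAC
 * comparison, the pattern behind Sec 2879 (CVE-2016-1550). Digests are
 * constructed 20-byte values standing in for a SHA-1 packet MAC. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20

/* Vulnerable pattern: memcmp() may stop at the first differing byte, so
 * its running time reveals the length of the matching prefix. Kept here
 * only to show the pattern the advisory describes. */
int mac_equal_leaky(const uint8_t *computed, const uint8_t *received)
{
    return memcmp(computed, received, MAC_LEN) == 0;
}

/* Hardened: every byte is visited, differences are OR-ed into one
 * accumulator, and the only data-dependent decision is the final verdict,
 * which the caller reveals anyway by accepting or rejecting the packet. */
int mac_equal_ct(const uint8_t *computed, const uint8_t *received)
{
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < MAC_LEN; i++)
        acc |= (uint8_t)(computed[i] ^ received[i]);
    return acc == 0;
}

/* Model of what an early-exit compare leaks: the number of bytes examined
 * before it can stop (MAC_LEN when the digests match). */
size_t leaky_bytes_examined(const uint8_t *computed, const uint8_t *received)
{
    size_t i = 0;
    while (i < MAC_LEN && computed[i] == received[i])
        i++;
    return i < MAC_LEN ? i + 1 : MAC_LEN;
}

/* Constructed "correct" digest for the packet under test. */
static const uint8_t GOOD_MAC[MAC_LEN] = {
    0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04, 0xe9, 0x80,
    0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e, 0x13, 0x37, 0xbe, 0xef };

/* Returns a forgery that matches GOOD_MAC for the first `prefix` bytes and
 * is wrong from there on: the guess an attacker submits after learning
 * `prefix` bytes. prefix == MAC_LEN yields the genuine digest. */
const uint8_t *forgery(size_t prefix)
{
    static uint8_t buf[MAC_LEN];
    for (size_t i = 0; i < MAC_LEN; i++)
        buf[i] = (i < prefix) ? GOOD_MAC[i] : (uint8_t)(GOOD_MAC[i] ^ 0xff);
    return buf;
}

int main(void)
{
    for (size_t prefix = 0; prefix <= MAC_LEN; prefix += 5) {
        const uint8_t *guess = forgery(prefix);
        printf("prefix %2zu: leaky examines %2zu bytes, ct examines %2d, "
               "equal=%d\n", prefix, leaky_bytes_examined(GOOD_MAC, guess),
               MAC_LEN, mac_equal_ct(GOOD_MAC, guess));
    }
    return 0;
}
```

The volatile accumulator keeps the compiler from turning the loop back into an early-exit compare; on real targets, confirm with the generated assembly, since the C standard makes no timing promises.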

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade, use "server" associations instead of
    "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.
1779 1780* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd 1781 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1782 References: Sec 3011 / CVE-2016-2516 / VU#718152 1783 Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 1784 4.3.0 up to, but not including 4.3.92 1785 CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C) 1786 CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1787 Summary: If ntpd was expressly configured to allow for remote 1788 configuration, a malicious user who knows the controlkey for 1789 ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) 1790 can create a session with ntpd and if an existing association is 1791 unconfigured using the same IP twice on the unconfig directive 1792 line, ntpd will abort. 1793 Mitigation: 1794 Implement BCP-38. 1795 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1796 or the NTP Public Services Project Download Page 1797 Properly monitor your ntpd instances 1798 Credit: This weakness was discovered by Yihan Lian of the Cloud 1799 Security Team, Qihoo 360. 1800 1801* Refclock impersonation vulnerability 1802 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1803 References: Sec 3020 / CVE-2016-1551 1804 Affects: On a very limited number of OSes, all NTP releases up to but 1805 not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92. 1806 By "very limited number of OSes" we mean no general-purpose OSes 1807 have yet been identified that have this vulnerability. 1808 CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N) 1809 CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 1810 Summary: While most OSes implement martian packet filtering in their 1811 network stack, at least regarding 127.0.0.0/8, some will allow 1812 packets claiming to be from 127.0.0.0/8 that arrive over a 1813 physical network. 
On these OSes, if ntpd is configured to use a 1814 reference clock an attacker can inject packets over the network 1815 that look like they are coming from that reference clock. 1816 Mitigation: 1817 Implement martian packet filtering and BCP-38. 1818 Configure ntpd to use an adequate number of time sources. 1819 Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 1820 or the NTP Public Services Project Download Page 1821 If you are unable to upgrade and if you are running an OS that 1822 has this vulnerability, implement martian packet filters and 1823 lobby your OS vendor to fix this problem, or run your 1824 refclocks on computers that use OSes that are not vulnerable 1825 to these attacks and have your vulnerable machines get their 1826 time from protected resources. 1827 Properly monitor your ntpd instances. 1828 Credit: This weakness was discovered by Matt Street and others of 1829 Cisco ASIG. 1830 1831The following issues were fixed in earlier releases and contain 1832improvements in 4.2.8p7: 1833 1834* Clients that receive a KoD should validate the origin timestamp field. 1835 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 1836 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1837 Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77. 1838 1839* Skeleton key: passive server with trusted key can serve time. 1840 References: Sec 2936 / CVE-2015-7974 1841 Affects: All ntp-4 releases up to, but not including 4.2.8p7, 1842 Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90. 1843 1844Two other vulnerabilities have been reported, and the mitigations 1845for these are as follows: 1846 1847* Interleave-pivot 1848 Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 1849 References: Sec 2978 / CVE-2016-1548 1850 Affects: All ntp-4 releases. 
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page. These
      versions will not dynamically "flip" into interleave mode
      unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
    the feature introduced in ntp-4.2.8p6 allowing an optional 4th
    field in the ntp.keys file to specify which IPs can serve time,
    a malicious authenticated peer can create arbitrarily many
    ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
      can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvidron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
    when the time of the server changed.
    perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document the ntp.keys optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

    --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode.
Dynamic interleave mode is disabled by default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
    * Own a malicious NTP server that the client trusts
    * Prevent a legitimate NTP server from sending packets to
      the 'ntpq' client
    * MITM the 'ntpq' communications between the 'ntpq' client
      and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:H)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8 - MEDIUM
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc.)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
      deeper problems to investigate. In this case also consider
      having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
      the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
        never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
        careful about what IPs have the ability to send 'modify'
        requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq make sure there are
        some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key authentication uses a shared trusted key.
    The reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server vs. client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
      upgrade to 4.2.8p6, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page, and
      use the new field in the ntp.keys file that specifies the list
      of IPs that are allowed to serve time. Note that this alone
      will not protect against time packets with forged source IP
      addresses; however, other changes in ntp-4.2.8p6 provide
      significant mitigation against broadcast attacks. MITM attacks
      are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
        servers.
      If you choose to use symmetric keys to authenticate time
        packets in a hostile environment where ephemeral time
        servers can be created, or if it is expected that malicious
        time servers will participate in an NTP broadcast domain,
        limit the number of systems that participate in the
        shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.
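
The configuration the mitigations above keep pointing at (multiple sources,
'restrict default ... nomodify noquery', no requestkey, and the 4.2.8p6
ntp.keys 4th field from the Skeleton Key and Sybil entries), gathered in
one place. This is an added example, not a file shipped with the NTP
distribution: the server addresses, management host and key material are
placeholders, and the comma-separated IP list in ntp.keys follows the
ntp.keys(5) description of the optional 4th field; check the manual page
of the version you run before relying on the exact syntax.

```conf
# ---- /etc/ntp.conf -------------------------------------------------------
# Placeholder addresses (RFC 5737 documentation ranges) and key numbers.

# Several independent, authenticated sources: no single forged or
# malicious source can then win the clock selection on its own.
server 192.0.2.10    key 10 iburst
server 192.0.2.11    key 10 iburst
server 198.51.100.20 key 10 iburst
server 203.0.113.30  key 10 iburst

# Default for everyone else: answer time requests and nothing more.
#   noquery  - no mode 6 (ntpq) or mode 7 (ntpdc) status queries
#   nomodify - no remote configuration, which also covers saveconfig
#   nopeer   - no unsolicited symmetric (peer) associations
#   notrap   - no mode 6 trap service
#   kod      - rate-limit abusive clients with Kiss-of-Death replies
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Loopback stays unrestricted so local ntpq/ntpdc administration works.
restrict 127.0.0.1
restrict ::1

# One management host may run status queries but still may not modify.
restrict 192.0.2.100 nomodify notrap nopeer

# Symmetric-key authentication. Only keys named in trustedkey are usable.
# No requestkey: mode 7 configuration stays disabled (the 4.2.8 default).
# No controlkey: mode 6 configuration is refused even from hosts whose
# restrict line lacks nomodify.
keys /etc/ntp.keys
trustedkey 10

# Only if ntpq ':config' from the management host is genuinely required:
# replace that host's restrict line and the trustedkey line with these,
# using a separate key that no time server holds.
#   restrict 192.0.2.100 notrap nopeer
#   trustedkey 10 20
#   controlkey 20

# ---- /etc/ntp.keys  (mode 0600, owned by the user ntpd runs as) ----------
# keyno  type  key (placeholder; generate real ones with 'ntp-keygen -M')
#        followed by the optional 4th field (4.2.8p6 and later): the
#        addresses allowed to serve time with this key, comma-separated,
#        each optionally with a /prefixlen. A packet from any other
#        source that carries key 10 is treated as unauthenticated, so a
#        keyholder elsewhere cannot serve time or mobilize ephemeral
#        associations with it.
10  SHA1  3d2c9e1fa07b4c65d8e9f0a1b2c3d4e5f6a7b8c9  192.0.2.10,192.0.2.11,198.51.100.20,203.0.113.30
20  SHA1  9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b  192.0.2.100
```

After loading it, 'ntpq -c associations' from the loopback should show the
four servers authenticated ('auth ok'), and the same command from any
address other than 127.0.0.1, ::1 or 192.0.2.100 should time out.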

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
  IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings.
  perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
  References: Sec 2956, CVE-2015-5300
  Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
    4.3.0 up to, but not including 4.3.78
  CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
  Summary: If ntpd is always started with the -g option, which is
    common and against long-standing recommendation, and if at the
    moment ntpd is restarted an attacker can immediately respond to
    enough requests from enough sources trusted by the target, which
    is difficult and not common, there is a window of opportunity
    where the attacker can cause ntpd to set the time to an
    arbitrary value. Similarly, if an attacker is able to respond
    to enough requests from enough sources trusted by the target,
    the attacker can cause ntpd to abort and restart, at which
    point it can tell the target to set the time to an arbitrary
    value if and only if ntpd was re-started against long-standing
    recommendation with the -g flag; or, if ntpd was not given the
    -g flag, the attacker can move the target system's time by at
    most 900 seconds per attack.
  Mitigation:
    Configure ntpd to get time from multiple sources.
    Upgrade to 4.2.8p5, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    As we've long documented, only use the -g option to ntpd in
      cold-start situations.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg at Boston University.

  NOTE WELL: The -g flag disables the limit check on the panic_gate
  in ntpd, which is 900 seconds by default. The bug identified by
  the researchers at Boston University is that the panic_gate
  check was only re-enabled after the first change to the system
  clock that was greater than 128 milliseconds, by default. The
  correct behavior is that the panic_gate check should be
  re-enabled after any initial time correction.

  If an attacker is able to inject consistent but erroneous time
  responses to your systems via the network or "over the air",
  perhaps by spoofing radio, cellphone, or navigation satellite
  transmissions, they are in a great position to affect your
  system's clock. There comes a point where your very best
  defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
  lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
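
The NOTE WELL above for Sec 2956 describes a state-machine bug: with -g the
panic gate is open, and the vulnerable code only closed it again after a
correction larger than the 128 ms step threshold, so a small "probe"
correction left the gate open for the big one. The following is an added
Python model of that interaction, written for this page; it is not
ntp_loopfilter.c and deliberately ignores slewing rates, the huff-n-puff
filter and everything else ntpd does. The thresholds are the defaults the
advisory quotes (128 ms step, 900 s panic gate), the offset sequences are
constructed, and "panic" stands for ntpd logging and exiting.

```python
STEP_THRESHOLD = 0.128   # seconds; larger offsets are stepped, not slewed
PANIC_GATE = 900.0       # seconds; larger offsets make ntpd exit unless -g


class ClockDiscipline:
    """Simplified model (assumption: not ntpd's real loop filter) of how the
    -g option and the panic gate interact for successive offsets."""

    def __init__(self, started_with_g, fixed):
        self.allow_panic = started_with_g  # -g opens the gate at startup
        self.fixed = fixed                 # True = 4.2.8p5 behaviour
        self.clock_error = 0.0             # sum of corrections we accepted
        self.exited = False

    def local_clock(self, offset):
        """Apply one consensus offset; return 'slew', 'step', 'panic' or 'down'."""
        if self.exited:
            return "down"
        if abs(offset) > PANIC_GATE and not self.allow_panic:
            self.exited = True             # ntpd logs the offset and aborts
            return "panic"
        action = "step" if abs(offset) > STEP_THRESHOLD else "slew"
        self.clock_error += offset
        # Re-arm the gate. Vulnerable versions only did so after a step
        # (> 128 ms); the fix closes it after any initial correction, so
        # the one unbounded correction -g permits can be spent only once.
        if self.fixed or action == "step":
            self.allow_panic = False
        return action


def feed(started_with_g, fixed, offsets):
    """Run attacker-chosen offsets; return (actions, accumulated clock error)."""
    d = ClockDiscipline(started_with_g, fixed)
    return [d.local_clock(o) for o in offsets], d.clock_error


def demo():
    # Attacker first supplies a tiny, plausible offset, then a day-long one.
    probe_then_jump = [0.050, 86400.0]
    return {
        "vulnerable_with_g": feed(True, False, probe_then_jump),
        "fixed_with_g":      feed(True, True, probe_then_jump),
        "cold_start_with_g": feed(True, True, [86400.0]),
        "no_g_big_jump":     feed(False, True, [86400.0]),
        "no_g_within_gate":  feed(False, True, [800.0, 800.0]),
    }


if __name__ == "__main__":
    for name, (actions, err) in demo().items():
        print(f"{name:18s} {actions} clock error {err:.3f} s")
```

The two -g rows are the point: the vulnerable daemon slews the 50 ms probe
and then steps a full day, while the fixed one slews the probe, closes the
gate and refuses the jump. The last row shows the residual exposure the
advisory mentions: without -g each accepted step is still bounded only by
the 900 s gate, which is why multiple sources and monitoring remain the
real defence.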

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
    certain code paths where a packet with particular autokey operations
    that contained malicious data was not always being completely
    validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
    KoD messages that have been forged by an attacker, causing it to
    delay or stop querying its servers for time updates.
    Also, an attacker can forge packets that claim to be from the target
    and send them to servers often enough that a server that implements
    KoD rate limiting will send the target machine a KoD response to
    attempt to reduce the rate of incoming packets, or it may also
    trigger a firewall block at the server for packets from the target
    machine. For either of these attacks to succeed, the attacker must
    know what servers the target is communicating with. An attacker
    can be anywhere on the Internet and can frequently learn the
    identity of the target's time source by sending the target a
    time query.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you can't upgrade, restrict who can query ntpd to learn who
      its servers are, and what IPs are allowed to ask your system
      for the time. This mitigation is heavy-handed.
    Monitor your ntpd instances.
  Note:
    4.2.8p4 protects against the first attack. For the second attack,
    all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
    and if the (possibly spoofed) source IP address is allowed to
    send remote configuration requests, and if the attacker knows
    the remote configuration password, it's possible for an attacker
    to use the "pidfile" or "driftfile" directives to potentially
    overwrite other files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you cannot upgrade, don't enable remote configuration.
    If you must enable remote configuration and cannot upgrade,
      remote configuration of NTF's ntpd requires:
      - an explicitly configured trustedkey, and you should also
        configure a controlkey.
      - access from a permitted IP. You choose the IPs.
      - authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
    4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
    send packets to ntpd that will, after several days of ongoing
    attack, cause it to run out of memory.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
          mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
          to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
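
The origin-timestamp check that the KoD entry for Sec 2901 above and the
0rigin entry for Sec 2945 in the 4.2.8p6 section both turn on, as an added
Python model written for this page rather than ntpd's own code. It packs
real 48-byte NTP headers with struct and runs one client association
through constructed traffic: an off-path forged KoD, an off-path forged
time reply, a genuine request/reply, a replay of that reply, and a genuine
KoD. The association state and the KoD handling (RATE backs off the poll
exponent, DENY/RSTR demobilizes) are a simplification and an assumption of
this example, not a description of ntpd's exact logic; the pre-fix
behaviours are modelled from the two advisory summaries.

```python
import struct

# Standard 48-byte NTPv4 header (RFC 5905): LI/VN/Mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then four 64-bit
# timestamps: reference, origin, receive, transmit.
NTP_HEADER = "!BBBbII4sQQQQ"
MODE_CLIENT, MODE_SERVER = 3, 4
KOD_CODES = {b"RATE", b"DENY", b"RSTR"}   # kiss codes modelled here


def build_packet(mode, org, xmt, stratum=2, refid=b"GPS\x00"):
    """Pack a minimal NTP packet; only the fields the checks use matter."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0,
                       refid, 0, org, 0, xmt)


def parse_packet(data):
    f = struct.unpack(NTP_HEADER, data[:48])
    return {"mode": f[0] & 0x07, "stratum": f[1], "refid": f[6],
            "org": f[8], "xmt": f[10]}


class ClientAssociation:
    """Simplified model of one client/server association (assumption: not
    ntpd's state machine).  aorg holds the transmit timestamp of our last
    request, or 0 when no request is outstanding, which is what the origin
    check compares against.  hardened=False reproduces the two pre-fix
    behaviours; hardened=True applies the origin check to every packet,
    KoD included, and refuses org == 0 when nothing is outstanding."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.aorg = 0
        self.poll_exp = 6          # 2**6 = 64 s between requests
        self.demobilized = False
        self.accepted = []         # server transmit timestamps we acted on

    def send_request(self, now):
        self.aorg = now
        return build_packet(MODE_CLIENT, 0, now)

    def _origin_ok(self, pkt):
        if self.hardened:
            return self.aorg != 0 and pkt["org"] == self.aorg
        # Vulnerable: with nothing outstanding aorg is 0, so a forged
        # packet carrying org == 0 compares equal (CVE-2015-8138).
        return pkt["org"] == self.aorg

    def _apply_kod(self, refid):
        if refid == b"RATE":
            self.poll_exp = min(self.poll_exp + 1, 10)
        else:                      # DENY / RSTR: stop using this server
            self.demobilized = True

    def receive(self, data):
        pkt = parse_packet(data)
        if pkt["mode"] != MODE_SERVER:
            return "ignored"
        is_kod = pkt["stratum"] == 0 and pkt["refid"] in KOD_CODES
        if is_kod and not self.hardened:
            # Vulnerable: KoD honoured before any origin check, so an
            # off-path forgery can back off or demobilize the association
            # (CVE-2015-7704 / CVE-2015-7705).
            self._apply_kod(pkt["refid"])
            return "kod"
        if not self._origin_ok(pkt):
            return "bogus"
        self.aorg = 0              # answered; a replay can no longer match
        if is_kod:
            self._apply_kod(pkt["refid"])
            return "kod"
        self.accepted.append(pkt["xmt"])
        return "accepted"


def run_scenarios(hardened):
    """Constructed traffic against one association; returns what it did."""
    c = ClientAssociation(hardened)
    r = {}
    r["forged_kod"] = c.receive(build_packet(MODE_SERVER, 0, 0x1000,
                                             stratum=0, refid=b"RATE"))
    r["forged_time"] = c.receive(build_packet(MODE_SERVER, 0, 0x2000))
    t1 = parse_packet(c.send_request(0xDBA1_0000_0000_0000))["xmt"]
    reply = build_packet(MODE_SERVER, t1, 0x3000)
    r["genuine"] = c.receive(reply)
    r["replay"] = c.receive(reply)
    t2 = parse_packet(c.send_request(0xDBA1_0000_0000_0040))["xmt"]
    r["genuine_kod"] = c.receive(build_packet(MODE_SERVER, t2, 0x4000,
                                              stratum=0, refid=b"RATE"))
    r["poll_exp"] = c.poll_exp
    r["accepted"] = list(c.accepted)
    return r


if __name__ == "__main__":
    for name in ("vulnerable", "hardened"):
        print(name, run_scenarios(hardened=(name == "hardened")))
```

The vulnerable association honours the forged KoD (poll exponent goes up)
and accepts the forged reply whose origin field is zero; the hardened one
rejects both as bogus, still accepts the genuine reply, rejects its replay,
and still honours a KoD that carries the origin timestamp of a request it
actually sent. That last case is the reason the fix is an origin check
rather than "ignore KoD": legitimate rate limiting keeps working.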

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
      ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure this
      if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from permitted IP addresses. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious ntpd instance that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
    and ntpq crashes, try again using raw mode. Build or get a
    patched ntpq and see if that fixes the problem. Report new
    bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
    in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksander Nikolich of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
    that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
      the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksander Nikolich of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
      and mode 7 requests.
      Configure and use the controlkey and requestkey
      authentication directives to limit who can
      send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations. This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
      block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory).
  A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercising thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s', which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'.
  J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
  be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
* [Bug 2888] streamline calendar functions. perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting.
  Tomasz Flendrich
* sntp/tests/crypto.c now uses proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c now uses proper Unity assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c now uses proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c now uses proper Unity assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
* Code cleanup. Harlan Stenn.
* libntp/icom.c: Typo fix. Harlan Stenn.
* util/ntptime.c: initialization nit. Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
  Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
  Flendrich
* Typo fix for GCC warning suppression. Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
* Added declarations to all Unity tests, and did minor fixes to them.
  Reduced the number of warnings by half. Damir Tomić.
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
  with the latest Unity updates from Mark. Damir Tomić.
* Retire google test - phase I. Harlan Stenn.
* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
* Update the NEWS file. Harlan Stenn.
* Autoconf cleanup. Harlan Stenn.
* Unit test dist cleanup. Harlan Stenn.
* Cleanup various test Makefile.am files. Harlan Stenn.
* Pthread autoconf macro cleanup. Harlan Stenn.
* Fix progname definition in unity runner scripts. Harlan Stenn.
* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
* Update the patch for bug 2817. Harlan Stenn.
* More updates for bug 2817. Harlan Stenn.
* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
* gcc on older HPUX may need +allowdups. Harlan Stenn.
* Adding missing MCAST protection. Harlan Stenn.
* Disable certain test programs on certain platforms. Harlan Stenn.
* Implement --enable-problem-tests (on by default). Harlan Stenn.
* build system tweaks. Harlan Stenn.

---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

  *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
  *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html.
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building the 32-bit loopback ppsapi needs a def file.
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 robustness decoding. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix.
  Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.
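The leap-smear REFID described in this release's new features (254.a.b.c, with the 24 bits of a, b and c holding the smear as a 2:22 integer:fraction value) can be decoded by a monitoring script so that smeared servers are recognised. This is an added example, not the project's refidsmear code; treating the 24-bit field as two's-complement signed, so that a negative smear is representable, is an assumption of the example.

```python
"""Added example (not the NTP project's refidsmear code): encode and decode
the leap-smear REFID 254.a.b.c, whose 24 bits a.b.c hold the smear as a
2:22 integer:fraction fixed-point value.  Assumption made here: that field
is two's-complement signed, so smears in [-2, 2) seconds are representable.
"""
from typing import Optional

SMEAR_PREFIX = 254       # first octet marking a smear REFID
FIELD_BITS = 24          # a.b.c
FRAC_BITS = 22           # 2:22 -> 2 integer bits, 22 fraction bits
FIELD_MASK = (1 << FIELD_BITS) - 1


def encode_smear_refid(smear_seconds: float) -> str:
    """Return the dotted-quad REFID carrying smear_seconds in 2:22 format."""
    if not -2.0 <= smear_seconds < 2.0:
        raise ValueError("2:22 fixed point holds only -2 <= smear < 2 seconds")
    raw = round(smear_seconds * (1 << FRAC_BITS)) & FIELD_MASK  # two's complement
    a, b, c = raw >> 16, (raw >> 8) & 0xFF, raw & 0xFF
    return f"{SMEAR_PREFIX}.{a}.{b}.{c}"


def decode_smear_refid(refid: str) -> Optional[float]:
    """Return the smear in seconds, or None when refid is not a smear REFID
    (e.g. an ordinary IPv4 REFID or a stratum-1 tag such as 'GPS')."""
    parts = refid.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    first, a, b, c = (int(p) for p in parts)
    if first != SMEAR_PREFIX:
        return None
    raw = (a << 16) | (b << 8) | c
    if raw & (1 << (FIELD_BITS - 1)):       # sign bit of the 2-bit integer part
        raw -= 1 << FIELD_BITS
    return raw / (1 << FRAC_BITS)


def classify_refid(refid: str) -> str:
    """One-line description a monitoring script could log for a peer's REFID."""
    smear = decode_smear_refid(refid)
    if smear is None:
        return f"{refid}: not a leap-smear REFID"
    return f"{refid}: leap-smeared server, smear = {smear:+.6f} s"


if __name__ == "__main__":
    # Constructed values: half a second of positive smear, a quarter negative,
    # and two REFIDs that are not smear markers at all.
    for r in (encode_smear_refid(0.5), encode_smear_refid(-0.25),
              "203.0.113.17", "GPS"):
        print(classify_refid(r))
```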

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
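Two of the symmetric-key authentication gaps in this file come down to what a receiver concludes from the bytes after the 48-byte NTP header: Sec 2779 above (a present MAC was checked, an absent one was not) and the crypto-NAK bypass of Sec 2941 in 4.2.8p4. The following added example, which is not NTP project code, models both decisions side by side; it assumes the symmetric-key MAC is a 4-byte key ID plus a 16-byte MD5 digest over key || header, that a bare all-zero 4-byte trailer is a crypto-NAK, and uses a constructed key table and constructed packets.

```python
"""Added example (not code from the NTP project): classifying the
authentication trailer of an NTPv4 packet.  accept_vulnerable() models the
pre-fix logic described for Sec 2779 (a present MAC is verified, an absent
one is not) together with the crypto-NAK gap of Sec 2941; accept_hardened()
accepts only a verified MAC.

Assumptions of this example: a 48-byte header optionally followed by a
4-byte key ID and a 16-byte MD5 digest computed as MD5(key || header); a
4-byte all-zero trailer with no digest is a crypto-NAK.  The key table and
the packets are constructed here, not captured from a network.
"""
import hashlib
import hmac
import struct
from enum import Enum
from typing import Dict, Optional, Tuple

NTP_HEADER_LEN = 48
KEYID_LEN = 4
MD5_DIGEST_LEN = 16

# Constructed key table for the example: key ID -> shared secret.
KEYS: Dict[int, bytes] = {7: b"example-shared-secret"}


class Auth(Enum):
    NONE = "no MAC present"
    CRYPTO_NAK = "crypto-NAK: key ID 0, no digest"
    OK = "MAC verified"
    BAD = "MAC present but not verifiable"
    ERROR = "malformed packet or trailer"


def md5_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key NTP MAC: MD5 over the key bytes followed by the header."""
    return hashlib.md5(key + header).digest()


def build_packet(header: bytes, keyid: Optional[int]) -> bytes:
    """Append key ID and MAC to the header, or nothing when keyid is None."""
    if keyid is None:
        return header
    return header + struct.pack("!I", keyid) + md5_mac(KEYS[keyid], header)


def classify_mac(pkt: bytes) -> Auth:
    """Decide what the trailer after the 48-byte header actually proves."""
    if len(pkt) < NTP_HEADER_LEN:
        return Auth.ERROR
    header, trailer = pkt[:NTP_HEADER_LEN], pkt[NTP_HEADER_LEN:]
    if not trailer:
        return Auth.NONE
    if trailer == b"\x00" * KEYID_LEN:
        return Auth.CRYPTO_NAK
    if len(trailer) != KEYID_LEN + MD5_DIGEST_LEN:
        return Auth.ERROR
    keyid = struct.unpack("!I", trailer[:KEYID_LEN])[0]
    key = KEYS.get(keyid)
    if key is None:
        return Auth.BAD            # unknown key ID: nothing to verify against
    expected = md5_mac(key, header)
    # Constant-time compare so the digest check itself leaks nothing.
    return Auth.OK if hmac.compare_digest(expected, trailer[KEYID_LEN:]) else Auth.BAD


def accept_vulnerable(pkt: bytes) -> bool:
    """Pre-fix logic: a MAC is verified when present, but a packet with no
    MAC (Sec 2779) or a bare crypto-NAK (Sec 2941) is not treated as an
    authentication failure."""
    return classify_mac(pkt) in (Auth.OK, Auth.NONE, Auth.CRYPTO_NAK)


def accept_hardened(pkt: bytes) -> bool:
    """Once a key is configured for the association, only a verified MAC counts."""
    return classify_mac(pkt) is Auth.OK


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Return {case: (vulnerable accepts?, hardened accepts?)} for four packets."""
    # Constructed NTPv4 server response header: LI=0, VN=4, mode=4, rest zero.
    header = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)
    bad = bytearray(build_packet(header, 7))
    bad[-1] ^= 0xFF                        # corrupt the last digest byte
    cases = {
        "genuine, MAC with key 7": build_packet(header, 7),
        "forged, no MAC": build_packet(header, None),
        "forged, crypto-NAK": header + b"\x00" * KEYID_LEN,
        "forged, bad digest": bytes(bad),
    }
    return {name: (accept_vulnerable(p), accept_hardened(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:26s} pre-fix={vuln!s:5s} hardened={hard!s:5s}")
```

The "forged, no MAC" row is the Sec 2779 case: the pre-fix decision accepts it, the hardened one does not.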

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS Base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

  wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
    in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
    if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

    References: Sec 2671 / CVE-2014-9297 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
    Summary: The vallen packet value is not validated in several code
        paths in ntp_crypto.c which can lead to information leakage
        or perhaps a crash of the ntpd process.
    Mitigation - any of:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
        Disable Autokey Authentication by removing, or commenting out,
        all configuration directives beginning with the "crypto"
        keyword in your ntp.conf file.
    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team, with additional cases found by Sebastian
        Krahmer of the SUSE Security Team and Harlan Stenn of Network
        Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

    References: Sec 2672 / CVE-2014-9298 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1, under at least some
        versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
    Summary: While available kernels will prevent 127.0.0.1 addresses
        from "appearing" on non-localhost IPv4 interfaces, some kernels
        do not offer the same protection for ::1 source addresses on
        IPv6 interfaces.
        Since NTP's access control is based on source
        address and localhost addresses generally have no restrictions,
        an attacker can send malicious control and configuration packets
        by spoofing ::1 addresses from the outside. Note Well: This is
        not really a bug in NTP, it's a problem with some OSes. If you
        have one of these OSes where ::1 can be spoofed, ALL ::1-based
        ACL restrictions on any application can be bypassed!
    Mitigation:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
        Install firewall rules to block packets claiming to come from
        ::1 from inappropriate network interfaces.
    Credit: This vulnerability was discovered by Stephen Roettger of
        the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

    restrict default ... noquery

in the ntp.conf file. With the exception of:

    receive(): missing return on error
    References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

    References: [Sec 2665] / CVE-2014-9293 / VU#852879
    CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
    Vulnerable Versions: all releases prior to 4.2.7p11
    Date Resolved: 28 Jan 2010

    Summary: If no 'auth' key is set in the configuration file, ntpd
        would generate a random key on the fly. There were two
        problems with this: 1) the generated key was 31 bits in size,
        and 2) it used the (now weak) ntp_random() function, which was
        seeded with a 32-bit value and could only provide 32 bits of
        entropy. This was sufficient back in the late 1990s when the
        code was written. Not today.

    Mitigation - any of:
        - Upgrade to 4.2.7p11 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
        of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

    References: [Sec 2666] / CVE-2014-9294 / VU#852879
    CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
    Vulnerable Versions: All NTP4 releases before 4.2.7p230
    Date Resolved: Dev (4.2.7p230) 01 Nov 2011

    Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
        prepare a random number generator that was of good quality back
        in the late 1990s. The random numbers produced were then used to
        generate symmetric keys. In ntp-4.2.8 we use a current-technology
        cryptographic random number generator, either RAND_bytes from
        OpenSSL, or arc4random().

    Mitigation - any of:
        - Upgrade to 4.2.7p230 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was discovered in ntp-4.2.6 by
        Stephen Roettger of the Google Security Team.
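The two items above concern how symmetric keys are generated; the Sec 2781
entry in the 4.2.8p2 section above concerns how packets authenticated with
them are handled. The following is an added example written for this page,
not ntpd or ntp-keygen source: it generates ntp.keys lines from the OS
CSPRNG with a 0600 file mode, models the old 31-bit default key drawn from a
32-bit-seeded PRNG (the LCG is a stand-in, not ntp_random()), and drives a
toy symmetric association whose receive() either updates the org/rec state
variables regardless of authentication (pre-4.2.8p2 behaviour) or refuses to
touch them without a valid MAC (4.2.8p2). The packet layout, the timestamps
and the MAC construction are simplifications assumed for the demonstration.

```python
"""Added example: CSPRNG key generation and the Sec 2781 symmetric
association DoS in a simplified model (not ntpd code)."""
import hashlib
import os
import secrets
import struct


def weak_default_key(seed32: int) -> int:
    """Model of the pre-4.2.7p11 config_auth() default key: 31 key bits from
    a PRNG whose whole state is a 32-bit seed, so at most 2**32 distinct
    keys exist. The LCG is an assumed stand-in, not ntp_random()."""
    x = (1103515245 * (seed32 & 0xFFFFFFFF) + 12345) & 0xFFFFFFFF
    return x >> 1


def strong_key_line(keyno: int) -> str:
    """One ntp.keys line, '<keyno> SHA1 <40 hex digits>', with 20 bytes from
    the OS CSPRNG (the role RAND_bytes()/arc4random() play in 4.2.8)."""
    return f"{keyno} SHA1 {secrets.token_hex(20)}"


def write_keys_file(path: str, count: int = 10) -> list:
    """Write keys 1..count; the file is created with mode 0600 so it is
    never world-readable (Bug 2766). Returns the lines written."""
    lines = [strong_key_line(n) for n in range(1, count + 1)]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def mac(key: bytes, org: int, rec: int, xmt: int) -> bytes:
    """Symmetric-key MAC as digest(key || message) over the three
    timestamps; NTP's key identifier field is omitted from the model."""
    return hashlib.sha1(key + struct.pack("!QQQ", org, rec, xmt)).digest()


class Peer:
    """One end of a symmetric association holding the org/rec/xmt state
    variables of RFC 5905; fixed=True selects the 4.2.8p2 behaviour."""

    def __init__(self, key: bytes, fixed: bool):
        self.key, self.fixed = key, fixed
        self.org = self.rec = self.xmt = 0

    def poll(self, now: int) -> dict:
        """Build the packet for the next poll and remember its xmt."""
        self.xmt = now
        return {"org": self.org, "rec": self.rec, "xmt": now,
                "mac": mac(self.key, self.org, self.rec, now)}

    def receive(self, pkt: dict, now: int) -> bool:
        """True if the packet is authentic and passes the on-wire origin
        check (pkt.org must equal our last transmit timestamp)."""
        authentic = secrets.compare_digest(
            pkt["mac"], mac(self.key, pkt["org"], pkt["rec"], pkt["xmt"]))
        if self.fixed and not authentic:
            return False        # 4.2.8p2: no state change without a valid MAC
        bogus = pkt["org"] != self.xmt
        # Pre-4.2.8p2 (and RFC 5905 as written): org/rec are overwritten
        # even when the packet failed authentication or is bogus.
        self.org, self.rec = pkt["xmt"], now
        return authentic and not bogus


def run_exchange(fixed: bool, attack: bool = True) -> bool:
    """Two good polls between A and B, optionally one forged packet to A
    claiming to come from B, then A's next poll. Returns whether B still
    accepts that poll, i.e. whether the association survived."""
    key = bytes.fromhex(strong_key_line(1).split()[2])
    a, b = Peer(key, fixed), Peer(key, fixed)
    b.receive(a.poll(1000), 1001)          # A -> B, accepted
    a.receive(b.poll(1002), 1003)          # B -> A, accepted: a.org == b.xmt
    if attack:
        forged = {"org": 0, "rec": 0, "xmt": 0xDEAD, "mac": b"\0" * 20}
        a.receive(forged, 1004)            # unauthenticated, spoofed source
    return b.receive(a.poll(1005), 1006)   # does A's origin still match?


if __name__ == "__main__":
    print("vulnerable peer survives attack:", run_exchange(fixed=False))
    print("fixed peer survives attack:     ", run_exchange(fixed=True))
```

With fixed=False the forged packet replaces A's org with the attacker's xmt,
so A's next poll fails B's origin check; with fixed=True the forged packet
is dropped before any state variable changes and the exchange continues.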

* Buffer overflow in crypto_recv()

    References: Sec 2667 / CVE-2014-9295 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Versions: All releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
        file contains a 'crypto pw ...' directive) a remote attacker
        can send a carefully crafted packet that can overflow a stack
        buffer and potentially allow malicious code to be executed
        with the privilege level of the ntpd process.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later, or
        - Disable Autokey Authentication by removing, or commenting out,
          all configuration directives beginning with the crypto keyword
          in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in ctl_putdata()

    References: Sec 2668 / CVE-2014-9295 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Versions: All NTP4 releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in configure()

    References: Sec 2669 / CVE-2014-9295 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Versions: All NTP4 releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* receive(): missing return on error

    References: Sec 2670 / CVE-2014-9296 / VU#852879
    CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
    Versions: All NTP4 releases before 4.2.8
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
        the code path where an error was detected, which meant
        processing did not stop when a specific rare error occurred.
        We haven't found a way for this bug to affect system integrity.
        If there is no way to affect system integrity the base CVSS
        score for this bug is 0. If there is one avenue through which
        system integrity can be partially affected, the base score
        becomes a 5. If system integrity can be partially affected
        via all three integrity metrics, the CVSS base score becomes 7.5.

    Mitigation - any of:
        - Upgrade to 4.2.8, or later,
        - Remove or comment out all configuration directives
          beginning with the crypto keyword in your ntp.conf file.

    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

See http://support.ntp.org/security for more information.
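The 'restrict default ... noquery' BCP from the NOTE WELL above, written out
as a complete access-control block with the permissive form beside it. This
is an added example, not configuration text from the NTP project; the server
name is a placeholder, and the flag descriptions follow the ntp.conf
documentation.

```conf
# --- Weak: no restrict lines, or an empty default, permit everything ---
# Any source may send mode 6/7 query packets (ntpq, ntpdc), which is the
# exposure the 4.2.8 advisories above depend on.
restrict default

# --- BCP: refuse query-class packets from everyone by default ---
# Time service (modes 1-5) is unaffected. noquery refuses ntpq/ntpdc
# queries, nomodify refuses runtime configuration, notrap refuses trap
# registration, nopeer refuses unsolicited symmetric peering; kod answers
# rate-limit violations (with 'limited') with a Kiss-o'-Death packet.
restrict default kod nomodify notrap nopeer noquery
# Since the 4.2.6p2 unified restrict lists the line above covers IPv6 too;
# the explicit -6 form is kept for older versions with separate lists.
restrict -6 default kod nomodify notrap nopeer noquery

# Localhost keeps full access for local ntpq use. Per Sec 2672 (4.2.8p1
# above), the ::1 line is only as safe as the kernel's refusal to accept
# a ::1 source on a non-loopback interface; where the kernel allows it,
# add a firewall rule dropping source ::1 on every interface except lo.
restrict 127.0.0.1
restrict -6 ::1

# Time sources; the host name is a placeholder for this example.
server ntp1.example.com iburst
```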

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" date to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org/.

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

  * Updated "nic" and "interface" IPv6 address handling to prevent
    mismatches with localhost [::1] and wildcard [::] which resulted from
    using the address/prefix format (e.g. fe80::/64)
  * Fix orphan mode stratum incorrectly counting to infinity
  * Orphan parent selection metric updated to include missing ntohl()
  * Non-printable stratum 16 refid no longer sent to ntp
  * Duplicate ephemeral associations suppressed for broadcastclient and
    multicastclient without broadcastdelay
  * Exclude undetermined sys_refid from use in loopback TEST12
  * Exclude MODE_SERVER responses from KoD rate limiting
  * Include root delay in clock_update() sys_rootdisp calculations
  * get_systime() updated to exclude sys_residual offset (which only
    affected bits "below" sys_tick, the precision threshold)
  * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

  * -n option extended to include the billboard "server" column
  * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default.
The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files.
Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.