---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past; it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2901
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you can't upgrade, use "server" associations instead of
    "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSSv3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.
    For ntp-4.2.8 through ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSSv3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and, if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock, an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade and if you are running an OS that
    has this vulnerability, implement martian packet filters and
    lobby your OS vendor to fix this problem, or run your
    refclocks on computers that use OSes that are not vulnerable
    to these attacks and have your vulnerable machines get their
    time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.
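The authdecrypt-timing item at the top of this release (Sec 2879 / CVE-2016-1550) comes down to how a received MAC is compared with the locally computed one. What follows is an added example and not ntpd's code: an early-exit comparison of the memcmp()/bcmp() shape next to a constant-time one, with a probe that reports how many bytes each inspects when the attacker's guess has a given number of leading bytes right. The 20-byte digest length, the sample digest bytes and all function names are assumptions made for this example.

```c
/*
 * Added example, not ntpd's own code: the early-exit comparison the
 * authdecrypt-timing item describes (the shape of memcmp()/bcmp()) next
 * to a comparison that does a fixed amount of work.  The 20-byte digest
 * length and the sample digest bytes are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIGEST_LEN 20   /* SHA-1 sized MAC; an assumption for the demo */

typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/*
 * Early-exit comparison: returns at the first differing byte.  Returns 1
 * on match, 0 otherwise.  *examined receives the number of bytes looked
 * at, which is the side channel: it grows by one for every leading byte
 * the attacker has guessed correctly.
 */
static int early_exit_compare(const uint8_t *a, const uint8_t *b,
                              size_t n, size_t *examined)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/*
 * Constant-time comparison: OR together the XOR of every byte pair and
 * decide only after the loop.  There is no data-dependent branch or early
 * return, so *examined is always n.  'volatile' discourages the compiler
 * from rewriting the loop back into an early-exit form.
 */
static int ct_compare(const uint8_t *a, const uint8_t *b,
                      size_t n, size_t *examined)
{
    volatile uint8_t diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    return diff == 0;
}

/*
 * Compare a constructed "real" digest against an attacker guess whose
 * first 'correct' bytes are right and whose remaining bytes are all wrong.
 * Returns the comparison's verdict; *examined reports its work.
 */
static int run_probe(cmp_fn cmp, size_t correct, size_t *examined)
{
    uint8_t real[DIGEST_LEN], guess[DIGEST_LEN];
    size_t i;

    for (i = 0; i < DIGEST_LEN; i++) {
        real[i] = (uint8_t)(0x5a + 7 * i);              /* constructed */
        guess[i] = (i < correct) ? real[i] : (uint8_t)(real[i] ^ 0xff);
    }
    return cmp(real, guess, DIGEST_LEN, examined);
}

/* Verdict only: 1 if the guess with 'correct' leading bytes is accepted. */
static int probe_match(cmp_fn cmp, size_t correct)
{
    size_t examined;
    return run_probe(cmp, correct, &examined);
}

/* Work only: how many bytes the comparison inspected for that guess. */
static size_t probe_examined(cmp_fn cmp, size_t correct)
{
    size_t examined;
    run_probe(cmp, correct, &examined);
    return examined;
}

int main(void)
{
    size_t c;

    for (c = 0; c <= DIGEST_LEN; c += 5)
        printf("%2u leading bytes right: early-exit inspects %2u, "
               "constant-time inspects %2u\n", (unsigned)c,
               (unsigned)probe_examined(early_exit_compare, c),
               (unsigned)probe_examined(ct_compare, c));
    return 0;
}
```

The MAC length travels in the packet and is not secret, so rejecting a wrong length up front leaks nothing; what must not depend on the data is where the first mismatch occurs. The Bug 2879 entry under "Other fixes" below records ntpd's integration of constant-time comparison patches in the same spirit.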

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page. These
    versions will not dynamically "flip" into interleave mode
    unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of RedHat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks.
    If one is not using the feature introduced in ntp-4.2.8p6
    allowing an optional 4th field in the ntp.keys file to specify
    which IPs can serve time, a malicious authenticated peer can
    create arbitrarily many ephemeral associations in order to win
    the clock selection of ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
    can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.keys' optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

    --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
    * Own a malicious NTP server that the client trusts
    * Prevent a legitimate NTP server from sending packets to
      the 'ntpq' client
    * MITM the 'ntpq' communications between the 'ntpq' client
      and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:H)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.
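The check the 0rigin item describes, modelled as an added example rather than ntpd's own code; it is the same check that the "Clients that receive a KoD should validate the origin timestamp field" entry in 4.2.8p7 extends to KoD packets. In the model an NTP timestamp is a plain 64-bit integer with 0 meaning unset, the association keeps only the transmit timestamp of the request it is waiting on, and all names and sample timestamps are assumptions made for this example.

```c
/*
 * Added illustrative model, not ntpd's code, of the origin-timestamp
 * check the 0rigin item describes.  An NTP timestamp is modelled as a
 * 64-bit integer (0 meaning "unset", as on the wire) and the association
 * keeps only the field that matters here: the transmit timestamp of the
 * request it is waiting on, or 0 when nothing is outstanding.  All names
 * and sample timestamps are assumptions for the demo.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t ntp_ts;

struct assoc {
    ntp_ts aorg;         /* xmt of our last unanswered request; 0 = none */
    ntp_ts last_accept;  /* xmt of the last reply the check let through */
};

struct pkt {
    ntp_ts org;          /* origin: the server copies our xmt here */
    ntp_ts xmt;          /* server's transmit time */
};

typedef int (*origin_check)(const struct assoc *, const struct pkt *);

/* Client records the transmit timestamp of an outgoing poll. */
static void client_poll(struct assoc *a, ntp_ts now)
{
    a->aorg = now;
}

/*
 * Vulnerable check: accept iff the packet's origin equals the stored
 * value.  Once a reply has been consumed aorg is 0, so a spoofed packet
 * carrying org == 0 passes whenever no request is outstanding.
 */
static int origin_ok_vulnerable(const struct assoc *a, const struct pkt *p)
{
    return p->org == a->aorg;
}

/*
 * Fixed check: a zero origin is never acceptable, and a reply can only
 * match a request that is actually outstanding.
 */
static int origin_ok_fixed(const struct assoc *a, const struct pkt *p)
{
    if (p->org == 0 || a->aorg == 0)
        return 0;
    return p->org == a->aorg;
}

/*
 * Run a reply through the given check.  On acceptance the outstanding
 * request is consumed, so the same org cannot be replayed; on rejection
 * ("bogus") state is untouched.  Returns 1 if accepted, 0 if dropped.
 */
static int client_receive(struct assoc *a, const struct pkt *p,
                          origin_check check)
{
    if (!check(a, p))
        return 0;
    a->last_accept = p->xmt;
    a->aorg = 0;
    return 1;
}

/*
 * Scenario: one legitimate poll/reply exchange, after which the client is
 * idle and an off-path attacker delivers a spoofed reply whose origin is
 * 'spoofed_org'.  Returns 1 if the spoof was accepted, 0 if dropped, and
 * -1 if the legitimate reply was wrongly dropped.
 */
static int spoof_while_idle(origin_check check, ntp_ts spoofed_org)
{
    struct assoc a = { 0, 0 };
    struct pkt reply, spoof;

    client_poll(&a, 1000);                 /* constructed sample xmt */
    reply.org = 1000;                      /* server echoes our xmt */
    reply.xmt = 1005;
    if (!client_receive(&a, &reply, check))
        return -1;

    spoof.org = spoofed_org;
    spoof.xmt = 999999;                    /* bogus time the attacker wants used */
    return client_receive(&a, &spoof, check);
}

/* Scenario: a request is outstanding and a reply with a wrong origin arrives. */
static int wrong_origin_while_waiting(origin_check check)
{
    struct assoc a = { 0, 0 };
    struct pkt spoof;

    client_poll(&a, 2000);
    spoof.org = 1234;
    spoof.xmt = 5;
    return client_receive(&a, &spoof, check);
}

int main(void)
{
    printf("spoofed org=0 while idle:     vulnerable accepts=%d, fixed accepts=%d\n",
           spoof_while_idle(origin_ok_vulnerable, 0),
           spoof_while_idle(origin_ok_fixed, 0));
    printf("replayed org=1000 while idle: vulnerable accepts=%d, fixed accepts=%d\n",
           spoof_while_idle(origin_ok_vulnerable, 1000),
           spoof_while_idle(origin_ok_fixed, 1000));
    return 0;
}
```

The vulnerable version is not wrong about replays: once the real reply has consumed the request, a copy of it no longer matches. Its gap is the one the item names, a zero origin compared against a zero "nothing outstanding" marker, and the fix is to treat zero on either side as a mismatch rather than a match.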

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc.)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
    deeper problems to investigate. In this case also consider
    having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
      never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
      careful about what IPs have the ability to send 'modify'
      requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar(), which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq, make sure there are
      some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key authentication uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server versus client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
    upgrade to 4.2.8p6, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page, and
    use the new field in the ntp.keys file that specifies the list
    of IPs that are allowed to serve time. Note that this alone
    will not protect against time packets with forged source IP
    addresses; however, other changes in ntp-4.2.8p6 provide
    significant mitigation against broadcast attacks. MITM attacks
    are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
      servers.
      If you choose to use symmetric keys to authenticate time
      packets in a hostile environment where ephemeral time
      servers can be created, or if it is expected that malicious
      time servers will participate in an NTP broadcast domain,
      limit the number of systems that participate in the
      shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations, then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
  IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of the MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
  References: Sec 2956, CVE-2015-5300
  Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
    4.3.0 up to, but not including 4.3.78
  CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
  Summary: If ntpd is always started with the -g option, which is
    common and against long-standing recommendation, and if at the
    moment ntpd is restarted an attacker can immediately respond to
    enough requests from enough sources trusted by the target, which
    is difficult and not common, there is a window of opportunity
    where the attacker can cause ntpd to set the time to an
    arbitrary value. Similarly, if an attacker is able to respond
    to enough requests from enough sources trusted by the target,
    the attacker can cause ntpd to abort and restart, at which
    point it can tell the target to set the time to an arbitrary
    value if and only if ntpd was re-started, against long-standing
    recommendation, with the -g flag. If ntpd was not given the
    -g flag, the attacker can move the target system's time by at
    most 900 seconds per attack.
  Mitigation:
    Configure ntpd to get time from multiple sources.
    Upgrade to 4.2.8p5, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    As we've long documented, only use the -g option to ntpd in
    cold-start situations.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg at Boston University.

  NOTE WELL: The -g flag disables the limit check on the panic_gate
  in ntpd, which is 900 seconds by default. The bug identified by
  the researchers at Boston University is that the panic_gate
  check was only re-enabled after the first change to the system
  clock that was greater than 128 milliseconds, by default. The
  correct behavior is that the panic_gate check should be
  re-enabled after any initial time correction.

  If an attacker is able to inject consistent but erroneous time
  responses to your systems via the network or "over the air",
  perhaps by spoofing radio, cellphone, or navigation satellite
  transmissions, they are in a great position to affect your
  system's clock. There comes a point where your very best
  defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
  lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
    certain code paths where a packet with particular autokey operations
    that contained malicious data was not always being completely
    validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.
724 725 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 726 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 727 and 4.3.0 up to, but not including 4.3.77 728 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst 729 Summary: An ntpd client that honors Kiss-of-Death responses will honor 730 KoD messages that have been forged by an attacker, causing it to 731 delay or stop querying its servers for time updates. Also, an 732 attacker can forge packets that claim to be from the target and 733 send them to servers often enough that a server that implements 734 KoD rate limiting will send the target machine a KoD response to 735 attempt to reduce the rate of incoming packets, or it may also 736 trigger a firewall block at the server for packets from the target 737 machine. For either of these attacks to succeed, the attacker must 738 know what servers the target is communicating with. An attacker 739 can be anywhere on the Internet and can frequently learn the 740 identity of the target's time source by sending the target a 741 time query. 742 Mitigation: 743 Implement BCP-38. 744 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page 745 or the NTP Public Services Project Download Page 746 If you can't upgrade, restrict who can query ntpd to learn who 747 its servers are, and what IPs are allowed to ask your system 748 for the time. This mitigation is heavy-handed. 749 Monitor your ntpd instances. 750 Note: 751 4.2.8p4 protects against the first attack. For the second attack, 752 all we can do is warn when it is happening, which we do in 4.2.8p4. 753 Credit: This weakness was discovered by Aanchal Malhotra, 754 Issac E. Cohen, and Sharon Goldberg of Boston University. 755 756* configuration directives to change "pidfile" and "driftfile" should 757 only be allowed locally. 
758 759 References: Sec 2902 / CVE-2015-5196 760 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 761 and 4.3.0 up to, but not including 4.3.77 762 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case 763 Summary: If ntpd is configured to allow for remote configuration, 764 and if the (possibly spoofed) source IP address is allowed to 765 send remote configuration requests, and if the attacker knows 766 the remote configuration password, it's possible for an attacker 767 to use the "pidfile" or "driftfile" directives to potentially 768 overwrite other files. 769 Mitigation: 770 Implement BCP-38. 771 Upgrade to 4.2.8p4, or later, from the NTP Project Download 772 Page or the NTP Public Services Project Download Page 773 If you cannot upgrade, don't enable remote configuration. 774 If you must enable remote configuration and cannot upgrade, 775 remote configuration of NTF's ntpd requires: 776 - an explicitly configured trustedkey, and you should also 777 configure a controlkey. 778 - access from a permitted IP. You choose the IPs. 779 - authentication. Don't disable it. Practice secure key safety. 780 Monitor your ntpd instances. 781 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 782 783* Slow memory leak in CRYPTO_ASSOC 784 785 References: Sec 2909 / CVE-2015-7701 786 Affects: All ntp-4 releases that use autokey up to, but not 787 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 788 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case, 789 4.6 otherwise 790 Summary: If ntpd is configured to use autokey, then an attacker can 791 send packets to ntpd that will, after several days of ongoing 792 attack, cause it to run out of memory. 793 Mitigation: 794 Don't use autokey. 795 Upgrade to 4.2.8p4, or later, from the NTP Project Download 796 Page or the NTP Public Services Project Download Page 797 Monitor your ntpd instances. 798 Credit: This weakness was discovered by Tenable Network Security. 

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
          mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
          to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
      ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
      requires:
      an explicitly configured "trusted" key. Only configure this
        if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
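
The mode 7 and remote-configuration mitigations repeated in the advisories above (leave mode 7 disabled, restrict noquery, an explicitly configured trusted key that is also the controlkey/requestkey, remote configuration only from a permitted address, several time sources, no -g after the cold start) collected into one ntp.conf fragment. This is an added example, not an NTP project file; the ntpN.example.net hostnames, the 192.0.2.10 management address and the key file path are placeholders.

```conf
# Added example: hardened ntp.conf fragment for ntp-4.2.8p4 or later.
# Not an NTP project file; hosts, addresses and paths are placeholders.

# Several independent sources, so that one forged or abusive server
# cannot move the clock on its own.
server ntp1.example.net iburst
server ntp2.example.net iburst
server ntp3.example.net iburst
server ntp4.example.net iburst

driftfile /var/lib/ntp/ntp.drift

# Default for every client: time service only.  noquery refuses mode 6
# (ntpq) and mode 7 (ntpdc) queries, nomodify refuses remote
# configuration, nopeer refuses unsolicited symmetric associations and
# "kod limited" rate-limits abusive clients.  In ntp-4.2.8 a default
# line without -4/-6 covers both IPv4 and IPv6.
restrict default kod limited nomodify notrap nopeer noquery

# Local administration keeps full access.
restrict 127.0.0.1
restrict -6 ::1

# Mode 7 is disabled by default in ntp-4.2.8; do not add "enable mode7".

# Remote configuration, only if it is really needed: authenticated with an
# explicitly trusted key (also the control and request key) and accepted
# from one permitted management host.  The key file holds lines of the
# form "<keyid> <type> <secret>" and must be readable by ntpd only.
keys /etc/ntp/ntp.keys
trustedkey 1
controlkey 1
requestkey 1
restrict 192.0.2.10 notrap nopeer

# Start ntpd without -g except for a cold start: -g lifts the 900 s
# panic gate (see the 4.2.8p5 advisory above).
```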

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
      requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from permitted IP addresses. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious ntpd instance that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
      and ntpq crashes, try again using raw mode. Build or get a
      patched ntpq and see if that fixes the problem. Report new
      bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
      in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
    that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
        the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
      ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
        and mode 7 requests.
      Configure and use the controlkey and requestkey
        authentication directives to limit who can
        send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations. This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
        block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory). A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercising thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s', which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
  be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
* [Bug 2888] streamline calendar functions. perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h made it agree with NTP's formatting conventions.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
* sntp/tests/crypto.c now uses proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c now uses proper Unity assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c now uses proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c now uses proper Unity assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
* Code cleanup. Harlan Stenn.
* libntp/icom.c: Typo fix. Harlan Stenn.
1159* util/ntptime.c: initialization nit. Harlan Stenn. 1160* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 1161* Add std_unity_tests to various Makefile.am files. Harlan Stenn. 1162* ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 1163 Tomasz Flendrich 1164* Changed progname to be const in many files - now it's consistent. Tomasz 1165 Flendrich 1166* Typo fix for GCC warning suppression. Harlan Stenn. 1167* Added tests/ntpd/ntp_scanner.c test. Damir Tomić. 1168* Added declarations to all Unity tests, and did minor fixes to them. 1169 Reduced the number of warnings by half. Damir Tomić. 1170* Updated generate_test_runner.rb and updated the sntp/unity/auto directory 1171 with the latest Unity updates from Mark. Damir Tomić. 1172* Retire google test - phase I. Harlan Stenn. 1173* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 1174* Update the NEWS file. Harlan Stenn. 1175* Autoconf cleanup. Harlan Stenn. 1176* Unit test dist cleanup. Harlan Stenn. 1177* Cleanup various test Makefile.am files. Harlan Stenn. 1178* Pthread autoconf macro cleanup. Harlan Stenn. 1179* Fix progname definition in unity runner scripts. Harlan Stenn. 1180* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 1181* Update the patch for bug 2817. Harlan Stenn. 1182* More updates for bug 2817. Harlan Stenn. 1183* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 1184* gcc on older HPUX may need +allowdups. Harlan Stenn. 1185* Adding missing MCAST protection. Harlan Stenn. 1186* Disable certain test programs on certain platforms. Harlan Stenn. 1187* Implement --enable-problem-tests (on by default). Harlan Stenn. 1188* build system tweaks. Harlan Stenn. 1189 1190--- 1191NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 1192 1193Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

  *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
  *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.
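
The 254.a.b.c smear refid described above under "New features in this release" can be decoded and checked for with a short helper. This is an added example, not code from ntpd or its refidsmear tests; it assumes the 2-bit integer part of the 2:22 field is two's complement (so negative smears are representable) and the billboard lines it scans are constructed, not real ntpq output.

```python
"""Leap-smear refid helpers: added example, not ntpd's own code.

ntpd 4.2.8p3 marks smeared responses with a refid of 254.a.b.c whose
low 24 bits hold the smear as a 2:22 integer:fraction value.  Assumption
made here: the 2 integer bits are two's complement, so the field covers
smears in [-2, +2) seconds with a resolution of 2**-22 s.
"""

SMEAR_PREFIX = 254   # first octet that tags a refid as a smear indicator
FRAC_BITS = 22       # fractional bits in the 24-bit field
FIELD_MASK = 0xFFFFFF


def decode_smear_refid(refid: str) -> float:
    """Return the smear (seconds) encoded in a 254.a.b.c refid string."""
    octets = refid.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("not a dotted-quad refid: %r" % refid)
    a, b, c, d = (int(o) for o in octets)
    if a != SMEAR_PREFIX or max(b, c, d) > 255:
        raise ValueError("not a leap-smear refid: %r" % refid)
    raw = (b << 16) | (c << 8) | d
    if raw & (1 << 23):          # top bit of the 2-bit integer part: negative
        raw -= 1 << 24
    return raw / float(1 << FRAC_BITS)


def encode_smear_refid(smear_seconds: float) -> str:
    """Build the 254.a.b.c refid for a smear amount; inverse of decode."""
    if not -2.0 <= smear_seconds < 2.0:
        raise ValueError("smear %r outside representable range [-2, 2)" % smear_seconds)
    raw = int(round(smear_seconds * (1 << FRAC_BITS)))
    raw = min(raw, (1 << 23) - 1)  # rounding just below +2.0 must not wrap to -2.0
    raw &= FIELD_MASK              # two's complement into 24 bits
    return "%d.%d.%d.%d" % (SMEAR_PREFIX, (raw >> 16) & 0xFF, (raw >> 8) & 0xFF, raw & 0xFF)


def find_smeared_sources(billboard_lines):
    """Scan 'ntpq -pn'-style billboard lines and report sources offering
    smeared time as (address, smear_seconds) pairs.  Header lines and
    ordinary refids are skipped."""
    found = []
    for line in billboard_lines:
        fields = line.split()
        if len(fields) < 10:
            continue
        remote = fields[0].lstrip("*+-#x.o ")   # drop the tally code
        try:
            found.append((remote, decode_smear_refid(fields[1])))
        except ValueError:
            continue
    return found


# Constructed sample billboard (not real ntpq output).
SAMPLE_BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      254.32.0.0       2 u   34   64  377    0.412    0.031   0.009
+192.0.2.11      203.0.113.5      2 u   12   64  377    0.901   -0.210   0.014
-192.0.2.12      254.224.0.0      2 u   50   64  377    1.105    0.400   0.020
""".splitlines()

if __name__ == "__main__":
    for addr, smear in find_smeared_sources(SAMPLE_BILLBOARD):
        print("%s offers smeared time: %+.6f s" % (addr, smear))
```

Running the scan against a real `ntpq -pn` billboard is one way to confirm that none of your upstream servers is handing out smeared time to the public.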

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
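
To make the Sec 2779 check concrete, here is an added example (not ntpd's code) with the pre-4.2.8p2 acceptance logic beside the corrected one. It assumes a bare 48-byte NTPv4 header with no extension fields, optionally followed by a MAC of 4-byte key ID plus 16-byte digest computed as MD5 over key || header (the classic NTP keyed-MD5 scheme); the key table and packets are constructed test data.

```python
"""Symmetric-key MAC checking for NTP packets: added example illustrating
Sec 2779 / CVE-2015-1798; this is not ntpd's code.

Assumptions: the packet is a 48-byte NTPv4 header with no extension fields,
optionally followed by a MAC of 4-byte key ID plus 16-byte digest, and the
digest is MD5(key || header), the classic NTP keyed-MD5 scheme.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48
KEYID_LEN = 4
MD5_DIGEST_LEN = 16


def md5_mac(key: bytes, header: bytes) -> bytes:
    return hashlib.md5(key + header).digest()


def split_packet(packet: bytes):
    """Return (header, key_id, digest); key_id and digest are None when
    the packet carries no MAC at all."""
    if len(packet) == HEADER_LEN:
        return packet, None, None
    if len(packet) == HEADER_LEN + KEYID_LEN + MD5_DIGEST_LEN:
        header = packet[:HEADER_LEN]
        key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])[0]
        return header, key_id, packet[HEADER_LEN + KEYID_LEN:]
    raise ValueError("unexpected packet length %d" % len(packet))


def mac_is_valid(header, key_id, digest, keys) -> bool:
    key = keys.get(key_id)
    if key is None:
        return False
    # constant-time comparison so a mismatch leaks nothing about the digest
    return hmac.compare_digest(md5_mac(key, header), digest)


def accept_before_p2(packet: bytes, keys: dict) -> bool:
    """Pre-4.2.8p2 behaviour: a MAC is verified if present, but a packet
    with no MAC at all passes as though it were authenticated."""
    header, key_id, digest = split_packet(packet)
    if key_id is None:
        return True          # the flaw: absence of a MAC is not a failure
    return mac_is_valid(header, key_id, digest, keys)


def accept_fixed(packet: bytes, keys: dict) -> bool:
    """4.2.8p2 behaviour for a keyed association: a MAC must be present
    and must verify; anything else is rejected."""
    header, key_id, digest = split_packet(packet)
    if key_id is None:
        return False
    return mac_is_valid(header, key_id, digest, keys)


def build_server_reply(xmt_ts: int, key_id=None, key=None) -> bytes:
    """Construct a minimal mode-4 (server) reply; constructed test data."""
    # LI=0 VN=4 mode=4, stratum 2, poll 6, precision -20, then root delay,
    # root dispersion, refid (192.0.2.1) and the four 64-bit timestamps
    # (reference, originate, receive, transmit).
    header = struct.pack("!BBbb", 0x24, 2, 6, -20)
    header += struct.pack("!IIIQQQQ", 0, 0, 0xC0000201, 0, 0, 0, xmt_ts)
    if key is None:
        return header
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


KEYS = {1: b"constructed-shared-secret"}   # trusted key table for the example

if __name__ == "__main__":
    genuine = build_server_reply(0xDEADBEEF00000000, 1, KEYS[1])
    no_mac = build_server_reply(0xDEADBEEF00000000)
    print("genuine:", accept_before_p2(genuine, KEYS), accept_fixed(genuine, KEYS))
    print("no MAC :", accept_before_p2(no_mac, KEYS), accept_fixed(no_mac, KEYS))
```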

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

  wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1-based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

  restrict default ... noquery

in the ntp.conf file. With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
  - Upgrade to 4.2.7p11 or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
  - Upgrade to 4.2.7p230 or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later, or
  - Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the crypto keyword
    in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later.
  - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
  - Upgrade to 4.2.8, or later,
  - Remove or comment out all configuration directives
    beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" date to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

  * Updated "nic" and "interface" IPv6 address handling to prevent
    mismatches with localhost [::1] and wildcard [::] which resulted from
    using the address/prefix format (e.g. fe80::/64)
  * Fix orphan mode stratum incorrectly counting to infinity
  * Orphan parent selection metric updated to include missing ntohl()
  * Non-printable stratum 16 refid no longer sent to ntp
  * Duplicate ephemeral associations suppressed for broadcastclient and
    multicastclient without broadcastdelay
  * Exclude undetermined sys_refid from use in loopback TEST12
  * Exclude MODE_SERVER responses from KoD rate limiting
  * Include root delay in clock_update() sys_rootdisp calculations
  * get_systime() updated to exclude sys_residual offset (which only
    affected bits "below" sys_tick, the precision threshold)
  * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

  * -n option extended to include the billboard "server" column
  * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.
2037 2038 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 2039 line) then a carefully crafted packet sent to the machine will cause 2040 a buffer overflow and possible execution of injected code, running 2041 with the privileges of the ntpd process (often root). 2042 2043 Credit for finding this vulnerability goes to Chris Ries of CMU. 2044 2045This release fixes the following low-severity vulnerabilities: 2046 2047* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 2048 Credit for finding this vulnerability goes to Geoff Keating of Apple. 2049 2050* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 2051 Credit for finding this issue goes to Dave Hart. 2052 2053This release fixes a number of bugs and adds some improvements: 2054 2055* Improved logging 2056* Fix many compiler warnings 2057* Many fixes and improvements for Windows 2058* Adds support for AIX 6.1 2059* Resolves some issues under MacOS X and Solaris 2060 2061THIS IS A STRONGLY RECOMMENDED UPGRADE. 2062 2063--- 2064NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07) 2065 2066Focus: Security Fix 2067 2068Severity: Low 2069 2070This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 2071the OpenSSL library relating to the incorrect checking of the return 2072value of EVP_VerifyFinal function. 2073 2074Credit for finding this issue goes to the Google Security Team for 2075finding the original issue with OpenSSL, and to ocert.org for finding 2076the problem in NTP and telling us about it. 2077 2078This is a recommended upgrade. 2079--- 2080NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17) 2081 2082Focus: Minor Bugfixes 2083 2084This release fixes a number of Windows-specific ntpd bugs and 2085platform-independent ntpdate bugs. A logging bugfix has been applied 2086to the ONCORE driver. 2087 2088The "dynamic" keyword and is now obsolete and deferred binding to local 2089interfaces is the new default. 
The minimum time restriction for the 2090interface update interval has been dropped. 2091 2092A number of minor build system and documentation fixes are included. 2093 2094This is a recommended upgrade for Windows. 2095 2096--- 2097NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10) 2098 2099Focus: Minor Bugfixes 2100 2101This release updates certain copyright information, fixes several display 2102bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 2103shutdown in the parse refclock driver, removes some lint from the code, 2104stops accessing certain buffers immediately after they were freed, fixes 2105a problem with non-command-line specification of -6, and allows the loopback 2106interface to share addresses with other interfaces. 2107 2108--- 2109NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29) 2110 2111Focus: Minor Bugfixes 2112 2113This release fixes a bug in Windows that made it difficult to 2114terminate ntpd under windows. 2115This is a recommended upgrade for Windows. 2116 2117--- 2118NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19) 2119 2120Focus: Minor Bugfixes 2121 2122This release fixes a multicast mode authentication problem, 2123an error in NTP packet handling on Windows that could lead to 2124ntpd crashing, and several other minor bugs. Handling of 2125multicast interfaces and logging configuration were improved. 2126The required versions of autogen and libopts were incremented. 2127This is a recommended upgrade for Windows and multicast users. 2128 2129--- 2130NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31) 2131 2132Focus: enhancements and bug fixes. 2133 2134Dynamic interface rescanning was added to simplify the use of ntpd in 2135conjunction with DHCP. GNU AutoGen is used for its command-line options 2136processing. Separate PPS devices are supported for PARSE refclocks, MD5 2137signatures are now provided for the release files. 
Drivers have been 2138added for some new ref-clocks and have been removed for some older 2139ref-clocks. This release also includes other improvements, documentation 2140and bug fixes. 2141 2142K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 2143C support. 2144 2145--- 2146NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15) 2147 2148Focus: enhancements and bug fixes. 2149
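Worked example for the CVE-2009-3563 entry (NTP 4.2.4p8) above. This is a small C model of the mode 7 error-response loop, added here by the editor; it is not ntpd code and does no network I/O. It assumes the eight-byte mode 7 header layout of ntpd's struct req_pkt (response bit 0x80, mode in the low three bits), uses an assumed value for the INFO_ERR_FMT error code, and models the 4.2.4p8 fix as "never answer a packet whose response bit is set", with "restrict ... noquery" modelled as a per-host flag. Both attack shapes from the entry are simulated: a response spoofed from A and delivered to B (A and B ping-pong), and one spoofed from A and delivered to A (A answers itself), alongside the two things that stop the loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODE_PRIVATE   7      /* ntpdc's mode, per the advisory */
#define RESP_BIT       0x80   /* "this packet is a response" bit in rm_vn_mode */
#define MODE7_VERSION  2      /* version field carried in mode 7 packets (assumed) */
#define INFO_ERR_FMT   3      /* "format error" code; value assumed, name from ntpd */
#define PACKET_CAP     1000   /* the simulation stops here; a real loop would not */

/* First eight bytes of a mode 7 packet, following ntpd's struct req_pkt. */
struct mode7_hdr {
    uint8_t  rm_vn_mode;     /* R | M | version(3) | mode(3) */
    uint8_t  auth_seq;       /* A | sequence(7) */
    uint8_t  implementation;
    uint8_t  request;        /* request code */
    uint16_t err_nitems;     /* err(4) | nitems(12) */
    uint16_t mbz_itemsize;   /* mbz(4) | itemsize(12) */
};

/* A datagram in flight; src is whatever the IP header claims (spoofable). */
struct packet { struct mode7_hdr hdr; int src; int dst; };

/* One simulated ntpd instance and the two policy knobs that matter here. */
struct host {
    int id;
    int noquery;          /* "restrict ... noquery" covers the sender */
    int drop_responses;   /* 4.2.4p8 behaviour: never answer a response */
};

static int is_response(const struct mode7_hdr *h) { return (h->rm_vn_mode & RESP_BIT) != 0; }
static int mode_of(const struct mode7_hdr *h)     { return h->rm_vn_mode & 0x07; }

static void make_error_response(struct packet *p, int from, int to, int err)
{
    memset(p, 0, sizeof *p);
    p->hdr.rm_vn_mode = (uint8_t)(RESP_BIT | (MODE7_VERSION << 3) | MODE_PRIVATE);
    p->hdr.err_nitems = (uint16_t)(err << 12);
    p->src = from;
    p->dst = to;
}

/*
 * Model of the mode 7 handler: returns 1 and fills *reply when the host
 * sends something back, 0 when it stays silent.  Pre-fix, any mode 7
 * packet that is not a well-formed request draws an error response, and
 * an error response is itself not a well-formed request.
 */
static int handle_mode7(const struct host *h, const struct packet *in, struct packet *reply)
{
    if (mode_of(&in->hdr) != MODE_PRIVATE)
        return 0;                       /* not a mode 7 packet */
    if (h->noquery)
        return 0;                       /* restrict ... noquery: ignored silently */
    if (h->drop_responses && is_response(&in->hdr))
        return 0;                       /* the fix: a response never gets a reply */
    if (is_response(&in->hdr)) {        /* pre-fix: "bad request" -> error reply */
        make_error_response(reply, h->id, in->src, INFO_ERR_FMT);
        return 1;
    }
    return 0;                           /* a genuine request would get data; not modelled */
}

/*
 * Inject one error response, spoofed as coming from spoofed_src, at host
 * target, then keep delivering whatever the hosts emit.  Returns how many
 * packets the hosts themselves generated before PACKET_CAP.
 */
static int simulate(struct host *hosts, int target, int spoofed_src)
{
    struct packet in, out;
    int count = 0;

    make_error_response(&in, spoofed_src, target, INFO_ERR_FMT);   /* the attacker's packet */
    while (count < PACKET_CAP && handle_mode7(&hosts[in.dst], &in, &out)) {
        count++;
        in = out;                       /* deliver the reply to its destination */
    }
    return count;
}

/* Scenarios: host 0 is A, host 1 is B.  Initialisers are {id, noquery, drop_responses}. */
int packets_vulnerable_pair(void) { struct host h[2] = {{0,0,0},{1,0,0}}; return simulate(h, 1, 0); }
int packets_vulnerable_self(void) { struct host h[1] = {{0,0,0}};         return simulate(h, 0, 0); }
int packets_with_noquery(void)    { struct host h[2] = {{0,1,0},{1,1,0}}; return simulate(h, 1, 0); }
int packets_with_fix(void)        { struct host h[2] = {{0,0,1},{1,0,1}}; return simulate(h, 1, 0); }
int packets_one_side_fixed(void)  { struct host h[2] = {{0,0,0},{1,0,1}}; return simulate(h, 0, 1); }

int main(void)
{
    printf("A<->B, both unpatched : %d packets (cap %d)\n", packets_vulnerable_pair(), PACKET_CAP);
    printf("A->A, unpatched       : %d packets (cap %d)\n", packets_vulnerable_self(), PACKET_CAP);
    printf("restrict noquery      : %d packets\n", packets_with_noquery());
    printf("both on 4.2.4p8       : %d packets\n", packets_with_fix());
    printf("only B on 4.2.4p8     : %d packets\n", packets_one_side_fixed());
    return 0;
}
```

The one-side-fixed case is the practical point for a mixed fleet: an unpatched A still answers the spoofed packet once, but a patched B swallows that reply, so the loop dies after a single packet instead of running until the spoofed traffic stops.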
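Worked example for the CVE-2009-0021 entry (NTP 4.2.4p6) above, added here by the editor; it is neither ntpd nor OpenSSL code. EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and a negative value on error. toy_verify_final() below is a stand-in with that same three-valued contract over a toy hash (not a real signature scheme), so the return-value check can be exercised without linking OpenSSL. The function names, the scenario helpers and the message bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EVP_VerifyFinal()'s documented result contract, mirrored by the stand-in. */
#define VERIFY_OK      1    /* signature verified */
#define VERIFY_BAD     0    /* signature did not verify */
#define VERIFY_ERROR (-1)   /* some other error, e.g. malformed input */

#define SIG_LEN 4

/* Toy "signature": FNV-1a of the message.  Stand-in only; the lesson is the
   three-valued result, not the algorithm. */
static uint32_t fnv1a(const uint8_t *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Constant-time comparison so even the toy does not leak how much matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* What a signer would emit for msg. */
void toy_sign(const uint8_t *msg, size_t len, uint8_t sig[SIG_LEN])
{
    uint32_t h = fnv1a(msg, len);
    sig[0] = (uint8_t)(h >> 24); sig[1] = (uint8_t)(h >> 16);
    sig[2] = (uint8_t)(h >> 8);  sig[3] = (uint8_t)h;
}

/* Stand-in for EVP_VerifyFinal(): same three outcomes, same meanings. */
int toy_verify_final(const uint8_t *msg, size_t len, const uint8_t *sig, size_t sig_len)
{
    uint8_t expect[SIG_LEN];
    if (sig == NULL || sig_len != SIG_LEN)
        return VERIFY_ERROR;            /* malformed blob: an error, not a "bad signature" */
    toy_sign(msg, len, expect);
    return ct_equal(expect, sig, SIG_LEN) ? VERIFY_OK : VERIFY_BAD;
}

/* The flawed caller: "anything but 0 is success", so -1 is accepted. */
int accepts_vulnerable(const uint8_t *msg, size_t len, const uint8_t *sig, size_t sig_len)
{
    return toy_verify_final(msg, len, sig, sig_len) != 0;
}

/* The corrected caller: only the documented success value counts. */
int accepts_fixed(const uint8_t *msg, size_t len, const uint8_t *sig, size_t sig_len)
{
    return toy_verify_final(msg, len, sig, sig_len) == 1;
}

/* Constructed message standing in for signed data. */
static const uint8_t MSG[] = "signed certificate bytes (constructed)";
#define MSG_LEN (sizeof MSG - 1)

/* Each scenario returns (vulnerable_accepts << 1) | fixed_accepts. */
int scenario_valid_signature(void)
{
    uint8_t sig[SIG_LEN];
    toy_sign(MSG, MSG_LEN, sig);
    return (accepts_vulnerable(MSG, MSG_LEN, sig, SIG_LEN) << 1)
         |  accepts_fixed(MSG, MSG_LEN, sig, SIG_LEN);
}
int scenario_tampered_signature(void)
{
    uint8_t sig[SIG_LEN];
    toy_sign(MSG, MSG_LEN, sig);
    sig[0] ^= 0x01;                     /* forgery attempt: one bit off */
    return (accepts_vulnerable(MSG, MSG_LEN, sig, SIG_LEN) << 1)
         |  accepts_fixed(MSG, MSG_LEN, sig, SIG_LEN);
}
int scenario_malformed_signature(void)
{
    uint8_t sig[SIG_LEN - 1] = {0};     /* wrong length: takes the error path */
    return (accepts_vulnerable(MSG, MSG_LEN, sig, sizeof sig) << 1)
         |  accepts_fixed(MSG, MSG_LEN, sig, sizeof sig);
}

int main(void)
{
    int v = scenario_valid_signature(), t = scenario_tampered_signature(), m = scenario_malformed_signature();
    printf("valid     : vulnerable=%d fixed=%d\n", v >> 1, v & 1);
    printf("tampered  : vulnerable=%d fixed=%d\n", t >> 1, t & 1);
    printf("malformed : vulnerable=%d fixed=%d\n", m >> 1, m & 1);
    return 0;
}
```

A straightforward forgery is rejected by both callers; only the malformed-input path separates them, which is why this class of bug survives ordinary "wrong signature" testing. When reviewing code that calls a tri-state verifier, grep for `!= 0`, `!` and `<= 0` around the call and insist on `== 1`.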