--
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

NOTE: this NEWS file will be undergoing more revisions.

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
  [Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org>
  [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
    other TrustedBSD platforms
    - applied patch by Ian Lepore <perlinger@ntp.org>
  [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
    - changed interaction with SCM to signal pending startup
  [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
    - rework of ntpq 'nextvar()' key/value parsing
  [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods)
  [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
  [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
    - add #define ENABLE_CMAC support in configure. HStenn.
  [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
  [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
    - patch by Stephen Friedl
  [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
    - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
  [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
  [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
    - initial patch by Hal Murray; also fixed refclock_report() trouble
  [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
  [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
    - According to Brooks Davis, there was only one location <perlinger@ntp.org>
  [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
    - applied patch by Gerry Garvey
  [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
    with modifications
    New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
  [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
    - applied patch by Miroslav Lichvar
  [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
  [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
    - integrated patch by Reinhard Max
  [Bug 2821] minor build issues <perlinger@ntp.org>
    - applied patches by Christos Zoulas, including real bug fixes
  html/authopt.html: cleanup, from <stenn@ntp.org>
  ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
  Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>

--
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
  association (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3454 / CVE-2018-7185 / VU#961909
  Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
    2.9 and 6.8.
  CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
    score between 2.6 and 3.1
  Summary:
    The NTP Protocol allows for both non-authenticated and
    authenticated associations, in client/server, symmetric (peer),
    and several broadcast modes. In addition to the basic NTP
    operational modes, symmetric mode and broadcast servers can
    support an interleaved mode of operation. In ntp-4.2.8p4 a bug
    was inadvertently introduced into the protocol engine that
    allows a non-authenticated zero-origin (reset) packet to reset
    an authenticated interleaved peer association. If an attacker
    can send a packet with a zero-origin timestamp and the source
    IP address of the "other side" of an interleaved association,
    the 'victim' ntpd will reset its association. The attacker must
    continue sending these packets in order to maintain the
    disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
    interleave mode could be entered dynamically. As of ntp-4.2.8p7,
    interleaved mode must be explicitly configured/enabled.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade to 4.2.8p11 or later and have
    'peer HOST xleave' lines in your ntp.conf file, remove the
    'xleave' option.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
  state (LOW/MED)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3453 / CVE-2018-7184 / VU#961909
  Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
  CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Could score between 2.9 and 6.8.
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    Could score between 2.6 and 6.0.
  Summary:
    The fix for NtpBug2952 was incomplete, and while it fixed one
    problem it created another. Specifically, it drops bad packets
    before updating the "received" timestamp. This means a
    third-party can inject a packet with a zero-origin timestamp,
    meaning the sender wants to reset the association, and the
    transmit timestamp in this bogus packet will be saved as the
    most recent "received" timestamp. The real remote peer does
    not know this value and this will disrupt the association until
    the association resets.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use authentication with 'peer' mode.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
  peering (LOW)
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3415 / CVE-2018-7170 / VU#961909
              Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up to
    use a trustedkey and if one is not using the feature introduced in
    ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
    specify which IPs can serve time, a malicious authenticated peer
    -- i.e. one where the attacker knows the private symmetric key --
    can create arbitrarily-many ephemeral associations in order to win
    the clock selection of ntpd and modify a victim's clock. Three
    additional protections are offered in ntp-4.2.8p11. One is the
    new 'noepeer' directive, which disables symmetric passive
    ephemeral peering. Another is the new 'ippeerlimit' directive,
    which limits the number of peers that can be created from an IP.
    The third extends the functionality of the 4th field in the
    ntp.keys file to include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
    ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peers
    that can be created from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs and
    subnets that can be time servers.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was reported as Bug 3012 by Matthew Van Gundy of
    Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3414 / CVE-2018-7183 / VU#961909
  Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
  Summary:
    ntpq is a monitoring and control program for ntpd. decodearr()
    is an internal function of ntpq that is used to -- wait for it --
    decode an array in a response string when formatted data is being
    displayed. This is a problem in affected versions of ntpq if a
    maliciously-altered ntpd returns an array result that will trip this
    bug, or if a bad actor is able to read an ntpq request on its way to
    a remote ntpd server and forge and send a response before the remote
    ntpd sends its response. It's potentially possible that the
    malicious data could become injectable/executable code.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
  behavior and information leak (Info/Medium)
  Date Resolved: 27 Feb 2018
  References: Sec 3412 / CVE-2018-7182 / VU#961909
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
  CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
  CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    0.0 if C:N
  Summary:
    ctl_getitem() is used by ntpd to process incoming mode 6 packets.
    A malicious mode 6 packet can be sent to an ntpd instance, and
    if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
    cause ctl_getitem() to read past the end of its buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
  Credit:
    This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
  Also see Bug 3415, above.
  Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  References: Sec 3012 / CVE-2016-1549 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
  CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary:
    ntpd can be vulnerable to Sybil attacks. If a system is set up
    to use a trustedkey and if one is not using the feature
    introduced in ntp-4.2.8p6 allowing an optional 4th field in the
    ntp.keys file to specify which IPs can serve time, a malicious
    authenticated peer -- i.e. one where the attacker knows the
    private symmetric key -- can create arbitrarily-many ephemeral
    associations in order to win the clock selection of ntpd and
    modify a victim's clock. Two additional protections are
    offered in ntp-4.2.8p11. One is the 'noepeer' directive, which
    disables symmetric passive ephemeral peering. The other extends
    the functionality of the 4th field in the ntp.keys file to
    include specifying a subnet range.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
    ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peer
    associations from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs
    and subnets that can be time servers.
    Properly monitor your ntpd instances.
  Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* Bug fixes:
  [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
  [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
    - applied patch by Sean Haugh
  [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
  [Bug 3450] Dubious error messages from plausibility checks in get_systime()
    - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
  [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
    - refactoring the MAC code, too
  [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
  [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
    - applied patch by ggarvey
  [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
    - applied patch by ggarvey (with minor mods)
  [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
    - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
  [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
  [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
  [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
    - fixed several issues with hash algos in ntpd, sntp, ntpq,
      ntpdc and the test suites <perlinger@ntp.org>
  [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
    - initial patch by Daniel Pouzzner
  [Bug 3423] QNX adjtime() implementation error checking is
    wrong <perlinger@ntp.org>
  [Bug 3417] ntpq ifstats packet counters can be negative
    made IFSTATS counter quantities unsigned <perlinger@ntp.org>
  [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
    - raised receive buffer size to 1200 <perlinger@ntp.org>
  [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
    analysis tool. <abe@ntp.org>
  [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath.
  [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
    - fix/drop assumptions on OpenSSL libs directory layout
  [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
    - initial patch by timeflies@mail2tor.com <perlinger@ntp.org>
  [Bug 3398] tests fail with core dump <perlinger@ntp.org>
    - patch contributed by Alexander Bluhm
  [Bug 3397] ctl_putstr() asserts that data fits in its buffer
    rework of formatting & data transfer stuff in 'ntp_control.c'
    avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
  [Bug 3394] Leap second deletion does not work on ntpd clients
    - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
  [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
    - increased minimum stack size to 32kB <perlinger@ntp.org>
  [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
    - reverted handling of PPS kernel consumer to 4.2.6 behavior
  [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
  [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn.
  [Bug 3016] wrong error position reported for bad ":config pool"
    - fixed location counter & ntpq output <perlinger@ntp.org>
  [Bug 2900] libntp build order problem. HStenn.
  [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
  [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
    perlinger@ntp.org
  [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
  [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
  Use strlcpy() to copy strings, not memcpy(). HStenn.
  Typos. HStenn.
  test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn.
  refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn.
  Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org
  Fix trivial warnings from 'make check'. perlinger@ntp.org
  Fix bug in the override portion of the compiler hardening macro. HStenn.
  record_raw_stats(): Log entire packet. Log writes. HStenn.
  AES-128-CMAC support. BInglis, HStenn, JPerlinger.
  sntp: tweak key file logging. HStenn.
  sntp: pkt_output(): Improve debug output. HStenn.
  update-leap: updates from Paul McMath.
  When using pkg-config, report --modversion. HStenn.
  Clean up libevent configure checks. HStenn.
  sntp: show the IP of who sent us a crypto-NAK. HStenn.
  Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger.
  authistrustedip() - use it in more places. HStenn, JPerlinger.
  New sysstats: sys_lamport, sys_tsrounding. HStenn.
  Update ntp.keys .../N documentation. HStenn.
  Distribute testconf.yml. HStenn.
  Add DPRINTF(2,...) lines to receive() for packet drops. HStenn.
  Rename the configuration flag fifo variables. HStenn.
  Improve saveconfig output. HStenn.
  Decode restrict flags on receive() debug output. HStenn.
  Decode interface flags on receive() debug output. HStenn.
  Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn.
  Update the documentation in ntp.conf.def . HStenn.
  restrictions() must return restrict flags and ippeerlimit. HStenn.
  Update ntpq peer documentation to describe the 'p' type. HStenn.
  Rename restrict 'flags' to 'rflags'. Use an enum for the values. HStenn.
  Provide dump_restricts() for debugging. HStenn.
  Use consistent 4th arg type for [gs]etsockopt. JPerlinger.

* Other items:

* update-leap needs the following perl modules:
  Net::SSLeay
  IO::Socket::SSL

* New sysstats variables: sys_lamport, sys_tsrounding
See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
sys_lamport counts the number of observed Lamport violations, while
sys_tsrounding counts observed timestamp rounding events.

* New ntp.conf items:

- restrict ... noepeer
- restrict ... ippeerlimit N

The 'noepeer' directive will disallow all ephemeral/passive peer
requests.

The 'ippeerlimit' directive limits the number of time associations
for each IP in the designated set of addresses. This limit does not
apply to explicitly-configured associations. A value of -1, the current
default, means an unlimited number of associations may connect from a
single IP. 0 means "none", etc. Ordinarily the only way multiple
associations would come from the same IP would be if the remote side
was using a proxy. But a trusted machine might become compromised,
in which case an attacker might spin up multiple authenticated sessions
from different ports. This directive should be helpful in this case.

* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key. This IP/subnet restriction can be
used to limit the IPs that may use the key in almost all situations where
a key is used.
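The three controls that 4.2.8p11 adds against the Sybil/ephemeral-association attack (Bug 3415 / Bug 3012 above) are easy to misread from the prose alone, so here is a small Python model of their decision logic. This is an added example written for these notes; it is not NTP project code and does not reproduce ntpd's internals. Assumptions: the function names (parse_ntp_keys, key_trusted_for_ip, ippeerlimit_allows, accept_ephemeral_peer), the rflags dict standing in for the matching 'restrict' entry, the ntp.keys 4th-field syntax as comma- or whitespace-separated IP[/subnetbits] entries, and the order in which the three checks are applied. The sample ntp.keys contents are constructed.

```python
import ipaddress
from collections import Counter

# Constructed ntp.keys contents (sample data, not from the release). The
# 4th-field syntax assumed here: one or more IP[/subnetbits] entries,
# separated by commas or whitespace; a missing 4th field means "any IP".
SAMPLE_NTP_KEYS = """\
# keyno  type  key                                       optional: IPs/subnets allowed to use the key
1        MD5   example-key-one                           192.0.2.10,203.0.113.0/24
2        SHA1  0123456789abcdef0123456789abcdef01234567
3        MD5   example-key-three                         2001:db8::/32
"""


def parse_ntp_keys(text):
    """Parse ntp.keys into {keyno: (type, secret, [allowed networks])}.

    An empty network list means the key carries no IP restriction (the
    behaviour before the 4.2.8p6 4th field existed). Key ids must lie in
    the 1-65535 symmetric key range stated in the 4.2.8p12 notes.
    """
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed ntp.keys line: {raw!r}")
        keyno = int(fields[0])
        if not 1 <= keyno <= 65535:
            raise ValueError(f"key id out of range: {keyno}")
        specs = " ".join(fields[3:]).replace(",", " ").split()
        # A bare IP with no /N becomes a single-host network (/32 or /128).
        nets = [ipaddress.ip_network(s, strict=False) for s in specs]
        keys[keyno] = (fields[1], fields[2], nets)
    return keys


def key_trusted_for_ip(keys, keyno, src_ip):
    """The question the notes attribute to authistrustedip(): may a packet
    from src_ip authenticate with key keyno? Unknown keys are never
    trusted; keys without a 4th field are trusted from anywhere."""
    entry = keys.get(keyno)
    if entry is None:
        return False
    nets = entry[2]
    if not nets:
        return True
    addr = ipaddress.ip_address(src_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in nets)


def ippeerlimit_allows(existing_assoc_ips, src_ip, limit):
    """'restrict ... ippeerlimit N' as described in the notes: -1 (the
    default) is unlimited, 0 allows none, N allows at most N associations
    per IP. existing_assoc_ips lists the source IP of every current
    association. Explicitly configured associations come from ntp.conf,
    not from incoming packets, so they never pass through this gate."""
    if limit < 0:
        return True
    return Counter(existing_assoc_ips)[src_ip] < limit


def accept_ephemeral_peer(rflags, existing_assoc_ips, src_ip, keyno, keys):
    """Combined gate for an incoming request that would create an ephemeral
    (symmetric passive) association. Check order is this example's choice:
    noepeer first, then ippeerlimit, then the ntp.keys IP restriction.
    rflags is a dict modelling the restrict entry that matched src_ip."""
    if rflags.get("noepeer", False):
        return False, "noepeer: ephemeral/passive peering disabled"
    limit = rflags.get("ippeerlimit", -1)
    if not ippeerlimit_allows(existing_assoc_ips, src_ip, limit):
        return False, "ippeerlimit: per-IP association limit reached"
    if not key_trusted_for_ip(keys, keyno, src_ip):
        return False, "ntp.keys: key not trusted for this source IP"
    return True, "accepted"


if __name__ == "__main__":
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    flags = {"noepeer": False, "ippeerlimit": 2}
    # One association already exists from 203.0.113.5: a second is
    # allowed, a third is refused, and a host outside key 1's subnets
    # is refused regardless of the limit.
    current = ["203.0.113.5"]
    print(accept_ephemeral_peer(flags, current, "203.0.113.5", 1, keys))
    print(accept_ephemeral_peer(flags, current * 2, "203.0.113.5", 1, keys))
    print(accept_ephemeral_peer(flags, [], "198.51.100.9", 1, keys))
```

The point of the combined gate is that the three mitigations compose: 'noepeer' removes the attack surface entirely where passive peering is not needed, 'ippeerlimit' bounds how many associations a single compromised-but-authenticated host can hold, and the ntp.keys subnet field ensures a leaked key is only useful from the addresses it was issued for.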
399330141Sdelphij-- 400316069SdelphijNTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21) 401316069Sdelphij 402316069SdelphijFocus: Security, Bug fixes, enhancements. 403316069Sdelphij 404316069SdelphijSeverity: MEDIUM 405316069Sdelphij 406316069SdelphijThis release fixes 5 medium-, 6 low-, and 4 informational-severity 407316069Sdelphijvulnerabilities, and provides 15 other non-security fixes and improvements: 408316069Sdelphij 409316069Sdelphij* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium) 410316069Sdelphij Date Resolved: 21 Mar 2017 411316069Sdelphij References: Sec 3389 / CVE-2017-6464 / VU#325339 412316069Sdelphij Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and 413316069Sdelphij ntp-4.3.0 up to, but not including ntp-4.3.94. 414316069Sdelphij CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 415316069Sdelphij CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 416316069Sdelphij Summary: 417316069Sdelphij A vulnerability found in the NTP server makes it possible for an 418316069Sdelphij authenticated remote user to crash ntpd via a malformed mode 419316069Sdelphij configuration directive. 420316069Sdelphij Mitigation: 421316069Sdelphij Implement BCP-38. 422316069Sdelphij Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or 423316069Sdelphij the NTP Public Services Project Download Page 424316069Sdelphij Properly monitor your ntpd instances, and auto-restart 425316069Sdelphij ntpd (without -g) if it stops running. 426316069Sdelphij Credit: 427316069Sdelphij This weakness was discovered by Cure53. 428316069Sdelphij 429316069Sdelphij* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low) 430316069Sdelphij Date Resolved: 21 Mar 2017 431316069Sdelphij References: Sec 3388 / CVE-2017-6462 / VU#325339 432316069Sdelphij Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. 
433316069Sdelphij CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 434316069Sdelphij CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 435316069Sdelphij Summary: 436316069Sdelphij There is a potential for a buffer overflow in the legacy Datum 437316069Sdelphij Programmable Time Server refclock driver. Here the packets are 438316069Sdelphij processed from the /dev/datum device and handled in 439316069Sdelphij datum_pts_receive(). Since an attacker would be required to 440316069Sdelphij somehow control a malicious /dev/datum device, this does not 441316069Sdelphij appear to be a practical attack and renders this issue "Low" in 442316069Sdelphij terms of severity. 443316069Sdelphij Mitigation: 444316069Sdelphij If you have a Datum reference clock installed and think somebody 445316069Sdelphij may maliciously change the device, upgrade to 4.2.8p10, or 446316069Sdelphij later, from the NTP Project Download Page or the NTP Public 447316069Sdelphij Services Project Download Page 448316069Sdelphij Properly monitor your ntpd instances, and auto-restart 449316069Sdelphij ntpd (without -g) if it stops running. 450316069Sdelphij Credit: 451316069Sdelphij This weakness was discovered by Cure53. 452316069Sdelphij 453316069Sdelphij* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium) 454316069Sdelphij Date Resolved: 21 Mar 2017 455316069Sdelphij References: Sec 3387 / CVE-2017-6463 / VU#325339 456316069Sdelphij Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and 457316069Sdelphij ntp-4.3.0 up to, but not including ntp-4.3.94. 458316069Sdelphij CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) 459316069Sdelphij CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 460316069Sdelphij Summary: 461316069Sdelphij A vulnerability found in the NTP server allows an authenticated 462316069Sdelphij remote attacker to crash the daemon by sending an invalid setting 463316069Sdelphij via the :config directive. 
The unpeer option expects a number or 464316069Sdelphij an address as an argument. In case the value is "0", a 465316069Sdelphij segmentation fault occurs. 466316069Sdelphij Mitigation: 467316069Sdelphij Implement BCP-38. 468316069Sdelphij Upgrade to 4.2.8p10, or later, from the NTP Project Download Page 469316069Sdelphij or the NTP Public Services Project Download Page 470316069Sdelphij Properly monitor your ntpd instances, and auto-restart 471316069Sdelphij ntpd (without -g) if it stops running. 472316069Sdelphij Credit: 473316069Sdelphij This weakness was discovered by Cure53. 474316069Sdelphij 475316069Sdelphij* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational) 476316069Sdelphij Date Resolved: 21 Mar 2017 477316069Sdelphij References: Sec 3386 478316069Sdelphij Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and 479316069Sdelphij ntp-4.3.0 up to, but not including ntp-4.3.94. 480316069Sdelphij CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N) 481316069Sdelphij CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N 482316069Sdelphij Summary: 483316069Sdelphij The NTP Mode 6 monitoring and control client, ntpq, uses the 484316069Sdelphij function ntpq_stripquotes() to remove quotes and escape characters 485316069Sdelphij from a given string. According to the documentation, the function 486316069Sdelphij is supposed to return the number of copied bytes but due to 487316069Sdelphij incorrect pointer usage this value is always zero. Although the 488316069Sdelphij return value of this function is never used in the code, this 489316069Sdelphij flaw could lead to a vulnerability in the future. Since relying 490316069Sdelphij on wrong return values when performing memory operations is a 491316069Sdelphij dangerous practice, it is recommended to return the correct value 492316069Sdelphij in accordance with the documentation pertinent to the code. 493316069Sdelphij Mitigation: 494316069Sdelphij Implement BCP-38. 
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
  Date Resolved: 21 Mar 2017
  References: Sec 3385
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  Summary:
    NTP makes use of several wrappers around the standard heap memory
    allocation functions that are provided by libc. This is mainly
    done to introduce additional safety checks concentrated on
    several goals. First, they seek to ensure that memory is not
    accidentally freed, secondly they verify that a correct amount
    is always allocated and, thirdly, that allocation failures are
    correctly handled. There is an additional implementation for
    scenarios where memory for a specific amount of items of the
    same size needs to be allocated. The handling can be found in
    the oreallocarray() function for which a further number-of-elements
    parameter needs to be provided. Although no considerable threat
    was identified as tied to a lack of use of this function, it is
    recommended to correctly apply oreallocarray() as a preferred
    option across all of the locations where it is possible.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
  PPSAPI ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3384 / CVE-2017-6455 / VU#325339
  Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
    not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
    including ntp-4.3.94.
  CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    The Windows NT port has the added capability to preload DLLs
    defined in the inherited global local environment variable
    PPSAPI_DLLS. The code contained within those libraries is then
    called from the NTPD service, usually running with elevated
    privileges. Depending on how securely the machine is set up and
    configured, if ntpd is configured to use the PPSAPI under Windows
    this can easily lead to a code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.
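  Illustration for NTP-01-011 above (an added example, not ntpq's
  ntpq_stripquotes() code): a quote/escape stripper whose return value is
  computed from the output pointer after the copy, so it reports the bytes
  actually written and fails explicitly when the destination is too small.
  The function names, the escape rules and the sample strings are
  assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not ntpq's code.  Rules (assumed for the example):
 * an unescaped '"' is dropped; '\' keeps the next character literally;
 * a dangling trailing '\' is dropped.  dst is always NUL-terminated
 * when dstsize > 0.  Returns the number of bytes copied (without the
 * NUL), or -1 when dst cannot hold the result, so a caller can never
 * act on a stale or meaningless count.
 */
int strip_quotes(char *dst, size_t dstsize, const char *src)
{
    char *out = dst;
    const char *limit;

    if (dstsize == 0)
        return -1;
    limit = dst + dstsize - 1;          /* leave room for the terminator */

    for (; *src != '\0'; ++src) {
        char c = *src;
        if (c == '"')
            continue;                   /* unescaped quote: not copied */
        if (c == '\\') {
            if (src[1] == '\0')
                break;                  /* dangling backslash: dropped */
            c = *++src;                 /* escaped char is copied as-is */
        }
        if (out >= limit) {
            *out = '\0';
            return -1;                  /* would overflow: fail loudly */
        }
        *out++ = c;
    }
    *out = '\0';
    return (int)(out - dst);            /* count derived from the pointers */
}

/* Helpers for checking results: strip into a fixed buffer and report. */
int strip_count(const char *src, size_t dstsize)
{
    char buf[64];
    if (dstsize > sizeof buf)
        dstsize = sizeof buf;
    return strip_quotes(buf, dstsize, src);
}

int strip_matches(const char *src, const char *expect)
{
    char buf[64];
    int n = strip_quotes(buf, sizeof buf, src);
    return n >= 0 && n == (int)strlen(expect) && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* constructed samples: quoted value, escaped quote, dangling backslash */
    const char *samples[] = { "\"hello world\"", "a\\\"b", "x\\" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        char buf[64];
        int n = strip_quotes(buf, sizeof buf, samples[i]);
        printf("%-16s -> %d byte(s): \"%s\"\n", samples[i], n, buf);
    }
    return 0;
}
```

  The -1 on overflow is the design point: the page's concern is that code
  which later trusts the count must get a value that reflects what was
  actually written.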
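  Illustration for NTP-01-010 above (an added example, not NTP's own
  ereallocarray()/oreallocarray() wrappers): a reallocarray-style helper
  that checks the element-count times element-size product for overflow in
  one place, using the same cheap-path-then-divide test OpenBSD's
  reallocarray() uses, so call sites cannot pass a wrapped byte count to
  realloc(). Function names and the sample sizes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NTP's code.  Below 2^(bits/2) for both factors the
 * product cannot wrap; otherwise divide to test it. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 and stores nmemb * size in *total if it fits in size_t. */
int array_size_ok(size_t nmemb, size_t size, size_t *total)
{
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size)
        return 0;
    *total = nmemb * size;
    return 1;
}

/* Convenience predicate for the checks below. */
int size_fits(size_t nmemb, size_t size)
{
    size_t total;
    return array_size_ok(nmemb, size, &total);
}

/* realloc() for arrays that refuses a silently wrapped request. */
void *safe_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    size_t total;
    if (!array_size_ok(nmemb, size, &total))
        return NULL;                /* caller sees failure, not a tiny buffer */
    return realloc(ptr, total);
}

/* Allocate and zero an array of 64-bit counters; 1 on success, 0 if the
 * request was refused (or memory ran out). */
int grow_counters(size_t count)
{
    uint64_t *p = safe_reallocarray(NULL, count, sizeof *p);
    if (p == NULL)
        return 0;
    memset(p, 0, count * sizeof *p);   /* safe: the product was checked */
    free(p);
    return 1;
}

int main(void)
{
    /* constructed requests: a sane one and one that would wrap */
    printf("1024 counters: %s\n", grow_counters(1024) ? "ok" : "refused");
    printf("SIZE_MAX/4 counters: %s\n",
           grow_counters(SIZE_MAX / 4) ? "ok" : "refused");
    return 0;
}
```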

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3383 / CVE-2017-6452 / VU#325339
  Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
    to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcat(), blindly appending
    the string passed to the stack buffer in the addSourceToRegistry()
    function. The stack buffer is 70 bytes smaller than the buffer
    in the calling main() function. Together with the initially
    copied Registry path, the combination causes a stack buffer
    overflow and effectively overwrites the stack frame. The
    passed application path is actually limited to 256 bytes by the
    operating system, but this is not sufficient to assure that the
    affected stack buffer is consistently protected against
    overflowing at all times.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3382 / CVE-2017-6459 / VU#325339
  Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
    up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcpy() with an argument
    that specifically contains multiple null bytes. strcpy() only
    copies a single terminating null character into the target
    buffer instead of copying the required double null bytes in the
    addKeysToRegistry() function. As a consequence, a garbage
    registry entry can be created. The additional arsize parameter
    is erroneously set to contain two null bytes and the following
    call to RegSetValueEx() claims to be passing in a multi-string
    value, though this may not be true.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit:
    This weakness was discovered by Cure53.
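  Illustration for NTP-01-007 above (an added example, not the NTP
  Windows installer's addKeysToRegistry() code): a multi-string value is
  a run of NUL-terminated strings closed by one extra NUL, so strcpy()
  can never copy one whole. The builder below computes the length and
  moves the bytes with memcpy(), and a validator shows what a strcpy()
  copy of the same value looks like. It is plain C, with no registry
  calls; the function names and the sample strings are assumptions.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the installer's code.  Build "s1\0s2\0...\0\0" into
 * out.  Returns the byte count including the closing NUL, or 0 if out is
 * too small, the list is empty, or an item is empty (an empty item would
 * end the list early).
 */
size_t build_multi_sz(const char *const *items, size_t n, char *out, size_t outsize)
{
    size_t used = 0;

    if (n == 0 || outsize == 0)
        return 0;
    for (size_t i = 0; i < n; ++i) {
        size_t len = strlen(items[i]) + 1;          /* string plus its NUL */
        if (len == 1 || len > outsize - used - 1)   /* keep 1 byte for closer */
            return 0;
        memcpy(out + used, items[i], len);          /* length is known: memcpy */
        used += len;
    }
    out[used++] = '\0';                             /* second NUL closes the list */
    return used;
}

/* 1 if buf[0..len) is one or more non-empty strings ending in "\0\0". */
int is_valid_multi_sz(const char *buf, size_t len)
{
    size_t i = 0;

    if (len < 2 || buf[len - 1] != '\0' || buf[len - 2] != '\0')
        return 0;
    while (i < len - 1) {
        if (buf[i] == '\0')
            return 0;                               /* empty string inside list */
        i += strlen(buf + i) + 1;
    }
    return 1;
}

/* constructed sample value: two registry-style strings */
static const char *const sample_items[] = { "Application", "NTP" };

/* Length of the sample value when built into a buffer of outsize bytes. */
size_t demo_multi_sz_len(size_t outsize)
{
    static char buf[64];
    if (outsize > sizeof buf)
        outsize = sizeof buf;
    return build_multi_sz(sample_items, 2, buf, outsize);
}

int demo_multi_sz_valid(void)
{
    static char buf[64];
    size_t n = build_multi_sz(sample_items, 2, buf, sizeof buf);
    return n != 0 && is_valid_multi_sz(buf, n);
}

/* What a strcpy() of the same value carries over: only the first string. */
size_t demo_strcpy_len(void)
{
    static char src[64], dst[64];
    build_multi_sz(sample_items, 2, src, sizeof src);
    strcpy(dst, src);
    return strlen(dst) + 1;
}

int demo_strcpy_valid(void)
{
    static char src[64], dst[64];
    build_multi_sz(sample_items, 2, src, sizeof src);
    strcpy(dst, src);
    return is_valid_multi_sz(dst, strlen(dst) + 1);
}

int main(void)
{
    printf("memcpy build: %zu bytes, valid=%d\n",
           demo_multi_sz_len(64), demo_multi_sz_valid());
    printf("strcpy copy:  %zu bytes, valid=%d\n",
           demo_strcpy_len(), demo_strcpy_valid());
    return 0;
}
```

  The byte count the builder returns is the value a registry write would
  need as its size argument; deriving it from the copy, rather than
  assuming "strlen plus two", is what keeps the data and the declared
  size in agreement.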

* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
  References: Sec 3381
  Summary:
    The report says: Statically included external projects
    potentially introduce several problems and the issue of having
    extensive amounts of code that is "dead" in the resulting binary
    must clearly be pointed out. The unnecessary unused code may or
    may not contain bugs and, quite possibly, might be leveraged for
    code-gadget-based branch-flow redirection exploits. Analogically,
    having source trees statically included as well means a failure
    in taking advantage of the free feature for periodical updates.
    This solution is offered by the system's Package Manager. The
    three libraries identified are libisc, libevent, and libopts.
  Resolution:
    For libisc, we already only use a portion of the original library.
    We've found and fixed bugs in the original implementation (and
    offered the patches to ISC), and plan to see what has changed
    since we last upgraded the code. libisc is generally not
    installed, and when it is we usually only see the static libisc.a
    file installed. Until we know for sure that the bugs we've found
    and fixed are fixed upstream, we're better off with the copy we
    are using.

    Version 1 of libevent was the only production version available
    until recently, and we've been requiring version 2 for a long time.
    But if the build system has at least version 2 of libevent
    installed, we'll use the version that is installed on the system.
    Otherwise, we provide a copy of libevent that we know works.

    libopts is provided by GNU AutoGen, and that library and package
    undergoes frequent API version updates. The version of autogen
    used to generate the tables for the code must match the API
    version in libopts. AutoGen can be ... difficult to build and
    install, and very few developers really need it. So we have it
    on our build and development machines, and we provide the
    specific version of the libopts code in the distribution to make
    sure that the proper API version of libopts is available.

    As for the point about there being code in these libraries that
    NTP doesn't use, OK. But other packages used these libraries as
    well, and it is reasonable to assume that other people are paying
    attention to security and code quality issues for the overall
    libraries. It takes significant resources to analyze and
    customize these libraries to only include what we need, and to
    date we believe the cost of this effort does not justify the benefit.
  Credit:
    This issue was discovered by Cure53.

* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3380
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
  Summary:
    There is a fencepost error in a "recovery branch" of the code for
    the Oncore GPS receiver if the communication link to the ONCORE
    is weak / distorted and the decoding doesn't work.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3379 / CVE-2017-6458 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    ntpd makes use of different wrappers around ctl_putdata() to
    create name/value ntpq (mode 6) response strings. For example,
    ctl_putstr() is usually used to send string data (variable names
    or string data). The formatting code was missing a length check
    for variable names. If somebody explicitly created any unusually
    long variable names in ntpd (longer than 200-512 bytes, depending
    on the type of variable), then if any of these variables are
    added to the response list it would overflow a buffer.
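    Illustration of the missing check described in this Summary (an
    added example, not ntpd's ctl_putdata()/ctl_putstr() code): a
    bounded "name=value" appender for a fixed-size mode 6 response
    buffer. It refuses names over a hard limit before formatting, and
    it treats the snprintf() return value as "bytes wanted" that must
    be compared with the space left before it is used to advance the
    write position. Buffer sizes, the name limit, function names and
    the sample variables are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ntpd's code.  Sizes are assumed for the example. */
#define RESP_SIZE    256     /* response buffer */
#define MAX_NAME_LEN 64      /* hard limit on a variable name */

struct response {
    char   buf[RESP_SIZE];
    size_t len;              /* bytes used, not counting the NUL */
};

void response_init(struct response *r)
{
    r->buf[0] = '\0';
    r->len = 0;
}

/* Append "name=value" (preceded by ", " unless first).  Returns 1 on
 * success; 0, leaving the response as it was, if the name is too long
 * or the item would not fit. */
int response_put(struct response *r, const char *name, const char *value)
{
    size_t room, namelen = strlen(name);
    int wanted;

    if (namelen == 0 || namelen > MAX_NAME_LEN)
        return 0;                            /* the length check that was missing */

    room = sizeof r->buf - r->len;           /* includes the NUL's byte */
    wanted = snprintf(r->buf + r->len, room, "%s%s=%s",
                      r->len ? ", " : "", name, value);
    if (wanted < 0 || (size_t)wanted >= room) {
        r->buf[r->len] = '\0';               /* discard the truncated tail */
        return 0;
    }
    r->len += (size_t)wanted;                /* only now is advancing safe */
    return 1;
}

/* Build a small sample response; returns its length or -1 on failure. */
int demo_response_len(void)
{
    struct response r;
    response_init(&r);
    if (!response_put(&r, "leap", "00") || !response_put(&r, "stratum", "2"))
        return -1;
    return (int)r.len;                       /* "leap=00, stratum=2" */
}

/* A constructed 300-byte name must be refused and change nothing. */
int demo_overlong_name_rejected(void)
{
    struct response r;
    char longname[301];
    memset(longname, 'x', 300);
    longname[300] = '\0';
    response_init(&r);
    response_put(&r, "leap", "00");
    if (response_put(&r, longname, "1"))
        return 0;
    return r.len == 7 && strcmp(r.buf, "leap=00") == 0;
}

/* Items beyond capacity are refused, never truncated into the buffer. */
int demo_fill_stays_bounded(void)
{
    struct response r;
    char name[MAX_NAME_LEN + 1];
    int accepted = 0;
    response_init(&r);
    for (int i = 0; i < 100; ++i) {
        snprintf(name, sizeof name, "var%d", i);
        accepted += response_put(&r, name, "value");
    }
    return r.len < sizeof r.buf && strlen(r.buf) == r.len && accepted < 100;
}

int main(void)
{
    printf("sample response length: %d\n", demo_response_len());
    printf("overlong name rejected: %d\n", demo_overlong_name_rejected());
    printf("buffer stays bounded:   %d\n", demo_fill_stays_bounded());
    return 0;
}
```

    The same "compare, then advance" rule applies to any loop that uses a
    snprintf() result as an offset into the same buffer: the value is
    the length the full output would have had, not the length written.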
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you don't want to upgrade, then don't setvar variable names
    longer than 200-512 bytes in your ntp.conf file.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3378 / CVE-2017-6451 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
  CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
  Summary:
    The legacy MX4200 refclock is only built if it is specifically
    enabled, and furthermore additional code changes are required to
    compile and use it. But it uses the libc functions snprintf()
    and vsnprintf() incorrectly, which can lead to an out-of-bounds
    memory write due to an improper handling of the return value of
    snprintf()/vsnprintf(). Since the return value is used as an
    iterator and it can be larger than the buffer's size, it is
    possible for the iterator to point somewhere outside of the
    allocated buffer space. This results in an out-of-bound memory
    write.
    This behavior can be leveraged to overwrite a saved
    instruction pointer on the stack and gain control over the
    execution flow. During testing it was not possible to identify
    any malicious usage for this vulnerability. Specifically, no
    way for an attacker to exploit this vulnerability was ultimately
    unveiled. However, it has the potential to be exploited, so the
    code should be fixed.
  Mitigation, if you have a Magnavox MX4200 refclock:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
  malicious ntpd (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3377 / CVE-2017-6460 / VU#325339
  Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A stack buffer overflow in ntpq can be triggered by a malicious
    ntpd server when ntpq requests the restriction list from the server.
    This is due to a missing length check in the reslist() function.
    It occurs whenever the function parses the server's response and
    encounters a flagstr variable of an excessive length.
    The string will be copied into a fixed-size buffer, leading to an
    overflow on the function's stack-frame. Note well that this
    problem requires a malicious server, and affects ntpq, not ntpd.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade your version of ntpq then if you want to know
    the reslist of an instance of ntpd that you do not control,
    know that if the target ntpd is malicious that it can send back
    a response that intends to crash your ntpq process.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3376
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: N/A
  CVSS3: N/A
  Summary:
    The build process for NTP has not, by default, provided compile
    or link flags to offer "hardened" security options. Package
    maintainers have always been able to provide hardening security
    flags for their builds. As of ntp-4.2.8p10, the NTP build
    system has a way to provide OS-specific hardening flags. Please
    note that this is still not a really great solution because it
    is specific to NTP builds. It's inefficient to have every
    package supply, track and maintain this information for every
    target build.
    It would be much better if there was a common way
    for OSes to provide this information in a way that arbitrary
    packages could benefit from it.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was reported by Cure53.

* 0rigin DoS (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3361 / CVE-2016-9042 / VU#325339
  Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
  Summary:
    An exploitable denial of service vulnerability exists in the
    origin timestamp check functionality of ntpd 4.2.8p9. A specially
    crafted unauthenticated network packet can be used to reset the
    expected origin timestamp for target peers. Legitimate replies
    from targeted peers will fail the origin timestamp check (TEST2)
    causing the reply to be dropped and creating a denial of service
    condition. This vulnerability can only be exploited if the
    attacker can spoof all of the servers.
  Mitigation:
    Implement BCP-38.
    Configure enough servers/peers that an attacker cannot target
    all of your time sources.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco.

Other fixes:

* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
  - original patch by Majdi S. Abbas
* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
  - initial patch by Christos Zoulas
* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
  - move loader API from 'inline' to proper source
  - augment pathless dlls with absolute path to NTPD
  - use 'msyslog()' instead of 'printf()' for reporting trouble
* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
  - applied patch by Matthew Van Gundy
* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
  - applied some of the patches provided by Havard. Not all of them
    still match the current code base, and I did not touch libopt.
* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
  - applied patch by Reinhard Max. See bugzilla for limitations.
* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
  - fixed dependency inversion from [Bug 2837]
* [Bug 2896] Nothing happens if minsane < maxclock < minclock
  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger@ntp.org>
* Update copyright year.

--
(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
  - added missed changeset for automatic openssl lib detection
  - fixed some minor warning issues
* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
* configure.ac cleanup. stenn@ntp.org
* openssl configure cleanup. stenn@ntp.org

--
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
    allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
998309008Sdelphij Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 999309008Sdelphij or the NTP Public Services Project Download Page 1000309008Sdelphij Properly monitor your ntpd instances, and auto-restart ntpd 1001309008Sdelphij (without -g) if it stops running. 1002309008Sdelphij Credit: This weakness was discovered by Sharon Goldberg and Aanchal 1003309008Sdelphij Malhotra of Boston University. 1004309008Sdelphij 1005309008Sdelphij* read_mru_list() does inadequate incoming packet checks 1006309008Sdelphij Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 1007309008Sdelphij References: Sec 3082 / CVE-2016-7434 / VU#633847 1008309008Sdelphij Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and 1009309008Sdelphij ntp-4.3.0 up to, but not including ntp-4.3.94. 1010309008Sdelphij CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C) 1011309008Sdelphij CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 1012309008Sdelphij Summary: 1013309008Sdelphij If ntpd is configured to allow mrulist query requests from a 1014309008Sdelphij server that sends a crafted malicious packet, ntpd will crash 1015309008Sdelphij on receipt of that crafted malicious mrulist query packet. 1016309008Sdelphij Mitigation: 1017309008Sdelphij Only allow mrulist query packets from trusted hosts. 1018309008Sdelphij Implement BCP-38. 1019309008Sdelphij Upgrade to 4.2.8p9, or later, from the NTP Project Download Page 1020309008Sdelphij or the NTP Public Services Project Download Page 1021309008Sdelphij Properly monitor your ntpd instances, and auto-restart ntpd 1022309008Sdelphij (without -g) if it stops running. 1023309008Sdelphij Credit: This weakness was discovered by Magnus Stubman. 

* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use that interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check the source address
    of received packets (e.g. rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with a spoofed source address which will cause ntpd to select the
    wrong interface for the source and prevent it from sending new
    requests until the list of interfaces is refreshed, which happens
    on routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are going to configure your OS to disable source address
    checks, also configure your firewall to control which interfaces
    can receive packets from which networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources. An
    attacker who knows the sources (e.g., from an IPv4 refid in a
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with a spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.

  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.

* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
    are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past; they were simply counted silently and not logged. With the
increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can help detect other problems, too.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.
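The authdecrypt-timing item above describes MAC digests being checked with memcmp(), which returns at the first mismatching byte. The following is an added example, not ntpd's code: it puts that early-exit compare next to a constant-time compare and counts how many bytes the early-exit version examines before rejecting a forgery. The 16-byte digest is constructed and the function names are hypothetical.

```c
/*
 * Added example (not ntpd's code): why an early-exit MAC compare leaks
 * timing, and the constant-time compare that replaces it.  The digest
 * below is constructed; function names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16   /* MD5-sized MAC, the common size for NTP symmetric keys */

/* Constructed "correct" MAC for some packet; not a real digest. */
static const uint8_t good_mac[DIGEST_LEN] = {
	0x3a, 0x1f, 0xc2, 0x90, 0x7e, 0x55, 0x0b, 0xd4,
	0x66, 0x81, 0x2c, 0xff, 0x19, 0xa7, 0x4d, 0xe0
};

/* The pre-4.2.8p7 pattern: memcmp() returns at the first mismatch,
 * so the check takes longer the more leading bytes are right. */
int mac_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
	return memcmp(a, b, n) == 0;
}

/* Model of that early exit: count the bytes examined before the verdict.
 * This count is the quantity a timing attacker tries to recover. */
size_t leaky_bytes_touched(const uint8_t *a, const uint8_t *b, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (a[i] != b[i])
			return i + 1;   /* stopped at the first mismatch */
	return n;
}

/* Constant-time compare: visit every byte, OR the differences together,
 * and inspect the accumulator only once at the end.  'volatile' keeps
 * the compiler from re-introducing an early exit. */
int mac_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
	volatile uint8_t diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (uint8_t)(a[i] ^ b[i]);
	return diff == 0;
}

/* Build a forgery that agrees with good_mac in its first 'prefix' bytes
 * and differs in every later byte. */
static void make_forgery(uint8_t *out, size_t prefix)
{
	size_t i;

	if (prefix > DIGEST_LEN)
		prefix = DIGEST_LEN;
	for (i = 0; i < DIGEST_LEN; i++)
		out[i] = (i < prefix) ? good_mac[i] : (uint8_t)~good_mac[i];
}

/* Bytes the early-exit compare examines for such a forgery: prefix + 1,
 * or DIGEST_LEN when the forgery is the genuine MAC. */
size_t forgery_bytes_touched(size_t prefix)
{
	uint8_t forged[DIGEST_LEN];

	make_forgery(forged, prefix);
	return leaky_bytes_touched(good_mac, forged, DIGEST_LEN);
}

/* Verdicts of both compares on the same forgery.  They always agree,
 * which is why the defect is invisible to functional tests. */
int forgery_accepted_leaky(size_t prefix)
{
	uint8_t forged[DIGEST_LEN];

	make_forgery(forged, prefix);
	return mac_equal_leaky(good_mac, forged, DIGEST_LEN);
}

int forgery_accepted_ct(size_t prefix)
{
	uint8_t forged[DIGEST_LEN];

	make_forgery(forged, prefix);
	return mac_equal_ct(good_mac, forged, DIGEST_LEN);
}

int main(void)
{
	size_t prefix;

	puts("prefix  bytes-examined(leaky)  leaky-accepts  ct-accepts");
	for (prefix = 0; prefix <= DIGEST_LEN; prefix += 4)
		printf("%6zu  %21zu  %13d  %10d\n", prefix,
		       forgery_bytes_touched(prefix),
		       forgery_accepted_leaky(prefix),
		       forgery_accepted_ct(prefix));
	return 0;
}
```

The table shows the byte count climbing with the correct prefix while both verdicts stay 0 until the full digest matches; the constant-time version examines all DIGEST_LEN bytes regardless.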

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade, use "server" associations instead of
    "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are unable to upgrade and if you are running an OS that
    has this vulnerability, implement martian packet filters and
    lobby your OS vendor to fix this problem, or run your
    refclocks on computers that use OSes that are not vulnerable
    to these attacks and have your vulnerable machines get their
    time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page. These
      versions will not dynamically "flip" into interleave mode
      unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of RedHat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
    the feature introduced in ntp-4.2.8p6 allowing an optional 4th
    field in the ntp.keys file to specify which IPs can serve time,
    a malicious authenticated peer can create arbitrarily many
    ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
      can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvidron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
    when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document the optional IP list in ntp.keys in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

    --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
    * Own a malicious NTP server that the client trusts
    * Prevent a legitimate NTP server from sending packets to
      the 'ntpq' client
    * MITM the 'ntpq' communications between the 'ntpq' client
      and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:L)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc.)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
      deeper problems to investigate. In this case also consider
      having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
      the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
        never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
        careful about what IPs have the ability to send 'modify'
        requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq, make sure there are
        some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key encryption uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server vs. client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
      upgrade to 4.2.8p6, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page, and
      use the new field in the ntp.keys file that specifies the list
      of IPs that are allowed to serve time. Note that this alone
      will not protect against time packets with forged source IP
      addresses; however, other changes in ntp-4.2.8p6 provide
      significant mitigation against broadcast attacks. MITM attacks
      are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
        servers.
      If you choose to use symmetric keys to authenticate time
        packets in a hostile environment where ephemeral time
        servers can be created, or if it is expected that malicious
        time servers will participate in an NTP broadcast domain,
        limit the number of systems that participate in the
        shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.
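As an added example (constructed here, not taken from the NTP project's own documentation), the following ntp.conf and ntp.keys pair applies the mitigations that recur in the entries above: 'restrict default nomodify noquery' so that mode 7 and 'saveconfig' are never reachable from the network, several independent time sources, and the ntp-4.2.8p6 fourth field of ntp.keys that limits which IPs may serve time with key 1 (the Sybil entry above and this one). Host names, the 192.0.2.x addresses and the key value are placeholders; it assumes the four servers resolve to the addresses listed in the key file.

```conf
# /etc/ntp.conf (constructed example; names and addresses are placeholders)

driftfile /var/lib/ntp/ntp.drift

# Default policy for every source: serve time only.  'nomodify' refuses
# runtime configuration (which includes 'ntpq saveconfig'), 'noquery'
# refuses mode 6/7 status and control queries, 'nopeer' refuses unsolicited
# ephemeral associations, 'kod limited' rate-limits abusive clients.
# Mode 7 (ntpdc) is left at its ntp-4.2.8 default: disabled.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Local administration only; every other address falls under the default.
restrict 127.0.0.1
restrict ::1

# Several independent, authenticated sources so that no single (possibly
# impersonated) server can win the clock selection on its own.
server ntp1.example.net iburst key 1
server ntp2.example.net iburst key 1
server ntp3.example.net iburst key 1
server ntp4.example.net iburst key 1

# Symmetric-key authentication.  'controlkey' is required before any ntpq
# runtime configuration is honoured at all; no 'requestkey' is configured,
# so mode 7 requests are rejected even if someone sends them.
keys /etc/ntp.keys
trustedkey 1
controlkey 1

# /etc/ntp.keys (constructed example; readable by the ntpd user only)
# keyno  type  key                  optional 4th field: IPs allowed to use it
# Without the 4th field any host holding key 1 could serve time to us;
# with it, key 1 is only trusted from the four configured servers.
1        MD5   REPLACE_WITH_SECRET  192.0.2.10,192.0.2.11,192.0.2.12,192.0.2.13
```

In practice the two files are kept separately; they are shown in one listing here only to keep the example in one place.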

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
    IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
  References: Sec 2956, CVE-2015-5300
  Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
    4.3.0 up to, but not including 4.3.78
  CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
  Summary: If ntpd is always started with the -g option, which is
    common and against long-standing recommendation, and if at the
    moment ntpd is restarted an attacker can immediately respond to
    enough requests from enough sources trusted by the target, which
    is difficult and not common, there is a window of opportunity
    where the attacker can cause ntpd to set the time to an
    arbitrary value. Similarly, if an attacker is able to respond
    to enough requests from enough sources trusted by the target,
    the attacker can cause ntpd to abort and restart. At that point,
    if ntpd was re-started (against long-standing recommendation)
    with the -g flag, the attacker can tell the target to set the
    time to an arbitrary value; if ntpd was not given the -g flag,
    the attacker can move the target system's time by at most
    900 seconds per attack.
  Mitigation:
    Configure ntpd to get time from multiple sources.
    Upgrade to 4.2.8p5, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    As we've long documented, only use the -g option to ntpd in
      cold-start situations.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg at Boston University.

  NOTE WELL: The -g flag disables the limit check on the panic_gate
    in ntpd, which is 900 seconds by default. The bug identified by
    the researchers at Boston University is that the panic_gate
    check was only re-enabled after the first change to the system
    clock that was greater than 128 milliseconds, by default. The
    correct behavior is that the panic_gate check should be
    re-enabled after any initial time correction.

  If an attacker is able to inject consistent but erroneous time
    responses to your systems via the network or "over the air",
    perhaps by spoofing radio, cellphone, or navigation satellite
    transmissions, they are in a great position to affect your
    system's clock. There comes a point where your very best
    defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
1935293650Sglebius* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray 1936293650Sglebius* [Bug 2944] errno is not preserved properly in ntpdate after sendto call. 1937293650Sglebius - applied patch by Christos Zoulas. perlinger@ntp.org 1938293650Sglebius* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704. 1939293650Sglebius* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes. 1940293650Sglebius - fixed data race conditions in threaded DNS worker. perlinger@ntp.org 1941293650Sglebius - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org 1942293650Sglebius* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org 1943293650Sglebius - accept key file only if there are no parsing errors 1944293650Sglebius - fixed size_t/u_int format clash 1945293650Sglebius - fixed wrong use of 'strlcpy' 1946293650Sglebius* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. 1947293650Sglebius* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org 1948293650Sglebius - fixed several other warnings (cast-alignment, missing const, missing prototypes) 1949293650Sglebius - promote use of 'size_t' for values that express a size 1950293650Sglebius - use ptr-to-const for read-only arguments 1951293650Sglebius - make sure SOCKET values are not truncated (win32-specific) 1952293650Sglebius - format string fixes 1953293650Sglebius* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. 1954293650Sglebius* [Bug 2967] ntpdate command suffers an assertion failure 1955293650Sglebius - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org 1956293650Sglebius* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with 1957293650Sglebius lots of clients. perlinger@ntp.org 1958293650Sglebius* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 1959293650Sglebius - changed stacked/nested handling of CTRL-C. 
perlinger@ntp.org 1960293650Sglebius* Unity cleanup for FreeBSD-6.4. Harlan Stenn. 1961293650Sglebius* Unity test cleanup. Harlan Stenn. 1962293650Sglebius* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. 1963293650Sglebius* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. 1964293650Sglebius* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. 1965293650Sglebius* Quiet a warning from clang. Harlan Stenn. 1966293650Sglebius 1967293650Sglebius--- 1968298699SdelphijNTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21) 1969289997Sglebius 1970293650SglebiusFocus: Security, Bug fixes, enhancements. 1971289997Sglebius 1972289997SglebiusSeverity: MEDIUM 1973289997Sglebius 1974289997SglebiusIn addition to bug fixes and enhancements, this release fixes the 1975289997Sglebiusfollowing 13 low- and medium-severity vulnerabilities: 1976289997Sglebius 1977289997Sglebius* Incomplete vallen (value length) checks in ntp_crypto.c, leading 1978289997Sglebius to potential crashes or potential code injection/information leakage. 1979289997Sglebius 1980289997Sglebius References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 1981289997Sglebius Affects: All ntp-4 releases up to, but not including 4.2.8p4, 1982289997Sglebius and 4.3.0 up to, but not including 4.3.77 1983289997Sglebius CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 1984289997Sglebius Summary: The fix for CVE-2014-9750 was incomplete in that there were 1985289997Sglebius certain code paths where a packet with particular autokey operations 1986289997Sglebius that contained malicious data was not always being completely 1987289997Sglebius validated. Receipt of these packets can cause ntpd to crash. 1988289997Sglebius Mitigation: 1989289997Sglebius Don't use autokey. 1990289997Sglebius Upgrade to 4.2.8p4, or later, from the NTP Project Download 1991289997Sglebius Page or the NTP Public Services Project Download Page 1992289997Sglebius Monitor your ntpd instances. 
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
    KoD messages that have been forged by an attacker, causing it to
    delay or stop querying its servers for time updates. Also, an
    attacker can forge packets that claim to be from the target and
    send them to servers often enough that a server that implements
    KoD rate limiting will send the target machine a KoD response to
    attempt to reduce the rate of incoming packets, or it may also
    trigger a firewall block at the server for packets from the target
    machine. For either of these attacks to succeed, the attacker must
    know what servers the target is communicating with. An attacker
    can be anywhere on the Internet and can frequently learn the
    identity of the target's time source by sending the target a
    time query.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade, restrict who can query ntpd to learn who
    its servers are, and what IPs are allowed to ask your system
    for the time. This mitigation is heavy-handed.
    Monitor your ntpd instances.
  Note:
    4.2.8p4 protects against the first attack. For the second attack,
    all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
    and if the (possibly spoofed) source IP address is allowed to
    send remote configuration requests, and if the attacker knows
    the remote configuration password, it's possible for an attacker
    to use the "pidfile" or "driftfile" directives to potentially
    overwrite other files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    If you cannot upgrade, don't enable remote configuration.
    If you must enable remote configuration and cannot upgrade,
    remote configuration of NTF's ntpd requires:
      - an explicitly configured trustedkey, and you should also
        configure a controlkey.
      - access from a permitted IP. You choose the IPs.
      - authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
    4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
    send packets to ntpd that will, after several days of ongoing
    attack, cause it to run out of memory.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.
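The origin-timestamp check that the KoD item (Sec 2901) above calls for, written out as an added example; this is not ntpd's code, and the packet and peer structures are reduced to the fields the check needs, with their names and layout assumed.

```c
/* Added example (not ntpd's code): the origin-timestamp check a client
 * applies to a Kiss-o'-Death reply. Structure names and layout are assumed;
 * only the fields the check needs are modelled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction. */
typedef struct { uint32_t sec; uint32_t frac; } l_fp;

/* The parts of a server reply this check looks at. */
struct ntp_reply {
    uint8_t stratum;   /* 0 marks a Kiss-o'-Death reply                  */
    char    refid[4];  /* ASCII kiss code (e.g. RATE) when stratum is 0  */
    l_fp    org;       /* origin timestamp: must echo our request's xmt  */
};

/* Client state per server: xmt of the request still awaiting a reply.
 * All-zero means no request is outstanding. */
struct peer_state {
    l_fp xmt;
};

enum kod_verdict {
    KOD_NOT_KOD = 0,   /* ordinary reply; not handled here                 */
    KOD_ACCEPT,        /* genuine KoD that answers our outstanding request */
    KOD_BOGUS_ORIGIN,  /* origin does not match what we sent: discard      */
    KOD_UNSOLICITED    /* nothing outstanding to answer: discard           */
};

static int lfp_equal(const l_fp *a, const l_fp *b)
{
    return a->sec == b->sec && a->frac == b->frac;
}

/*
 * Before 4.2.8p4 a client honoured any stratum-0 reply, so forged KoD
 * messages could delay or stop its polling (the first attack described
 * above). The hardened rule: a KoD counts only if its origin timestamp
 * equals the xmt of a request we actually sent, and each xmt is answered
 * at most once. The kiss code (RATE, DENY, ...) decides what to do after
 * that, not whether to trust the packet.
 */
enum kod_verdict kod_check(const struct ntp_reply *pkt, struct peer_state *peer)
{
    if (pkt->stratum != 0)
        return KOD_NOT_KOD;
    if (peer->xmt.sec == 0 && peer->xmt.frac == 0)
        return KOD_UNSOLICITED;
    if (!lfp_equal(&pkt->org, &peer->xmt))
        return KOD_BOGUS_ORIGIN;
    /* Consume the outstanding xmt so a captured KoD cannot be replayed
     * against it later (added hardening, assumed, not from the page). */
    memset(&peer->xmt, 0, sizeof(peer->xmt));
    return KOD_ACCEPT;
}

/* Builds the two structures from raw values; handy for stand-alone checks. */
enum kod_verdict kod_check_values(uint8_t stratum, uint32_t org_sec,
                                  uint32_t org_frac, uint32_t xmt_sec,
                                  uint32_t xmt_frac)
{
    struct ntp_reply pkt = { stratum, {'R','A','T','E'}, { org_sec, org_frac } };
    struct peer_state peer = { { xmt_sec, xmt_frac } };
    return kod_check(&pkt, &peer);
}

/* Constructed scenario: a forged RATE KoD whose origin only matches the
 * seconds field is refused, the genuine one is accepted once, and a
 * replay of the genuine one is then unsolicited. Returns 1 on success. */
int kod_demo(void)
{
    struct peer_state peer = { { 0xdbf00001u, 0x12345678u } };
    struct ntp_reply forged  = { 0, {'R','A','T','E'}, { 0xdbf00001u, 0u } };
    struct ntp_reply genuine = { 0, {'R','A','T','E'}, { 0xdbf00001u, 0x12345678u } };

    if (kod_check(&forged, &peer) != KOD_BOGUS_ORIGIN) return 0;
    if (kod_check(&genuine, &peer) != KOD_ACCEPT) return 0;
    if (kod_check(&genuine, &peer) != KOD_UNSOLICITED) return 0;
    return 1;
}

int main(void)
{
    int ok = kod_demo();   /* kod_demo() rebuilds its own state each call */
    printf("KoD origin check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```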

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
          mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
          to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
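The remote-configuration mitigations (trustedkey, controlkey, permitted IPs, authentication) from the "pidfile"/"driftfile" item and the mode 7 mitigations (requestkey, restrict noquery) from the item above, collected into one ntp.conf fragment as an added example; it is not from the NTP distribution, and the key id, key-file path and management address are placeholders.

```conf
# Added example ntp.conf fragment (not from the NTP distribution). Key id,
# key-file path and management address are placeholders.

# Weak settings the advisories above warn about: anyone may query (and so
# learn which servers this host uses), mode 7 is on, and authentication
# is off.
#   restrict default
#   enable mode7
#   disable auth

# Hardened defaults: clients get time only. noquery blocks mode 6/7
# queries, nomodify blocks runtime configuration, nopeer stops unsolicited
# symmetric associations; kod together with limited rate-limits abusive
# clients.
restrict default kod limited nomodify notrap nopeer noquery

# Local administration keeps full access (ntpq/ntpdc on the host itself),
# which is where the "pidfile"/"driftfile" item says configuration belongs.
restrict 127.0.0.1
restrict ::1

# If one management host must reconfigure remotely, list it explicitly
# and omit nomodify for that address only (placeholder address). It still
# has to authenticate with controlkey below.
#restrict 192.0.2.10 notrap nopeer

# Mode 7 (ntpdc) stays off, the 4.2.8 default; never add "enable mode7"
# unless a requestkey is configured as well.

# Authentication stays enabled (the default). Keep the key file root-owned
# and unreadable by others.
keys /etc/ntp.keys          # placeholder path
trustedkey 10               # placeholder id: the key(s) ntpd will accept
controlkey 10               # required for mode 6 writes (ntpq :config)
#requestkey 10              # only together with "enable mode7"
```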

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure this
        if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from permitted IP addresses. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious instance of ntpd that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
    and ntpq crashes, try again using raw mode. Build or get a
    patched ntpq and see if that fixes the problem. Report new
    bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
    in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
    that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
        the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
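Why a negative datalen overflows rather than simply copying nothing, as an added example (not ntpd's code): a clamp on the upper bound alone lets a negative signed length through, and the implicit conversion to size_t at the memcpy() call turns it into a huge count. The buffer size and function names below are assumed for illustration.

```c
/* Added example, not ntpd's code: the signed-length hazard behind the
 * refclock datalen overflow (Sec 2920). Buffer size, names and the
 * "before" clamp are assumed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_MAX 32   /* assumed capacity of the driver's sample buffer */

/* "Before": an upper-bound clamp only. A negative datalen passes through
 * untouched, so the caller's -1 reaches memcpy() as is. */
int clamp_upper_only(int datalen)
{
    if (datalen > CODE_MAX)
        datalen = CODE_MAX;
    return datalen;              /* -1 comes back as -1 */
}

/* The count memcpy() actually receives for a given signed datalen: the
 * int is converted to size_t, so -1 becomes SIZE_MAX. */
size_t as_memcpy_length(int datalen)
{
    return (size_t)datalen;
}

/* "After": reject on the signed value first, then bound-check against the
 * real capacity. Returns bytes stored, or -1 when the length is refused. */
int store_sample_checked(char *dst, size_t cap, const char *data, int datalen)
{
    if (datalen < 0)             /* the case the advisory describes */
        return -1;
    if ((size_t)datalen > cap)   /* non-negative now, so conversion is safe */
        return -1;
    memcpy(dst, data, (size_t)datalen);
    return datalen;
}

/* Wrapper over a fixed-size buffer for stand-alone checks. */
int store_into_fixed_buffer(const char *data, int datalen)
{
    char code[CODE_MAX];
    return store_sample_checked(code, sizeof(code), data, datalen);
}

int main(void)
{
    /* Constructed sample: a short NMEA-style sentence prefix. */
    const char *sample = "$GPRMC";
    printf("clamp_upper_only(-1)      = %d\n", clamp_upper_only(-1));
    printf("as_memcpy_length(-1)      = %zu\n", as_memcpy_length(-1));
    printf("store(\"%s\", 6)      = %d\n", sample,
           store_into_fixed_buffer(sample, 6));
    printf("store(\"%s\", -1)     = %d\n", sample,
           store_into_fixed_buffer(sample, -1));
    return 0;
}
```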

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
        and mode 7 requests.
      Configure and use the controlkey and requestkey
        authentication directives to limit who can
        send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations. This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
        block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory). A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
  be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
* [Bug 2888] streamline calendar functions. perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h made to agree with NTP's formatting conventions.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
* Code cleanup. Harlan Stenn.
* libntp/icom.c: Typo fix. Harlan Stenn.
* util/ntptime.c: initialization nit. Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
  Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
  Flendrich
* Typo fix for GCC warning suppression. Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2440289997Sglebius* Added declarations to all Unity tests, and did minor fixes to them. 2441289997Sglebius Reduced the number of warnings by half. Damir Tomi��. 2442289997Sglebius* Updated generate_test_runner.rb and updated the sntp/unity/auto directory 2443289997Sglebius with the latest Unity updates from Mark. Damir Tomi��. 2444289997Sglebius* Retire google test - phase I. Harlan Stenn. 2445289997Sglebius* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 2446289997Sglebius* Update the NEWS file. Harlan Stenn. 2447289997Sglebius* Autoconf cleanup. Harlan Stenn. 2448289997Sglebius* Unit test dist cleanup. Harlan Stenn. 2449289997Sglebius* Cleanup various test Makefile.am files. Harlan Stenn. 2450289997Sglebius* Pthread autoconf macro cleanup. Harlan Stenn. 2451289997Sglebius* Fix progname definition in unity runner scripts. Harlan Stenn. 2452289997Sglebius* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 2453289997Sglebius* Update the patch for bug 2817. Harlan Stenn. 2454289997Sglebius* More updates for bug 2817. Harlan Stenn. 2455289997Sglebius* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 2456289997Sglebius* gcc on older HPUX may need +allowdups. Harlan Stenn. 2457289997Sglebius* Adding missing MCAST protection. Harlan Stenn. 2458289997Sglebius* Disable certain test programs on certain platforms. Harlan Stenn. 2459289997Sglebius* Implement --enable-problem-tests (on by default). Harlan Stenn. 2460289997Sglebius* build system tweaks. Harlan Stenn. 2461289997Sglebius 2462289997Sglebius--- 2463285612SdelphijNTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 2464285612Sdelphij 2465285612SdelphijFocus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 2466285612Sdelphij 2467285612SdelphijSeverity: MEDIUM 2468285612Sdelphij 2469285612SdelphijSecurity Fix: 2470285612Sdelphij 2471285612Sdelphij* [Sec 2853] Crafted remote config packet can crash some versions of 2472285612Sdelphij ntpd. 
Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. 2473285612Sdelphij 2474285612SdelphijUnder specific circumstances an attacker can send a crafted packet to 2475285612Sdelphijcause a vulnerable ntpd instance to crash. This requires each of the 2476285612Sdelphijfollowing to be true: 2477285612Sdelphij 2478285612Sdelphij1) ntpd set up to allow remote configuration (not allowed by default), and 2479285612Sdelphij2) knowledge of the configuration password, and 2480285612Sdelphij3) access to a computer entrusted to perform remote configuration. 2481285612Sdelphij 2482285612SdelphijThis vulnerability is considered low-risk. 2483285612Sdelphij 2484285612SdelphijNew features in this release: 2485285612Sdelphij 2486285612SdelphijOptional (disabled by default) support to have ntpd provide smeared 2487285612Sdelphijleap second time. A specially built and configured ntpd will only 2488285612Sdelphijoffer smeared time in response to client packets. These response 2489285612Sdelphijpackets will also contain a "refid" of 254.a.b.c, where the 24 bits 2490285612Sdelphijof a, b, and c encode the amount of smear in a 2:22 integer:fraction 2491285612Sdelphijformat. See README.leapsmear and http://bugs.ntp.org/2855 for more 2492285612Sdelphijinformation. 2493285612Sdelphij 2494285612Sdelphij *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* 2495285612Sdelphij *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* 2496285612Sdelphij 2497285612SdelphijWe've imported the Unity test framework, and have begun converting 2498285612Sdelphijthe existing google-test items to this new framework. If you want 2499285612Sdelphijto write new tests or change old ones, you'll need to have ruby 2500285612Sdelphijinstalled. You don't need ruby to run the test suite. 2501285612Sdelphij 2502285612SdelphijBug Fixes and Improvements: 2503285612Sdelphij 2504285612Sdelphij* CID 739725: Fix a rare resource leak in libevent/listener.c. 
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.
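The 254.a.b.c leap-smear refid described in the 4.2.8p3 notes above, worked through as an added Python example (not ntpd's refidsmear code): it encodes and decodes the 24-bit 2:22 fixed-point smear field and scans ntpq -p style peer lines so an operator can spot an upstream that is handing out smeared time. The two's-complement reading of the 2 integer bits, the tally-code handling and the sample peer lines are assumptions made for this example.

```python
import ipaddress

SMEAR_REFID_PREFIX = 254            # top octet that marks a smear refid
SMEAR_FRAC_BITS = 22                # 2:22 integer:fraction format
SMEAR_SCALE = 1 << SMEAR_FRAC_BITS
SMEAR_FIELD_BITS = 24
SMEAR_FIELD_MASK = (1 << SMEAR_FIELD_BITS) - 1
TALLY_CODES = "*+-#x.o"             # ntpq -p status column; a space means none


def smear_to_refid(offset_seconds: float) -> str:
    """Encode a smear offset in seconds as a dotted-quad 254.a.b.c refid.

    The low 24 bits hold the offset as a two's-complement fixed-point number
    with 2 integer bits and 22 fraction bits (an assumption about the sign
    handling), so -2.0 <= offset < 2.0 seconds is representable.
    """
    fixed = round(offset_seconds * SMEAR_SCALE)
    if not -(1 << 23) <= fixed < (1 << 23):
        raise ValueError("smear offset outside the 2:22 range: %r" % offset_seconds)
    field = fixed & SMEAR_FIELD_MASK                # two's complement in 24 bits
    word = (SMEAR_REFID_PREFIX << 24) | field
    return str(ipaddress.IPv4Address(word))


def refid_to_smear(refid: str):
    """Return the smear offset in seconds for a 254.a.b.c refid, or None
    when the refid is anything else (a real address, .GPS., .INIT., ...)."""
    try:
        word = int(ipaddress.IPv4Address(refid))
    except ValueError:                              # not a dotted quad at all
        return None
    if word >> 24 != SMEAR_REFID_PREFIX:
        return None
    field = word & SMEAR_FIELD_MASK
    if field & (1 << (SMEAR_FIELD_BITS - 1)):       # sign-extend the 24-bit field
        field -= 1 << SMEAR_FIELD_BITS
    return field / SMEAR_SCALE


def smeared_sources(peer_lines):
    """Scan ntpq -p style lines and return [(remote, smear_seconds)] for
    every source whose refid says it is serving smeared time."""
    found = []
    for line in peer_lines:
        if line[:1] in TALLY_CODES:                 # drop the tally character
            line = line[1:]
        cols = line.split()
        if len(cols) < 2:
            continue
        offset = refid_to_smear(cols[1])
        if offset is not None:
            found.append((cols[0], offset))
    return found


# Constructed ntpq -p style output (documentation addresses, not a capture).
SAMPLE_PEERS = [
    "*198.51.100.7    254.32.0.0       2 u   37   64  377    0.412   -0.031   0.020",
    "+203.0.113.5     .GPS.            1 u   22   64  377    1.100    0.003   0.011",
    " 192.0.2.10      203.0.113.9      3 u   60   64  377    5.200    0.120   0.080",
]
```

Run the scan against the output of a real `ntpq -p` to confirm that none of your public-facing servers is chained behind a smearing source.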

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

  wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.
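An added Python illustration of the two symmetric-key checks above (this is not ntpd's code, only a reconstruction from the advisory text): the Sec 2779 acceptance rule that verifies a MAC only when one is present is shown beside the corrected rule that requires one whenever the association has a key configured, and the receive path updates peer state only after authentication succeeds, which is the ordering Sec 2781 calls for. The packet bytes, key table, key id and MD5-only MAC layout are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48       # fixed NTPv4 header
NTP_KEYID_LEN = 4         # key id that precedes the digest in the MAC
MD5_DIGEST_LEN = 16       # only the MD5 MAC layout is handled here


def split_ntp_packet(pkt: bytes):
    """Return (header, keyid, digest); keyid and digest are None when the
    packet carries no MAC at all."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    header, mac = pkt[:NTP_HEADER_LEN], pkt[NTP_HEADER_LEN:]
    if not mac:
        return header, None, None
    if len(mac) != NTP_KEYID_LEN + MD5_DIGEST_LEN:
        raise ValueError("unsupported MAC length %d" % len(mac))
    (keyid,) = struct.unpack("!I", mac[:NTP_KEYID_LEN])
    return header, keyid, mac[NTP_KEYID_LEN:]


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key MD5 MAC as NTP computes it: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def mac_matches(keys, keyid, digest, header) -> bool:
    key = keys.get(keyid)
    if key is None:
        return False
    return hmac.compare_digest(digest, ntp_md5_mac(key, header))


def accept_pre_4_2_8p2(pkt, keys, assoc_keyid) -> bool:
    """Flawed rule as the advisory describes it: a MAC that is present must
    verify, but a packet without any MAC is never rejected."""
    header, keyid, digest = split_ntp_packet(pkt)
    if keyid is None:
        return True                       # the hole: no MAC, nothing checked
    return mac_matches(keys, keyid, digest, header)


def accept_fixed(pkt, keys, assoc_keyid) -> bool:
    """Corrected rule: with a key configured for the association, the packet
    must carry a MAC under that key id and the MAC must verify."""
    header, keyid, digest = split_ntp_packet(pkt)
    if assoc_keyid is None:               # association not authenticated
        return True
    if keyid != assoc_keyid:              # also catches the no-MAC case
        return False
    return mac_matches(keys, keyid, digest, header)


class Association:
    """Minimal per-peer state: configured key id, last accepted transmit
    timestamp (becomes our originate value) and a rejection counter."""

    def __init__(self, keyid):
        self.keyid = keyid
        self.org = 0
        self.rejected = 0


def receive(assoc: Association, pkt: bytes, keys) -> bool:
    """Authenticate first; only then touch the protocol state variables."""
    if not accept_fixed(pkt, keys, assoc.keyid):
        assoc.rejected += 1               # unauthenticated: state untouched
        return False
    xmt_sec, xmt_frac = struct.unpack("!II", pkt[40:48])
    assoc.org = (xmt_sec << 32) | xmt_frac
    return True


def build_header(xmt_seconds: int) -> bytes:
    """Constructed NTPv4 server header: LI=0, VN=4, mode=4, stratum 2,
    refid GPS, all four timestamps set to xmt_seconds."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    fixed = struct.pack("!BBbb", li_vn_mode, 2, 6, -20) + b"\0" * 8 + b"GPS\0"
    return fixed + struct.pack("!II", xmt_seconds, 0) * 4


KEYS = {1: b"constructed-sample-key"}    # constructed, not a real ntp.keys entry
HEADER = build_header(3_800_000_000)
AUTHED = HEADER + struct.pack("!I", 1) + ntp_md5_mac(KEYS[1], HEADER)
BARE = HEADER                             # the same header with no MAC
```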

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux.
    *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1 -based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

  restrict default ... noquery

in the ntp.conf file. With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
    - Upgrade to 4.2.7p11 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
    - Upgrade to 4.2.7p230 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later, or
    - Disable Autokey Authentication by removing, or commenting out,
      all configuration directives beginning with the crypto keyword
      in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later,
    - Remove or comment out all configuration directives
      beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.
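To make the era arithmetic above concrete, here is an added Python sketch (not ntpd's code) of both selection rules: a 32-bit NTP seconds value is expanded into a full date by picking the era whose 136-year window contains it, with the window starting either 10 years before the build timestamp (the new rule) or 68 years before the pivot (the old "midpoint" rule). The 365.25-day year used for the window and the 2014-12-18 build date are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
ERA_SECONDS = 1 << 32                      # one era is 2**32 s, about 136 years
YEAR_SECONDS = 365 * 86400 + 6 * 3600      # 365.25 days; assumed for the window


def ntp_seconds(dt: datetime) -> int:
    """Seconds since the NTP epoch as an unbounded integer (era included)."""
    return int((dt - NTP_EPOCH).total_seconds())


def ts32_of(dt: datetime) -> int:
    """The 32-bit seconds field a packet would carry for this instant."""
    return ntp_seconds(dt) % ERA_SECONDS


def expand_into_window(ts32: int, window_start: int) -> int:
    """Return the unique full timestamp t with t % 2**32 == ts32 and
    window_start <= t < window_start + 2**32."""
    if not 0 <= ts32 < ERA_SECONDS:
        raise ValueError("not a 32-bit NTP seconds value")
    full = ((window_start >> 32) << 32) | ts32   # same era as the window start
    if full < window_start:                      # wrapped: it is the next era
        full += ERA_SECONDS
    return full


def resolve_with_build_pivot(ts32: int, build_dt: datetime,
                             lookback_years: int = 10) -> datetime:
    """New rule: look back 10 years from the build timestamp, forward 126."""
    start = ntp_seconds(build_dt) - lookback_years * YEAR_SECONDS
    return NTP_EPOCH + timedelta(seconds=expand_into_window(ts32, start))


def resolve_with_midpoint(ts32: int, pivot_dt: datetime) -> datetime:
    """Old rule: the pivot sits in the middle of the window, so the code
    looks back and forward about 68 years each way."""
    start = ntp_seconds(pivot_dt) - ERA_SECONDS // 2
    return NTP_EPOCH + timedelta(seconds=expand_into_window(ts32, start))


# Assumed build date for the examples (the 4.2.8 release date).
BUILD = datetime(2014, 12, 18, tzinfo=timezone.utc)
```

A stamp from mid-2100 lands in the right century under the build-pivot rule but is read as 1964 under the midpoint rule; the price of the new rule is that anything more than 10 years before the build date is pushed into the next era.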

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually.
(http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

  * Updated "nic" and "interface" IPv6 address handling to prevent
    mismatches with localhost [::1] and wildcard [::] which resulted from
    using the address/prefix format (e.g.
    fe80::/64)
  * Fix orphan mode stratum incorrectly counting to infinity
  * Orphan parent selection metric updated to include missing ntohl()
  * Non-printable stratum 16 refid no longer sent to ntp
  * Duplicate ephemeral associations suppressed for broadcastclient and
    multicastclient without broadcastdelay
  * Exclude undetermined sys_refid from use in loopback TEST12
  * Exclude MODE_SERVER responses from KoD rate limiting
  * Include root delay in clock_update() sys_rootdisp calculations
  * get_systime() updated to exclude sys_residual offset (which only
    affected bits "below" sys_tick, the precision threshold)
  * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

  * -n option extended to include the billboard "server" column
  * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2
  seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..."
  syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message).
  In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete, and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, and MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.