1344884Scy--- 2362716ScyNTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23) 3362716Scy 4362716ScyFocus: Security, Bug fixes 5362716Scy 6362716ScySeverity: MEDIUM 7362716Scy 8362716ScyThis release fixes one vulnerability: Associations that use CMAC 9362716Scyauthentication between ntpd from versions 4.2.8p11/4.3.97 and 10362716Scy4.2.8p14/4.3.100 will leak a small amount of memory for each packet. 11362716ScyEventually, ntpd will run out of memory and abort. 12362716Scy 13362716ScyIt also fixes 13 other bugs. 14362716Scy 15362716Scy* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org> 16362716Scy* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@> 17362716Scy - Thanks to Sylar Tao 18362716Scy* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org> 19362716Scy - rewrite 'decodenetnum()' in terms of inet_pton 20362716Scy* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org> 21362716Scy - limit number of receive buffers, with an iron reserve for refclocks 22362716Scy* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org> 23362716Scy* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org> 24362716Scy* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org> 25362716Scy - integrated patch from Charles Claggett 26362716Scy* [Bug 3659] Move definition of psl[] from ntp_config.h to 27362716Scy ntp_config.h <perlinger@ntp.org> 28362716Scy* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org> 29362716Scy* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org> 30362716Scy - fix by Gerry garvey 31362716Scy* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org> 32362716Scy - thanks to Gerry Garvey 33362716Scy* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org> 34362716Scy - patch by Gerry Garvey 35362716Scy* [Bug 3644] Unsynchronized server [...] 
selected as candidate <perlinger@ntp.org> 36362716Scy* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org> 37362716Scy - applied patch by Takao Abe 38362716Scy 39362716Scy--- 40358659ScyNTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03) 41358659Scy 42358659ScyFocus: Security, Bug fixes, enhancements. 43358659Scy 44358659ScySeverity: MEDIUM 45358659Scy 46358659ScyThis release fixes three vulnerabilities: a bug that causes causes an ntpd 47358659Scyinstance that is explicitly configured to override the default and allow 48358659Scyntpdc (mode 7) connections to be made to a server to read some uninitialized 49358659Scymemory; fixes the case where an unmonitored ntpd using an unauthenticated 50358659Scyassociation to its servers may be susceptible to a forged packet DoS attack; 51358659Scyand fixes an attack against a client instance that uses a single 52358659Scyunauthenticated time source. It also fixes 46 other bugs and addresses 53358659Scy4 other issues. 54358659Scy 55358659Scy* [Sec 3610] process_control() should bail earlier on short packets. stenn@ 56358659Scy - Reported by Philippe Antoine 57358659Scy* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org> 58358659Scy - Reported by Miroslav Lichvar 59358659Scy* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org> 60358659Scy - Reported by Miroslav Lichvar 61358659Scy* [Bug 3637] Emit the version of ntpd in saveconfig. stenn@ 62358659Scy* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org> 63358659Scy* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org> 64358659Scy* [Bug 3634] Typo in discipline.html, reported by Jason Harrison. 
stenn@ 65358659Scy* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence 66358659Scy - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org> 67358659Scy* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org> 68358659Scy - integrated patch by Cy Schubert 69358659Scy* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org> 70358659Scy - applied patch by Gerry Garvey 71358659Scy* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org> 72358659Scy - applied patch by Gerry Garvey 73358659Scy* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org> 74358659Scy - integrated patch by Richard Steedman 75358659Scy* [Bug 3615] accelerate refclock startup <perlinger@ntp.org> 76358659Scy* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org> 77358659Scy - Reported by Martin Burnicki 78358659Scy* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org> 79358659Scy - Reported by Philippe Antoine 80358659Scy* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org> 81358659Scy - officially document new "trust date" mode bit for NMEA driver 82358659Scy - restore the (previously undocumented) "trust date" feature lost with [bug 3577] 83358659Scy* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org> 84358659Scy - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter' 85358659Scy* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org> 86358659Scy - removed ffs() and fls() prototypes as per Brian Utterback 87358659Scy* [Bug 3604] Wrong param byte order passing into record_raw_stats() in 88358659Scy ntp_io.c <perlinger@ntp.org> 89358659Scy - fixed byte and paramter order as suggested by wei6410@sina.com 90358659Scy* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org> 91358659Scy* [Bug 3599] Build 
fails on linux-m68k due to alignment issues <perlinger@ntp.org> 92358659Scy - added padding as suggested by John Paul Adrian Glaubitz 93358659Scy* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org> 94358659Scy* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org> 95358659Scy* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org> 96358659Scy* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org> 97358659Scy - stdout+stderr are set to line buffered during test setup now 98358659Scy* [Bug 3583] synchronization error <perlinger@ntp.org> 99358659Scy - set clock to base date if system time is before that limit 100358659Scy* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org> 101358659Scy* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org> 102358659Scy - Reported by Paulo Neves 103358659Scy* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org> 104358659Scy - also updates for refclock_nmea.c and refclock_jupiter.c 105358659Scy* [Bug 3576] New GPS date function API <perlinger@ntp.org> 106358659Scy* [Bug 3573] nptdate: missleading error message <perlinger@ntp.org> 107358659Scy* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org> 108358659Scy* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org> 109358659Scy - sidekick: service port resolution in 'ntpdate' 110358659Scy* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org> 111358659Scy - applied patch by Douglas Royds 112358659Scy* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org> 113358659Scy* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org> 114358659Scy - applied patch by Gerry Garvey 115358659Scy* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org> 116358659Scy - try to harden 'decodenetnum()' 
against 'getaddrinfo()' errors 117358659Scy - fix wrong cond-compile tests in unit tests 118358659Scy* [Bug 3517] Reducing build noise <perlinger@ntp.org> 119358659Scy* [Bug 3516] Require tooling from this decade <perlinger@ntp.org> 120358659Scy - patch by Philipp Prindeville 121358659Scy* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org> 122358659Scy - patch by Philipp Prindeville 123358659Scy* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org> 124358659Scy - patch by Philipp Prindeville 125358659Scy* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org> 126358659Scy - partial application of patch by Philipp Prindeville 127358659Scy* [Bug 3491] Signed values of LFP datatypes should always display a sign 128358659Scy - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org> 129358659Scy* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org> 130358659Scy - applied (modified) patch by Richard Steedman 131358659Scy* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org> 132358659Scy - applied patch by Gerry Garvey (with minor formatting changes) 133358659Scy* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org> 134358659Scy - applied patch by Miroslav Lichvar 135358659Scy* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network 136358659Scy <perlinger@ntp.org> 137358659Scy* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user 138358659Scy is specified with -u <perlinger@ntp.org> 139358659Scy - monitor daemon child startup & propagate exit codes 140358659Scy* [Bug 1433] runtime check whether the kernel really supports capabilities 141358659Scy - (modified) patch by Kurt Roeckx <perlinger@ntp.org> 142358659Scy* Clean up sntp/networking.c:sendpkt() error message. <stenn@ntp.org> 143358659Scy* Provide more detail on unrecognized config file parser tokens. 
<stenn@ntp.org> 144358659Scy* Startup log improvements. <stenn@ntp.org> 145358659Scy* Update the copyright year. 146358659Scy 147358659Scy--- 148344884ScyNTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07) 149344884Scy 150344884ScyFocus: Security, Bug fixes, enhancements. 151344884Scy 152344884ScySeverity: MEDIUM 153344884Scy 154344884ScyThis release fixes a bug that allows an attacker with access to an 155344884Scyexplicitly trusted source to send a crafted malicious mode 6 (ntpq) 156344884Scypacket that can trigger a NULL pointer dereference, crashing ntpd. 157344884ScyIt also provides 17 other bugfixes and 1 other improvement: 158344884Scy 159344884Scy* [Sec 3565] Crafted null dereference attack in authenticated 160344884Scy mode 6 packet <perlinger@ntp.org> 161344884Scy - reported by Magnus Stubman 162344884Scy* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org> 163344884Scy - applied patch by Ian Lepore 164344884Scy* [Bug 3558] Crash and integer size bug <perlinger@ntp.org> 165344884Scy - isolate and fix linux/windows specific code issue 166344884Scy* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org> 167344884Scy - provide better function for incremental string formatting 168344884Scy* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org> 169344884Scy - applied patch by Gerry Garvey 170344884Scy* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org> 171344884Scy - original finding by Gerry Garvey, additional cleanup needed 172344884Scy* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org> 173344884Scy - patch by Christous Zoulas 174344884Scy* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org> 175344884Scy - finding by Chen Jiabin, plus another one by me 176344884Scy* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org> 177344884Scy - applied patch by Maciej Szmigiero 178344884Scy* [Bug 3540] Cannot set 
minsane to 0 anymore <perlinger@ntp.org> 179344884Scy - applied patch by Andre Charbonneau 180344884Scy* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org> 181344884Scy - applied patch by Baruch Siach 182344884Scy* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org> 183344884Scy - applied patch by Baruch Siach 184344884Scy* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org> 185344884Scy - refactored handling of GPS era based on 'tos basedate' for 186344884Scy parse (TSIP) and JUPITER clocks 187344884Scy* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org> 188344884Scy - patch by Daniel J. Luke; this does not fix a potential linker 189344884Scy regression issue on MacOS. 190344884Scy* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet 191344884Scy anomaly <perlinger@ntp.org>, reported by GGarvey. 192344884Scy - --enable-bug3527-fix support by HStenn 193344884Scy* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org> 194344884Scy - applied patch by Gerry Garvey 195344884Scy* [Bug 3471] Check for openssl/[ch]mac.h. <perlinger@ntp.org> 196344884Scy - added missing check, reported by Reinhard Max <perlinger@ntp.org> 197344884Scy* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64 198344884Scy - this is a variant of [bug 3558] and should be fixed with it 199344884Scy* Implement 'configure --disable-signalled-io' 200344884Scy 201316068Sdelphij-- 202338530SdelphijNTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09) 203330106Sdelphij 204330106SdelphijFocus: Security, Bug fixes, enhancements. 205330106Sdelphij 206330106SdelphijSeverity: MEDIUM 207330106Sdelphij 208338530SdelphijThis release fixes a "hole" in the noepeer capability introduced to ntpd 209338530Sdelphijin ntp-4.2.8p11, and a buffer overflow in the openhost() function used by 210338530Sdelphijntpq and ntpdc. 
It also provides 26 other bugfixes, and 4 other improvements: 211338530Sdelphij 212338530Sdelphij* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc. 213338530Sdelphij 214338530Sdelphij* [Sec 3012] Fix a hole in the new "noepeer" processing. 215338530Sdelphij 216338530Sdelphij* Bug Fixes: 217338530Sdelphij [Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org> 218338530Sdelphij [Bug 3509] Add support for running as non-root on FreeBSD, Darwin, 219338530Sdelphij other TrustedBSD platforms 220338530Sdelphij - applied patch by Ian Lepore <perlinger@ntp.org> 221338530Sdelphij [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org> 222338530Sdelphij - changed interaction with SCM to signal pending startup 223338530Sdelphij [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org> 224338530Sdelphij - applied patch by Gerry Garvey 225338530Sdelphij [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org> 226338530Sdelphij - applied patch by Gerry Garvey 227338530Sdelphij [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org> 228338530Sdelphij - rework of ntpq 'nextvar()' key/value parsing 229338530Sdelphij [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org> 230338530Sdelphij - applied patch by Gerry Garvey (with mods) 231338530Sdelphij [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org> 232338530Sdelphij - applied patch by Gerry Garvey 233338530Sdelphij [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org> 234338530Sdelphij - applied patch by Gerry Garvey (with mods) 235338530Sdelphij [Bug 3476]ctl_putstr() sends empty unquoted string [...] 
<perlinger@ntp.org> 236338530Sdelphij - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though 237338530Sdelphij [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org> 238338530Sdelphij - applied patch by Gerry Garvey 239338530Sdelphij [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org> 240338530Sdelphij - applied patch by Gerry Garvey 241338530Sdelphij [Bug 3471] Check for openssl/[ch]mac.h. HStenn. 242338530Sdelphij - add #define ENABLE_CMAC support in configure. HStenn. 243338530Sdelphij [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org> 244338530Sdelphij [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org> 245338530Sdelphij - patch by Stephen Friedl 246338530Sdelphij [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org> 247338530Sdelphij - fixed IO redirection and CTRL-C handling in ntq and ntpdc 248338530Sdelphij [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org> 249338530Sdelphij [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org> 250338530Sdelphij - initial patch by Hal Murray; also fixed refclock_report() trouble 251338530Sdelphij [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org> 252338530Sdelphij [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer 253338530Sdelphij - According to Brooks Davis, there was only one location <perlinger@ntp.org> 254338530Sdelphij [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org> 255338530Sdelphij - applied patch by Gerry Garvey 256338530Sdelphij [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org> 257338530Sdelphij - applied patch by Gerry Garvey 258338530Sdelphij [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey, 259338530Sdelphij with modifications 260338530Sdelphij New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c. 
261338530Sdelphij [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org> 262338530Sdelphij - applied patch by Miroslav Lichvar 263338530Sdelphij [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov. 264338530Sdelphij [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org> 265338530Sdelphij - integrated patch by Reinhard Max 266338530Sdelphij [Bug 2821] minor build issues <perlinger@ntp.org> 267338530Sdelphij - applied patches by Christos Zoulas, including real bug fixes 268338530Sdelphij html/authopt.html: cleanup, from <stenn@ntp.org> 269338530Sdelphij ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org> 270338530Sdelphij Symmetric key range is 1-65535. Update docs. <stenn@ntp.org> 271338530Sdelphij 272338530Sdelphij-- 273338530SdelphijNTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27) 274338530Sdelphij 275338530SdelphijFocus: Security, Bug fixes, enhancements. 276338530Sdelphij 277338530SdelphijSeverity: MEDIUM 278338530Sdelphij 279330106SdelphijThis release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity 280330106Sdelphijvulnerabilities in ntpd, one medium-severity vulernability in ntpq, and 281330106Sdelphijprovides 65 other non-security fixes and improvements: 282330106Sdelphij 283330106Sdelphij* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved 284330106Sdelphij association (LOW/MED) 285330106Sdelphij Date Resolved: Stable (4.2.8p11) 27 Feb 2018 286330106Sdelphij References: Sec 3454 / CVE-2018-7185 / VU#961909 287330106Sdelphij Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11. 288330106Sdelphij CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between 289330106Sdelphij 2.9 and 6.8. 
290330106Sdelphij CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could 291330106Sdelphij score between 2.6 and 3.1 292330106Sdelphij Summary: 293330106Sdelphij The NTP Protocol allows for both non-authenticated and 294330106Sdelphij authenticated associations, in client/server, symmetric (peer), 295330106Sdelphij and several broadcast modes. In addition to the basic NTP 296330106Sdelphij operational modes, symmetric mode and broadcast servers can 297330106Sdelphij support an interleaved mode of operation. In ntp-4.2.8p4 a bug 298330106Sdelphij was inadvertently introduced into the protocol engine that 299330106Sdelphij allows a non-authenticated zero-origin (reset) packet to reset 300330106Sdelphij an authenticated interleaved peer association. If an attacker 301330106Sdelphij can send a packet with a zero-origin timestamp and the source 302330106Sdelphij IP address of the "other side" of an interleaved association, 303330106Sdelphij the 'victim' ntpd will reset its association. The attacker must 304330106Sdelphij continue sending these packets in order to maintain the 305330106Sdelphij disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6, 306330106Sdelphij interleave mode could be entered dynamically. As of ntp-4.2.8p7, 307330106Sdelphij interleaved mode must be explicitly configured/enabled. 308330106Sdelphij Mitigation: 309330106Sdelphij Implement BCP-38. 310330106Sdelphij Upgrade to 4.2.8p11, or later, from the NTP Project Download Page 311330106Sdelphij or the NTP Public Services Project Download Page. 312330106Sdelphij If you are unable to upgrade to 4.2.8p11 or later and have 313330106Sdelphij 'peer HOST xleave' lines in your ntp.conf file, remove the 314330106Sdelphij 'xleave' option. 315330106Sdelphij Have enough sources of time. 316330106Sdelphij Properly monitor your ntpd instances. 317330106Sdelphij If ntpd stops running, auto-restart it without -g . 
318330106Sdelphij Credit: 319330106Sdelphij This weakness was discovered by Miroslav Lichvar of Red Hat. 320330106Sdelphij 321330106Sdelphij* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad 322330106Sdelphij state (LOW/MED) 323330106Sdelphij Date Resolved: Stable (4.2.8p11) 27 Feb 2018 324330106Sdelphij References: Sec 3453 / CVE-2018-7184 / VU#961909 325330106Sdelphij Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11. 326330106Sdelphij CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 327330106Sdelphij Could score between 2.9 and 6.8. 328330106Sdelphij CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L 329330106Sdelphij Could score between 2.6 and 6.0. 330330106Sdelphij Summary: 331330106Sdelphij The fix for NtpBug2952 was incomplete, and while it fixed one 332330106Sdelphij problem it created another. Specifically, it drops bad packets 333330106Sdelphij before updating the "received" timestamp. This means a 334330106Sdelphij third-party can inject a packet with a zero-origin timestamp, 335330106Sdelphij meaning the sender wants to reset the association, and the 336330106Sdelphij transmit timestamp in this bogus packet will be saved as the 337330106Sdelphij most recent "received" timestamp. The real remote peer does 338330106Sdelphij not know this value and this will disrupt the association until 339330106Sdelphij the association resets. 340330106Sdelphij Mitigation: 341330106Sdelphij Implement BCP-38. 342330106Sdelphij Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 343330106Sdelphij or the NTP Public Services Project Download Page. 344330106Sdelphij Use authentication with 'peer' mode. 345330106Sdelphij Have enough sources of time. 346330106Sdelphij Properly monitor your ntpd instances. 347330106Sdelphij If ntpd stops running, auto-restart it without -g . 348330106Sdelphij Credit: 349330106Sdelphij This weakness was discovered by Miroslav Lichvar of Red Hat. 
350330106Sdelphij 351330106Sdelphij* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive 352330106Sdelphij peering (LOW) 353330106Sdelphij Date Resolved: Stable (4.2.8p11) 27 Feb 2018 354330106Sdelphij References: Sec 3415 / CVE-2018-7170 / VU#961909 355330106Sdelphij Sec 3012 / CVE-2016-1549 / VU#718152 356330106Sdelphij Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 357330106Sdelphij 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. 358330106Sdelphij CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 359330106Sdelphij CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N 360330106Sdelphij Summary: 361330106Sdelphij ntpd can be vulnerable to Sybil attacks. If a system is set up to 362330106Sdelphij use a trustedkey and if one is not using the feature introduced in 363330106Sdelphij ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to 364330106Sdelphij specify which IPs can serve time, a malicious authenticated peer 365330106Sdelphij -- i.e. one where the attacker knows the private symmetric key -- 366330106Sdelphij can create arbitrarily-many ephemeral associations in order to win 367330106Sdelphij the clock selection of ntpd and modify a victim's clock. Three 368330106Sdelphij additional protections are offered in ntp-4.2.8p11. One is the 369330106Sdelphij new 'noepeer' directive, which disables symmetric passive 370330106Sdelphij ephemeral peering. Another is the new 'ippeerlimit' directive, 371330106Sdelphij which limits the number of peers that can be created from an IP. 372330106Sdelphij The third extends the functionality of the 4th field in the 373330106Sdelphij ntp.keys file to include specifying a subnet range. 374330106Sdelphij Mitigation: 375330106Sdelphij Implement BCP-38. 376330106Sdelphij Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 377330106Sdelphij or the NTP Public Services Project Download Page. 
378330106Sdelphij Use the 'noepeer' directive to prohibit symmetric passive 379330106Sdelphij ephemeral associations. 380330106Sdelphij Use the 'ippeerlimit' directive to limit the number of peers 381330106Sdelphij that can be created from an IP. 382330106Sdelphij Use the 4th argument in the ntp.keys file to limit the IPs and 383330106Sdelphij subnets that can be time servers. 384330106Sdelphij Have enough sources of time. 385330106Sdelphij Properly monitor your ntpd instances. 386330106Sdelphij If ntpd stops running, auto-restart it without -g . 387330106Sdelphij Credit: 388330106Sdelphij This weakness was reported as Bug 3012 by Matthew Van Gundy of 389330106Sdelphij Cisco ASIG, and separately by Stefan Moser as Bug 3415. 390330106Sdelphij 391330106Sdelphij* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium) 392330106Sdelphij Date Resolved: 27 Feb 2018 393330106Sdelphij References: Sec 3414 / CVE-2018-7183 / VU#961909 394330106Sdelphij Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11. 395330106Sdelphij CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 396330106Sdelphij CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 397330106Sdelphij Summary: 398330106Sdelphij ntpq is a monitoring and control program for ntpd. decodearr() 399330106Sdelphij is an internal function of ntpq that is used to -- wait for it -- 400330106Sdelphij decode an array in a response string when formatted data is being 401330106Sdelphij displayed. This is a problem in affected versions of ntpq if a 402330106Sdelphij maliciously-altered ntpd returns an array result that will trip this 403330106Sdelphij bug, or if a bad actor is able to read an ntpq request on its way to 404330106Sdelphij a remote ntpd server and forge and send a response before the remote 405330106Sdelphij ntpd sends its response. It's potentially possible that the 406330106Sdelphij malicious data could become injectable/executable code. 
407330106Sdelphij Mitigation: 408330106Sdelphij Implement BCP-38. 409330106Sdelphij Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 410330106Sdelphij or the NTP Public Services Project Download Page. 411330106Sdelphij Credit: 412330106Sdelphij This weakness was discovered by Michael Macnair of Thales e-Security. 413330106Sdelphij 414330106Sdelphij* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined 415330106Sdelphij behavior and information leak (Info/Medium) 416330106Sdelphij Date Resolved: 27 Feb 2018 417330106Sdelphij References: Sec 3412 / CVE-2018-7182 / VU#961909 418330106Sdelphij Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11. 419330106Sdelphij CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N 420330106Sdelphij CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 421330106Sdelphij 0.0 if C:N 422330106Sdelphij Summary: 423330106Sdelphij ctl_getitem() is used by ntpd to process incoming mode 6 packets. 424330106Sdelphij A malicious mode 6 packet can be sent to an ntpd instance, and 425330106Sdelphij if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will 426330106Sdelphij cause ctl_getitem() to read past the end of its buffer. 427330106Sdelphij Mitigation: 428330106Sdelphij Implement BCP-38. 429330106Sdelphij Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page 430330106Sdelphij or the NTP Public Services Project Download Page. 431330106Sdelphij Have enough sources of time. 432330106Sdelphij Properly monitor your ntpd instances. 433330106Sdelphij If ntpd stops running, auto-restart it without -g . 434330106Sdelphij Credit: 435330106Sdelphij This weakness was discovered by Yihan Lian of Qihoo 360. 436330106Sdelphij 437330106Sdelphij* NTP Bug 3012: Sybil vulnerability: ephemeral association attack 438330106Sdelphij Also see Bug 3415, above. 
439330106Sdelphij Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 440330106Sdelphij Date Resolved: Stable (4.2.8p11) 27 Feb 2018 441330106Sdelphij References: Sec 3012 / CVE-2016-1549 / VU#718152 442330106Sdelphij Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 443330106Sdelphij 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. 444330106Sdelphij CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) 445330106Sdelphij CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 446330106Sdelphij Summary: 447330106Sdelphij ntpd can be vulnerable to Sybil attacks. If a system is set up 448330106Sdelphij to use a trustedkey and if one is not using the feature 449330106Sdelphij introduced in ntp-4.2.8p6 allowing an optional 4th field in the 450330106Sdelphij ntp.keys file to specify which IPs can serve time, a malicious 451330106Sdelphij authenticated peer -- i.e. one where the attacker knows the 452330106Sdelphij private symmetric key -- can create arbitrarily-many ephemeral 453330106Sdelphij associations in order to win the clock selection of ntpd and 454330106Sdelphij modify a victim's clock. Two additional protections are 455330106Sdelphij offered in ntp-4.2.8p11. One is the 'noepeer' directive, which 456330106Sdelphij disables symmetric passive ephemeral peering. The other extends 457330106Sdelphij the functionality of the 4th field in the ntp.keys file to 458330106Sdelphij include specifying a subnet range. 459330106Sdelphij Mitigation: 460330106Sdelphij Implement BCP-38. 461330106Sdelphij Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or 462330106Sdelphij the NTP Public Services Project Download Page. 463330106Sdelphij Use the 'noepeer' directive to prohibit symmetric passive 464330106Sdelphij ephemeral associations. 465330106Sdelphij Use the 'ippeerlimit' directive to limit the number of peer 466330106Sdelphij associations from an IP. 
    Use the 4th argument in the ntp.keys file to limit the IPs
    and subnets that can be time servers.
    Properly monitor your ntpd instances.
  Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* Bug fixes:
  [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
  [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
    - applied patch by Sean Haugh
  [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
  [Bug 3450] Dubious error messages from plausibility checks in get_systime()
    - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
  [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
    - refactoring the MAC code, too
  [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
  [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
    - applied patch by ggarvey
  [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
    - applied patch by ggarvey (with minor mods)
  [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
    - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
  [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
  [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
  [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
    - fixed several issues with hash algos in ntpd, sntp, ntpq,
      ntpdc and the test suites <perlinger@ntp.org>
  [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
    - initial patch by Daniel Pouzzner
  [Bug 3423] QNX adjtime() implementation error checking is
    wrong <perlinger@ntp.org>
  [Bug 3417] ntpq ifstats packet counters can be negative
    made IFSTATS counter quantities unsigned <perlinger@ntp.org>
  [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
    - raised receive buffer size to 1200 <perlinger@ntp.org>
  [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
    analysis tool. <abe@ntp.org>
  [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath.
  [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
    - fix/drop assumptions on OpenSSL libs directory layout
  [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
    - initial patch by timeflies@mail2tor.com <perlinger@ntp.org>
  [Bug 3398] tests fail with core dump <perlinger@ntp.org>
    - patch contributed by Alexander Bluhm
  [Bug 3397] ctl_putstr() asserts that data fits in its buffer
    rework of formatting & data transfer stuff in 'ntp_control.c'
    avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
  [Bug 3394] Leap second deletion does not work on ntpd clients
    - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
  [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
    - increased minimum stack size to 32kB <perlinger@ntp.org>
  [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
    - reverted handling of PPS kernel consumer to 4.2.6 behavior
  [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
  [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn.
  [Bug 3016] wrong error position reported for bad ":config pool"
    - fixed location counter & ntpq output <perlinger@ntp.org>
  [Bug 2900] libntp build order problem. HStenn.
  [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
  [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
    perlinger@ntp.org
  [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
  [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
  Use strlcpy() to copy strings, not memcpy(). HStenn.
  Typos. HStenn.
  test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn.
  refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn.
  Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org
  Fix trivial warnings from 'make check'. perlinger@ntp.org
  Fix bug in the override portion of the compiler hardening macro. HStenn.
  record_raw_stats(): Log entire packet. Log writes. HStenn.
  AES-128-CMAC support. BInglis, HStenn, JPerlinger.
  sntp: tweak key file logging. HStenn.
  sntp: pkt_output(): Improve debug output. HStenn.
  update-leap: updates from Paul McMath.
  When using pkg-config, report --modversion. HStenn.
  Clean up libevent configure checks. HStenn.
  sntp: show the IP of who sent us a crypto-NAK. HStenn.
  Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger.
  authistrustedip() - use it in more places. HStenn, JPerlinger.
  New sysstats: sys_lamport, sys_tsrounding. HStenn.
  Update ntp.keys .../N documentation. HStenn.
  Distribute testconf.yml. HStenn.
  Add DPRINTF(2,...) lines to receive() for packet drops. HStenn.
  Rename the configuration flag fifo variables. HStenn.
  Improve saveconfig output. HStenn.
  Decode restrict flags on receive() debug output. HStenn.
  Decode interface flags on receive() debug output. HStenn.
  Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn.
  Update the documentation in ntp.conf.def . HStenn.
  restrictions() must return restrict flags and ippeerlimit. HStenn.
  Update ntpq peer documentation to describe the 'p' type. HStenn.
  Rename restrict 'flags' to 'rflags'. Use an enum for the values. HStenn.
  Provide dump_restricts() for debugging. HStenn.
  Use consistent 4th arg type for [gs]etsockopt. JPerlinger.

* Other items:

* update-leap needs the following perl modules:
    Net::SSLeay
    IO::Socket::SSL

* New sysstats variables: sys_lamport, sys_tsrounding
See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
sys_lamport counts the number of observed Lamport violations, while
sys_tsrounding counts observed timestamp rounding events.

* New ntp.conf items:

- restrict ... noepeer
- restrict ... ippeerlimit N

The 'noepeer' directive will disallow all ephemeral/passive peer
requests.

The 'ippeerlimit' directive limits the number of time associations
for each IP in the designated set of addresses. This limit does not
apply to explicitly-configured associations. A value of -1, the current
default, means an unlimited number of associations may connect from a
single IP. 0 means "none", etc. Ordinarily the only way multiple
associations would come from the same IP would be if the remote side
was using a proxy. But a trusted machine might become compromised,
in which case an attacker might spin up multiple authenticated sessions
from different ports. This directive should be helpful in this case.

* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key. This IP/subnet restriction can be
used to limit the IPs that may use the key in almost all situations where
a key is used.
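The ntp.keys 4th-field check described above (in the Sybil advisory and the "New ntp.keys feature" note), as an added C example that is not NTP project code: it parses a comma-separated list of addresses, each optionally written as addr/subnetbits, and decides whether a packet's source IP may use the key. The exact list syntax, the fail-closed handling of malformed entries and the function names are assumptions; ntpd's own authistrustedip() is only named in the notes.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* inet_pton() prototype under strict -std= */
#endif
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one list entry, "addr" or "addr/bits", into a 16-byte address
 * (IPv4 occupies the first 4 bytes), its address family and prefix length.
 * A bare address gets the full prefix length, i.e. an exact match.
 * Returns 1 on success, 0 on any parse error. */
static int parse_entry(const char *entry, unsigned char addr[16],
                       int *family, int *bits)
{
    char buf[64];
    char *slash;
    int maxbits;
    size_t n = strlen(entry);
    if (n == 0 || n >= sizeof buf)
        return 0;
    memcpy(buf, entry, n + 1);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash = '\0';
    memset(addr, 0, 16);
    if (inet_pton(AF_INET, buf, addr) == 1) {
        *family = AF_INET;
        maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, addr) == 1) {
        *family = AF_INET6;
        maxbits = 128;
    } else {
        return 0;
    }
    if (slash == NULL) {
        *bits = maxbits;
    } else {
        char *end;
        long v = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || v < 0 || v > maxbits)
            return 0;                 /* "/33" on IPv4, "/", "/abc" ... */
        *bits = (int)v;
    }
    return 1;
}

/* Do the leading `bits` bits of a and b agree? */
static int prefix_match(const unsigned char *a, const unsigned char *b, int bits)
{
    int full = bits / 8, rem = bits % 8;
    unsigned char mask;
    if (memcmp(a, b, (size_t)full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    mask = (unsigned char)(0xFFu << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/* May a packet from `src` be authenticated with a key whose 4th ntp.keys
 * field is `iplist` (comma-separated, each entry optionally addr/bits)?
 * An empty list means the key carries no IP restriction.  A malformed
 * list, a malformed source, or a source written as a prefix fails closed. */
int key_allows_ip(const char *iplist, const char *src)
{
    unsigned char srcaddr[16], entaddr[16];
    int srcfam, entfam, bits, srcbits;
    const char *p;
    if (iplist == NULL || *iplist == '\0')
        return 1;
    if (!parse_entry(src, srcaddr, &srcfam, &srcbits)
        || srcbits != (srcfam == AF_INET ? 32 : 128))
        return 0;
    for (p = iplist; *p != '\0'; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char tok[64];
        if (len == 0 || len >= sizeof tok)
            return 0;
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (!parse_entry(tok, entaddr, &entfam, &bits))
            return 0;
        if (entfam == srcfam && prefix_match(srcaddr, entaddr, bits))
            return 1;
        p = comma ? comma + 1 : p + len;
    }
    return 0;
}

int main(void)
{
    const char *field4 = "10.0.0.0/8,192.0.2.7";   /* constructed 4th field */
    printf("10.42.1.9 -> %d\n", key_allows_ip(field4, "10.42.1.9"));   /* 1 */
    printf("192.0.2.8 -> %d\n", key_allows_ip(field4, "192.0.2.8"));   /* 0 */
    return 0;
}
```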
--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3389 / CVE-2017-6464 / VU#325339
  Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server makes it possible for an
    authenticated remote user to crash ntpd via a malformed mode
    configuration directive.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3388 / CVE-2017-6462 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    There is a potential for a buffer overflow in the legacy Datum
    Programmable Time Server refclock driver. Here the packets are
    processed from the /dev/datum device and handled in
    datum_pts_receive(). Since an attacker would be required to
    somehow control a malicious /dev/datum device, this does not
    appear to be a practical attack and renders this issue "Low" in
    terms of severity.
  Mitigation:
    If you have a Datum reference clock installed and think somebody
    may maliciously change the device, upgrade to 4.2.8p10, or
    later, from the NTP Project Download Page or the NTP Public
    Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3387 / CVE-2017-6463 / VU#325339
  Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A vulnerability found in the NTP server allows an authenticated
    remote attacker to crash the daemon by sending an invalid setting
    via the :config directive. The unpeer option expects a number or
    an address as an argument. In case the value is "0", a
    segmentation fault occurs.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3386
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
  Summary:
    The NTP Mode 6 monitoring and control client, ntpq, uses the
    function ntpq_stripquotes() to remove quotes and escape characters
    from a given string. According to the documentation, the function
    is supposed to return the number of copied bytes but due to
    incorrect pointer usage this value is always zero. Although the
    return value of this function is never used in the code, this
    flaw could lead to a vulnerability in the future. Since relying
    on wrong return values when performing memory operations is a
    dangerous practice, it is recommended to return the correct value
    in accordance with the documentation pertinent to the code.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
  Date Resolved: 21 Mar 2017
  References: Sec 3385
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  Summary:
    NTP makes use of several wrappers around the standard heap memory
    allocation functions that are provided by libc. This is mainly
    done to introduce additional safety checks concentrated on
    several goals. First, they seek to ensure that memory is not
    accidentally freed, secondly they verify that a correct amount
    is always allocated and, thirdly, that allocation failures are
    correctly handled. There is an additional implementation for
    scenarios where memory for a specific amount of items of the
    same size needs to be allocated. The handling can be found in
    the oreallocarray() function for which a further number-of-elements
    parameter needs to be provided. Although no considerable threat
    was identified as tied to a lack of use of this function, it is
    recommended to correctly apply oreallocarray() as a preferred
    option across all of the locations where it is possible.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
  PPSAPI ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3384 / CVE-2017-6455 / VU#325339
  Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
    not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
    including ntp-4.3.94.
  CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    The Windows NT port has the added capability to preload DLLs
    defined in the inherited global local environment variable
    PPSAPI_DLLS. The code contained within those libraries is then
    called from the NTPD service, usually running with elevated
    privileges. Depending on how securely the machine is set up and
    configured, if ntpd is configured to use the PPSAPI under Windows
    this can easily lead to a code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3383 / CVE-2017-6452 / VU#325339
  Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
    to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcat(), blindly appending
    the string passed to the stack buffer in the addSourceToRegistry()
    function. The stack buffer is 70 bytes smaller than the buffer
    in the calling main() function. Together with the initially
    copied Registry path, the combination causes a stack buffer
    overflow and effectively overwrites the stack frame. The
    passed application path is actually limited to 256 bytes by the
    operating system, but this is not sufficient to assure that the
    affected stack buffer is consistently protected against
    overflowing at all times.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
  installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3382 / CVE-2017-6459 / VU#325339
  Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
    installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
    up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    The Windows installer for NTP calls strcpy() with an argument
    that specifically contains multiple null bytes. strcpy() only
    copies a single terminating null character into the target
    buffer instead of copying the required double null bytes in the
    addKeysToRegistry() function. As a consequence, a garbage
    registry entry can be created. The additional arsize parameter
    is erroneously set to contain two null bytes and the following
    call to RegSetValueEx() claims to be passing in a multi-string
    value, though this may not be true.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit:
    This weakness was discovered by Cure53.
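The unchecked strcat() in NTP-01-008 above and the snprintf() return value used as an iterator in NTP-01-003 further down are the same defect: a length is trusted without being compared against the buffer it indexes. An added C example, not NTP project code, shows the flawed offset arithmetic beside a checked append helper that clamps the offset and keeps the buffer terminated; the "$...*XX" message format and all function names are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The flawed pattern: snprintf() returns the length the text WOULD have
 * had, so a running offset can exceed the buffer after a single truncated
 * call.  This one call stays in bounds; the next append at buf + n would
 * not.  Returns the offset the flawed code would continue writing at. */
size_t naive_offset_after(char *buf, size_t cap, const char *text)
{
    size_t n = 0;
    n += (size_t)snprintf(buf + n, cap - n, "%s", text);
    return n;   /* can be larger than cap: this is the bug */
}

/* Checked append: formats into buf at *used, never advances *used past
 * cap - 1, keeps buf NUL-terminated, and returns 1 only if it all fit. */
int buf_appendf(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (cap == 0 || *used >= cap)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;                       /* encoding error */
    if ((size_t)n >= cap - *used) {
        *used = cap - 1;                /* truncated; still terminated */
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

/* Assemble "$<payload>*<XX>" with an NMEA-style XOR checksum (an assumed
 * format for illustration).  Returns the message length, or -1 if it did
 * not fit; out is always NUL-terminated when cap > 0. */
int build_message(char *out, size_t cap, const char *payload)
{
    size_t used = 0;
    unsigned char sum = 0;
    const char *p;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (p = payload; *p != '\0'; p++)
        sum ^= (unsigned char)*p;
    if (!buf_appendf(out, cap, &used, "$%s", payload))
        return -1;
    if (!buf_appendf(out, cap, &used, "*%02X", (unsigned)sum))
        return -1;
    return (int)used;
}

/* Self-checks that need no buffers at the call site. */
size_t demo_naive_overrun(void)
{
    char buf[8];  /* 8-byte buffer, 16-byte string: the flawed offset is 16 */
    return naive_offset_after(buf, sizeof buf, "0123456789ABCDEF");
}

int demo_message_equals(const char *payload, size_t cap, const char *expect)
{
    char out[64];
    int n;
    if (cap > sizeof out)
        return 0;
    n = build_message(out, cap, payload);
    return n >= 0 && (size_t)n == strlen(expect) && strcmp(out, expect) == 0;
}

int demo_truncation_is_safe(const char *payload, size_t cap)
{
    char out[64];
    if (cap == 0 || cap > sizeof out)
        return 0;
    memset(out, 'X', sizeof out);      /* no NUL present beforehand */
    return build_message(out, cap, payload) == -1 && strlen(out) < cap;
}

int main(void)
{
    printf("flawed offset after one call into 8 bytes: %zu\n",
           demo_naive_overrun());
    printf("checked build: %d, truncated build safe: %d\n",
           demo_message_equals("PMVXG,000", 32, "$PMVXG,000*48"),
           demo_truncation_is_safe("PMVXG,000", 8));
    return 0;
}
```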

* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
  References: Sec 3381
  Summary:
    The report says: Statically included external projects
    potentially introduce several problems and the issue of having
    extensive amounts of code that is "dead" in the resulting binary
    must clearly be pointed out. The unnecessary unused code may or
    may not contain bugs and, quite possibly, might be leveraged for
    code-gadget-based branch-flow redirection exploits. Analogically,
    having source trees statically included as well means a failure
    in taking advantage of the free feature for periodical updates.
    This solution is offered by the system's Package Manager. The
    three libraries identified are libisc, libevent, and libopts.
  Resolution:
    For libisc, we already only use a portion of the original library.
    We've found and fixed bugs in the original implementation (and
    offered the patches to ISC), and plan to see what has changed
    since we last upgraded the code. libisc is generally not
    installed, and when it is we usually only see the static libisc.a
    file installed. Until we know for sure that the bugs we've found
    and fixed are fixed upstream, we're better off with the copy we
    are using.

    Version 1 of libevent was the only production version available
    until recently, and we've been requiring version 2 for a long time.
    But if the build system has at least version 2 of libevent
    installed, we'll use the version that is installed on the system.
    Otherwise, we provide a copy of libevent that we know works.

    libopts is provided by GNU AutoGen, and that library and package
    undergoes frequent API version updates. The version of autogen
    used to generate the tables for the code must match the API
    version in libopts. AutoGen can be ... difficult to build and
    install, and very few developers really need it. So we have it
    on our build and development machines, and we provide the
    specific version of the libopts code in the distribution to make
    sure that the proper API version of libopts is available.

    As for the point about there being code in these libraries that
    NTP doesn't use, OK. But other packages use these libraries as
    well, and it is reasonable to assume that other people are paying
    attention to security and code quality issues for the overall
    libraries. It takes significant resources to analyze and
    customize these libraries to only include what we need, and to
    date we believe the cost of this effort does not justify the benefit.
  Credit:
    This issue was discovered by Cure53.

* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3380
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
  CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
  Summary:
    There is a fencepost error in a "recovery branch" of the code for
    the Oncore GPS receiver if the communication link to the ONCORE
    is weak / distorted and the decoding doesn't work.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3379 / CVE-2017-6458 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    ntpd makes use of different wrappers around ctl_putdata() to
    create name/value ntpq (mode 6) response strings. For example,
    ctl_putstr() is usually used to send string data (variable names
    or string data). The formatting code was missing a length check
    for variable names. If somebody explicitly created any unusually
    long variable names in ntpd (longer than 200-512 bytes, depending
    on the type of variable), then if any of these variables are
    added to the response list it would overflow a buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you don't want to upgrade, then don't setvar variable names
    longer than 200-512 bytes in your ntp.conf file.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3378 / CVE-2017-6451 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
  CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
  Summary:
    The legacy MX4200 refclock is only built if it is specifically
    enabled, and furthermore additional code changes are required to
    compile and use it. But it uses the libc functions snprintf()
    and vsnprintf() incorrectly, which can lead to an out-of-bounds
    memory write due to an improper handling of the return value of
    snprintf()/vsnprintf(). Since the return value is used as an
    iterator and it can be larger than the buffer's size, it is
    possible for the iterator to point somewhere outside of the
    allocated buffer space. This results in an out-of-bound memory
    write. This behavior can be leveraged to overwrite a saved
    instruction pointer on the stack and gain control over the
    execution flow. During testing it was not possible to identify
    any malicious usage for this vulnerability. Specifically, no
    way for an attacker to exploit this vulnerability was ultimately
    unveiled. However, it has the potential to be exploited, so the
    code should be fixed.
  Mitigation, if you have a Magnavox MX4200 refclock:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
  malicious ntpd (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3377 / CVE-2017-6460 / VU#325339
  Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    A stack buffer overflow in ntpq can be triggered by a malicious
    ntpd server when ntpq requests the restriction list from the server.
    This is due to a missing length check in the reslist() function.
    It occurs whenever the function parses the server's response and
    encounters a flagstr variable of an excessive length. The string
    will be copied into a fixed-size buffer, leading to an overflow on
    the function's stack-frame. Note well that this problem requires
    a malicious server, and affects ntpq, not ntpd.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you can't upgrade your version of ntpq and you want to know
    the reslist of an instance of ntpd that you do not control, be
    aware that a malicious target ntpd can send back a response
    intended to crash your ntpq process.
  Credit:
    This weakness was discovered by Cure53.

* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
  Date Resolved: 21 Mar 2017
  References: Sec 3376
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: N/A
  CVSS3: N/A
  Summary:
    The build process for NTP has not, by default, provided compile
    or link flags to offer "hardened" security options. Package
    maintainers have always been able to provide hardening security
    flags for their builds. As of ntp-4.2.8p10, the NTP build
    system has a way to provide OS-specific hardening flags. Please
    note that this is still not a really great solution because it
    is specific to NTP builds. It's inefficient to have every
    package supply, track and maintain this information for every
    target build. It would be much better if there was a common way
    for OSes to provide this information in a way that arbitrary
    packages could benefit from it.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was reported by Cure53.

* 0rigin DoS (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3361 / CVE-2016-9042 / VU#325339
  Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
  Summary:
    An exploitable denial of service vulnerability exists in the
    origin timestamp check functionality of ntpd 4.2.8p9. A specially
    crafted unauthenticated network packet can be used to reset the
    expected origin timestamp for target peers. Legitimate replies
    from targeted peers will fail the origin timestamp check (TEST2)
    causing the reply to be dropped and creating a denial of service
    condition. This vulnerability can only be exploited if the
    attacker can spoof all of the servers.
  Mitigation:
    Implement BCP-38.
    Configure enough servers/peers that an attacker cannot target
    all of your time sources.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart
    ntpd (without -g) if it stops running.
  Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco.

Other fixes:

* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
  - original patch by Majdi S. Abbas
* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
  - initial patch by Christos Zoulas
* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
  - move loader API from 'inline' to proper source
  - augment pathless dlls with absolute path to NTPD
  - use 'msyslog()' instead of 'printf()' for reporting trouble
* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
  - applied patch by Matthew Van Gundy
* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
  - applied some of the patches provided by Havard. Not all of them
    still match the current code base, and I did not touch libopt.
* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
  - applied patch by Reinhard Max. See bugzilla for limitations.
* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
  - fixed dependency inversion from [Bug 2837]
* [Bug 2896] Nothing happens if minsane < maxclock < minclock
  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger@ntp.org>
* Update copyright year.

--
(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
  - added missed changeset for automatic openssl lib detection
  - fixed some minor warning issues
* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
* configure.ac cleanup. stenn@ntp.org
* openssl configure cleanup. stenn@ntp.org

--
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
    allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
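
  The "restrict default noquery ..." mitigation given for the trap and mode 6
  issues above, and the "restrict default limited" misconfiguration described
  under "Client rate limiting and server responses" later in this release, can
  be checked mechanically. The audit below is an added example, not part of the
  NTP distribution; the three configurations it inspects are constructed
  samples, and its reading of the restrict grammar (-4/-6 selector, mask,
  keyword flags, and an unqualified "restrict default" covering both address
  families) follows the ntp.conf documentation.

```python
import shlex

# Constructed sample configurations for the checks below (not from any real host).
OPEN_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# No "restrict default" line at all: control (mode 6) queries, including
# trap set/unset requests, are answered for any source address.
"""

LIMITED_CONF = """\
server 0.pool.ntp.org iburst
# Only the IPv4 default is restricted, and it rate-limits everyone, the
# configured server included.
restrict -4 default kod limited nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# Applies to both IPv4 and IPv6 when neither -4 nor -6 is given.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
# One trusted management host may query (mode 6) but not modify or set traps.
restrict 192.0.2.10 nomodify notrap
"""


def parse_restrict_lines(conf_text):
    """Return [(family, scope, flags)] for every 'restrict' directive.

    family is '-4', '-6' or None (neither given: the line applies to both
    address families); scope is the address, 'default' or 'source', with any
    'mask' argument folded in as 'addr/mask'; flags is the set of keyword flags.
    '#' comments and blank lines are skipped, as ntpd does.
    """
    result = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] != "restrict" or len(tokens) < 2:
            continue
        args = tokens[1:]
        family = None
        if args[0] in ("-4", "-6"):
            family, args = args[0], args[1:]
            if not args:
                continue
        scope, flags = args[0], args[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            scope, flags = f"{scope}/{flags[1]}", flags[2:]
        result.append((family, scope, set(flags)))
    return result


def audit_restrictions(conf_text):
    """Return a list of (code, message) findings about the default restrictions.

    NO_DEFAULT_V4 / NO_DEFAULT_V6: no 'restrict default' covers that family.
    QUERY_OPEN: a default line lacks noquery (or ignore), so mode 6 control
        queries, trap requests included, are accepted from any address.
    LIMITED_DEFAULT: a default line carries 'limited', so the rate limit also
        applies to replies from the configured servers.
    """
    findings = []
    defaults = [(family, flags)
                for family, scope, flags in parse_restrict_lines(conf_text)
                if scope == "default"]
    for label, covering in (("V4", ("-4", None)), ("V6", ("-6", None))):
        if not any(family in covering for family, _ in defaults):
            findings.append((f"NO_DEFAULT_{label}",
                             f"no 'restrict default' applies to IPv{label[1]}: mode 6/7 "
                             "queries and trap requests are accepted from any address"))
    for family, flags in defaults:
        where = "restrict " + (family + " " if family else "") + "default"
        if not flags & {"noquery", "ignore"}:
            findings.append(("QUERY_OPEN",
                             f"'{where}' lacks noquery: control-mode (mode 6) queries "
                             "and trap set/unset are accepted from any address"))
        if "limited" in flags:
            findings.append(("LIMITED_DEFAULT",
                             f"'{where}' includes limited: rate limiting also applies "
                             "to replies from the configured servers"))
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("limited", LIMITED_CONF),
                       ("hardened", HARDENED_CONF)):
        findings = audit_restrictions(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

  Point audit_restrictions() at the text of a real ntp.conf to get the same
  findings; a clean result means the defaults deny control queries for both
  address families and do not rate-limit the configured servers' replies.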

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3082 / CVE-2016-7434 / VU#633847
  Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    If ntpd is configured to allow mrulist query requests from a
    server that sends a crafted malicious packet, ntpd will crash
    on receipt of that crafted malicious mrulist query packet.
  Mitigation:
    Only allow mrulist query packets from trusted hosts.
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Magnus Stubman.

* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use the interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check the source address
    in received packets (e.g. rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with a spoofed source address which will cause ntpd to select the
    wrong interface for the source and prevent it from sending new
    requests until the list of interfaces is refreshed, which happens
    on routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you are going to configure your OS to disable source address
    checks, also configure your firewall to control
    what interfaces can receive packets from what networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources. An
    attacker who knows the sources (e.g., from an IPv4 refid in a
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with a spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected. Due
    to a misinterpretation of a small-print variable in The Book, the
    fix for this problem was incorrect, resulting in a root distance
    that did not include the peer dispersion. The calculations and
    formulae have been reviewed and reconciled, and the code has been
    updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
    are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
    (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed printf()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past; it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched. Because memcmp() returns as soon as it
    finds a differing byte, the time taken to reject a forged MAC
    depends on the length of the matching prefix, and that
    difference is what the attacker measures.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.
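The following is an added illustration of the authdecrypt-timing issue; it is not ntpd's code and not the patch that went into 4.2.8p7. It models an early-exit comparison next to a constant-time one, using the number of bytes examined as a stand-in for elapsed time, and builds the forged MACs an attacker would probe with. SAMPLE_MAC is a constructed digest, not a real key or MAC, and every function name here is this example's own.

```c
/*
 * Added example, not ntpd's code: models the timing side channel in an
 * early-exit MAC comparison and shows a constant-time replacement.
 * Compile: cc -std=c99 -Wall ct_compare.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20   /* SHA-1 digest length, a common NTP MAC size */

/* Constructed sample MAC for the demonstration (not a real digest). */
const uint8_t SAMPLE_MAC[MAC_LEN] = {
    0x5a, 0x13, 0xc4, 0x8e, 0x02, 0x77, 0xb9, 0x3d, 0x61, 0xaa,
    0x0f, 0xe2, 0x9c, 0x48, 0xd5, 0x26, 0x7b, 0x91, 0x3e, 0xc0
};

/* Comparison functions return 1 when equal, 0 otherwise, and report in
 * *examined how many bytes they touched. That count stands in for the
 * elapsed time an attacker would measure. */
typedef int (*mac_cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Vulnerable form: behaves like memcmp()/bcmp(), stopping at the first
 * differing byte. Time taken grows with the length of the matching prefix. */
int leaky_mac_equal(const uint8_t *a, const uint8_t *b, size_t len,
                    size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Hardened form: touches every byte regardless of where the first
 * difference is, and reduces the result without a data-dependent branch. */
int ct_mac_equal(const uint8_t *a, const uint8_t *b, size_t len,
                 size_t *examined)
{
    unsigned int diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    *examined = len;
    /* diff is 0..255; (diff - 1) >> 8 has bit 0 set only when diff == 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Attacker's probe: a forged MAC agreeing with real_mac on the first
 * `prefix` bytes and differing at byte `prefix` (a full match if
 * prefix == MAC_LEN). Returns the byte count the comparison examined. */
size_t probe_examined(mac_cmp_fn cmp, const uint8_t *real_mac, size_t prefix)
{
    uint8_t forged[MAC_LEN];
    size_t examined = 0;

    if (prefix > MAC_LEN)
        prefix = MAC_LEN;
    memset(forged, 0, sizeof forged);
    memcpy(forged, real_mac, prefix);
    if (prefix < MAC_LEN)
        forged[prefix] = (uint8_t)(real_mac[prefix] ^ 0x01);
    (void)cmp(forged, real_mac, MAC_LEN, &examined);
    return examined;
}

int main(void)
{
    printf("%-8s %-12s %-12s\n", "prefix", "leaky bytes", "ct bytes");
    for (size_t prefix = 0; prefix <= MAC_LEN; prefix += 5)
        printf("%-8zu %-12zu %-12zu\n", prefix,
               probe_examined(leaky_mac_equal, SAMPLE_MAC, prefix),
               probe_examined(ct_mac_equal, SAMPLE_MAC, prefix));
    return 0;
}
```

With the leaky comparison the examined-byte count climbs with each correctly guessed prefix byte, which is the signal that lets a nearby attacker extend a guess one byte at a time; the constant-time version reports the full length for every probe.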

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you can't upgrade, use "server" associations instead of
    "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 through ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead.
    There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but subsequent INSIST() assertions do check
    it, and an INSIST() failure aborts ntpd. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3009 / CVE-2016-2518 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: Using a crafted packet to create a peer association with
    hmode > 7 causes the MATCH_ASSOC() lookup to make an
    out-of-bounds reference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
  properly validated
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3010 / CVE-2016-2517 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and then send a crafted packet to
    ntpd that will change the value of the trustedkey, controlkey,
    or requestkey to a value that will prevent any subsequent
    authentication with ntpd until ntpd is restarted.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd and if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade and if you are running an OS that
    has this vulnerability, implement martian packet filters and
    lobby your OS vendor to fix this problem, or run your
    refclocks on computers that use OSes that are not vulnerable
    to these attacks and have your vulnerable machines get their
    time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page. These
    versions will not dynamically "flip" into interleave mode
    unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
    the feature introduced in ntp-4.2.8p6 allowing an optional 4th
    field in the ntp.keys file to specify which IPs can serve time,
    a malicious authenticated peer can create arbitrarily many
    ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
    can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup.
  perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.keys' optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking in to the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode.
With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

  --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
    * Own a malicious NTP server that the client trusts
    * Prevent a legitimate NTP server from sending packets to
      the 'ntpq' client
    * MITM the 'ntpq' communications between the 'ntpq' client
      and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:H)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request.
    A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
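The following is an added example, not ntpd's code and not the 4.2.8p6 or 4.2.8p7 patches: a simplified response check for one client association that shows the zero-origin bypass from the 0rigin entry above, and why a crypto-NAK or bad-MAC packet must pass the origin check before it may touch the association (the CRYPTO-NAK DoS entries under 4.2.8p7 and 4.2.8p8). The struct layout, the field names, the verdict codes and the policy of ignoring NAKs on an unauthenticated association are all this example's assumptions, and the timestamp value is constructed.

```c
/*
 * Added example, not ntpd's code: origin-timestamp validation for a
 * client association, vulnerable form beside hardened form, plus the
 * handling of crypto-NAK and bad-MAC packets. Names, fields and the
 * unauthenticated-NAK policy are this example's assumptions.
 * Compile: cc -std=c99 -Wall origin_check.c
 */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t l_fp;   /* NTP 64-bit timestamp: 32-bit seconds, 32-bit fraction */

struct peer {
    l_fp     aorg;          /* origin timestamp of our outstanding request, 0 if none */
    unsigned reach;         /* 8-bit reachability shift register */
    int      authenticated; /* association is configured with a key */
    unsigned bogus;         /* responses dropped by the origin check */
    unsigned bad_auth;      /* responses dropped by the MAC check */
};

struct pkt {
    l_fp org;         /* origin timestamp echoed by the sender */
    int  crypto_nak;  /* MAC field is the 4-byte zero key id */
    int  mac_ok;      /* MAC verified against the association's key */
};

enum verdict {
    ACCEPT = 0,
    REJECT_ORIGIN = 1,      /* origin mismatch: counted, association untouched */
    REJECT_AUTH = 2,        /* bad MAC: counted, association untouched */
    NAK_DEMOBILIZED = 3,    /* crypto-NAK honoured: association torn down */
    NAK_IGNORED = 4         /* crypto-NAK on an unauthenticated association */
};

/* Vulnerable check: plain equality. After a valid response is consumed,
 * aorg is cleared to 0, so a forged packet with org == 0 compares equal
 * whenever no request is outstanding. */
enum verdict origin_check_old(const struct peer *p, const struct pkt *k)
{
    return k->org == p->aorg ? ACCEPT : REJECT_ORIGIN;
}

/* Hardened check: a zero origin never matches, and nothing matches
 * while no request is outstanding. */
enum verdict origin_check_new(const struct peer *p, const struct pkt *k)
{
    if (k->org == 0 || p->aorg == 0 || k->org != p->aorg)
        return REJECT_ORIGIN;
    return ACCEPT;
}

/* Process one inbound packet for the association. Only packets that pass
 * the origin check may consume the request, demobilize, or update reach. */
enum verdict process_response(struct peer *p, const struct pkt *k, int hardened)
{
    enum verdict v = hardened ? origin_check_new(p, k) : origin_check_old(p, k);

    if (v != ACCEPT) {
        p->bogus++;             /* log and count; do not touch peer state */
        return v;
    }
    p->aorg = 0;                /* outstanding request consumed */

    if (k->crypto_nak) {
        if (hardened && !p->authenticated) {
            p->bogus++;         /* a NAK makes no sense without a key: ignore */
            return NAK_IGNORED;
        }
        p->reach = 0;           /* server rejected our key: demobilize */
        return NAK_DEMOBILIZED;
    }
    if (p->authenticated && !k->mac_ok) {
        p->bad_auth++;
        return REJECT_AUTH;
    }
    p->reach = ((p->reach << 1) | 1u) & 0xffu;
    return ACCEPT;
}

/* Scenario: the client sent a request with origin T and consumed the
 * legitimate reply; then an off-path attacker, who cannot see T, sends
 * a crypto-NAK with org == 0. Returns the verdict for the forged packet
 * and leaves the resulting reach register in *reach_after. */
enum verdict zero_origin_nak_scenario(int hardened, unsigned *reach_after)
{
    const l_fp T = 0xE2F7A1B5C0000000ULL;   /* constructed sample timestamp */
    struct peer p = { T, 0x7fu, 1, 0, 0 };
    struct pkt legit  = { T, 0, 1 };
    struct pkt forged = { 0, 1, 0 };
    enum verdict v;

    (void)process_response(&p, &legit, hardened);   /* ACCEPT; aorg -> 0 */
    v = process_response(&p, &forged, hardened);
    *reach_after = p.reach;
    return v;
}

int main(void)
{
    unsigned reach;
    enum verdict v;

    v = zero_origin_nak_scenario(0, &reach);
    printf("old code: verdict %d, reach 0x%02x\n", (int)v, reach);
    v = zero_origin_nak_scenario(1, &reach);
    printf("new code: verdict %d, reach 0x%02x\n", (int)v, reach);
    return 0;
}
```

In the old path the forged NAK matches the cleared origin, the association is demobilized and reach drops to zero; in the hardened path it is counted as bogus and the association is untouched. Note that a NAK carrying the correct origin timestamp is still honoured in the hardened path, which is the residual window the 4.2.8p8 CRYPTO_NAK entry describes and why BCP-38 filtering remains part of the mitigation.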

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8 - MEDIUM
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
    deeper problems to investigate. In this case also consider
    having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
      never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
      careful about what IPs have the ability to send 'modify'
      requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq make sure there are
        some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key encryption uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server vs. client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
      upgrade to 4.2.8p6, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page, and
      use the new field in the ntp.keys file that specifies the list
      of IPs that are allowed to serve time. Note that this alone
      will not protect against time packets with forged source IP
      addresses; however, other changes in ntp-4.2.8p6 provide
      significant mitigation against broadcast attacks. MITM attacks
      are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
        servers.
      If you choose to use symmetric keys to authenticate time
        packets in a hostile environment where ephemeral time
        servers can be created, or if it is expected that malicious
        time servers will participate in an NTP broadcast domain,
        limit the number of systems that participate in the
        shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.
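
  Added example, not code from the NTP distribution: the property behind
  the 4.2.8p6 ntp.keys change described above, a trusted symmetric key
  bound to the source addresses allowed to use it, so that a packet
  authenticated with a key that is valid but not bound to its sender is
  refused. The key table is constructed sample data; the "a.b.c.d/len"
  notation, the struct and the function names are assumptions of this
  illustration, not the ntp.keys file format or ntpd's own checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BIND 4

/* One line of a (hypothetical, simplified) key table. */
struct key_entry {
    unsigned    keyid;
    bool        trusted;          /* listed in 'trustedkey' */
    int         nbind;            /* 0 = no source-address restriction */
    const char *bind[MAX_BIND];   /* allowed sources as "a.b.c.d" or "a.b.c.d/len" */
};

/* Parse dotted-quad IPv4 with an optional /prefix; false on malformed input. */
static bool parse_cidr(const char *s, uint32_t *net, int *plen)
{
    unsigned a, b, c, d;
    int n = 32, consumed = 0;

    if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &consumed) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;
    if (s[consumed] == '/') {
        char extra;
        /* exactly one integer must follow the slash, nothing after it */
        if (sscanf(s + consumed + 1, "%d%c", &n, &extra) != 1 || n < 0 || n > 32)
            return false;
    } else if (s[consumed] != '\0') {
        return false;
    }
    *net = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    *plen = n;
    return true;
}

static bool prefix_match(uint32_t addr, uint32_t net, int plen)
{
    uint32_t mask = (plen == 0) ? 0 : (uint32_t)0xffffffffu << (32 - plen);
    return (addr & mask) == (net & mask);
}

/*
 * May a packet from src_ip that authenticated with keyid be taken from
 * as a time source? An unbound key is accepted from anyone holding it,
 * which is exactly the "skeleton key" situation the advisory describes;
 * a bound key is only accepted from the listed addresses.
 */
static bool key_permits_source(const struct key_entry *tab, int ntab,
                               unsigned keyid, const char *src_ip)
{
    uint32_t src, net;
    int plen;

    /* the source must be a single host address, not a prefix */
    if (!parse_cidr(src_ip, &src, &plen) || plen != 32)
        return false;

    for (int i = 0; i < ntab; i++) {
        if (tab[i].keyid != keyid)
            continue;
        if (!tab[i].trusted)
            return false;
        if (tab[i].nbind == 0)
            return true;                       /* unbound: any holder of the key */
        for (int j = 0; j < tab[i].nbind; j++) {
            if (parse_cidr(tab[i].bind[j], &net, &plen) && prefix_match(src, net, plen))
                return true;
        }
        return false;                          /* valid key, wrong peer */
    }
    return false;                              /* unknown key id */
}

/* Constructed sample key table (addresses from the RFC 5737 documentation ranges). */
static const struct key_entry sample_keys[] = {
    { 1, true,  1, { "10.0.0.5" } },                     /* bound to one server  */
    { 2, true,  2, { "192.0.2.0/24", "198.51.100.1" } }, /* bound to a net + host */
    { 3, true,  0, { 0 } },                              /* trusted but unbound   */
    { 4, false, 0, { 0 } },                              /* present, not trusted  */
};
#define N_SAMPLE (int)(sizeof sample_keys / sizeof sample_keys[0])

int main(void)
{
    printf("key 1 from 10.0.0.5:     %s\n", key_permits_source(sample_keys, N_SAMPLE, 1, "10.0.0.5") ? "accept" : "reject");
    printf("key 1 from 10.0.0.6:     %s\n", key_permits_source(sample_keys, N_SAMPLE, 1, "10.0.0.6") ? "accept" : "reject");
    printf("key 3 from 203.0.113.9:  %s (unbound key)\n", key_permits_source(sample_keys, N_SAMPLE, 3, "203.0.113.9") ? "accept" : "reject");
    return 0;
}
```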

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
  IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
  References: Sec 2956, CVE-2015-5300
  Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
    4.3.0 up to, but not including 4.3.78
  CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
  Summary: If ntpd is always started with the -g option, which is
    common and against long-standing recommendation, and if at the
    moment ntpd is restarted an attacker can immediately respond to
    enough requests from enough sources trusted by the target, which
    is difficult and not common, there is a window of opportunity
    where the attacker can cause ntpd to set the time to an
    arbitrary value. Similarly, if an attacker is able to respond
    to enough requests from enough sources trusted by the target,
    the attacker can cause ntpd to abort and restart, at which
    point it can tell the target to set the time to an arbitrary
    value if and only if ntpd was re-started, against long-standing
    recommendation, with the -g flag. If ntpd was not given the
    -g flag, the attacker can move the target system's time by at
    most 900 seconds per attack.
  Mitigation:
    Configure ntpd to get time from multiple sources.
    Upgrade to 4.2.8p5, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    As we've long documented, only use the -g option to ntpd in
      cold-start situations.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg at Boston University.
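
  Added example, not code from ntpd: a simplified C model of the panic
  gate this advisory is about, with the pre-4.2.8p5 rule (the -g
  exemption is only withdrawn by a first correction larger than the
  128 ms step threshold) beside the corrected rule (any initial
  correction withdraws it). PANIC_GATE and STEP_THRESH are ntpd's
  documented defaults of 900 s and 128 ms; the struct, the function
  names and the 50 ms / 100000 s scenario are assumptions of this
  illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define PANIC_GATE   900.0   /* seconds: ntpd's default 'tinker panic' limit */
#define STEP_THRESH  0.128   /* seconds: ntpd's default 'tinker step' limit  */

/* What the discipline did with one measured offset. */
enum clock_action { SLEW, STEP, PANIC_ABORT };

struct discipline {
    bool allow_panic;   /* true while the -g exemption is still in force   */
    bool fixed;         /* true = 4.2.8p5 behaviour, false = earlier rule  */
};

static void discipline_init(struct discipline *d, bool started_with_g, bool fixed)
{
    d->allow_panic = started_with_g;
    d->fixed = fixed;
}

/*
 * Offer one offset (seconds) to the clock discipline. Beyond the panic
 * gate ntpd refuses the correction and exits unless -g still exempts it;
 * the whole bug is *when* that exemption is withdrawn.
 */
static enum clock_action discipline_adjust(struct discipline *d, double offset)
{
    double mag = offset < 0 ? -offset : offset;   /* avoid libm for fabs() */
    enum clock_action act;

    if (mag > PANIC_GATE && !d->allow_panic)
        return PANIC_ABORT;

    act = (mag > STEP_THRESH) ? STEP : SLEW;

    if (d->fixed) {
        d->allow_panic = false;   /* corrected: any initial correction closes the gate */
    } else if (act == STEP) {
        d->allow_panic = false;   /* old rule: only a step (> 128 ms) closed it, so a
                                   * small first offset left the gate open for the
                                   * next response */
    }
    return act;
}

/*
 * The scenario from the advisory: ntpd restarted with -g, the first
 * measured offset is small (50 ms), then a hostile source answers with
 * a huge offset. Returns true if that huge offset was accepted as a step.
 */
static bool big_step_after_small_slew(bool fixed)
{
    struct discipline d;

    discipline_init(&d, true, fixed);
    discipline_adjust(&d, 0.050);                     /* 50 ms: a slew */
    return discipline_adjust(&d, 100000.0) == STEP;   /* ~27.8 hours off */
}

int main(void)
{
    printf("old rule accepts 100000 s after a 50 ms slew: %s\n",
           big_step_after_small_slew(false) ? "yes" : "no");
    printf("4.2.8p5 rule accepts 100000 s after a 50 ms slew: %s\n",
           big_step_after_small_slew(true) ? "yes" : "no");
    return 0;
}
```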

  NOTE WELL: The -g flag disables the limit check on the panic_gate
    in ntpd, which is 900 seconds by default. The bug identified by
    the researchers at Boston University is that the panic_gate
    check was only re-enabled after the first change to the system
    clock that was greater than 128 milliseconds, by default. The
    correct behavior is that the panic_gate check should be
    re-enabled after any initial time correction.

  If an attacker is able to inject consistent but erroneous time
    responses to your systems via the network or "over the air",
    perhaps by spoofing radio, cellphone, or navigation satellite
    transmissions, they are in a great position to affect your
    system's clock. There comes a point where your very best
    defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
  lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
    certain code paths where a packet with particular autokey operations
    that contained malicious data was not always being completely
    validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
    KoD messages that have been forged by an attacker, causing it to
    delay or stop querying its servers for time updates. Also, an
    attacker can forge packets that claim to be from the target and
    send them to servers often enough that a server that implements
    KoD rate limiting will send the target machine a KoD response to
    attempt to reduce the rate of incoming packets, or it may also
    trigger a firewall block at the server for packets from the target
    machine. For either of these attacks to succeed, the attacker must
    know what servers the target is communicating with. An attacker
    can be anywhere on the Internet and can frequently learn the
    identity of the target's time source by sending the target a
    time query.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you can't upgrade, restrict who can query ntpd to learn who
      its servers are, and what IPs are allowed to ask your system
      for the time. This mitigation is heavy-handed.
    Monitor your ntpd instances.
  Note:
    4.2.8p4 protects against the first attack. For the second attack,
    all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
    and if the (possibly spoofed) source IP address is allowed to
    send remote configuration requests, and if the attacker knows
    the remote configuration password, it's possible for an attacker
    to use the "pidfile" or "driftfile" directives to potentially
    overwrite other files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you cannot upgrade, don't enable remote configuration.
    If you must enable remote configuration and cannot upgrade,
      remote configuration of NTF's ntpd requires:
      - an explicitly configured trustedkey, and you should also
        configure a controlkey.
      - access from a permitted IP. You choose the IPs.
      - authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
    4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
    send packets to ntpd that will, after several days of ongoing
    attack, cause it to run out of memory.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.
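
  Added example, not code from ntpd, for the origin-timestamp check that
  the KoD entry above (Sec 2901 / CVE-2015-7704) calls for: a client
  honours a Kiss-of-Death reply only if its origin timestamp echoes the
  transmit timestamp of a request this client actually has outstanding,
  and a reply is consumed once so a replay of it is dropped. The NTP
  header offsets are those of RFC 5905; the packets are constructed
  sample data, and the client_assoc struct, the verdict names and the
  functions are assumptions of this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_PKT_LEN 48

/* Field offsets in the 48-byte NTP header (RFC 5905). */
#define OFF_STRATUM  1
#define OFF_REFID   12    /* kiss code when stratum is 0 */
#define OFF_ORG     24    /* origin timestamp: echo of our transmit stamp */
#define OFF_XMT     40    /* transmit timestamp set by the sender */

enum verdict { ACCEPT_TIME, ACCEPT_KOD, DROP_BOGUS, DROP_UNEXPECTED };

struct client_assoc {
    uint64_t xmt_out;       /* transmit stamp of our outstanding request, 0 = none */
    int      pending_kod;   /* set once a genuine KoD is honoured */
};

/* 64-bit NTP timestamps are big-endian on the wire. */
static uint64_t get_ts(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void put_ts(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) {
        p[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
}

/* Build the request we send and remember its transmit stamp for matching. */
static void client_send(struct client_assoc *a, uint8_t pkt[NTP_PKT_LEN], uint64_t now)
{
    memset(pkt, 0, NTP_PKT_LEN);
    pkt[0] = 0x23;                    /* LI=0, VN=4, mode 3 (client) */
    put_ts(pkt + OFF_XMT, now);
    a->xmt_out = now;
}

/* Constructed reply, from a server or a forger: only the fields that matter here. */
static void build_reply(uint8_t pkt[NTP_PKT_LEN], uint8_t stratum,
                        const char refid[4], uint64_t org)
{
    memset(pkt, 0, NTP_PKT_LEN);
    pkt[0] = 0x24;                    /* LI=0, VN=4, mode 4 (server) */
    pkt[OFF_STRATUM] = stratum;
    memcpy(pkt + OFF_REFID, refid, 4);
    put_ts(pkt + OFF_ORG, org);
}

static bool is_kod(const uint8_t *pkt)
{
    /* stratum 0 marks a kiss code; RATE is the rate-limiting KoD */
    return pkt[OFF_STRATUM] == 0 && memcmp(pkt + OFF_REFID, "RATE", 4) == 0;
}

/*
 * Process one reply. The origin check runs before anything else, so a
 * KoD that does not echo our request is dropped like any other bogus
 * packet instead of being honoured; before the fix a forged RATE reply
 * was honoured without this check.
 */
static enum verdict client_receive(struct client_assoc *a, const uint8_t *pkt)
{
    uint64_t org = get_ts(pkt + OFF_ORG);

    if (a->xmt_out == 0)
        return DROP_UNEXPECTED;       /* nothing outstanding: unsolicited reply */
    if (org != a->xmt_out)
        return DROP_BOGUS;            /* does not echo our request: forged or stale */

    a->xmt_out = 0;                   /* consumed: a replay of this reply is now unsolicited */

    if (is_kod(pkt)) {
        a->pending_kod = 1;           /* back off polling this server */
        return ACCEPT_KOD;
    }
    return ACCEPT_TIME;
}

int main(void)
{
    struct client_assoc a = {0, 0};
    uint8_t req[NTP_PKT_LEN], rep[NTP_PKT_LEN];

    client_send(&a, req, 0xDEADBEEF00000001ULL);
    build_reply(rep, 0, "RATE", 0x1234567800000000ULL);   /* forged: guessed origin */
    printf("forged KoD:  verdict %d (DROP_BOGUS is %d)\n", client_receive(&a, rep), DROP_BOGUS);
    build_reply(rep, 0, "RATE", get_ts(req + OFF_XMT));    /* genuine: echoes our xmt */
    printf("genuine KoD: verdict %d (ACCEPT_KOD is %d)\n", client_receive(&a, rep), ACCEPT_KOD);
    return 0;
}
```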

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
          mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
          to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
      ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
      requires:
      an explicitly configured "trusted" key. Only configure this
        if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
      requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from permitted IP addresses. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious instance of ntpd that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
      and ntpq crashes, try again using raw mode. Build or get a
      patched ntpq and see if that fixes the problem. Report new
      bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
      in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
    that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
        the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
      ntpd requires:
      an explicitly configured "trusted" key. Only configure
        this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
      and mode 7 requests.
      Configure and use the controlkey and requestkey
      authentication directives to limit who can
      send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations. This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
      block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory). A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercising thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s', which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows.
  Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
  be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
* [Bug 2888] streamline calendar functions. perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup.
  Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include.
  Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h made to agree with NTP's formatting conventions.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting.
  Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
* Code cleanup. Harlan Stenn.
* libntp/icom.c: Typo fix. Harlan Stenn.
* util/ntptime.c: initialization nit. Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
  Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
  Flendrich
* Typo fix for GCC warning suppression. Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
* Added declarations to all Unity tests, and did minor fixes to them.
  Reduced the number of warnings by half. Damir Tomić.
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
  with the latest Unity updates from Mark. Damir Tomić.
* Retire google test - phase I. Harlan Stenn.
* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
* Update the NEWS file. Harlan Stenn.
* Autoconf cleanup. Harlan Stenn.
* Unit test dist cleanup. Harlan Stenn.
* Cleanup various test Makefile.am files. Harlan Stenn.
* Pthread autoconf macro cleanup. Harlan Stenn.
* Fix progname definition in unity runner scripts. Harlan Stenn.
* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
* Update the patch for bug 2817. Harlan Stenn.
* More updates for bug 2817. Harlan Stenn.
* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
* gcc on older HPUX may need +allowdups. Harlan Stenn.
* Adding missing MCAST protection. Harlan Stenn.
* Disable certain test programs on certain platforms. Harlan Stenn.
* Implement --enable-problem-tests (on by default). Harlan Stenn.
* build system tweaks. Harlan Stenn.

---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

  *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
  *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building the 32-bit loopback ppsapi needs a def file.
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomić, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

    wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1-based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

 restrict default ... noquery

in the ntp.conf file. With the exception of:

 receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly.
    There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
    - Upgrade to 4.2.7p11 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
    - Upgrade to 4.2.7p230 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later, or
    - Disable Autokey Authentication by removing, or commenting out,
      all configuration directives beginning with the crypto keyword
      in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later,
    - Remove or comment out all configuration directives
      beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" timestamp to tell us what era we
are in. This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent.
I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.
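The era selection described under "Internal NTP Era counters" above, as an added worked example (not ntpd's own code): a 32-bit NTP seconds field is folded into a full timestamp by resolving it into the 2^32-second window that starts 10 years before the build timestamp and so reaches about 126 years past it. The function names, the use of a Unix time as the build timestamp, and the 365-day-year approximation of "10 years" are this example's assumptions; the sample dates are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01). */
#define NTP_UNIX_OFFSET  2208988800LL
/* One NTP era: the 32-bit seconds field wraps every 2^32 s (about 136 years). */
#define NTP_ERA_LEN      (1LL << 32)
/* "Look back 10 years": ten 365-day years, an approximation assumed here. */
#define LOOKBACK_SECS    (10LL * 365 * 86400)

/* Pivot derived from the build timestamp (assumed to be a Unix time). Every
 * 32-bit timestamp is resolved into the window [pivot, pivot + 2^32), i.e.
 * about 10 years before the build and about 126 years after it. */
int64_t build_pivot(int64_t build_unix)
{
    return build_unix - LOOKBACK_SECS;
}

/* Truncate a Unix time to the 32-bit seconds field carried on the wire. */
uint32_t unix_to_ntp32(int64_t unix_secs)
{
    return (uint32_t)((unix_secs + NTP_UNIX_OFFSET) & 0xFFFFFFFFLL);
}

/* Expand a 32-bit NTP seconds field into a full Unix time using the pivot.
 * Assumes the pivot lies on or after 1900-01-01, so pivot_ntp is positive. */
int64_t ntp32_to_unix(uint32_t ntp_secs, int64_t pivot_unix)
{
    int64_t pivot_ntp = pivot_unix + NTP_UNIX_OFFSET;          /* pivot on the 1900 scale */
    int64_t era_base  = pivot_ntp - (pivot_ntp % NTP_ERA_LEN); /* start of the pivot's era */
    int64_t candidate = era_base + (int64_t)ntp_secs;
    if (candidate < pivot_ntp)          /* earlier than the lookback allows: next era */
        candidate += NTP_ERA_LEN;
    return candidate - NTP_UNIX_OFFSET;
}

int main(void)
{
    /* Constructed build time: 2014-12-18T00:00:00Z, the 4.2.8 release date. */
    const int64_t build = 1418860800LL;
    const int64_t pivot = build_pivot(build);
    const int64_t samples[] = {
        1418860800LL,   /* the build date itself (era 0) */
        2208988800LL,   /* 2040-01-01, after the 2036 rollover (era 1) */
        946684800LL,    /* 2000-01-01, more than 10 years before the build */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t wire = unix_to_ntp32(samples[i]);
        printf("unix %" PRId64 " -> ntp32 %" PRIu32 " -> unix %" PRId64 "\n",
               samples[i], wire, ntp32_to_unix(wire, pivot));
    }
    return 0;
}
```

The first two samples round-trip: 2040 lies within the look-forward window, so its wrapped field is pushed into the next era correctly. The third does not: a 2000 timestamp is outside the 10-year look-back, so it is interpreted as the same field value one era later (2136). That is the trade-off the text describes: shrinking the look-back buys a longer usable life for long-lived builds at the cost of misreading genuinely old timestamps.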

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

 * Updated "nic" and "interface" IPv6 address handling to prevent
   mismatches with localhost [::1] and wildcard [::] which resulted from
   using the address/prefix format (e.g.
   fe80::/64)
 * Fix orphan mode stratum incorrectly counting to infinity
 * Orphan parent selection metric updated to include missing ntohl()
 * Non-printable stratum 16 refid no longer sent to ntp
 * Duplicate ephemeral associations suppressed for broadcastclient and
   multicastclient without broadcastdelay
 * Exclude undetermined sys_refid from use in loopback TEST12
 * Exclude MODE_SERVER responses from KoD rate limiting
 * Include root delay in clock_update() sys_rootdisp calculations
 * get_systime() updated to exclude sys_residual offset (which only
   affected bits "below" sys_tick, the precision threshold)
 * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

 * -n option extended to include the billboard "server" column
 * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with
  ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to terminate ntpd
under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.