---
NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
5 low-severity vulnerabilities, and provides 28 other non-security
fixes and improvements:

* Trap crash
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3119 / CVE-2016-9311 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
  Summary:
    ntpd does not enable trap service by default. If trap service
    has been explicitly enabled, an attacker can send a specially
    crafted packet to cause a null pointer dereference that will
    crash ntpd, resulting in a denial of service.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file. Only
      allow mode 6 queries from trusted networks and hosts.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
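
The mitigation above, like the Sec 3118 and Sec 3071 entries later in this release, comes down to a few ntp.conf settings. The following Python script is added here as an illustration and is not part of the NTP distribution: it audits a configuration text for a default restriction without "noquery", "limited" applied to the default restriction, and an explicitly configured trap host. The two sample configurations, the severity labels and the finding texts are constructed for the example.

```python
"""Audit an ntp.conf for the mode 6, trap and rate-limit settings that the
4.2.8p9 advisories turn on. Added example, not NTP project code."""

# Constructed sample configurations. The weak one omits "noquery" on the
# default restriction, applies "limited" to everything and explicitly
# enables trap service; the hardened one follows the mitigation text.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 192.0.2.10 iburst
server 192.0.2.11 iburst
restrict default limited kod
trap 198.51.100.7
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 192.0.2.10 iburst
server 192.0.2.11 iburst
# deny mode 6/7 queries, trap service and runtime changes by default ...
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# ... then let localhost and one monitoring station (198.51.100.7) query
restrict 127.0.0.1
restrict ::1
restrict 198.51.100.7 nomodify notrap
"""


def _statements(conf):
    """Yield the token list of every non-empty, non-comment line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_ntp_conf(conf):
    """Return a list of (severity, message) findings for one ntp.conf text."""
    findings = []
    default_flags = {}   # "any" / "-4" / "-6" -> set of flags on the default line
    query_hosts = []     # per-host restrict lines that still permit mode 6 queries
    trap_hosts = []      # hosts named by an explicit "trap" directive
    for tok in _statements(conf):
        if tok[0] == "restrict":
            args = tok[1:]
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if not args:
                continue
            target, flags = args[0], set(args[1:])
            if target == "default":
                default_flags[family] = flags
            elif "noquery" not in flags:
                query_hosts.append(target)
        elif tok[0] == "trap" and len(tok) > 1:
            trap_hosts.append(tok[1])

    if not default_flags:
        findings.append(("high", "no 'restrict default' line: any host may "
                                 "send mode 6/7 queries and set traps"))
    for family, flags in sorted(default_flags.items()):
        where = "restrict default" if family == "any" else f"restrict {family} default"
        if "noquery" not in flags:
            findings.append(("high", f"{where} lacks noquery: mode 6 queries and "
                                     "trap set/unset are open to any host (Sec 3119/3118)"))
        if "notrap" not in flags:
            findings.append(("medium", f"{where} lacks notrap: trap service can be requested"))
        if "nomodify" not in flags:
            findings.append(("medium", f"{where} lacks nomodify: runtime configuration changes allowed"))
        if "limited" in flags:
            findings.append(("medium", f"{where} has limited: rate limits also apply to "
                                       "replies from configured servers (Sec 3071)"))
    for host in trap_hosts:
        findings.append(("medium", f"trap service explicitly enabled for {host} (Sec 3119)"))
    if query_hosts:
        findings.append(("info", "hosts still allowed mode 6 queries: " + ", ".join(query_hosts)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit_ntp_conf(conf):
            print(f"[{severity}] {message}")
```

To audit a real file, pass the contents of /etc/ntp.conf (or wherever your distribution keeps it) to audit_ntp_conf() instead of the constructed samples.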

* Mode 6 information disclosure and DDoS vector
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3118 / CVE-2016-9310 / VU#633847
  Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
    including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
  CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    An exploitable configuration modification vulnerability exists
    in the control mode (mode 6) functionality of ntpd. If, against
    long-standing BCP recommendations, "restrict default noquery ..."
    is not specified, a specially crafted control mode packet can set
    ntpd traps, providing information disclosure and DDoS
    amplification, and unset ntpd traps, disabling legitimate
    monitoring. A remote, unauthenticated, network attacker can
    trigger this vulnerability.
  Mitigation:
    Implement BCP-38.
    Use "restrict default noquery ..." in your ntp.conf file.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Replay Prevention DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3114 / CVE-2016-7427 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network. If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode replay prevention
    functionality can be abused. An attacker with access to the NTP
    broadcast domain can periodically inject specially crafted
    broadcast mode NTP packets into the broadcast domain which,
    while being logged by ntpd, can cause ntpd to reject broadcast
    mode packets from legitimate NTP broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Broadcast Mode Poll Interval Enforcement DoS
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3113 / CVE-2016-7428 / VU#633847
  Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
    ntp-4.3.90 up to, but not including ntp-4.3.94
  CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary:
    The broadcast mode of NTP is expected to only be used in a
    trusted network.
    If the broadcast network is accessible to an
    attacker, a potentially exploitable denial of service
    vulnerability in ntpd's broadcast mode poll interval enforcement
    functionality can be abused. To limit abuse, ntpd restricts the
    rate at which each broadcast association will process incoming
    packets. ntpd will reject broadcast mode packets that arrive
    before the poll interval specified in the preceding broadcast
    packet expires. An attacker with access to the NTP broadcast
    domain can send specially crafted broadcast mode NTP packets to
    the broadcast domain which, while being logged by ntpd, will
    cause ntpd to reject broadcast mode packets from legitimate NTP
    broadcast servers.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.

* Windows: ntpd DoS by oversized UDP packet
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3110 / CVE-2016-9312 / VU#633847
  Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
    and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary:
    If a vulnerable instance of ntpd on Windows receives a crafted
    malicious packet that is "too big", ntpd will stop working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Robert Pajak of ABB.

* 0rigin (zero origin) issues
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3102 / CVE-2016-7431 / VU#633847
  Affects: ntp-4.2.8p8, and ntp-4.3.93.
  CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary:
    Zero Origin timestamp problems were fixed by Bug 2945 in
    ntp-4.2.8p6. However, subsequent timestamp validation checks
    introduced a regression in the handling of some Zero origin
    timestamp checks.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Sharon Goldberg and Aanchal
    Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3082 / CVE-2016-7434 / VU#633847
  Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary:
    If ntpd is configured to allow mrulist query requests from a
    server that sends a crafted malicious packet, ntpd will crash
    on receipt of that crafted malicious mrulist query packet.
  Mitigation:
    Only allow mrulist query packets from trusted hosts.
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Magnus Stubman.

* Attack on interface selection
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3072 / CVE-2016-7429 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd receives a server response on a socket that corresponds
    to a different interface than was used for the request, the peer
    structure is updated to use the interface for new requests. If
    ntpd is running on a host with multiple interfaces in separate
    networks and the operating system doesn't check source address in
    received packets (e.g.
    rp_filter on Linux is set to 0), an
    attacker that knows the address of the source can send a packet
    with a spoofed source address which will cause ntpd to select the
    wrong interface for the source and prevent it from sending new
    requests until the list of interfaces is refreshed, which happens
    on routing changes or every 5 minutes by default. If the attack is
    repeated often enough (once per second), ntpd will not be able to
    synchronize with the source.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you are going to configure your OS to disable source address
      checks, also configure your firewall to control what interfaces
      can receive packets from what networks.
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3071 / CVE-2016-7426 / VU#633847
  Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94
  CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary:
    When ntpd is configured with rate limiting for all associations
    (restrict default limited in ntp.conf), the limits are applied
    also to responses received from its configured sources.
    An attacker who knows the sources (e.g., from an IPv4 refid in a
    server response) and knows the system is (mis)configured in this
    way can periodically send packets with spoofed source address to
    keep the rate limiting activated and prevent ntpd from accepting
    valid responses from its sources.

    While this blanket rate limiting can be useful to prevent
    brute-force attacks on the origin timestamp, it allows this DoS
    attack. Similarly, it allows the attacker to prevent mobilization
    of ephemeral associations.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Fix for bug 2085 broke initial sync calculations
  Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
  References: Sec 3067 / CVE-2016-7433 / VU#633847
  Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
    ntp-4.3.0 up to, but not including ntp-4.3.94. But the
    root-distance calculation in general is incorrect in all versions
    of ntp-4 until this release.
  CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
  Summary:
    Bug 2085 described a condition where the root delay was included
    twice, causing the jitter value to be higher than expected.
    Due to a misinterpretation of a small-print variable in The Book,
    the fix for this problem was incorrect, resulting in a root
    distance that did not include the peer dispersion. The calculations
    and formulae have been reviewed and reconciled, and the code has
    been updated accordingly.
  Mitigation:
    Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered independently by Brian Utterback of
    Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver.
    <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name. HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement. HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
  even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3046 / CVE-2016-4957 / VU#321640
  Affects: ntp-4.2.8p7, and ntp-4.3.92.
  CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
    could cause ntpd to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you cannot upgrade from 4.2.8p7, the only other alternatives
      are to patch your code or filter CRYPTO_NAK packets.
    Properly monitor your ntpd instances, and auto-restart ntpd
      (without -g) if it stops running.
  Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3045 / CVE-2016-4953 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who knows the origin timestamp and can send a
    spoofed packet containing a CRYPTO-NAK to an ephemeral peer
    target before any other response is sent can demobilize that
    association.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3044 / CVE-2016-4954 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof packets with correct origin
    timestamps from enough servers before the expected response
    packets arrive at the target machine can affect some peer
    variables and, for example, cause a false leap indication to be set.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3043 / CVE-2016-4955 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: An attacker who is able to spoof a packet with a correct
    origin timestamp before the expected response packet arrives at
    the target machine can send a CRYPTO_NAK or a bad MAC and cause
    the association's peer variables to be cleared. If this can be
    done often enough, it will prevent that association from working.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
  Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
  References: Sec 3042 / CVE-2016-4956 / VU#321640
  Affects: ntp-4, up to but not including ntp-4.2.8p8, and
    ntp-4.3.0 up to, but not including ntp-4.3.93.
  CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: The fix for NtpBug2978 does not cover broadcast associations,
    so broadcast clients can be triggered to flip into interleave mode.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past, it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems, too.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2879 / CVE-2016-1550
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
  CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Summary: Packet authentication tests have been performed using
    memcmp() or possibly bcmp(), and it is potentially possible
    for a local or perhaps LAN-based attacker to send a packet with
    an authentication payload and indirectly observe how much of
    the digest has matched.
  Mitigation:
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered independently by Loganaden
    Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

* Zero origin timestamp bypass: Additional KoD checks.
  References: Sec 2945 / Sec 2901 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p7,
  Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2952 / CVE-2015-7704
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
    associations did not address all of the issues.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    If you can't upgrade, use "server" associations instead of
      "peer" associations.
    Monitor your ntpd instances.
  Credit: This problem was discovered by Michael Tatarinov.
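
The authdecrypt-timing entry (Sec 2879) above describes a memcmp()-style digest check that exits at the first mismatching byte. The following Python, added here and not ntpd's code, puts that early-exit comparison next to a constant-time one, both run over a constructed NTP packet carrying an RFC 5905 symmetric-key MAC (key id followed by MD5 over key and header). The key table, the packet builder and the bytes_examined counter are assumptions made for the example: the counter models what the side channel leaks, which is the position of the first mismatch.

```python
"""Early-exit versus constant-time MAC comparison for an NTP packet,
modelling the authdecrypt-timing issue (Sec 2879). Added example, not ntpd
code; the key table and packet builder are assumptions."""
import hashlib
import hmac
import struct

# Constructed symmetric key table (key id -> secret), as an ntp.keys file holds
KEYS = {1: b"constructed-shared-secret"}


def ntp_header(tx_seconds):
    """Build a constructed 48-byte NTPv4 client header (LI=0, VN=4, mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    hdr = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)   # stratum, poll, precision
    hdr += struct.pack("!II", 0, 0)                      # root delay, root dispersion
    hdr += b"\0" * 4                                     # reference id
    hdr += struct.pack("!II", 0, 0) * 3                  # reference, origin, receive
    hdr += struct.pack("!II", tx_seconds, 0)             # transmit timestamp
    assert len(hdr) == 48
    return hdr


def mac_for(header, key_id):
    """RFC 5905 symmetric-key MAC: 4-byte key id, then MD5(key || header)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return struct.pack("!I", key_id) + digest


def _split_mac(mac):
    """Separate the key id from the digest bytes that follow it."""
    return struct.unpack("!I", mac[:4])[0], mac[4:]


def naive_verify(header, mac):
    """Vulnerable pattern: memcmp()-style early exit.
    Returns (ok, bytes_examined); bytes_examined is what a timing side
    channel leaks, since every extra matching byte costs one more compare."""
    key_id, received = _split_mac(mac)
    if key_id not in KEYS:
        return False, 0
    expected = mac_for(header, key_id)[4:]
    examined = 0
    for a, b in zip(expected, received):
        examined += 1
        if a != b:
            return False, examined
    return len(received) == len(expected), examined


def safe_verify(header, mac):
    """Hardened pattern: compare every byte regardless of where the first
    mismatch is. hmac.compare_digest takes time dependent only on length,
    so the examined count is always the full digest length."""
    key_id, received = _split_mac(mac)
    if key_id not in KEYS:
        return False, 0
    expected = mac_for(header, key_id)[4:]
    return hmac.compare_digest(expected, received), len(expected)


def mismatch_after(mac, n):
    """Test vector: keep the first n digest bytes, invert the rest."""
    return mac[:4 + n] + bytes(b ^ 0xFF for b in mac[4 + n:])


if __name__ == "__main__":
    hdr = ntp_header(3700000000)
    good = mac_for(hdr, 1)
    for n in (0, 3, 15, 16):
        probe = mismatch_after(good, n)
        print(f"{n:2d} matching bytes: naive {naive_verify(hdr, probe)}, "
              f"safe {safe_verify(hdr, probe)}")
```

With the early-exit check the examined count climbs with each correct prefix byte, while the constant-time check reports the full 16 bytes every time.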

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3007 / CVE-2016-1547 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
    off-path attacker can cause a preemptable client association to
    be demobilized by sending a crypto NAK packet to a victim client
    with a spoofed source address of an existing associated peer.
    This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets,
    for example one every second, the victim never has a chance to
    reestablish the association and synchronize time with that
    legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
    stringent checks are performed on incoming packets, but there
    are still ways to exploit this vulnerability in versions before
    ntp-4.2.8p7.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances
  Credit: This weakness was discovered by Stephen Gray and
    Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3008 / CVE-2016-2519
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpq and ntpdc can be used to store and retrieve information
    in ntpd. It is possible to store a data value that is larger
    than the size of the buffer that the ctl_getitem() function of
    ntpd uses to report the return value. If the length of the
    requested data value returned by ctl_getitem() is too large,
    the value NULL is returned instead. There are 2 cases where the
    return value from ctl_getitem() was not directly checked to make
    sure it's not NULL, but there are subsequent INSIST() checks
    that make sure the return value is not NULL. There are no data
    values ordinarily stored in ntpd that would exceed this buffer
    length. But if one has permission to store values and one stores
    a value that is "too large", then ntpd will abort if an attempt
    is made to read that oversized value.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.
539178355Ssam 540178355Ssam* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC 541178355Ssam Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 542178355Ssam References: Sec 3009 / CVE-2016-2518 / VU#718152 543178355Ssam Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 544178355Ssam 4.3.0 up to, but not including 4.3.92 545178355Ssam CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P) 546178355Ssam CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 547178355Ssam Summary: Using a crafted packet to create a peer association with 548178355Ssam hmode > 7 causes the MATCH_ASSOC() lookup to make an 549178355Ssam out-of-bounds reference. 550178355Ssam Mitigation: 551178355Ssam Implement BCP-38. 552178355Ssam Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 553178355Ssam or the NTP Public Services Project Download Page 554178355Ssam Properly monitor your ntpd instances 555178355Ssam Credit: This weakness was discovered by Yihan Lian of the Cloud 556178355Ssam Security Team, Qihoo 360. 
557178355Ssam 558178355Ssam* remote configuration trustedkey/requestkey/controlkey values are not 559178355Ssam properly validated 560178355Ssam Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 561178355Ssam References: Sec 3010 / CVE-2016-2517 / VU#718152 562178355Ssam Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 563178355Ssam 4.3.0 up to, but not including 4.3.92 564178355Ssam CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C) 565178355Ssam CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H 566178355Ssam Summary: If ntpd was expressly configured to allow for remote 567178355Ssam configuration, a malicious user who knows the controlkey for 568178355Ssam ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) 569178355Ssam can create a session with ntpd and then send a crafted packet to 570178355Ssam ntpd that will change the value of the trustedkey, controlkey, 571178355Ssam or requestkey to a value that will prevent any subsequent 572178355Ssam authentication with ntpd until ntpd is restarted. 573178355Ssam Mitigation: 574178355Ssam Implement BCP-38. 575178355Ssam Upgrade to 4.2.8p7, or later, from the NTP Project Download Page 576178355Ssam or the NTP Public Services Project Download Page 577178355Ssam Properly monitor your =ntpd= instances 578178355Ssam Credit: This weakness was discovered by Yihan Lian of the Cloud 579178355Ssam Security Team, Qihoo 360. 

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3011 / CVE-2016-2516 / VU#718152
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for
    ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
    can create a session with ntpd, and if an existing association is
    unconfigured using the same IP twice on the unconfig directive
    line, ntpd will abort.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Yihan Lian of the Cloud
    Security Team, Qihoo 360.

* Refclock impersonation vulnerability
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3020 / CVE-2016-1551
  Affects: On a very limited number of OSes, all NTP releases up to but
    not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
    By "very limited number of OSes" we mean no general-purpose OSes
    have yet been identified that have this vulnerability.
  CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  Summary: While most OSes implement martian packet filtering in their
    network stack, at least regarding 127.0.0.0/8, some will allow
    packets claiming to be from 127.0.0.0/8 that arrive over a
    physical network. On these OSes, if ntpd is configured to use a
    reference clock, an attacker can inject packets over the network
    that look like they are coming from that reference clock.
  Mitigation:
    Implement martian packet filtering and BCP-38.
    Configure ntpd to use an adequate number of time sources.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you are running an OS that
      has this vulnerability, implement martian packet filters and
      lobby your OS vendor to fix this problem, or run your
      refclocks on computers that use OSes that are not vulnerable
      to these attacks and have your vulnerable machines get their
      time from protected resources.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street and others of
    Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p7.
  Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 2978 / CVE-2016-1548
  Affects: All ntp-4 releases.
  CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  CVSSv3: HIGH 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
  Summary: It is possible to change the time of an ntpd client or deny
    service to an ntpd client by forcing it to change from basic
    client/server mode to interleaved symmetric mode. An attacker
    can spoof a packet from a legitimate ntpd server with an origin
    timestamp that matches the peer->dst timestamp recorded for that
    server. After making this switch, the client will reject all
    future legitimate server responses. It is possible to force the
    victim client to move time after the mode has been changed.
    ntpq gives no indication that the mode has been switched.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page. These
      versions will not dynamically "flip" into interleave mode
      unless configured to do so.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
    and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
  Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  References: Sec 3012 / CVE-2016-1549
  Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92
  CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
    the feature introduced in ntp-4.2.8p6 allowing an optional 4th
    field in the ntp.keys file to specify which IPs can serve time,
    a malicious authenticated peer can create arbitrarily many
    ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock.
  Mitigation:
    Implement BCP-38.
    Use the 4th field in the ntp.keys file to specify which IPs
      can be time servers.
    Properly monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvidron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
  when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.keys' optional IP list in authentic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.

New option to 'configure':

While looking into the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

  --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
      * Own a malicious NTP server that the client trusts
      * Prevent a legitimate NTP server from sending packets to
        the 'ntpq' client
      * MITM the 'ntpq' communications between the 'ntpq' client
        and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:H)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Matthew Van Gundy and
    Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8 - MEDIUM
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc.)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
      deeper problems to investigate. In this case also consider
      having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
      the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
          issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
          requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
        never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
        careful about what IPs have the ability to send 'modify'
        requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar(), which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
      or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq make sure there are
        some sanity checks on the input received from the "outside".
    This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9 - MEDIUM
  Summary: Symmetric key encryption uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server vs. client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
      upgrade to 4.2.8p6, or later, from the NTP Project Download
      Page or the NTP Public Services Project Download Page, and
      use the new field in the ntp.keys file that specifies the list
      of IPs that are allowed to serve time. Note that this alone
      will not protect against time packets with forged source IP
      addresses; however, other changes in ntp-4.2.8p6 provide
      significant mitigation against broadcast attacks. MITM attacks
      are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
        servers.
      If you choose to use symmetric keys to authenticate time
        packets in a hostile environment where ephemeral time
        servers can be created, or if it is expected that malicious
        time servers will participate in an NTP broadcast domain,
        limit the number of participating systems that participate
        in the shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.
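The mitigations repeated through the 4.2.8p6 and 4.2.8p7 entries above (restrict default noquery and nomodify, mode 7 left off, no trap service, multiple time sources, and the optional 4th-field IP list in ntp.keys that closes the Skeleton Key and Sybil conditions) gathered into one audit script. This is an added example, not code from the NTP project: the comma-separated address list with an optional /prefix, the threshold of four sources, the plain-integer trustedkey parsing and the two sample configurations are assumptions of this example.

```python
"""Audit an ntp.conf / ntp.keys pair against the mitigations repeated in the
advisories above (restrict default noquery/nomodify, mode 7 off, no trap
service, multiple sources, the 4.2.8p6 ntp.keys IP list).  Added example,
not NTP project code; the sample configurations are constructed."""
import ipaddress


def parse_conf(text):
    """Yield (keyword, args) per ntp.conf statement, comments stripped."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens[0].lower(), tokens[1:]


def parse_ntp_keys(text):
    """Map keyno -> list of allowed networks, or None when the optional 4th
    field (ip[,ip...], /prefix accepted here as an assumption) is absent."""
    keys = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            keys[int(fields[0])] = None if len(fields) == 3 else [
                ipaddress.ip_network(a, strict=False)
                for a in fields[3].split(",")]
    return keys


def key_usable_from(keys, keyno, source_ip):
    """Model of the IP-list check: no list means any source may use the key
    (the Skeleton Key / Sybil condition); otherwise only listed sources."""
    if keyno not in keys:
        return False
    allowed = keys[keyno]
    return allowed is None or any(
        ipaddress.ip_address(source_ip) in net for net in allowed)


def audit(conf_text, keys_text="", min_sources=4):
    """Return findings (empty list = all checks passed).  min_sources=4 is
    this example's threshold; the advisories only say 'multiple'."""
    findings = []
    stmts = list(parse_conf(conf_text))
    default_flags = set()
    for kw, args in stmts:
        args = [a for a in args if a not in ("-4", "-6")]
        if kw == "restrict" and args and args[0].lower() == "default":
            default_flags.update(a.lower() for a in args[1:])
    if "noquery" not in default_flags:
        findings.append("restrict default lacks noquery: mode 6/7 queries, "
                        "trap set/unset and amplification open to any source")
    if "nomodify" not in default_flags:
        findings.append("restrict default lacks nomodify: runtime "
                        "reconfiguration (e.g. saveconfig) is not blocked")
    if any(kw == "enable" and "mode7" in [a.lower() for a in args]
           for kw, args in stmts):
        findings.append("mode 7 is enabled; it is off by default, keep it off")
    if any(kw == "trap" for kw, _ in stmts):
        findings.append("trap service is configured; disable it unless needed")
    sources = sum(1 for kw, _ in stmts if kw in ("server", "peer", "pool"))
    if sources < min_sources:
        findings.append(f"only {sources} time source(s); configure at least "
                        f"{min_sources}")
    keys = parse_ntp_keys(keys_text)
    # trustedkey: plain key ids only; range syntax is not handled here
    for keyno in sorted({int(a) for kw, args in stmts if kw == "trustedkey"
                         for a in args if a.isdigit()}):
        if keyno in keys and keys[keyno] is None:
            findings.append(f"trustedkey {keyno} has no IP list in ntp.keys: "
                            "any holder of the key can serve time")
    return findings


# Constructed samples: a common weak setup and its hardened equivalent.
WEAK_CONF = """\
server 203.0.113.10
trustedkey 1
controlkey 1
restrict default kod nomodify limited
enable mode7
"""
WEAK_KEYS = "1 SHA1 0123456789abcdef0123456789abcdef01234567\n"
HARDENED_CONF = """\
server 203.0.113.10 key 1
server 203.0.113.11 key 1
server 203.0.113.12 key 1
server 203.0.113.13 key 1
trustedkey 1
controlkey 1
restrict default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
"""
HARDENED_KEYS = ("1 SHA1 0123456789abcdef0123456789abcdef01234567 "
                 "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF, WEAK_KEYS))
    print("hardened:", audit(HARDENED_CONF, HARDENED_KEYS) or ["OK"])
```

Run it against a real pair of files by reading them into audit(); the weak sample yields four findings (no noquery, mode 7 on, a single source, and a trusted key usable from any address), the hardened one none. key_usable_from() shows why the 4th field matters: with the list, key 1 authenticates only the four configured servers; without it, any host holding the key is accepted.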
973178355Ssam 974178355Ssam* Deja Vu: Replay attack on authenticated broadcast mode 975178355Ssam Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 976178355Ssam References: Sec 2935 / CVE-2015-7973 977178355Ssam Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 978178355Ssam 4.3.0 up to, but not including 4.3.90 979178355Ssam CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM 980178355Ssam Summary: If an NTP network is configured for broadcast operations then 981178355Ssam either a man-in-the-middle attacker or a malicious participant 982178355Ssam that has the same trusted keys as the victim can replay time packets. 983178355Ssam Mitigation: 984178355Ssam Implement BCP-38. 985178355Ssam Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 986178355Ssam or the NTP Public Services Project Download Page. 987178355Ssam If you are unable to upgrade: 988178355Ssam Don't use broadcast mode if you cannot monitor your client servers. 989178355Ssam Monitor your ntpd instances. 990178355Ssam Credit: This weakness was discovered by Aanchal Malhotra of Boston 991178355Ssam University. 992178355Ssam 993178355SsamOther fixes: 994178355Ssam 995178355Ssam* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org 996178355Ssam* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org 997178355Ssam - applied patch by shenpeng11@huawei.com with minor adjustments 998178355Ssam* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org 999178355Ssam* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org 1000178355Ssam* [Bug 2892] Several test cases assume IPv6 capabilities even when 1001178355Ssam IPv6 is disabled in the build. perlinger@ntp.org 1002178355Ssam - Found this already fixed, but validation led to cleanup actions. 1003178355Ssam* [Bug 2905] DNS lookups broken. 
perlinger@ntp.org 1004178355Ssam - added limits to stack consumption, fixed some return code handling 1005178355Ssam* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 1006178355Ssam - changed stacked/nested handling of CTRL-C. perlinger@ntp.org 1007178355Ssam - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org 1008178355Ssam* [Bug 2980] reduce number of warnings. perlinger@ntp.org 1009178355Ssam - integrated several patches from Havard Eidnes (he@uninett.no) 1010178355Ssam* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org 1011178355Ssam - implement 'auth_log2()' using integer bithack instead of float calculation 1012178355Ssam* Make leapsec_query debug messages less verbose. Harlan Stenn. 1013178355Ssam 1014178355Ssam--- 1015178355SsamNTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07) 1016178355Ssam 1017178355SsamFocus: Security, Bug fixes, enhancements. 1018178355Ssam 1019178355SsamSeverity: MEDIUM 1020178355Ssam 1021178355SsamIn addition to bug fixes and enhancements, this release fixes the 1022178355Ssamfollowing medium-severity vulnerability: 1023178355Ssam 1024178355Ssam* Small-step/big-step. Close the panic gate earlier. 1025178355Ssam References: Sec 2956, CVE-2015-5300 1026178355Ssam Affects: All ntp-4 releases up to, but not including 4.2.8p5, and 1027178355Ssam 4.3.0 up to, but not including 4.3.78 1028178355Ssam CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM 1029178355Ssam Summary: If ntpd is always started with the -g option, which is 1030178355Ssam common and against long-standing recommendation, and if at the 1031178355Ssam moment ntpd is restarted an attacker can immediately respond to 1032178355Ssam enough requests from enough sources trusted by the target, which 1033178355Ssam is difficult and not common, there is a window of opportunity 1034178355Ssam where the attacker can cause ntpd to set the time to an 1035178355Ssam arbitrary value. 
Similarly, if an attacker is able to respond 1036178355Ssam to enough requests from enough sources trusted by the target, 1037178355Ssam the attacker can cause ntpd to abort and restart, at which 1038178355Ssam point it can tell the target to set the time to an arbitrary 1039178355Ssam value if and only if ntpd was re-started against long-standing 1040178355Ssam recommendation with the -g flag, or if ntpd was not given the 1041178355Ssam -g flag, the attacker can move the target system's time by at 1042178355Ssam most 900 seconds' time per attack. 1043178355Ssam Mitigation: 1044178355Ssam Configure ntpd to get time from multiple sources. 1045178355Ssam Upgrade to 4.2.8p5, or later, from the NTP Project Download 1046178355Ssam Page or the NTP Public Services Project Download Page 1047178355Ssam As we've long documented, only use the -g option to ntpd in 1048178355Ssam cold-start situations. 1049178355Ssam Monitor your ntpd instances. 1050178355Ssam Credit: This weakness was discovered by Aanchal Malhotra, 1051178355Ssam Isaac E. Cohen, and Sharon Goldberg at Boston University. 1052178355Ssam 1053178355Ssam NOTE WELL: The -g flag disables the limit check on the panic_gate 1054178355Ssam in ntpd, which is 900 seconds by default. The bug identified by 1055178355Ssam the researchers at Boston University is that the panic_gate 1056178355Ssam check was only re-enabled after the first change to the system 1057178355Ssam clock that was greater than 128 milliseconds, by default. The 1058178355Ssam correct behavior is that the panic_gate check should be 1059178355Ssam re-enabled after any initial time correction. 1060178355Ssam 1061178355Ssam If an attacker is able to inject consistent but erroneous time 1062178355Ssam responses to your systems via the network or "over the air", 1063178355Ssam perhaps by spoofing radio, cellphone, or navigation satellite 1064178355Ssam transmissions, they are in a great position to affect your 1065178355Ssam system's clock. 
    There comes a point where your very best
    defenses include:

    Configure ntpd to get time from multiple sources.
    Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
  The NTP codebase has been undergoing regular Coverity scans on an
  ongoing basis since 2006. As part of our recent upgrade from
  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
  the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets.
  perlinger@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
  lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.

---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
    certain code paths where a packet with particular autokey operations
    that contained malicious data was not always being completely
    validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
    KoD messages that have been forged by an attacker, causing it to
    delay or stop querying its servers for time updates.
    Also, an
    attacker can forge packets that claim to be from the target and
    send them to servers often enough that a server that implements
    KoD rate limiting will send the target machine a KoD response to
    attempt to reduce the rate of incoming packets, or it may also
    trigger a firewall block at the server for packets from the target
    machine. For either of these attacks to succeed, the attacker must
    know what servers the target is communicating with. An attacker
    can be anywhere on the Internet and can frequently learn the
    identity of the target's time source by sending the target a
    time query.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    If you can't upgrade, restrict who can query ntpd to learn who
    its servers are, and what IPs are allowed to ask your system
    for the time. This mitigation is heavy-handed.
    Monitor your ntpd instances.
  Note:
    4.2.8p4 protects against the first attack. For the second attack,
    all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
    Isaac E. Cohen, and Sharon Goldberg of Boston University.

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
    and if the (possibly spoofed) source IP address is allowed to
    send remote configuration requests, and if the attacker knows
    the remote configuration password, it's possible for an attacker
    to use the "pidfile" or "driftfile" directives to potentially
    overwrite other files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    If you cannot upgrade, don't enable remote configuration.
    If you must enable remote configuration and cannot upgrade,
    remote configuration of NTF's ntpd requires:
      - an explicitly configured trustedkey, and you should also
        configure a controlkey.
      - access from a permitted IP. You choose the IPs.
      - authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
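The KoD entry two items above (Sec 2901) says 4.2.8p4 protects against the first attack by validating the origin timestamp of a Kiss-of-Death response. The C model below is added here to show what that check amounts to on the client side; it is not ntpd's code, and the names (ntp_pkt, ntp_assoc, assoc_receive, kod_verdict, the scenario functions) and the timestamp values are constructed:

```c
/*
 * Model of the origin-timestamp check that 4.2.8p4 applies to KoD
 * responses (Sec 2901).  Written for this note; not ntpd's code.
 * Names, structures and timestamp values are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The fields of an NTP packet that matter for this check. */
struct ntp_pkt {
	uint8_t  stratum;	/* 0 marks a Kiss-of-Death packet                */
	char     kiss[4];	/* kiss code carried in the refid, e.g. RATE     */
	uint64_t org;		/* origin timestamp: echo of the request's xmt   */
};

/* Client-side state for one server association. */
struct ntp_assoc {
	uint64_t xmt;		/* transmit timestamp of the request in flight  */
	bool     awaiting;	/* true while a reply is outstanding            */
	unsigned throttled;	/* how many KoDs have been honoured             */
};

enum kod_verdict {
	KOD_NOT_KOD,			/* not a KoD packet; ordinary processing    */
	KOD_ACCEPTED,			/* genuine: matched the request in flight   */
	KOD_REJECTED_UNSOLICITED,	/* no request outstanding                   */
	KOD_REJECTED_ORIGIN		/* origin timestamp does not match our xmt  */
};

void
assoc_send_request(struct ntp_assoc *a, uint64_t xmt)
{
	a->xmt = xmt;		/* remembered so the reply can be matched */
	a->awaiting = true;
}

/*
 * Pre-4.2.8p4 the client honoured every KoD it received.  With the fix a
 * KoD is honoured only if it echoes the transmit timestamp of a request
 * this association actually has outstanding; anything else is dropped.
 */
enum kod_verdict
assoc_receive(struct ntp_assoc *a, const struct ntp_pkt *p)
{
	if (p->stratum != 0)
		return KOD_NOT_KOD;
	if (!a->awaiting)
		return KOD_REJECTED_UNSOLICITED;
	if (p->org != a->xmt)
		return KOD_REJECTED_ORIGIN;

	a->awaiting = false;	/* request answered; never match it again */
	a->throttled++;		/* back off as the server asked          */
	return KOD_ACCEPTED;
}

/* Constructed values for the scenarios below. */
#define REQUEST_XMT 0xDC2F4E3A9A3C1E7BULL	/* our request's transmit timestamp     */
#define GUESSED_ORG 0xDC2F4E3A00000000ULL	/* an off-path guess at that timestamp  */

static struct ntp_pkt
make_kod(uint64_t org)
{
	struct ntp_pkt p = { 0, { 'R', 'A', 'T', 'E' }, org };
	return p;
}

/* A real server's KoD echoes our xmt exactly. */
enum kod_verdict
scenario_genuine_kod(void)
{
	struct ntp_assoc a = { 0, false, 0 };
	struct ntp_pkt p = make_kod(REQUEST_XMT);
	assoc_send_request(&a, REQUEST_XMT);
	return assoc_receive(&a, &p);
}

/* A forged KoD from someone who never saw our request carries the wrong origin. */
enum kod_verdict
scenario_forged_kod(void)
{
	struct ntp_assoc a = { 0, false, 0 };
	struct ntp_pkt p = make_kod(GUESSED_ORG);
	assoc_send_request(&a, REQUEST_XMT);
	return assoc_receive(&a, &p);
}

/* A captured genuine KoD delivered a second time after the request was answered. */
enum kod_verdict
scenario_replayed_kod(void)
{
	struct ntp_assoc a = { 0, false, 0 };
	struct ntp_pkt p = make_kod(REQUEST_XMT);
	assoc_send_request(&a, REQUEST_XMT);
	assoc_receive(&a, &p);		/* accepted once   */
	return assoc_receive(&a, &p);	/* nothing in flight now */
}

int
main(void)
{
	printf("genuine: %d, forged: %d, replayed: %d\n",
	    scenario_genuine_kod(), scenario_forged_kod(), scenario_replayed_kod());
	return 0;
}
```

The 64-bit transmit timestamp acts as a per-request nonce, which is what makes an off-path forgery fail. It does nothing against a party that can see the request on the wire, and it does not touch the second attack in the entry (forged requests that make the server rate-limit the target), which is why BCP-38 and monitoring remain on the mitigation list.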

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
    4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
    send packets to ntpd that will, after several days of ongoing
    attack, cause it to run out of memory.
  Mitigation:
    Don't use autokey.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
    use of mode 7 packets is not properly protected through the use of
    the available mode 7 authentication and restriction mechanisms,
    and if the (possibly spoofed) source IP address is allowed to
    send mode 7 queries, then an attacker can send a crafted packet
    to ntpd that will cause it to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a requestkey to control who can issue
        mode 7 requests.
        configure restrict noquery to further limit mode 7 requests
        to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that may cause a crash or theoretically
    perform a code injection attack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was configured to
    disable authentication, then an attacker can send a set of
    packets to ntpd that will cause it to crash and/or create a
    potentially huge log file. Specifically, the attacker could
    enable extended logging, point the key file at the log file,
    and cause what amounts to an infinite loop.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure this
      if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) IP address is allowed to send remote
    configuration requests, and if the attacker knows the remote
    configuration password or if ntpd was configured to disable
    authentication, then an attacker can send a set of packets to
    ntpd that may cause ntpd to overwrite files.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's ntpd
    requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from permitted IP addresses. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
    and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
    is listening for data and the port number it is listening on, or
    if the attacker can provide a malicious ntpd instance that
    victims will connect to, then an attacker can send a set of
    crafted mode 6 response packets that, if received by ntpq,
    can cause ntpq to crash.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade and you run ntpq against a server
    and ntpq crashes, try again using raw mode. Build or get a
    patched ntpq and see if that fixes the problem. Report new
    bugs in ntpq or abusive servers appropriately.
    If you use ntpq in scripts, make sure ntpq does what you expect
    in your scripts.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
    that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
    5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
    data buffer. NTF's ntpd driver implementations always set this
    value to 0 and are therefore not vulnerable to this weakness.
    If you are running a custom refclock driver in ntpd and that
    driver supplies a negative value for datalen (no custom driver
    of even minimal competence would do this) then ntpd would
    overflow a data buffer. It is even hypothetically possible
    in this case that instead of simply crashing ntpd the attacker
    could effect a code injection attack.
  Mitigation:
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you are running custom refclock drivers, make sure
      the signed datalen value is either zero or positive.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
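The refclock entry above turns on a signed datalen reaching a copy routine that takes an unsigned length. The C snippet below, added here and not taken from ntpd's refclock interface, shows why a negative value is dangerous and what the check a custom driver or its caller should perform looks like; the names (refclock_buffer, refclock_store, wrapped_length, try_store), the buffer size and the sample sentence are constructed:

```c
/*
 * Bounds check for data handed to ntpd by a refclock driver (Sec 2920).
 * Written for this note; not ntpd's code.  Names, buffer size and the
 * sample input are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_BUF_SIZE 128		/* constructed receive-buffer size */

struct refclock_buffer {
	char   data[RX_BUF_SIZE];
	size_t used;
};

/*
 * What a negative signed length becomes when it reaches memcpy(), whose
 * size parameter is an unsigned size_t: -1 turns into SIZE_MAX, so the
 * copy would run far past the end of any buffer.
 */
size_t
wrapped_length(int datalen)
{
	return (size_t)datalen;
}

/*
 * Store datalen bytes of driver data.  The length is signed, as in the
 * advisory; a negative value (which would wrap) and a value larger than
 * the buffer are both rejected before any copy takes place.
 */
bool
refclock_store(struct refclock_buffer *b, const char *src, int datalen)
{
	if (datalen < 0)			/* the CVE-2015-7853 condition */
		return false;
	if ((size_t)datalen > RX_BUF_SIZE)	/* bound the positive side too */
		return false;
	memcpy(b->data, src, (size_t)datalen);
	b->used = (size_t)datalen;
	return true;
}

/* Constructed NMEA-style sentence standing in for driver output. */
static const char sample[] = "$GPRMC,120000,A,constructed";

/* Try one datalen against a fresh buffer; bytes stored, or -1 if rejected. */
long
try_store(int datalen)
{
	struct refclock_buffer b = { { 0 }, 0 };
	if (!refclock_store(&b, sample, datalen))
		return -1;
	return (long)b.used;
}

int
main(void)
{
	printf("(size_t)-1 = %zu\n", wrapped_length(-1));
	printf("datalen -1: %ld, 0: %ld, 5: %ld, %d: %ld\n",
	    try_store(-1), try_store(0), try_store(5),
	    RX_BUF_SIZE + 1, try_store(RX_BUF_SIZE + 1));
	return 0;
}
```

NTF's own drivers pass 0, which the check accepts unchanged; the value of the check is for the custom-driver case the entry describes, where a review of every call site that forwards a signed length to memcpy() is the practical audit step.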

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
    1.7 usual case, 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
    the (possibly spoofed) source IP address is allowed to send
    remote configuration requests, and if the attacker knows the
    remote configuration password or if ntpd was (foolishly)
    configured to disable authentication, then an attacker can
    send a set of packets to ntpd that may cause it to crash,
    with the hypothetical possibility of a small code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade, remote configuration of NTF's
    ntpd requires:
      an explicitly configured "trusted" key. Only configure
      this if you need it.
      access from a permitted IP address. You choose the IPs.
      authentication. Don't disable it. Practice secure key safety.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
    Aleksandar Nikolic of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
    4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
    an unusually long data value where a network address is expected,
    the decodenetnum() function will abort with an assertion failure
    instead of simply returning a failure condition.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      Use restrict noquery to limit who can send mode 6
      and mode 7 requests.
      Configure and use the controlkey and requestkey
      authentication directives to limit who can
      send mode 6 and mode 7 requests.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
    4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
    from unauthenticated ephemeral symmetric peers by bypassing the
    authentication required to mobilize peer associations.
    This
    vulnerability appears to have been introduced in ntp-4.2.5p186
    when the code handling mobilization of new passive symmetric
    associations (lines 1103-1165) was refactored.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p4, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Apply the patch to the bottom of the "authentic" check
      block around line 1136 of ntp_proto.c.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory). A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
  "don't lock ntpd into memory". This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits. Otherwise
  the value is the number of megabytes of memory to lock. The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize. Brian Utterback. Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
  be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
* [Bug 2888] streamline calendar functions.
  perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes.
  Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting.
  Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity's assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity's assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c.
Tomasz Flendrich 1574178355Ssam* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn. 1575187343Ssam* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn. 1576187343Ssam* Code cleanup. Harlan Stenn. 1577187343Ssam* libntp/icom.c: Typo fix. Harlan Stenn. 1578187343Ssam* util/ntptime.c: initialization nit. Harlan Stenn. 1579187343Ssam* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 1580187343Ssam* Add std_unity_tests to various Makefile.am files. Harlan Stenn. 1581187343Ssam* ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 1582187343Ssam Tomasz Flendrich 1583187343Ssam* Changed progname to be const in many files - now it's consistent. Tomasz 1584187343Ssam Flendrich 1585187343Ssam* Typo fix for GCC warning suppression. Harlan Stenn. 1586187343Ssam* Added tests/ntpd/ntp_scanner.c test. Damir Tomi��. 1587187343Ssam* Added declarations to all Unity tests, and did minor fixes to them. 1588187343Ssam Reduced the number of warnings by half. Damir Tomi��. 1589187343Ssam* Updated generate_test_runner.rb and updated the sntp/unity/auto directory 1590187343Ssam with the latest Unity updates from Mark. Damir Tomi��. 1591187343Ssam* Retire google test - phase I. Harlan Stenn. 1592178355Ssam* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 1593178355Ssam* Update the NEWS file. Harlan Stenn. 1594178355Ssam* Autoconf cleanup. Harlan Stenn. 1595178355Ssam* Unit test dist cleanup. Harlan Stenn. 1596178355Ssam* Cleanup various test Makefile.am files. Harlan Stenn. 1597178355Ssam* Pthread autoconf macro cleanup. Harlan Stenn. 1598178355Ssam* Fix progname definition in unity runner scripts. Harlan Stenn. 1599178355Ssam* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 1600178355Ssam* Update the patch for bug 2817. Harlan Stenn. 1601178355Ssam* More updates for bug 2817. Harlan Stenn. 1602178355Ssam* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 
* gcc on older HPUX may need +allowdups. Harlan Stenn.
* Adding missing MCAST protection. Harlan Stenn.
* Disable certain test programs on certain platforms. Harlan Stenn.
* Implement --enable-problem-tests (on by default). Harlan Stenn.
* build system tweaks. Harlan Stenn.

---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
  in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomić, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
    key authentication.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on
    the receiving side.

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.
  Mitigation:
    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

    wget logger tr sed shasum

Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.
  Mitigation - any of:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network
    Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1-based
    ACL restrictions on any application can be bypassed!
  Mitigation:
    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

  restrict default ... noquery

in the ntp.conf file.
With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

  Mitigation - any of:
    - Upgrade to 4.2.7p11 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

  Mitigation - any of:
    - Upgrade to 4.2.7p230 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later, or
    - Disable Autokey Authentication by removing, or commenting out,
      all configuration directives beginning with the crypto keyword
      in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
    - Upgrade to 4.2.8, or later,
    - Remove or comment out all configuration directives
      beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.
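The Sec 2779 entry in the 4.2.8p2 notes above describes a MAC that is verified when present but never required. The following added example (not ntpd's own code) models that pre-4.2.8p2 acceptance rule beside a corrected one that requires a valid MAC for any association configured with a key; the key table, key ID 7 and the zeroed 48-byte header are constructed for the example.

```python
"""
Acceptance of symmetric-key authenticated NTP packets: the pre-4.2.8p2
behaviour described for Sec 2779 (a packet carrying no MAC at all is
accepted as if its MAC had verified) beside the corrected check.
Added example, not ntpd's own code; keys, key ID and header are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTPv4 header
KEY_ID_LEN = 4        # key identifier that precedes the MAC
MD5_MAC_LEN = 16      # digest length for an MD5 symmetric key
MAC_TRAILER_LEN = KEY_ID_LEN + MD5_MAC_LEN


def ntp_md5_mac(key, header):
    """NTP's symmetric-key MAC (RFC 5905): MD5 over key || header, not HMAC."""
    return hashlib.md5(key + header).digest()


def build_packet(header, key_id=None, key=None):
    """Constructed packet: header alone, or header + key ID + MAC when keyed."""
    if key is None:
        return header
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def mac_key_id(pkt):
    """Key ID from the MAC trailer, or None when no complete trailer is present."""
    if len(pkt) != NTP_HEADER_LEN + MAC_TRAILER_LEN:
        return None
    return struct.unpack("!I", pkt[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]


def mac_is_valid(pkt, keys):
    """True only if a complete trailer is present, its key ID is configured
    and the digest matches (constant-time compare)."""
    key_id = mac_key_id(pkt)
    if key_id is None or key_id not in keys:
        return False
    expected = ntp_md5_mac(keys[key_id], pkt[:NTP_HEADER_LEN])
    return hmac.compare_digest(pkt[NTP_HEADER_LEN + KEY_ID_LEN:], expected)


def accept_before_p2(pkt, keys, assoc_key_id):
    """Models the flaw in the Sec 2779 summary: the MAC is checked when one is
    present, but a packet with no MAC is treated as authenticated."""
    if len(pkt) > NTP_HEADER_LEN:
        return mac_is_valid(pkt, keys)
    return True


def accept_fixed(pkt, keys, assoc_key_id):
    """Corrected rule: an association configured with a key requires a MAC,
    and the MAC must have been made with that association's key."""
    if assoc_key_id is None:
        return True                       # unauthenticated association
    if len(pkt) <= NTP_HEADER_LEN:
        return False                      # keyed association, MAC missing
    return mac_is_valid(pkt, keys) and mac_key_id(pkt) == assoc_key_id


# Constructed inputs: one configured key and a zeroed NTPv4 server header.
KEYS = {7: b"constructed-demo-key"}
HEADER = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)   # LI=0, VN=4, mode 4


def demo():
    """Run three packets through both rules; returns {case: (before, fixed)}."""
    genuine = build_packet(HEADER, 7, KEYS[7])
    no_mac = HEADER                                   # header only, no trailer
    bad_mac = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    return {
        name: (accept_before_p2(pkt, KEYS, 7), accept_fixed(pkt, KEYS, 7))
        for name, pkt in (("genuine", genuine), ("no_mac", no_mac), ("bad_mac", bad_mac))
    }


if __name__ == "__main__":
    for case, (before, fixed) in demo().items():
        print(f"{case:8s} before p2: {before!s:5s} fixed: {fixed}")
```

The "no_mac" case is the one the entry describes: the old rule accepts it, the corrected rule rejects it, and a tampered MAC is rejected by both.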

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org/.

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

  * Updated "nic" and "interface" IPv6 address handling to prevent
    mismatches with localhost [::1] and wildcard [::] which resulted from
    using the address/prefix format (e.g.
fe80::/64) 2193 * Fix orphan mode stratum incorrectly counting to infinity 2194 * Orphan parent selection metric updated to includes missing ntohl() 2195 * Non-printable stratum 16 refid no longer sent to ntp 2196 * Duplicate ephemeral associations suppressed for broadcastclient and 2197 multicastclient without broadcastdelay 2198 * Exclude undetermined sys_refid from use in loopback TEST12 2199 * Exclude MODE_SERVER responses from KoD rate limiting 2200 * Include root delay in clock_update() sys_rootdisp calculations 2201 * get_systime() updated to exclude sys_residual offset (which only 2202 affected bits "below" sys_tick, the precision threshold) 2203 * sys.peer jitter weighting corrected in sys_jitter calculation 2204 2205ntpq 2206 2207 * -n option extended to include the billboard "server" column 2208 * IPv6 addresses in the local column truncated to prevent overruns 2209 2210--- 2211NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22) 2212 2213Focus: Bug fixes and portability improvements 2214 2215Severity: Medium 2216 2217This is a recommended upgrade. 2218 2219This release includes build infrastructure updates, code 2220clean-ups, minor bug fixes, fixes for a number of minor 2221ref-clock issues, and documentation revisions. 2222 2223Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6.

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message). In this case:

  * If an attacker spoofs the source address of ntpd host A in a
    mode 7 response packet sent to ntpd host B, both A and B will
    continuously send each other error responses, for as long as
    those packets get through.

  * If an attacker spoofs an address of ntpd host A in a mode 7
    response packet sent to ntpd host A, A will respond to itself
    endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete, and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, and
MD5 signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.