xref: /freebsd/contrib/ntp/NEWS (revision e6bfd18d)
---
NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)

Focus: Bug fixes

Severity: HIGH (for people running 4.2.8p16)

This release:

- fixes 3 bugs, including a regression
- adds new unit tests

Details below:

* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
             Miroslav Lichvar and Matt for rapid testing and identifying the
             problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
  symmetric authentication digest output.

---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0

Details below:

* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
             hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
  - solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
             <stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
             <hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
             <hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
             Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
  - openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
  - command line options override config statements where applicable
  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
  - misleading title; essentially a request to ignore the receiver status.
    Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
  - original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
  - implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
  - original patch by matt <ntpbr@mattcorallo.com>
  - increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
  - patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
  - ntp{q,dc} now use the same password processing as ntpd does in the key
    file, so having a binary secret >= 11 bytes is possible for all keys.
    (This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
  - applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
  - idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
  - backport from -dev, plus some more work on warnings for unchecked results
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
             Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
             Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32.  <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs.  <stenn@ntp.org>
* Rename a poorly-named variable.  <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0

---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)

Focus: Security, Bug fixes

Severity: MEDIUM

This release fixes one vulnerability: Associations that use CMAC
authentication between ntpd from versions 4.2.8p11/4.3.97 and
4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
Eventually, ntpd will run out of memory and abort.

It also fixes 13 other bugs.

* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
  - Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
  - rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
  - integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
  ntp_config.h <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
  - thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
  - applied patch by Takao Abe

---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that causes an ntpd
instance that is explicitly configured to override the default and allow
ntpdc (mode 7) connections to be made to a server to read some uninitialized
memory; fixes the case where an unmonitored ntpd using an unauthenticated
association to its servers may be susceptible to a forged packet DoS attack;
and fixes an attack against a client instance that uses a single
unauthenticated time source.  It also fixes 46 other bugs and addresses
4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
             ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
             is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
             mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

---
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.

* [Sec 3012] Fix a hole in the new "noepeer" processing.

* Bug Fixes:
 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
            other TrustedBSD platforms
 - applied patch by Ian Lepore <perlinger@ntp.org>
 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
 - changed interaction with SCM to signal pending startup
 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
 - rework of ntpq 'nextvar()' key/value parsing
 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods)
 [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
 - add #define ENABLE_CMAC support in configure.  HStenn.
 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
 - patch by Stephen Friedl
 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
 - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
 - initial patch by Hal Murray; also fixed refclock_report() trouble
 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
 - applied patch by Gerry Garvey
 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
 with modifications
 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
 - applied patch by Miroslav Lichvar
 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
 - integrated patch by Reinhard Max
 [Bug 2821] minor build issues <perlinger@ntp.org>
 - applied patches by Christos Zoulas, including real bug fixes
 html/authopt.html: cleanup, from <stenn@ntp.org>
 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>

---
4214e1ef62aSXin LINTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
4224e1ef62aSXin LI
4234e1ef62aSXin LIFocus: Security, Bug fixes, enhancements.
4244e1ef62aSXin LI
4254e1ef62aSXin LISeverity: MEDIUM
4264e1ef62aSXin LI
42709100258SXin LIThis release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
42809100258SXin LIvulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
42909100258SXin LIprovides 65 other non-security fixes and improvements:
43009100258SXin LI
* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
	association (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3454 / CVE-2018-7185 / VU#961909
   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
	2.9 and 6.8.
   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
	score between 2.6 and 3.1.
   Summary:
	The NTP Protocol allows for both non-authenticated and
	authenticated associations, in client/server, symmetric (peer),
	and several broadcast modes. In addition to the basic NTP
	operational modes, symmetric mode and broadcast servers can
	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
	was inadvertently introduced into the protocol engine that
	allows a non-authenticated zero-origin (reset) packet to reset
	an authenticated interleaved peer association. If an attacker
	can send a packet with a zero-origin timestamp and the source
	IP address of the "other side" of an interleaved association,
	the 'victim' ntpd will reset its association. The attacker must
	continue sending these packets in order to maintain the
	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
	interleaved mode must be explicitly configured/enabled.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade to 4.2.8p11 or later and have
	    'peer HOST xleave' lines in your ntp.conf file, remove the
	    'xleave' option.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
	state (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3453 / CVE-2018-7184 / VU#961909
   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
	Could score between 2.9 and 6.8.
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
	Could score between 2.6 and 6.0.
   Summary:
	The fix for NtpBug2952 was incomplete, and while it fixed one
	problem it created another.  Specifically, it drops bad packets
	before updating the "received" timestamp.  This means a
	third-party can inject a packet with a zero-origin timestamp,
	meaning the sender wants to reset the association, and the
	transmit timestamp in this bogus packet will be saved as the
	most recent "received" timestamp.  The real remote peer does
	not know this value and this will disrupt the association until
	the association resets.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Use authentication with 'peer' mode.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
	peering (LOW)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3415 / CVE-2018-7170 / VU#961909
	       Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
   Summary:
	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
	use a trustedkey and if one is not using the feature introduced in
	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
	specify which IPs can serve time, a malicious authenticated peer
	-- i.e. one where the attacker knows the private symmetric key --
	can create arbitrarily-many ephemeral associations in order to win
	the clock selection of ntpd and modify a victim's clock.  Three
	additional protections are offered in ntp-4.2.8p11.  One is the
	new 'noepeer' directive, which disables symmetric passive
	ephemeral peering. Another is the new 'ippeerlimit' directive,
	which limits the number of peers that can be created from an IP.
	The third extends the functionality of the 4th field in the
	ntp.keys file to include specifying a subnet range.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Use the 'noepeer' directive to prohibit symmetric passive
	    ephemeral associations.
	Use the 'ippeerlimit' directive to limit the number of peers
	    that can be created from an IP.
	Use the 4th argument in the ntp.keys file to limit the IPs and
	    subnets that can be time servers.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was reported as Bug 3012 by Matthew Van Gundy of
	Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3414 / CVE-2018-7183 / VU#961909
   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
   Summary:
	ntpq is a monitoring and control program for ntpd.  decodearr()
	is an internal function of ntpq that is used to -- wait for it --
	decode an array in a response string when formatted data is being
	displayed.  This is a problem in affected versions of ntpq if a
	maliciously-altered ntpd returns an array result that will trip this
	bug, or if a bad actor is able to read an ntpq request on its way to
	a remote ntpd server and forge and send a response before the remote
	ntpd sends its response.  It's potentially possible that the
	malicious data could become injectable/executable code.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
   Credit:
	This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
	behavior and information leak (Info/Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3412 / CVE-2018-7182 / VU#961909
   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
	0.0 if C:N
   Summary:
	ctl_getitem() is used by ntpd to process incoming mode 6 packets.
	A malicious mode 6 packet can be sent to an ntpd instance, and
	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
	cause ctl_getitem() to read past the end of its buffer.
   Mitigation:
	Implement BCP-38.
	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Have enough sources of time.
	Properly monitor your ntpd instances.
	If ntpd stops running, auto-restart it without -g .
   Credit:
	This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
   Also see Bug 3415, above.
   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   Summary:
	ntpd can be vulnerable to Sybil attacks.  If a system is set up
	to use a trustedkey and if one is not using the feature
	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
	ntp.keys file to specify which IPs can serve time, a malicious
	authenticated peer -- i.e. one where the attacker knows the
	private symmetric key -- can create arbitrarily-many ephemeral
	associations in order to win the clock selection of ntpd and
	modify a victim's clock.  Two additional protections are
	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
	disables symmetric passive ephemeral peering. The other extends
	the functionality of the 4th field in the ntp.keys file to
	include specifying a subnet range.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
	    the NTP Public Services Project Download Page.
	Use the 'noepeer' directive to prohibit symmetric passive
	    ephemeral associations.
	Use the 'ippeerlimit' directive to limit the number of peer
	    associations from an IP.
	Use the 4th argument in the ntp.keys file to limit the IPs
	    and subnets that can be time servers.
	Properly monitor your ntpd instances.
   Credit:
	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* Bug fixes:
 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
 - applied patch by Sean Haugh
 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
 - refactoring the MAC code, too
 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
 - applied patch by ggarvey
 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
 - applied patch by ggarvey (with minor mods)
 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
 - fixed several issues with hash algos in ntpd, sntp, ntpq,
   ntpdc and the test suites <perlinger@ntp.org>
 [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
 - initial patch by Daniel Pouzzner
 [Bug 3423] QNX adjtime() implementation error checking is wrong <perlinger@ntp.org>
 [Bug 3417] ntpq ifstats packet counters can be negative
 - made IFSTATS counter quantities unsigned <perlinger@ntp.org>
 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
 - raised receive buffer size to 1200 <perlinger@ntp.org>
 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the Coverity static
   analysis tool. <abe@ntp.org>
 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
 [Bug 3404] Fix OpenSSL DLL usage under Windows <perlinger@ntp.org>
 - fix/drop assumptions on OpenSSL libs directory layout
 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
 - patch contributed by Alexander Bluhm
 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
 - rework of formatting & data transfer code in 'ntp_control.c'
   avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
 [Bug 3394] Leap second deletion does not work on ntpd clients
 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
 - increased minimum stack size to 32kB <perlinger@ntp.org>
 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
 - reverted handling of PPS kernel consumer to 4.2.6 behavior
 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
 [Bug 3016] wrong error position reported for bad ":config pool"
 - fixed location counter & ntpq output <perlinger@ntp.org>
 [Bug 2900] libntp build order problem.  HStenn.
 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
   perlinger@ntp.org
 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
 Use strlcpy() to copy strings, not memcpy().  HStenn.
 Typos.  HStenn.
 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
 Fix trivial warnings from 'make check'. perlinger@ntp.org
 Fix bug in the override portion of the compiler hardening macro. HStenn.
 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
 sntp: tweak key file logging.  HStenn.
 sntp: pkt_output(): Improve debug output.  HStenn.
 update-leap: updates from Paul McMath.
 When using pkg-config, report --modversion.  HStenn.
 Clean up libevent configure checks.  HStenn.
 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
 authistrustedip() - use it in more places.  HStenn, JPerlinger.
 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
 Update ntp.keys .../N documentation.  HStenn.
 Distribute testconf.yml.  HStenn.
 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
 Rename the configuration flag fifo variables.  HStenn.
 Improve saveconfig output.  HStenn.
 Decode restrict flags on receive() debug output.  HStenn.
 Decode interface flags on receive() debug output.  HStenn.
 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
 Update the documentation in ntp.conf.def .  HStenn.
 restrictions() must return restrict flags and ippeerlimit.  HStenn.
 Update ntpq peer documentation to describe the 'p' type.  HStenn.
 Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
 Provide dump_restricts() for debugging.  HStenn.
 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.

* Other items:

* update-leap needs the following Perl modules:
	Net::SSLeay
	IO::Socket::SSL

* New sysstats variables: sys_lamport, sys_tsrounding
See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
sys_lamport counts the number of observed Lamport violations, while
sys_tsrounding counts observed timestamp rounding events.

* New ntp.conf items:

- restrict ... noepeer
- restrict ... ippeerlimit N

The 'noepeer' directive will disallow all ephemeral/passive peer
requests.

The 'ippeerlimit' directive limits the number of time associations
for each IP in the designated set of addresses.  This limit does not
apply to explicitly-configured associations.  A value of -1, the current
default, means an unlimited number of associations may connect from a
single IP.  0 means "none", etc.  Ordinarily the only way multiple
associations would come from the same IP would be if the remote side
was using a proxy.  But a trusted machine might become compromised,
in which case an attacker might spin up multiple authenticated sessions
from different ports.  This directive should be helpful in this case.

* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key.  This IP/subnet restriction can be
used to limit the IPs that may use the key in almost all situations where
a key is used.
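The 'noepeer' and 'ippeerlimit' directives above and the 4th-field /subnetbits restriction here all bear on one decision: whether an authenticated mobilization request may create a symmetric passive association. The following Python is an added model of that decision written for this note, not ntpd's code; it assumes the ntp.keys layout 'keyno type key [IP[/N],...]' from ntp.keys(5), uses constructed placeholder keys and documentation addresses, and simplifies restrict matching to most-specific-prefix-wins.

```python
"""Model of the 4.2.8p11 checks on symmetric passive (ephemeral) peering:
noepeer, ippeerlimit N and the ntp.keys 4th-field IP[/N] list.  Not ntpd code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed ntp.keys content; PLACEHOLDER* stand in for real key material.
# Layout assumed from ntp.keys(5): keyno type key [IP[/N][,IP[/N]...]]
KEYS_FILE = """\
# keyno type  key          trusted sources (optional 4th field)
10      MD5   PLACEHOLDER1 192.0.2.0/24,2001:db8::/32
20      SHA1  PLACEHOLDER2 198.51.100.7
30      MD5   PLACEHOLDER3
"""


def parse_keys(text: str) -> dict:
    """Parse ntp.keys text into {keyno: (type, key, networks)}; networks is None
    when a line has no 4th field, i.e. any authenticated source may use it."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"malformed ntp.keys line: {raw!r}")
        keyno = int(parts[0])
        if not 1 <= keyno <= 65535:          # symmetric key range is 1-65535
            raise ValueError(f"key id out of range: {keyno}")
        nets = None
        if len(parts) == 4:
            # A bare IP becomes a /32 or /128 host network; /N widens it.
            nets = [ipaddress.ip_network(tok, strict=False)
                    for tok in parts[3].split(",")]
        keys[keyno] = (parts[1], parts[2], nets)
    return keys


def key_allows_source(keys: dict, keyno: int, src: str) -> bool:
    """authistrustedip()-style check: may packets from src use keyno?"""
    if keyno not in keys:
        return False
    nets = keys[keyno][2]
    if nets is None:
        return True
    # ipaddress answers False when address and network families differ.
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


@dataclass
class Restrict:
    """One restrict line; net=None models 'restrict default'."""
    net: "ipaddress.IPv4Network | ipaddress.IPv6Network | None" = None
    noepeer: bool = False
    ippeerlimit: int = -1        # -1 unlimited (the default), 0 means none


@dataclass
class PassivePeerGate:
    keys: dict
    restricts: list
    # Live count of ephemeral associations per source IP (constructed state).
    # Explicitly configured associations are not counted; the limit does not
    # apply to them.
    ephemeral: dict = field(default_factory=dict)

    def match(self, src: str) -> Restrict:
        """Most specific matching restrict wins; 'default' (net=None) is last."""
        addr = ipaddress.ip_address(src)
        hits = [r for r in self.restricts if r.net is None or addr in r.net]
        hits.sort(key=lambda r: -1 if r.net is None else r.net.prefixlen, reverse=True)
        return hits[0] if hits else Restrict()

    def admit(self, src: str, keyno: int) -> tuple:
        """May an authenticated request from src using keyno mobilize a
        symmetric passive association?  Returns (accepted, reason)."""
        r = self.match(src)
        if r.noepeer:
            return False, "noepeer: ephemeral/passive peering disabled"
        if not key_allows_source(self.keys, keyno, src):
            return False, f"key {keyno} not trusted for source {src}"
        have = self.ephemeral.get(src, 0)
        if 0 <= r.ippeerlimit <= have:
            return False, f"ippeerlimit {r.ippeerlimit} reached for {src}"
        self.ephemeral[src] = have + 1
        return True, "accepted"


def demo() -> list:
    """A burst of mobilizations from one authenticated source, then two more cases."""
    gate = PassivePeerGate(keys=parse_keys(KEYS_FILE), restricts=[
        Restrict(ippeerlimit=2),                # restrict default ippeerlimit 2
        Restrict(ipaddress.ip_network("203.0.113.0/24"), noepeer=True),
    ])                                          # restrict 203.0.113.0 mask 255.255.255.0 noepeer
    results = [gate.admit("192.0.2.45", 10) for _ in range(3)]  # third hits the limit
    results.append(gate.admit("203.0.113.9", 30))                # noepeer wins
    results.append(gate.admit("192.0.3.1", 10))                  # outside key 10's /24
    return results
```

Calling demo() accepts the first two mobilizations from 192.0.2.45, then rejects the third on ippeerlimit, the 203.0.113.9 request on noepeer, and the 192.0.3.1 request because key 10 is not trusted for that source.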
74509100258SXin LI--
746f0574f5cSXin LINTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
747f0574f5cSXin LI
748f0574f5cSXin LIFocus: Security, Bug fixes, enhancements.
749f0574f5cSXin LI
750f0574f5cSXin LISeverity: MEDIUM
751f0574f5cSXin LI
752f0574f5cSXin LIThis release fixes 5 medium-, 6 low-, and 4 informational-severity
753f0574f5cSXin LIvulnerabilities, and provides 15 other non-security fixes and improvements:
754f0574f5cSXin LI
755f0574f5cSXin LI* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
756f0574f5cSXin LI   Date Resolved: 21 Mar 2017
757f0574f5cSXin LI   References: Sec 3389 / CVE-2017-6464 / VU#325339
758f0574f5cSXin LI   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
759f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
760f0574f5cSXin LI   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
761f0574f5cSXin LI   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
762f0574f5cSXin LI   Summary:
763f0574f5cSXin LI	A vulnerability found in the NTP server makes it possible for an
764f0574f5cSXin LI	authenticated remote user to crash ntpd via a malformed mode
765f0574f5cSXin LI	configuration directive.
766f0574f5cSXin LI   Mitigation:
767f0574f5cSXin LI	Implement BCP-38.
768f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
769f0574f5cSXin LI	    the NTP Public Services Project Download Page
770f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
771f0574f5cSXin LI	    ntpd (without -g) if it stops running.
772f0574f5cSXin LI   Credit:
773f0574f5cSXin LI	This weakness was discovered by Cure53.
774f0574f5cSXin LI
775f0574f5cSXin LI* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
776f0574f5cSXin LI    Date Resolved: 21 Mar 2017
777f0574f5cSXin LI    References: Sec 3388 / CVE-2017-6462 / VU#325339
778f0574f5cSXin LI    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
779f0574f5cSXin LI    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
780f0574f5cSXin LI    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
781f0574f5cSXin LI    Summary:
782f0574f5cSXin LI	There is a potential for a buffer overflow in the legacy Datum
783f0574f5cSXin LI	Programmable Time Server refclock driver.  Here the packets are
784f0574f5cSXin LI	processed from the /dev/datum device and handled in
785f0574f5cSXin LI	datum_pts_receive().  Since an attacker would be required to
786f0574f5cSXin LI	somehow control a malicious /dev/datum device, this does not
787f0574f5cSXin LI	appear to be a practical attack and renders this issue "Low" in
788f0574f5cSXin LI	terms of severity.
789f0574f5cSXin LI   Mitigation:
790f0574f5cSXin LI	If you have a Datum reference clock installed and think somebody
791f0574f5cSXin LI	    may maliciously change the device, upgrade to 4.2.8p10, or
792f0574f5cSXin LI	    later, from the NTP Project Download Page or the NTP Public
793f0574f5cSXin LI	    Services Project Download Page
794f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
795f0574f5cSXin LI	    ntpd (without -g) if it stops running.
796f0574f5cSXin LI   Credit:
797f0574f5cSXin LI	This weakness was discovered by Cure53.
798f0574f5cSXin LI
799f0574f5cSXin LI* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
800f0574f5cSXin LI   Date Resolved: 21 Mar 2017
801f0574f5cSXin LI   References: Sec 3387 / CVE-2017-6463 / VU#325339
802f0574f5cSXin LI   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
803f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
804f0574f5cSXin LI   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
805f0574f5cSXin LI   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
806f0574f5cSXin LI   Summary:
807f0574f5cSXin LI	A vulnerability found in the NTP server allows an authenticated
808f0574f5cSXin LI	remote attacker to crash the daemon by sending an invalid setting
809f0574f5cSXin LI	via the :config directive.  The unpeer option expects a number or
810f0574f5cSXin LI	an address as an argument.  In case the value is "0", a
811f0574f5cSXin LI	segmentation fault occurs.
812f0574f5cSXin LI   Mitigation:
813f0574f5cSXin LI	Implement BCP-38.
814f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
815f0574f5cSXin LI	    or the NTP Public Services Project Download Page
816f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
817f0574f5cSXin LI	    ntpd (without -g) if it stops running.
818f0574f5cSXin LI   Credit:
819f0574f5cSXin LI	This weakness was discovered by Cure53.
820f0574f5cSXin LI
821f0574f5cSXin LI* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
822f0574f5cSXin LI   Date Resolved: 21 Mar 2017
823f0574f5cSXin LI   References: Sec 3386
824f0574f5cSXin LI   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
825f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
826f0574f5cSXin LI   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
827f0574f5cSXin LI   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
828f0574f5cSXin LI   Summary:
829f0574f5cSXin LI	The NTP Mode 6 monitoring and control client, ntpq, uses the
830f0574f5cSXin LI	function ntpq_stripquotes() to remove quotes and escape characters
831f0574f5cSXin LI	from a given string.  According to the documentation, the function
832f0574f5cSXin LI	is supposed to return the number of copied bytes but due to
833f0574f5cSXin LI	incorrect pointer usage this value is always zero.  Although the
834f0574f5cSXin LI	return value of this function is never used in the code, this
835f0574f5cSXin LI	flaw could lead to a vulnerability in the future.  Since relying
836f0574f5cSXin LI	on wrong return values when performing memory operations is a
837f0574f5cSXin LI	dangerous practice, it is recommended to return the correct value
838f0574f5cSXin LI	in accordance with the documentation pertinent to the code.
839f0574f5cSXin LI   Mitigation:
840f0574f5cSXin LI	Implement BCP-38.
841f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
842f0574f5cSXin LI	    or the NTP Public Services Project Download Page
843f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
844f0574f5cSXin LI	    ntpd (without -g) if it stops running.
845f0574f5cSXin LI   Credit:
846f0574f5cSXin LI	This weakness was discovered by Cure53.
847f0574f5cSXin LI
848f0574f5cSXin LI* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
849f0574f5cSXin LI   Date Resolved: 21 Mar 2017
850f0574f5cSXin LI   References: Sec 3385
851f0574f5cSXin LI   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
852f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
853f0574f5cSXin LI   Summary:
854f0574f5cSXin LI	NTP makes use of several wrappers around the standard heap memory
855f0574f5cSXin LI	allocation functions that are provided by libc.  This is mainly
856f0574f5cSXin LI	done to introduce additional safety checks concentrated on
857f0574f5cSXin LI	several goals.  First, they seek to ensure that memory is not
858f0574f5cSXin LI	accidentally freed, secondly they verify that a correct amount
859f0574f5cSXin LI	is always allocated and, thirdly, that allocation failures are
860f0574f5cSXin LI	correctly handled.  There is an additional implementation for
861f0574f5cSXin LI	scenarios where memory for a specific amount of items of the
862f0574f5cSXin LI	same size needs to be allocated.  The handling can be found in
863f0574f5cSXin LI	the oreallocarray() function for which a further number-of-elements
864f0574f5cSXin LI	parameter needs to be provided.  Although no considerable threat
865f0574f5cSXin LI	was identified as tied to a lack of use of this function, it is
866f0574f5cSXin LI	recommended to correctly apply oreallocarray() as a preferred
867f0574f5cSXin LI	option across all of the locations where it is possible.
868f0574f5cSXin LI   Mitigation:
869f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
870f0574f5cSXin LI	    or the NTP Public Services Project Download Page
871f0574f5cSXin LI   Credit:
872f0574f5cSXin LI	This weakness was discovered by Cure53.
873f0574f5cSXin LI
874f0574f5cSXin LI* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
875f0574f5cSXin LI	PPSAPI ONLY) (Low)
876f0574f5cSXin LI   Date Resolved: 21 Mar 2017
877f0574f5cSXin LI   References: Sec 3384 / CVE-2017-6455 / VU#325339
878f0574f5cSXin LI   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
879f0574f5cSXin LI	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
880f0574f5cSXin LI	including ntp-4.3.94.
881f0574f5cSXin LI   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
882f0574f5cSXin LI   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
883f0574f5cSXin LI   Summary:
884f0574f5cSXin LI	The Windows NT port has the added capability to preload DLLs
885f0574f5cSXin LI	defined in the inherited global local environment variable
886f0574f5cSXin LI	PPSAPI_DLLS.  The code contained within those libraries is then
887f0574f5cSXin LI	called from the NTPD service, usually running with elevated
888f0574f5cSXin LI	privileges. Depending on how securely the machine is setup and
889f0574f5cSXin LI	configured, if ntpd is configured to use the PPSAPI under Windows
890f0574f5cSXin LI	this can easily lead to a code injection.
891f0574f5cSXin LI   Mitigation:
892f0574f5cSXin LI	Implement BCP-38.
893f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
894f0574f5cSXin LI	    or the NTP Public Services Project Download Page
895f0574f5cSXin LI   Credit:
896f0574f5cSXin LI   This weakness was discovered by Cure53.
897f0574f5cSXin LI
898f0574f5cSXin LI* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
899f0574f5cSXin LI	installer ONLY) (Low)
900f0574f5cSXin LI   Date Resolved: 21 Mar 2017
901f0574f5cSXin LI   References: Sec 3383 / CVE-2017-6452 / VU#325339
902f0574f5cSXin LI   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
903f0574f5cSXin LI	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
904f0574f5cSXin LI	to, but not including ntp-4.3.94.
905f0574f5cSXin LI   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
906f0574f5cSXin LI   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
907f0574f5cSXin LI   Summary:
908f0574f5cSXin LI	The Windows installer for NTP calls strcat(), blindly appending
909f0574f5cSXin LI	the string passed to the stack buffer in the addSourceToRegistry()
910f0574f5cSXin LI	function.  The stack buffer is 70 bytes smaller than the buffer
911f0574f5cSXin LI	in the calling main() function.  Together with the initially
912f0574f5cSXin LI	copied Registry path, the combination causes a stack buffer
913f0574f5cSXin LI	overflow and effectively overwrites the stack frame.  The
914f0574f5cSXin LI	passed application path is actually limited to 256 bytes by the
915f0574f5cSXin LI	operating system, but this is not sufficient to assure that the
916f0574f5cSXin LI	affected stack buffer is consistently protected against
917f0574f5cSXin LI	overflowing at all times.
918f0574f5cSXin LI   Mitigation:
919f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
920f0574f5cSXin LI	or the NTP Public Services Project Download Page
921f0574f5cSXin LI   Credit:
922f0574f5cSXin LI	This weakness was discovered by Cure53.
923f0574f5cSXin LI
924f0574f5cSXin LI* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
925f0574f5cSXin LI	installer ONLY) (Low)
926f0574f5cSXin LI   Date Resolved: 21 Mar 2017
927f0574f5cSXin LI   References: Sec 3382 / CVE-2017-6459 / VU#325339
928f0574f5cSXin LI   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
929f0574f5cSXin LI	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
930f0574f5cSXin LI	up to, but not including ntp-4.3.94.
931f0574f5cSXin LI   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
932f0574f5cSXin LI   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
933f0574f5cSXin LI   Summary:
934f0574f5cSXin LI	The Windows installer for NTP calls strcpy() with an argument
935f0574f5cSXin LI	that specifically contains multiple null bytes.  strcpy() only
936f0574f5cSXin LI	copies a single terminating null character into the target
937f0574f5cSXin LI	buffer instead of copying the required double null bytes in the
938f0574f5cSXin LI	addKeysToRegistry() function.  As a consequence, a garbage
939f0574f5cSXin LI	registry entry can be created.  The additional arsize parameter
940f0574f5cSXin LI	is erroneously set to contain two null bytes and the following
941f0574f5cSXin LI	call to RegSetValueEx() claims to be passing in a multi-string
942f0574f5cSXin LI	value, though this may not be true.
943f0574f5cSXin LI   Mitigation:
944f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
945f0574f5cSXin LI	    or the NTP Public Services Project Download Page
946f0574f5cSXin LI   Credit:
947f0574f5cSXin LI	This weakness was discovered by Cure53.
948f0574f5cSXin LI
949f0574f5cSXin LI* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
950f0574f5cSXin LI   References: Sec 3381
951f0574f5cSXin LI   Summary:
952f0574f5cSXin LI	The report says: Statically included external projects
953f0574f5cSXin LI	potentially introduce several problems and the issue of having
954f0574f5cSXin LI	extensive amounts of code that is "dead" in the resulting binary
955f0574f5cSXin LI	must clearly be pointed out.  The unnecessary unused code may or
956f0574f5cSXin LI	may not contain bugs and, quite possibly, might be leveraged for
957f0574f5cSXin LI	code-gadget-based branch-flow redirection exploits.  Analogically,
958f0574f5cSXin LI	having source trees statically included as well means a failure
959f0574f5cSXin LI	in taking advantage of the free feature for periodical updates.
960f0574f5cSXin LI	This solution is offered by the system's Package Manager. The
961f0574f5cSXin LI	three libraries identified are libisc, libevent, and libopts.
962f0574f5cSXin LI   Resolution:
963f0574f5cSXin LI	For libisc, we already only use a portion of the original library.
964f0574f5cSXin LI	We've found and fixed bugs in the original implementation (and
965f0574f5cSXin LI	offered the patches to ISC), and plan to see what has changed
966f0574f5cSXin LI	since we last upgraded the code.  libisc is generally not
967f0574f5cSXin LI	installed, and when it is we usually only see the static libisc.a
968f0574f5cSXin LI	file installed.  Until we know for sure that the bugs we've found
969f0574f5cSXin LI	and fixed are fixed upstream, we're better off with the copy we
970f0574f5cSXin LI	are using.
971f0574f5cSXin LI
972f0574f5cSXin LI        Version 1 of libevent was the only production version available
973f0574f5cSXin LI	until recently, and we've been requiring version 2 for a long time.
974f0574f5cSXin LI	But if the build system has at least version 2 of libevent
975f0574f5cSXin LI	installed, we'll use the version that is installed on the system.
976f0574f5cSXin LI	Otherwise, we provide a copy of libevent that we know works.
977f0574f5cSXin LI
978f0574f5cSXin LI        libopts is provided by GNU AutoGen, and that library and package
979f0574f5cSXin LI	undergoes frequent API version updates.  The version of autogen
980f0574f5cSXin LI	used to generate the tables for the code must match the API
981f0574f5cSXin LI	version in libopts.  AutoGen can be ... difficult to build and
982f0574f5cSXin LI	install, and very few developers really need it.  So we have it
983f0574f5cSXin LI	on our build and development machines, and we provide the
984f0574f5cSXin LI	specific version of the libopts code in the distribution to make
985f0574f5cSXin LI	sure that the proper API version of libopts is available.
986f0574f5cSXin LI
987f0574f5cSXin LI        As for the point about there being code in these libraries that
988f0574f5cSXin LI	NTP doesn't use, OK.  But other packages used these libraries as
989f0574f5cSXin LI	well, and it is reasonable to assume that other people are paying
990f0574f5cSXin LI	attention to security and code quality issues for the overall
991f0574f5cSXin LI	libraries.  It takes significant resources to analyze and
992f0574f5cSXin LI	customize these libraries to only include what we need, and to
993f0574f5cSXin LI	date we believe the cost of this effort does not justify the benefit.
994f0574f5cSXin LI   Credit:
995f0574f5cSXin LI	This issue was discovered by Cure53.
996f0574f5cSXin LI
997f0574f5cSXin LI* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
998f0574f5cSXin LI   Date Resolved: 21 Mar 2017
999f0574f5cSXin LI   References: Sec 3380
1000f0574f5cSXin LI   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1001f0574f5cSXin LI   	ntp-4.3.0 up to, but not including ntp-4.3.94.
1002f0574f5cSXin LI   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
1003f0574f5cSXin LI   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
1004f0574f5cSXin LI   Summary:
1005f0574f5cSXin LI	There is a fencepost error in a "recovery branch" of the code for
1006f0574f5cSXin LI	the Oncore GPS receiver if the communication link to the ONCORE
1007f0574f5cSXin LI	is weak / distorted and the decoding doesn't work.
1008f0574f5cSXin LI   Mitigation:
1009f0574f5cSXin LI        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
1010f0574f5cSXin LI	    the NTP Public Services Project Download Page
1011f0574f5cSXin LI        Properly monitor your ntpd instances, and auto-restart
1012f0574f5cSXin LI	    ntpd (without -g) if it stops running.
1013f0574f5cSXin LI   Credit:
1014f0574f5cSXin LI	This weakness was discovered by Cure53.
1015f0574f5cSXin LI
1016f0574f5cSXin LI* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
1017f0574f5cSXin LI   Date Resolved: 21 Mar 2017
1018f0574f5cSXin LI   References: Sec 3379 / CVE-2017-6458 / VU#325339
1019f0574f5cSXin LI   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1020f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
1021f0574f5cSXin LI   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
1022f0574f5cSXin LI   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1023f0574f5cSXin LI   Summary:
1024f0574f5cSXin LI	ntpd makes use of different wrappers around ctl_putdata() to
1025f0574f5cSXin LI	create name/value ntpq (mode 6) response strings.  For example,
1026f0574f5cSXin LI	ctl_putstr() is usually used to send string data (variable names
1027f0574f5cSXin LI	or string data).  The formatting code was missing a length check
1028f0574f5cSXin LI	for variable names.  If somebody explicitly created any unusually
1029f0574f5cSXin LI	long variable names in ntpd (longer than 200-512 bytes, depending
1030f0574f5cSXin LI	on the type of variable), then if any of these variables are
1031f0574f5cSXin LI	added to the response list it would overflow a buffer.
1032f0574f5cSXin LI   Mitigation:
1033f0574f5cSXin LI	Implement BCP-38.
1034f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1035f0574f5cSXin LI	    or the NTP Public Services Project Download Page
1036f0574f5cSXin LI	If you don't want to upgrade, then don't setvar variable names
1037f0574f5cSXin LI	    longer than 200-512 bytes in your ntp.conf file.
1038f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
1039f0574f5cSXin LI	    ntpd (without -g) if it stops running.
1040f0574f5cSXin LI   Credit:
1041f0574f5cSXin LI	This weakness was discovered by Cure53.
1042f0574f5cSXin LI
1043f0574f5cSXin LI* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
1044f0574f5cSXin LI   Date Resolved: 21 Mar 2017
1045f0574f5cSXin LI   References: Sec 3378 / CVE-2017-6451 / VU#325339
1046f0574f5cSXin LI   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1047f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
1048f0574f5cSXin LI   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
1049f0574f5cSXin LI   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1050f0574f5cSXin LI   Summary:
1051f0574f5cSXin LI	The legacy MX4200 refclock is only built if it is specifically
1052f0574f5cSXin LI	enabled, and furthermore additional code changes are required to
1053f0574f5cSXin LI	compile and use it.  But it uses the libc functions snprintf()
1054f0574f5cSXin LI	and vsnprintf() incorrectly, which can lead to an out-of-bounds
1055f0574f5cSXin LI	memory write due to an improper handling of the return value of
1056f0574f5cSXin LI	snprintf()/vsnprintf().  Since the return value is used as an
1057f0574f5cSXin LI	iterator and it can be larger than the buffer's size, it is
1058f0574f5cSXin LI	possible for the iterator to point somewhere outside of the
1059f0574f5cSXin LI	allocated buffer space.  This results in an out-of-bound memory
1060f0574f5cSXin LI	write.  This behavior can be leveraged to overwrite a saved
1061f0574f5cSXin LI	instruction pointer on the stack and gain control over the
1062f0574f5cSXin LI	execution flow.  During testing it was not possible to identify
1063f0574f5cSXin LI	any malicious usage for this vulnerability.  Specifically, no
1064f0574f5cSXin LI	way for an attacker to exploit this vulnerability was ultimately
1065f0574f5cSXin LI	unveiled.  However, it has the potential to be exploited, so the
1066f0574f5cSXin LI	code should be fixed.
1067f0574f5cSXin LI   Mitigation, if you have a Magnavox MX4200 refclock:
1068f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1069f0574f5cSXin LI	    or the NTP Public Services Project Download Page.
1070f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
1071f0574f5cSXin LI	    ntpd (without -g) if it stops running.
1072f0574f5cSXin LI   Credit:
1073f0574f5cSXin LI	This weakness was discovered by Cure53.
1074f0574f5cSXin LI
1075f0574f5cSXin LI* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
1076f0574f5cSXin LI	malicious ntpd (Medium)
1077f0574f5cSXin LI   Date Resolved: 21 Mar 2017
1078f0574f5cSXin LI   References: Sec 3377 / CVE-2017-6460 / VU#325339
1079f0574f5cSXin LI   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
1080f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
1081f0574f5cSXin LI   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1082f0574f5cSXin LI   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1083f0574f5cSXin LI   Summary:
1084f0574f5cSXin LI	A stack buffer overflow in ntpq can be triggered by a malicious
1085f0574f5cSXin LI	ntpd server when ntpq requests the restriction list from the server.
1086f0574f5cSXin LI	This is due to a missing length check in the reslist() function.
1087f0574f5cSXin LI	It occurs whenever the function parses the server's response and
1088f0574f5cSXin LI	encounters a flagstr variable of an excessive length.  The string
1089f0574f5cSXin LI	will be copied into a fixed-size buffer, leading to an overflow on
1090f0574f5cSXin LI	the function's stack-frame.  Note well that this problem requires
1091f0574f5cSXin LI	a malicious server, and affects ntpq, not ntpd.
1092f0574f5cSXin LI   Mitigation:
1093f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1094f0574f5cSXin LI	    or the NTP Public Services Project Download Page
1095f0574f5cSXin LI	If you can't upgrade your version of ntpq, be aware that when you
1096f0574f5cSXin LI	    request the reslist of an ntpd instance you do not control, a
1097f0574f5cSXin LI	    malicious ntpd can send back a response intended to crash your
1098f0574f5cSXin LI	    ntpq process.
1099f0574f5cSXin LI   Credit:
1100f0574f5cSXin LI	This weakness was discovered by Cure53.
1101f0574f5cSXin LI
1102f0574f5cSXin LI* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
1103f0574f5cSXin LI   Date Resolved: 21 Mar 2017
1104f0574f5cSXin LI   References: Sec 3376
1105f0574f5cSXin LI   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1106f0574f5cSXin LI	ntp-4.3.0 up to, but not including ntp-4.3.94.
1107f0574f5cSXin LI   CVSS2: N/A
1108f0574f5cSXin LI   CVSS3: N/A
1109f0574f5cSXin LI   Summary:
1110f0574f5cSXin LI	The build process for NTP has not, by default, provided compile
1111f0574f5cSXin LI	or link flags to offer "hardened" security options.  Package
1112f0574f5cSXin LI	maintainers have always been able to provide hardening security
1113f0574f5cSXin LI	flags for their builds.  As of ntp-4.2.8p10, the NTP build
1114f0574f5cSXin LI	system has a way to provide OS-specific hardening flags.  Please
1115f0574f5cSXin LI	note that this is still not a really great solution because it
1116f0574f5cSXin LI	is specific to NTP builds.  It's inefficient to have every
1117f0574f5cSXin LI	package supply, track and maintain this information for every
1118f0574f5cSXin LI	target build.  It would be much better if there was a common way
1119f0574f5cSXin LI	for OSes to provide this information in a way that arbitrary
1120f0574f5cSXin LI	packages could benefit from it.
1121f0574f5cSXin LI   Mitigation:
1122f0574f5cSXin LI	Implement BCP-38.
1123f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1124f0574f5cSXin LI	    or the NTP Public Services Project Download Page
1125f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
1126f0574f5cSXin LI	    ntpd (without -g) if it stops running.
1127f0574f5cSXin LI   Credit:
1128f0574f5cSXin LI	This weakness was reported by Cure53.
1129f0574f5cSXin LI
1130f0574f5cSXin LI* 0rigin DoS (Medium)
1131f0574f5cSXin LI   Date Resolved: 21 Mar 2017
1132f0574f5cSXin LI   References: Sec 3361 / CVE-2016-9042 / VU#325339
1133f0574f5cSXin LI   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
1134f0574f5cSXin LI   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
1135f0574f5cSXin LI   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
1136f0574f5cSXin LI   Summary:
1137f0574f5cSXin LI	An exploitable denial of service vulnerability exists in the
1138f0574f5cSXin LI	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
1139f0574f5cSXin LI	crafted unauthenticated network packet can be used to reset the
1140f0574f5cSXin LI	expected origin timestamp for target peers.  Legitimate replies
1141f0574f5cSXin LI	from targeted peers will fail the origin timestamp check (TEST2)
1142f0574f5cSXin LI	causing the reply to be dropped and creating a denial of service
1143f0574f5cSXin LI	condition.  This vulnerability can only be exploited if the
1144f0574f5cSXin LI	attacker can spoof all of the servers.
1145f0574f5cSXin LI   Mitigation:
1146f0574f5cSXin LI	Implement BCP-38.
1147f0574f5cSXin LI	Configure enough servers/peers that an attacker cannot target
1148f0574f5cSXin LI	    all of your time sources.
1149f0574f5cSXin LI	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1150f0574f5cSXin LI	    or the NTP Public Services Project Download Page
1151f0574f5cSXin LI	Properly monitor your ntpd instances, and auto-restart
1152f0574f5cSXin LI	    ntpd (without -g) if it stops running.
1153f0574f5cSXin LI   Credit:
1154f0574f5cSXin LI	This weakness was discovered by Matthew Van Gundy of Cisco.
1155f0574f5cSXin LI
1156f0574f5cSXin LIOther fixes:
1157f0574f5cSXin LI
1158f0574f5cSXin LI* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
1159f0574f5cSXin LI* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
1160f0574f5cSXin LI  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
1161f0574f5cSXin LI* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
1162f0574f5cSXin LI* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
1163f0574f5cSXin LI  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
1164f0574f5cSXin LI  - original patch by Majdi S. Abbas
1165f0574f5cSXin LI* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
1166f0574f5cSXin LI* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
1167f0574f5cSXin LI  - initial patch by Christos Zoulas
1168f0574f5cSXin LI* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
1169f0574f5cSXin LI  - move loader API from 'inline' to proper source
1170f0574f5cSXin LI  - augment pathless dlls with absolute path to NTPD
1171f0574f5cSXin LI  - use 'msyslog()' instead of 'printf()' for reporting trouble
1172f0574f5cSXin LI* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
1173f0574f5cSXin LI  - applied patch by Matthew Van Gundy
1174f0574f5cSXin LI* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
1175f0574f5cSXin LI  - applied some of the patches provided by Havard. Not all of them
1176f0574f5cSXin LI    still match the current code base, and I did not touch libopt.
1177f0574f5cSXin LI* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
1178f0574f5cSXin LI  - applied patch by Reinhard Max. See bugzilla for limitations.
1179f0574f5cSXin LI* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
1180f0574f5cSXin LI  - fixed dependency inversion from [Bug 2837]
1181f0574f5cSXin LI* [Bug 2896] Nothing happens if minsane < maxclock < minclock
1182f0574f5cSXin LI  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
1183f0574f5cSXin LI* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
1184f0574f5cSXin LI  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
1185f0574f5cSXin LI* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
1186f0574f5cSXin LI  - Fixed these and some more locations of this pattern.
1187f0574f5cSXin LI    Probably didn't get them all, though. <perlinger@ntp.org>
1188f0574f5cSXin LI* Update copyright year.
1189f0574f5cSXin LI
1190f0574f5cSXin LI--
1191f0574f5cSXin LI(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
1192f0574f5cSXin LI
1193f0574f5cSXin LI* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
1194f0574f5cSXin LI  - added missed changeset for automatic openssl lib detection
1195f0574f5cSXin LI  - fixed some minor warning issues
1196f0574f5cSXin LI* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
1197f0574f5cSXin LI* configure.ac cleanup.  stenn@ntp.org
1198f0574f5cSXin LI* openssl configure cleanup.  stenn@ntp.org
1199f0574f5cSXin LI
1200f0574f5cSXin LI--
1201f391d6bcSXin LINTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
1202f391d6bcSXin LI
1203f391d6bcSXin LIFocus: Security, Bug fixes, enhancements.
1204f391d6bcSXin LI
1205f391d6bcSXin LISeverity: HIGH
1206f391d6bcSXin LI
1207f391d6bcSXin LIIn addition to bug fixes and enhancements, this release fixes the
1208f391d6bcSXin LIfollowing 1 high- (Windows only), 2 medium-, 2 medium-/low, and
1209f391d6bcSXin LI5 low-severity vulnerabilities, and provides 28 other non-security
1210f391d6bcSXin LIfixes and improvements:
1211f391d6bcSXin LI
1212f391d6bcSXin LI* Trap crash
1213f391d6bcSXin LI   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1214f391d6bcSXin LI   References: Sec 3119 / CVE-2016-9311 / VU#633847
1215f391d6bcSXin LI   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1216f391d6bcSXin LI   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1217f391d6bcSXin LI   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
1218f391d6bcSXin LI   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
1219f391d6bcSXin LI   Summary:
1220f391d6bcSXin LI	ntpd does not enable trap service by default. If trap service
1221f391d6bcSXin LI	has been explicitly enabled, an attacker can send a specially
1222f391d6bcSXin LI	crafted packet to cause a null pointer dereference that will
1223f391d6bcSXin LI	crash ntpd, resulting in a denial of service.
1224f391d6bcSXin LI   Mitigation:
1225f391d6bcSXin LI        Implement BCP-38.
1226f391d6bcSXin LI	Use "restrict default noquery ..." in your ntp.conf file. Only
1227f391d6bcSXin LI	    allow mode 6 queries from trusted networks and hosts.
1228f391d6bcSXin LI        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1229f391d6bcSXin LI	    or the NTP Public Services Project Download Page
1230f391d6bcSXin LI        Properly monitor your ntpd instances, and auto-restart ntpd
1231f391d6bcSXin LI	    (without -g) if it stops running.
1232f391d6bcSXin LI   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1233f391d6bcSXin LI
1234f391d6bcSXin LI* Mode 6 information disclosure and DDoS vector
1235f391d6bcSXin LI   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1236f391d6bcSXin LI   References: Sec 3118 / CVE-2016-9310 / VU#633847
1237f391d6bcSXin LI   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1238f391d6bcSXin LI	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1239f391d6bcSXin LI   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1240f391d6bcSXin LI   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1241f391d6bcSXin LI   Summary:
1242f391d6bcSXin LI	An exploitable configuration modification vulnerability exists
1243f391d6bcSXin LI	in the control mode (mode 6) functionality of ntpd. If, against
1244f391d6bcSXin LI	long-standing BCP recommendations, "restrict default noquery ..."
1245f391d6bcSXin LI	is not specified, a specially crafted control mode packet can set
1246f391d6bcSXin LI	ntpd traps, providing information disclosure and DDoS
1247f391d6bcSXin LI	amplification, and unset ntpd traps, disabling legitimate
1248f391d6bcSXin LI	monitoring. A remote, unauthenticated, network attacker can
1249f391d6bcSXin LI	trigger this vulnerability.
1250f391d6bcSXin LI   Mitigation:
1251f391d6bcSXin LI        Implement BCP-38.
1252f391d6bcSXin LI	Use "restrict default noquery ..." in your ntp.conf file.
1253f391d6bcSXin LI        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1254f391d6bcSXin LI	    or the NTP Public Services Project Download Page
1255f391d6bcSXin LI        Properly monitor your ntpd instances, and auto-restart ntpd
1256f391d6bcSXin LI	    (without -g) if it stops running.
1257f391d6bcSXin LI   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1258f391d6bcSXin LI
1259f391d6bcSXin LI* Broadcast Mode Replay Prevention DoS
1260f391d6bcSXin LI   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1261f391d6bcSXin LI   References: Sec 3114 / CVE-2016-7427 / VU#633847
1262f391d6bcSXin LI   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1263f391d6bcSXin LI	ntp-4.3.90 up to, but not including ntp-4.3.94.
1264f391d6bcSXin LI   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1265f391d6bcSXin LI   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1266f391d6bcSXin LI   Summary:
1267f391d6bcSXin LI	The broadcast mode of NTP is expected to only be used in a
1268f391d6bcSXin LI	trusted network. If the broadcast network is accessible to an
1269f391d6bcSXin LI	attacker, a potentially exploitable denial of service
1270f391d6bcSXin LI	vulnerability in ntpd's broadcast mode replay prevention
1271f391d6bcSXin LI	functionality can be abused. An attacker with access to the NTP
1272f391d6bcSXin LI	broadcast domain can periodically inject specially crafted
1273f391d6bcSXin LI	broadcast mode NTP packets into the broadcast domain which,
1274f391d6bcSXin LI	while being logged by ntpd, can cause ntpd to reject broadcast
1275f391d6bcSXin LI	mode packets from legitimate NTP broadcast servers.
1276f391d6bcSXin LI   Mitigation:
1277f391d6bcSXin LI        Implement BCP-38.
1278f391d6bcSXin LI        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1279f391d6bcSXin LI	    or the NTP Public Services Project Download Page
1280f391d6bcSXin LI        Properly monitor your ntpd instances, and auto-restart ntpd
1281f391d6bcSXin LI	    (without -g) if it stops running.
1282f391d6bcSXin LI   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1283f391d6bcSXin LI
1284f391d6bcSXin LI* Broadcast Mode Poll Interval Enforcement DoS
1285f391d6bcSXin LI   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1286f391d6bcSXin LI   References: Sec 3113 / CVE-2016-7428 / VU#633847
1287f391d6bcSXin LI   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1288f391d6bcSXin LI	ntp-4.3.90 up to, but not including ntp-4.3.94
1289f391d6bcSXin LI   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1290f391d6bcSXin LI   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1291f391d6bcSXin LI   Summary:
1292f391d6bcSXin LI	The broadcast mode of NTP is expected to only be used in a
1293f391d6bcSXin LI	trusted network. If the broadcast network is accessible to an
1294f391d6bcSXin LI	attacker, a potentially exploitable denial of service
1295f391d6bcSXin LI	vulnerability in ntpd's broadcast mode poll interval enforcement
1296f391d6bcSXin LI	functionality can be abused. To limit abuse, ntpd restricts the
1297f391d6bcSXin LI	rate at which each broadcast association will process incoming
1298f391d6bcSXin LI	packets. ntpd will reject broadcast mode packets that arrive
1299f391d6bcSXin LI	before the poll interval specified in the preceding broadcast
1300f391d6bcSXin LI	packet expires. An attacker with access to the NTP broadcast
1301f391d6bcSXin LI	domain can send specially crafted broadcast mode NTP packets to
1302f391d6bcSXin LI	the broadcast domain which, while being logged by ntpd, will
1303f391d6bcSXin LI	cause ntpd to reject broadcast mode packets from legitimate NTP
1304f391d6bcSXin LI	broadcast servers.
1305f391d6bcSXin LI   Mitigation:
1306f391d6bcSXin LI        Implement BCP-38.
1307f391d6bcSXin LI        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1308f391d6bcSXin LI	    or the NTP Public Services Project Download Page
1309f391d6bcSXin LI        Properly monitor your ntpd instances, and auto-restart ntpd
1310f391d6bcSXin LI	    (without -g) if it stops running.
1311f391d6bcSXin LI   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1312f391d6bcSXin LI
1313f391d6bcSXin LI* Windows: ntpd DoS by oversized UDP packet
1314f391d6bcSXin LI   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1315f391d6bcSXin LI   References: Sec 3110 / CVE-2016-9312 / VU#633847
1316f391d6bcSXin LI   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
1317f391d6bcSXin LI	and ntp-4.3.0 up to, but not including ntp-4.3.94.
1318f391d6bcSXin LI   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1319f391d6bcSXin LI   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1320f391d6bcSXin LI   Summary:
1321f391d6bcSXin LI	If a vulnerable instance of ntpd on Windows receives a crafted
1322f391d6bcSXin LI	malicious packet that is "too big", ntpd will stop working.
1323f391d6bcSXin LI   Mitigation:
1324f391d6bcSXin LI        Implement BCP-38.
1325f391d6bcSXin LI        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1326f391d6bcSXin LI	    or the NTP Public Services Project Download Page
1327f391d6bcSXin LI        Properly monitor your ntpd instances, and auto-restart ntpd
1328f391d6bcSXin LI	    (without -g) if it stops running.
1329f391d6bcSXin LI   Credit: This weakness was discovered by Robert Pajak of ABB.
1330f391d6bcSXin LI
1331f391d6bcSXin LI* 0rigin (zero origin) issues
1332f391d6bcSXin LI   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1333f391d6bcSXin LI   References: Sec 3102 / CVE-2016-7431 / VU#633847
1334f391d6bcSXin LI   Affects: ntp-4.2.8p8, and ntp-4.3.93.
1335f391d6bcSXin LI   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
1336f391d6bcSXin LI   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1337f391d6bcSXin LI   Summary:
1338f391d6bcSXin LI	Zero Origin timestamp problems were fixed by Bug 2945 in
1339f391d6bcSXin LI	ntp-4.2.8p6. However, subsequent timestamp validation checks
	introduced a regression in the handling of some Zero origin
	timestamp checks.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
	Malhotra of Boston University.

* read_mru_list() does inadequate incoming packet checks
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3082 / CVE-2016-7434 / VU#633847
   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
	If ntpd is configured to allow mrulist query requests from a
	server that sends a crafted malicious packet, ntpd will crash
	on receipt of that crafted malicious mrulist query packet.
   Mitigation:
	Only allow mrulist query packets from trusted hosts.
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Magnus Stubman.

* Attack on interface selection
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3072 / CVE-2016-7429 / VU#633847
   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94
   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	When ntpd receives a server response on a socket that corresponds
	to a different interface than was used for the request, the peer
	structure is updated to use that interface for new requests. If
	ntpd is running on a host with multiple interfaces in separate
	networks and the operating system doesn't check the source address
	of received packets (e.g. rp_filter on Linux is set to 0), an
	attacker that knows the address of the source can send a packet
	with a spoofed source address which will cause ntpd to select the
	wrong interface for the source and prevent it from sending new
	requests until the list of interfaces is refreshed, which happens
	on routing changes or every 5 minutes by default. If the attack is
	repeated often enough (once per second), ntpd will not be able to
	synchronize with the source.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you are going to configure your OS to disable source address
	    checks, also configure your firewall to control what
	    interfaces can receive packets from what networks.
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Client rate limiting and server responses
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3071 / CVE-2016-7426 / VU#633847
   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94
   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
	When ntpd is configured with rate limiting for all associations
	(restrict default limited in ntp.conf), the limits are applied
	also to responses received from its configured sources. An
	attacker who knows the sources (e.g., from an IPv4 refid in a
	server response) and knows the system is (mis)configured in this
	way can periodically send packets with a spoofed source address to
	keep the rate limiting activated and prevent ntpd from accepting
	valid responses from its sources.

	While this blanket rate limiting can be useful to prevent
	brute-force attacks on the origin timestamp, it allows this DoS
	attack. Similarly, it allows the attacker to prevent mobilization
	of ephemeral associations.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
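
   The two ntp.conf shapes the summary contrasts, as an added illustration
   that is not part of this NEWS file or of the NTP project's documentation:
   the first applies "limited" to every address, configured sources included,
   which is the (mis)configuration described above; the second keeps blanket
   limiting for unknown clients but exempts the configured sources through a
   "restrict source" entry, which is applied to each source when its
   association is mobilized and is matched ahead of the "default" entry. The
   server name is a constructed placeholder.

```conf
# (Mis)configured: rate limiting applies to everyone, including the
# configured time sources, so their responses can be dropped.
restrict default kod limited nomodify notrap nopeer noquery
server time.example.net iburst

# Hardened: unknown clients are still rate limited, but the configured
# sources get their own restriction without "limited".
restrict default kod limited nomodify notrap nopeer noquery
restrict source nomodify notrap noquery
server time.example.net iburst
```

   Exempting the configured sources removes the trigger the summary
   describes; it does not stop the spoofed packets themselves, which is why
   BCP-38 ingress filtering remains the primary mitigation listed above.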

* Fix for bug 2085 broke initial sync calculations
   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
   References: Sec 3067 / CVE-2016-7433 / VU#633847
   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
	root-distance calculation in general is incorrect in all versions
	of ntp-4 until this release.
   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
   Summary:
	Bug 2085 described a condition where the root delay was included
	twice, causing the jitter value to be higher than expected. Due
	to a misinterpretation of a small-print variable in The Book, the
	fix for this problem was incorrect, resulting in a root distance
	that did not include the peer dispersion. The calculations and
	formulae have been reviewed and reconciled, and the code has been
	updated accordingly.
   Mitigation:
	Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered independently by Brian Utterback of
	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Other fixes:

* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
  - moved retry decision where it belongs. <perlinger@ntp.org>
* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
  - added shim layer for SSL API calls with issues (both directions)
* [Bug 3089] Serial Parser does not work anymore for hopfser like device
  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
* [Bug 3067] Root distance calculation needs improvement.  HStenn
* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
  - PPS-HACK works again.
* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
  - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
  <perlinger@ntp.org>
  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
  - Patch provided by Kuramatsu.
* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
  - fixed GPS week expansion to work based on build date. Special thanks
    to Craig Leres for initial patch and testing.
* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
  - fixed Makefile.am <perlinger@ntp.org>
* [Bug 2689] ATOM driver processes last PPS pulse at startup,
             even if it is very old <perlinger@ntp.org>
  - make sure PPS source is alive before processing samples
  - improve stability close to the 500ms phase jump (phase gate)
* Fix typos in include/ntp.h.
* Shim X509_get_signature_nid() if needed
* git author attribution cleanup
* bk ignore file cleanup
* remove locks in Windows IO, use rpc-like thread synchronisation instead

---
NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)

Focus: Security, Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:

* CRYPTO_NAK crash
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3046 / CVE-2016-4957 / VU#321640
   Affects: ntp-4.2.8p7, and ntp-4.3.92.
   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
	could cause ntpd to crash.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you cannot upgrade from 4.2.8p7, the only other alternatives
	    are to patch your code or filter CRYPTO_NAK packets.
	Properly monitor your ntpd instances, and auto-restart ntpd
	    (without -g) if it stops running.
   Credit: This weakness was discovered by Nicolas Edet of Cisco.

* Bad authentication demobilizes ephemeral associations
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3045 / CVE-2016-4953 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who knows the origin timestamp and can send a
	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
	target before any other response is sent can demobilize that
	association.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Processing spoofed server packets
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3044 / CVE-2016-4954 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who is able to spoof packets with correct origin
	timestamps from enough servers before the expected response
	packets arrive at the target machine can affect some peer
	variables and, for example, cause a false leap indication to be set.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Jakub Prokes of Red Hat.

* Autokey association reset
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3043 / CVE-2016-4955 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: An attacker who is able to spoof a packet with a correct
	origin timestamp before the expected response packet arrives at
	the target machine can send a CRYPTO_NAK or a bad MAC and cause
	the association's peer variables to be cleared. If this can be
	done often enough, it will prevent that association from working.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Broadcast interleave
   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
   References: Sec 3042 / CVE-2016-4956 / VU#321640
   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
	ntp-4.3.0 up to, but not including ntp-4.3.93.
   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: The fix for NtpBug2978 does not cover broadcast associations,
	so broadcast clients can be triggered to flip into interleave mode.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Other fixes:
* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
  - provide build environment
  - 'wint_t' and 'struct timespec' defined by VS2015
  - fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file.  Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
  JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary.  HStenn.
* Make sure we have an "author" file for git imports.  HStenn.
* Update the sntp problem tests for MacOS.  HStenn.

---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave.  More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp.  These events have almost certainly happened in the
past, it's just that they were silently counted and not logged.  With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior.  This increased
logging can also help detect other problems, too.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2879 / CVE-2016-1550
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   Summary: Packet authentication tests have been performed using
	memcmp() or possibly bcmp(), and it is potentially possible
	for a local or perhaps LAN-based attacker to send a packet with
	an authentication payload and indirectly observe how much of
	the digest has matched.
   Mitigation:
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered independently by Loganaden
	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
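
   The comparison this entry describes, as an added example that is not
   code from this NEWS file or from ntpd: a memcmp()-style early-exit check
   beside a constant-time check, plus a helper that counts how many bytes
   the early-exit form inspects before deciding, since that count is the
   quantity a timing observer can infer. The digest length and the sample
   digest bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed MAC length for the demonstration; real ntpd digests vary. */
#define DIGEST_LEN 16

/* Constructed sample digest; not taken from real NTP traffic. */
static const uint8_t real_mac[DIGEST_LEN] = {
	0x3c, 0xa1, 0x7f, 0x02, 0x9e, 0x55, 0xd4, 0x10,
	0x6b, 0xe8, 0x21, 0xc7, 0x4d, 0x93, 0x0a, 0xf6
};

/* 'Before' form: memcmp() may stop at the first mismatching byte, so the
 * time taken grows with the length of the matching prefix. */
int mac_equal_variable_time(const uint8_t *a, const uint8_t *b, size_t n)
{
	return memcmp(a, b, n) == 0;
}

/* Model of that early exit: how many bytes are inspected before the
 * answer is known. For a wrong MAC this is (matching prefix length + 1). */
size_t bytes_examined_early_exit(const uint8_t *a, const uint8_t *b, size_t n)
{
	size_t i;
	for (i = 0; i < n; i++)
		if (a[i] != b[i])
			return i + 1;
	return n;
}

/* Hardened form: inspect every byte, fold differences with OR, decide only
 * at the end. The work done is the same for any input of length n. */
int mac_equal_constant_time(const uint8_t *a, const uint8_t *b, size_t n)
{
	volatile uint8_t diff = 0;  /* volatile discourages short-circuiting */
	size_t i;
	for (i = 0; i < n; i++)
		diff |= (uint8_t)(a[i] ^ b[i]);
	return diff == 0;
}

/* Build a guess sharing the first 'prefix' bytes with real_mac and a
 * wrong byte right after (no wrong byte when prefix == DIGEST_LEN). */
static void make_guess(uint8_t *guess, size_t prefix)
{
	memcpy(guess, real_mac, DIGEST_LEN);
	if (prefix < DIGEST_LEN)
		guess[prefix] ^= 0xff;
}

/* Bytes the early-exit compare inspects for such a guess. */
size_t early_exit_cost_for_prefix(size_t prefix)
{
	uint8_t guess[DIGEST_LEN];
	make_guess(guess, prefix);
	return bytes_examined_early_exit(real_mac, guess, DIGEST_LEN);
}

/* Whether the constant-time compare accepts such a guess: only a full match. */
int constant_time_accepts_prefix(size_t prefix)
{
	uint8_t guess[DIGEST_LEN];
	make_guess(guess, prefix);
	return mac_equal_constant_time(real_mac, guess, DIGEST_LEN);
}

int main(void)
{
	size_t p;
	for (p = 0; p <= DIGEST_LEN; p += 4)
		printf("prefix %2zu: early-exit inspects %2zu bytes, "
		       "constant-time accepts=%d\n",
		       p, early_exit_cost_for_prefix(p),
		       constant_time_accepts_prefix(p));
	return 0;
}
```

   The early-exit count rises by one for each additional byte of the digest
   a guess gets right, which is exactly the signal the Summary says an
   attacker could observe indirectly; the constant-time form inspects all
   DIGEST_LEN bytes regardless and only ever reports accept or reject.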

* Zero origin timestamp bypass: Additional KoD checks.
   References: Sec 2945 / Sec 2901 / CVE-2015-8138
   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2952 / CVE-2015-7704
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
	associations did not address all of the issues.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you can't upgrade, use "server" associations instead of
	    "peer" associations.
	Monitor your ntpd instances.
   Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3007 / CVE-2016-1547 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
	off-path attacker can cause a preemptable client association to
	be demobilized by sending a crypto NAK packet to a victim client
	with a spoofed source address of an existing associated peer.
	This is true even if authentication is enabled.

	Furthermore, if the attacker keeps sending crypto NAK packets,
	for example one every second, the victim never has a chance to
	reestablish the association and synchronize time with that
	legitimate server.

	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
	stringent checks are performed on incoming packets, but there
	are still ways to exploit this vulnerability in versions before
	ntp-4.2.8p7.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances
   Credit: This weakness was discovered by Stephen Gray and
	Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3008 / CVE-2016-2519
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: ntpq and ntpdc can be used to store and retrieve information
	in ntpd. It is possible to store a data value that is larger
	than the size of the buffer that the ctl_getitem() function of
	ntpd uses to report the return value. If the length of the
	requested data value returned by ctl_getitem() is too large,
	the value NULL is returned instead. There are 2 cases where the
	return value from ctl_getitem() was not directly checked to make
	sure it's not NULL, but there are subsequent INSIST() checks
	that make sure the return value is not NULL. There are no data
	values ordinarily stored in ntpd that would exceed this buffer
	length. But if one has permission to store values and one stores
	a value that is "too large", then ntpd will abort if an attempt
	is made to read that oversized value.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.
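
   The pattern this entry describes, as an added example that is not
   ntpd's code: a bounded getter that returns NULL when a stored value will
   not fit its fixed reply buffer, and a caller that checks that result and
   reports an error instead of leaving the NULL to a later INSIST() that
   aborts the daemon. The function names, the buffer size and the sample
   variable store are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed reply buffer; the real ctl_getitem() bound differs. */
#define ITEM_BUF_LEN 32

/* Hypothetical name/value store, standing in for values set via remote
 * configuration. */
struct var {
	const char *name;
	const char *value;
};

/* Constructed sample store: one ordinary value and one oversized value. */
static const struct var sample_vars[] = {
	{ "site",   "rack-4" },
	{ "banner", "this value is far longer than the thirty-two byte reply buffer allows" },
};
static const size_t sample_nvars = sizeof(sample_vars) / sizeof(sample_vars[0]);

/* Copy the value of 'name' into buf and return buf; return NULL if the name
 * is unknown or the value (with its terminator) would not fit. This mirrors
 * the behaviour the entry describes: an oversized value yields NULL rather
 * than a truncated or overflowing copy. */
const char *get_item(const struct var *vars, size_t nvars, const char *name,
		     char *buf, size_t buflen)
{
	size_t i;
	for (i = 0; i < nvars; i++) {
		size_t len;
		if (strcmp(vars[i].name, name) != 0)
			continue;
		len = strlen(vars[i].value);
		if (len + 1 > buflen)
			return NULL;            /* too large for the reply buffer */
		memcpy(buf, vars[i].value, len + 1);
		return buf;
	}
	return NULL;                            /* unknown name */
}

/* Hardened consumer: a NULL result is an ordinary, reportable error.
 * Returns 0 on success with "name=value" in out, -1 when the item is
 * unavailable; it never dereferences NULL and never aborts, which is the
 * difference from relying on a downstream INSIST() to notice the NULL. */
int report_item(const char *name, char *out, size_t outlen)
{
	char buf[ITEM_BUF_LEN];
	const char *v = get_item(sample_vars, sample_nvars, name, buf, sizeof buf);

	if (v == NULL) {
		snprintf(out, outlen, "%s: value unavailable or too large", name);
		return -1;
	}
	snprintf(out, outlen, "%s=%s", name, v);
	return 0;
}

int main(void)
{
	const char *names[] = { "site", "banner", "nosuch" };
	char out[128];
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		int rc = report_item(names[i], out, sizeof out);
		printf("rc=%d %s\n", rc, out);
	}
	return 0;
}
```

   With the check in place, an oversized or unknown item produces an error
   reply for that one request; the stored value itself is left alone, so the
   remaining question for an operator is who holds the key that permits
   storing values in the first place, which the Mitigation's BCP-38 and
   monitoring advice addresses.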
17384990d495SXin LI
17394990d495SXin LI* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
17404990d495SXin LI   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
17414990d495SXin LI   References: Sec 3009 / CVE-2016-2518 / VU#718152
17424990d495SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
17434990d495SXin LI	4.3.0 up to, but not including 4.3.92
17444990d495SXin LI   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
17454990d495SXin LI   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
17464990d495SXin LI   Summary: Using a crafted packet to create a peer association with
17474990d495SXin LI   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
17484990d495SXin LI	out-of-bounds reference.
17494990d495SXin LI   Mitigation:
17504990d495SXin LI	Implement BCP-38.
17514990d495SXin LI	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
17524990d495SXin LI	    or the NTP Public Services Project Download Page
17534990d495SXin LI	Properly monitor your ntpd instances
17544990d495SXin LI   Credit: This weakness was discovered by Yihan Lian of the Cloud
17554990d495SXin LI   	Security Team, Qihoo 360.
17564990d495SXin LI
17574990d495SXin LI* remote configuration trustedkey/requestkey/controlkey values are not
17584990d495SXin LI	properly validated
17594990d495SXin LI   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
17604990d495SXin LI   References: Sec 3010 / CVE-2016-2517 / VU#718152
17614990d495SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
17624990d495SXin LI	4.3.0 up to, but not including 4.3.92
17634990d495SXin LI   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
17644990d495SXin LI   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
17654990d495SXin LI   Summary: If ntpd was expressly configured to allow for remote
17664990d495SXin LI   	configuration, a malicious user who knows the controlkey for
17674990d495SXin LI	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
17684990d495SXin LI	can create a session with ntpd and then send a crafted packet to
17694990d495SXin LI	ntpd that will change the value of the trustedkey, controlkey,
17704990d495SXin LI	or requestkey to a value that will prevent any subsequent
17714990d495SXin LI	authentication with ntpd until ntpd is restarted.
17724990d495SXin LI   Mitigation:
17734990d495SXin LI	Implement BCP-38.
17744990d495SXin LI	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
17754990d495SXin LI	    or the NTP Public Services Project Download Page
177609100258SXin LI	Properly monitor your ntpd instances
17774990d495SXin LI   Credit: This weakness was discovered by Yihan Lian of the Cloud
17784990d495SXin LI   	Security Team, Qihoo 360.
17794990d495SXin LI
17804990d495SXin LI* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
17814990d495SXin LI   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
17824990d495SXin LI   References: Sec 3011 / CVE-2016-2516 / VU#718152
17834990d495SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
17844990d495SXin LI   	4.3.0 up to, but not including 4.3.92
17854990d495SXin LI   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
17864990d495SXin LI   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
17874990d495SXin LI   Summary: If ntpd was expressly configured to allow for remote
17884990d495SXin LI   	configuration, a malicious user who knows the controlkey for
17894990d495SXin LI	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
17904990d495SXin LI	can create a session with ntpd and if an existing association is
17914990d495SXin LI	unconfigured using the same IP twice on the unconfig directive
17924990d495SXin LI	line, ntpd will abort.
17934990d495SXin LI   Mitigation:
17944990d495SXin LI	Implement BCP-38.
17954990d495SXin LI	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
17964990d495SXin LI	    or the NTP Public Services Project Download Page
17974990d495SXin LI	Properly monitor your ntpd instances
17984990d495SXin LI   Credit: This weakness was discovered by Yihan Lian of the Cloud
17994990d495SXin LI   	Security Team, Qihoo 360.
18004990d495SXin LI
18014990d495SXin LI* Refclock impersonation vulnerability
18024990d495SXin LI   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
18034990d495SXin LI   References: Sec 3020 / CVE-2016-1551
18044990d495SXin LI   Affects: On a very limited number of OSes, all NTP releases up to but
18054990d495SXin LI	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
18064990d495SXin LI	By "very limited number of OSes" we mean no general-purpose OSes
18074990d495SXin LI	have yet been identified that have this vulnerability.
18084990d495SXin LI   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
18094990d495SXin LI   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
18104990d495SXin LI   Summary: While most OSes implement martian packet filtering in their
18114990d495SXin LI   	network stack, at least regarding 127.0.0.0/8, some will allow
18124990d495SXin LI	packets claiming to be from 127.0.0.0/8 that arrive over a
18134990d495SXin LI	physical network. On these OSes, if ntpd is configured to use a
18144990d495SXin LI	reference clock an attacker can inject packets over the network
18154990d495SXin LI	that look like they are coming from that reference clock.
18164990d495SXin LI   Mitigation:
18174990d495SXin LI        Implement martian packet filtering and BCP-38.
18184990d495SXin LI        Configure ntpd to use an adequate number of time sources.
18194990d495SXin LI        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
18204990d495SXin LI	    or the NTP Public Services Project Download Page
18214990d495SXin LI        If you are unable to upgrade and if you are running an OS that
18224990d495SXin LI	    has this vulnerability, implement martian packet filters and
18234990d495SXin LI	    lobby your OS vendor to fix this problem, or run your
18244990d495SXin LI	    refclocks on computers that use OSes that are not vulnerable
18254990d495SXin LI	    to these attacks and have your vulnerable machines get their
18264990d495SXin LI	    time from protected resources.
18274990d495SXin LI        Properly monitor your ntpd instances.
18284990d495SXin LI   Credit: This weakness was discovered by Matt Street and others of
18294990d495SXin LI   	Cisco ASIG.
18304990d495SXin LI
18314990d495SXin LIThe following issues were fixed in earlier releases and contain
18324990d495SXin LIimprovements in 4.2.8p7:
18334990d495SXin LI
18344990d495SXin LI* Clients that receive a KoD should validate the origin timestamp field.
18354990d495SXin LI   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
18364990d495SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
18374990d495SXin LI   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
18384990d495SXin LI
18394990d495SXin LI* Skeleton key: passive server with trusted key can serve time.
18404990d495SXin LI   References: Sec 2936 / CVE-2015-7974
18414990d495SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
18424990d495SXin LI   Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.90.
18434990d495SXin LI
18444990d495SXin LITwo other vulnerabilities have been reported, and the mitigations
18454990d495SXin LIfor these are as follows:
18464990d495SXin LI
18474990d495SXin LI* Interleave-pivot
18484990d495SXin LI   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
18494990d495SXin LI   References: Sec 2978 / CVE-2016-1548
18504990d495SXin LI   Affects: All ntp-4 releases.
18514990d495SXin LI   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
18524990d495SXin LI   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
18534990d495SXin LI   Summary: It is possible to change the time of an ntpd client or deny
18544990d495SXin LI   	service to an ntpd client by forcing it to change from basic
18554990d495SXin LI	client/server mode to interleaved symmetric mode. An attacker
18564990d495SXin LI	can spoof a packet from a legitimate ntpd server with an origin
18574990d495SXin LI	timestamp that matches the peer->dst timestamp recorded for that
18584990d495SXin LI	server. After making this switch, the client will reject all
18594990d495SXin LI	future legitimate server responses. It is possible to force the
18604990d495SXin LI	victim client to move time after the mode has been changed.
18614990d495SXin LI	ntpq gives no indication that the mode has been switched.
18624990d495SXin LI   Mitigation:
18634990d495SXin LI        Implement BCP-38.
18644990d495SXin LI        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
18654990d495SXin LI	    or the NTP Public Services Project Download Page.  These
18664990d495SXin LI	    versions will not dynamically "flip" into interleave mode
18674990d495SXin LI	    unless configured to do so.
18684990d495SXin LI        Properly monitor your ntpd instances.
18694990d495SXin LI   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
18704990d495SXin LI   	and separately by Jonathan Gardner of Cisco ASIG.
18714990d495SXin LI
18724990d495SXin LI* Sybil vulnerability: ephemeral association attack
18734990d495SXin LI   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
18744990d495SXin LI   References: Sec 3012 / CVE-2016-1549
18754990d495SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
18764990d495SXin LI   	4.3.0 up to, but not including 4.3.92
18774990d495SXin LI   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
18784990d495SXin LI   CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
18794990d495SXin LI   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
18804990d495SXin LI   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
18814990d495SXin LI	field in the ntp.keys file to specify which IPs can serve time,
18824990d495SXin LI	a malicious authenticated peer can create arbitrarily-many
18834990d495SXin LI	ephemeral associations in order to win the clock selection of
18844990d495SXin LI	ntpd and modify a victim's clock.
18854990d495SXin LI   Mitigation:
18864990d495SXin LI        Implement BCP-38.
18874990d495SXin LI        Use the 4th field in the ntp.keys file to specify which IPs
18884990d495SXin LI	    can be time servers.
18894990d495SXin LI        Properly monitor your ntpd instances.
18904990d495SXin LI   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
18914990d495SXin LI
18924990d495SXin LIOther fixes:
18934990d495SXin LI
18944990d495SXin LI* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
18954990d495SXin LI  - fixed yet another race condition in the threaded resolver code.
18964990d495SXin LI* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
18974990d495SXin LI* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
18984990d495SXin LI  - integrated patches by Loganaden Velvidron <logan@ntp.org>
18994990d495SXin LI    with some modifications & unit tests
19004990d495SXin LI* [Bug 2960] async name resolution fixes for chroot() environments.
19014990d495SXin LI  Reinhard Max.
19024990d495SXin LI* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
19034990d495SXin LI* [Bug 2995] Fixes to compile on Windows
19044990d495SXin LI* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
19054990d495SXin LI* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
19064990d495SXin LI  - Patch provided by Ch. Weisgerber
19074990d495SXin LI* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
19084990d495SXin LI  - A change related to [Bug 2853] forbids trailing white space in
19094990d495SXin LI    remote config commands. perlinger@ntp.org
19104990d495SXin LI* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
19114990d495SXin LI  - report and patch from Aleksandr Kostikov.
19124990d495SXin LI  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
19134990d495SXin LI* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
19144990d495SXin LI  - fixed memory leak in access list (auth[read]keys.c)
19154990d495SXin LI  - refactored handling of key access lists (auth[read]keys.c)
19164990d495SXin LI  - reduced number of error branches (authreadkeys.c)
19174990d495SXin LI* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
19184990d495SXin LI* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
19194990d495SXin LI* [Bug 3031] ntp broadcastclient unable to synchronize to an server
19204990d495SXin LI             when the time of server changed. perlinger@ntp.org
19214990d495SXin LI  - Check the initial delay calculation and reject/unpeer the broadcast
19224990d495SXin LI    server if the delay exceeds 50ms. Retry again after the next
19234990d495SXin LI    broadcast packet.
19244990d495SXin LI* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
19254990d495SXin LI* Document the ntp.keys optional IP list in authentic.html.  Harlan Stenn.
19264990d495SXin LI* Update html/xleave.html documentation.  Harlan Stenn.
19274990d495SXin LI* Update ntp.conf documentation.  Harlan Stenn.
19284990d495SXin LI* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
19294990d495SXin LI* Fix typo in html/monopt.html.  Harlan Stenn.
19304990d495SXin LI* Add README.pullrequests.  Harlan Stenn.
19314990d495SXin LI* Cleanup to include/ntp.h.  Harlan Stenn.
19324990d495SXin LI
19334990d495SXin LINew option to 'configure':
19344990d495SXin LI
19354990d495SXin LIWhile looking in to the issues around Bug 2978, the "interleave pivot"
19364990d495SXin LIissue, it became clear that there are some intricate and unresolved
19374990d495SXin LIissues with interleave operations.  We also realized that the interleave
19384990d495SXin LIprotocol was never added to the NTPv4 Standard, and it should have been.
19394990d495SXin LI
19404990d495SXin LIInterleave mode was first released in July of 2008, and can be engaged
19414990d495SXin LIin two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
19424990d495SXin LIcontain the 'xleave' option, which will expressly enable interleave mode
19434990d495SXin LIfor that association.  Additionally, if a time packet arrives and is
19444990d495SXin LIfound inconsistent with normal protocol behavior but has certain
19454990d495SXin LIcharacteristics that are compatible with interleave mode, NTP will
19464990d495SXin LIdynamically switch to interleave mode.  With sufficient knowledge, an
19474990d495SXin LIattacker can send a crafted forged packet to an NTP instance that
19484990d495SXin LItriggers only one side to enter interleaved mode.
19494990d495SXin LI
19504990d495SXin LITo prevent this attack until we can thoroughly document, describe,
19514990d495SXin LIfix, and test the dynamic interleave mode, we've added a new
19524990d495SXin LI'configure' option to the build process:
19534990d495SXin LI
19544990d495SXin LI --enable-dynamic-interleave
19554990d495SXin LI
19564990d495SXin LIThis option controls whether or not NTP will, if conditions are right,
19574990d495SXin LIengage dynamic interleave mode.  Dynamic interleave mode is disabled by
19584990d495SXin LIdefault in ntp-4.2.8p7.
19594990d495SXin LI
19604990d495SXin LI---
19614990d495SXin LINTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
196268ba7e87SXin LI
196368ba7e87SXin LIFocus: Security, Bug fixes, enhancements.
196468ba7e87SXin LI
196568ba7e87SXin LISeverity: MEDIUM
196668ba7e87SXin LI
196768ba7e87SXin LIIn addition to bug fixes and enhancements, this release fixes the
19684990d495SXin LIfollowing 1 low- and 8 medium-severity vulnerabilities:
196968ba7e87SXin LI
197068ba7e87SXin LI* Potential Infinite Loop in 'ntpq'
197168ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
197268ba7e87SXin LI   References: Sec 2548 / CVE-2015-8158
197368ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
197468ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
197568ba7e87SXin LI   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
197668ba7e87SXin LI   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
197768ba7e87SXin LI   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
197868ba7e87SXin LI	The loop's only stopping conditions are receiving a complete and
197968ba7e87SXin LI	correct response or hitting a small number of error conditions.
198068ba7e87SXin LI	If the packet contains incorrect values that don't trigger one of
198168ba7e87SXin LI	the error conditions, the loop continues to receive new packets.
198268ba7e87SXin LI	Note well, this is an attack against an instance of 'ntpq', not
198368ba7e87SXin LI	'ntpd', and this attack requires the attacker to do one of the
198468ba7e87SXin LI	following:
198568ba7e87SXin LI	* Own a malicious NTP server that the client trusts
198668ba7e87SXin LI	* Prevent a legitimate NTP server from sending packets to
198768ba7e87SXin LI	    the 'ntpq' client
198868ba7e87SXin LI	* MITM the 'ntpq' communications between the 'ntpq' client
198968ba7e87SXin LI	    and the NTP server
199068ba7e87SXin LI   Mitigation:
199168ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
199268ba7e87SXin LI	or the NTP Public Services Project Download Page
199368ba7e87SXin LI   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
199468ba7e87SXin LI
199568ba7e87SXin LI* 0rigin: Zero Origin Timestamp Bypass
199668ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
199768ba7e87SXin LI   References: Sec 2945 / CVE-2015-8138
199868ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
199968ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
200068ba7e87SXin LI   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
200168ba7e87SXin LI   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
200268ba7e87SXin LI	(3.7 - LOW if you score AC:H)
200368ba7e87SXin LI   Summary: To distinguish legitimate peer responses from forgeries, a
200468ba7e87SXin LI	client attempts to verify a response packet by ensuring that the
200568ba7e87SXin LI	origin timestamp in the packet matches the origin timestamp it
200668ba7e87SXin LI	transmitted in its last request.  A logic error exists that
200768ba7e87SXin LI	allows packets with an origin timestamp of zero to bypass this
200868ba7e87SXin LI	check whenever there is not an outstanding request to the server.
200968ba7e87SXin LI   Mitigation:
201068ba7e87SXin LI	Configure 'ntpd' to get time from multiple sources.
201168ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
201268ba7e87SXin LI	    or the NTP Public Services Project Download Page.
201309100258SXin LI	Monitor your 'ntpd' instances.
20144990d495SXin LI   Credit: This weakness was discovered by Matthew Van Gundy and
20154990d495SXin LI	Jonathan Gardner of Cisco ASIG.
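
Added for this page, not taken from the NTP Project's code: a Python model of the client-side origin-timestamp check that this entry and the two interleave passages in the 4.2.8p7 section (the interleave pivot entry and the '--enable-dynamic-interleave' note) revolve around. It reduces a client association to the transmit timestamp of its outstanding request, the local receive timestamp of the last accepted reply (peer->dst in the text above) and a mode flag; timestamps are plain integers and the packets are constructed. Two switches reproduce the pre-fix and post-fix behaviour: whether a zero origin timestamp is rejected (the 4.2.8p6 fix for this entry) and whether a packet whose origin matches the last receive timestamp flips the association into interleaved mode (disabled by default from 4.2.8p7). This is a simplified reading of the checks as the text describes them, not a transcription of ntp_proto.c.

```python
from dataclasses import dataclass


@dataclass
class NtpPacket:
    org: int   # origin timestamp: what the sender claims we sent it
    xmt: int   # sender's transmit timestamp (unused by the checks modelled here)


class ClientAssociation:
    """Per-server client state, reduced to what the origin-timestamp check needs."""

    def __init__(self, dynamic_interleave: bool, reject_zero_origin: bool):
        self.dynamic_interleave = dynamic_interleave   # pre-4.2.8p7 default: True
        self.reject_zero_origin = reject_zero_origin   # pre-4.2.8p6 behaviour: False
        self.xmt = 0            # transmit timestamp of the outstanding request, 0 = none
        self.dst = 0            # local receive timestamp of the last accepted reply
        self.interleaved = False

    def send_request(self, now: int) -> None:
        self.xmt = now

    def receive(self, pkt: NtpPacket, now: int) -> str:
        # In interleaved mode the server echoes our previous receive timestamp
        # instead of our transmit timestamp, so the expected origin changes.
        expected = self.dst if self.interleaved else self.xmt

        if self.reject_zero_origin and pkt.org == 0:
            return "reject: zero origin timestamp"

        if pkt.org == expected:
            # With the fix absent, an idle association (xmt == 0) accepts org == 0:
            # that is the CVE-2015-8138 bypass.
            self.xmt = 0
            self.dst = now
            return "accept"

        if self.dynamic_interleave and not self.interleaved and pkt.org == self.dst:
            # The packet "looks interleaved": its origin matches our last receive
            # timestamp, so the pre-4.2.8p7 client switches modes on its own.
            self.interleaved = True
            self.xmt = 0
            self.dst = now
            return "accept: switched to interleaved mode"

        return "reject: origin timestamp mismatch"


def zero_origin_scenario(fixed: bool) -> list:
    """Genuine reply, then a forged reply with org=0 while no request is outstanding."""
    c = ClientAssociation(dynamic_interleave=False, reject_zero_origin=fixed)
    c.send_request(now=100)
    genuine = c.receive(NtpPacket(org=100, xmt=102), now=105)
    forged = c.receive(NtpPacket(org=0, xmt=9999), now=150)
    return [genuine, forged]


def interleave_pivot_scenario(fixed: bool) -> list:
    """Genuine reply, attacker packet echoing peer->dst, then the next genuine reply."""
    c = ClientAssociation(dynamic_interleave=not fixed, reject_zero_origin=True)
    c.send_request(now=100)
    first = c.receive(NtpPacket(org=100, xmt=102), now=105)     # sets dst = 105
    pivot = c.receive(NtpPacket(org=105, xmt=9999), now=110)    # org == peer->dst
    c.send_request(now=200)
    second = c.receive(NtpPacket(org=200, xmt=202), now=205)    # legitimate server reply
    return [first, pivot, second, c.interleaved]


if __name__ == "__main__":
    print("zero-origin, vulnerable:", zero_origin_scenario(fixed=False))
    print("zero-origin, fixed:     ", zero_origin_scenario(fixed=True))
    print("pivot, vulnerable:      ", interleave_pivot_scenario(fixed=False))
    print("pivot, fixed:           ", interleave_pivot_scenario(fixed=True))
```

In the vulnerable pivot run the forged packet is accepted, the association silently moves to interleaved mode and the next legitimate reply is rejected, matching the description above; the scenario returns the mode flag explicitly because, as the text notes, ntpq would not show the switch.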
201668ba7e87SXin LI
201768ba7e87SXin LI* Stack exhaustion in recursive traversal of restriction list
201868ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
201968ba7e87SXin LI   References: Sec 2940 / CVE-2015-7978
202068ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
202168ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
202268ba7e87SXin LI   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
202368ba7e87SXin LI   Summary: An unauthenticated 'ntpdc reslist' command can cause a
202468ba7e87SXin LI   	segmentation fault in ntpd by exhausting the call stack.
202568ba7e87SXin LI   Mitigation:
202668ba7e87SXin LI	Implement BCP-38.
202768ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
202868ba7e87SXin LI	    or the NTP Public Services Project Download Page.
202968ba7e87SXin LI	If you are unable to upgrade:
203068ba7e87SXin LI            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
203168ba7e87SXin LI	    If you must enable mode 7:
203268ba7e87SXin LI		configure the use of a 'requestkey' to control who can
203368ba7e87SXin LI		    issue mode 7 requests.
203468ba7e87SXin LI		configure 'restrict noquery' to further limit mode 7
203568ba7e87SXin LI		    requests to trusted sources.
203668ba7e87SXin LI		Monitor your ntpd instances.
203768ba7e87SXin LI   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
203868ba7e87SXin LI
203968ba7e87SXin LI* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
204068ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
204168ba7e87SXin LI   References: Sec 2942 / CVE-2015-7979
204268ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
204368ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
204468ba7e87SXin LI   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
204568ba7e87SXin LI   Summary: An off-path attacker can send broadcast packets with bad
204668ba7e87SXin LI	authentication (wrong key, mismatched key, incorrect MAC, etc)
204768ba7e87SXin LI	to broadcast clients. It is observed that the broadcast client
204868ba7e87SXin LI	tears down the association with the broadcast server upon
204968ba7e87SXin LI	receiving just one bad packet.
205068ba7e87SXin LI   Mitigation:
205168ba7e87SXin LI	Implement BCP-38.
205268ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
205368ba7e87SXin LI	or the NTP Public Services Project Download Page.
205468ba7e87SXin LI	Monitor your 'ntpd' instances.
205568ba7e87SXin LI	If this sort of attack is an active problem for you, you have
205668ba7e87SXin LI	    deeper problems to investigate.  In this case also consider
205768ba7e87SXin LI	    having smaller NTP broadcast domains.
205868ba7e87SXin LI   Credit: This weakness was discovered by Aanchal Malhotra of Boston
205968ba7e87SXin LI   	University.
206068ba7e87SXin LI
206168ba7e87SXin LI* reslist NULL pointer dereference
206268ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
206368ba7e87SXin LI   References: Sec 2939 / CVE-2015-7977
206468ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
206568ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
206668ba7e87SXin LI   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
206768ba7e87SXin LI   Summary: An unauthenticated 'ntpdc reslist' command can cause a
206868ba7e87SXin LI	segmentation fault in ntpd by causing a NULL pointer dereference.
206968ba7e87SXin LI   Mitigation:
207068ba7e87SXin LI	Implement BCP-38.
207168ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
207268ba7e87SXin LI	the NTP Public Services Project Download Page.
207368ba7e87SXin LI	If you are unable to upgrade:
207468ba7e87SXin LI	    mode 7 is disabled by default.  Don't enable it.
207568ba7e87SXin LI	    If you must enable mode 7:
207668ba7e87SXin LI		configure the use of a 'requestkey' to control who can
207768ba7e87SXin LI		    issue mode 7 requests.
207868ba7e87SXin LI		configure 'restrict noquery' to further limit mode 7
207968ba7e87SXin LI		    requests to trusted sources.
208068ba7e87SXin LI	Monitor your ntpd instances.
208168ba7e87SXin LI   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
208268ba7e87SXin LI
208368ba7e87SXin LI* 'ntpq saveconfig' command allows dangerous characters in filenames.
208468ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
208568ba7e87SXin LI   References: Sec 2938 / CVE-2015-7976
208668ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
208768ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
208868ba7e87SXin LI   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
208968ba7e87SXin LI   Summary: The ntpq saveconfig command does not do adequate filtering
209068ba7e87SXin LI   	of special characters from the supplied filename.
209168ba7e87SXin LI	Note well: The ability to use the saveconfig command is controlled
209268ba7e87SXin LI	by the 'restrict nomodify' directive, and the recommended default
209368ba7e87SXin LI	configuration is to disable this capability.  If the ability to
209468ba7e87SXin LI	execute a 'saveconfig' is required, it can easily (and should) be
209568ba7e87SXin LI	limited and restricted to a known small number of IP addresses.
209668ba7e87SXin LI   Mitigation:
209768ba7e87SXin LI	Implement BCP-38.
209868ba7e87SXin LI	use 'restrict default nomodify' in your 'ntp.conf' file.
209968ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
210068ba7e87SXin LI	If you are unable to upgrade:
210168ba7e87SXin LI	    build NTP with 'configure --disable-saveconfig' if you will
210268ba7e87SXin LI	    	never need this capability, or
210368ba7e87SXin LI	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
210468ba7e87SXin LI		careful about what IPs have the ability to send 'modify'
210568ba7e87SXin LI		requests to 'ntpd'.
210668ba7e87SXin LI	Monitor your ntpd instances.
210768ba7e87SXin LI	'saveconfig' requests are logged to syslog - monitor your syslog files.
210868ba7e87SXin LI   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
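
An added audit script for the 'restrict' mitigations repeated in the three entries above (the two mode 7 'reslist' crashes and 'saveconfig'); it is written for this page and is not a tool of the NTP Project. It parses the restrict lines of an ntp.conf, resolves the flags that apply to a given source address the way ntpd does (the most specific matching entry wins, 'default' meaning 0.0.0.0/0 and ::/0), and reports whether arbitrary remote addresses may still send mode 6/7 queries or runtime-configuration requests. The two configurations are constructed; the handling of '-4'/'-6', 'mask' and 'source' follows the ntp.conf documentation as understood here and is an assumption of the example.

```python
import ipaddress

# Flags that close the control channel: 'ignore' drops everything, 'noquery'
# refuses mode 6/7 queries, 'nomodify' allows queries but refuses changes.
BLOCKS_QUERY = {"ignore", "noquery"}
BLOCKS_MODIFY = {"ignore", "noquery", "nomodify"}

# Constructed configurations. The weak one has no 'restrict default' line at
# all, so every remote address gets full access to the control channel.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 192.0.2.10 iburst
restrict 127.0.0.1
"""

HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify   # monitoring subnet may query
"""


def parse_restrict(conf: str) -> list:
    """Return (network, flags) pairs for each 'restrict' directive in the text."""
    entries = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        families = {4, 6}
        if tokens[0] in ("-4", "-6"):
            families = {int(tokens.pop(0)[1])}
        target = tokens.pop(0)
        if target == "source":
            continue   # applies to configured servers, not to arbitrary clients
        flags, mask = set(), None
        while tokens:
            tok = tokens.pop(0)
            if tok == "mask" and tokens:
                mask = tokens.pop(0)
            else:
                flags.add(tok)
        if target == "default":
            nets = [ipaddress.ip_network(n) for n in ("0.0.0.0/0", "::/0")]
        else:
            nets = [ipaddress.ip_network(f"{target}/{mask}" if mask else target, strict=False)]
        entries.extend((net, flags) for net in nets if net.version in families)
    return entries


def effective_flags(entries: list, src: str) -> set:
    """Flags ntpd applies to src: most specific matching entry, later line wins ties."""
    addr = ipaddress.ip_address(src)
    best, best_len = set(), -1
    for net, flags in entries:
        if addr.version == net.version and addr in net and net.prefixlen >= best_len:
            best, best_len = flags, net.prefixlen
    return best


def audit(conf: str) -> list:
    """Findings about what an arbitrary remote address may do over the control channel."""
    entries = parse_restrict(conf)
    findings = []
    for probe in ("198.51.100.7", "2001:db8::7"):      # documentation addresses
        flags = effective_flags(entries, probe)
        if not flags & BLOCKS_QUERY:
            findings.append(f"{probe}: mode 6/7 queries allowed (add noquery)")
        if not flags & BLOCKS_MODIFY:
            findings.append(f"{probe}: runtime configuration allowed (add nomodify)")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The hardened configuration still lets the monitoring subnet query while refusing it modification, and leaves localhost unrestricted; that is the "known small number of IP addresses" shape the saveconfig entry recommends. The script only reads restrict lines: whether mode 7 is enabled at all, and which 'requestkey' guards it, are separate checks.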
210968ba7e87SXin LI
211068ba7e87SXin LI* nextvar() missing length check in ntpq
211168ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
211268ba7e87SXin LI   References: Sec 2937 / CVE-2015-7975
211368ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
211468ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
211568ba7e87SXin LI   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
211668ba7e87SXin LI	If you score A:C, this becomes 4.0.
211768ba7e87SXin LI   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
211868ba7e87SXin LI   Summary: ntpq may call nextvar() which executes a memcpy() into the
211968ba7e87SXin LI	name buffer without a proper length check against its maximum
212068ba7e87SXin LI	length of 256 bytes. Note well that we're talking about ntpq here.
212168ba7e87SXin LI	The usual worst-case effect of this vulnerability is that the
212268ba7e87SXin LI	specific instance of ntpq will crash and the person or process
212368ba7e87SXin LI	that did this will have stopped themselves.
212468ba7e87SXin LI   Mitigation:
212568ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
212668ba7e87SXin LI	    or the NTP Public Services Project Download Page.
212768ba7e87SXin LI	If you are unable to upgrade:
212868ba7e87SXin LI	    If you have scripts that feed input to ntpq make sure there are
212968ba7e87SXin LI		some sanity checks on the input received from the "outside".
213068ba7e87SXin LI	    This is potentially more dangerous if ntpq is run as root.
213168ba7e87SXin LI   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
213268ba7e87SXin LI
213368ba7e87SXin LI* Skeleton Key: Any trusted key system can serve time
213468ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
213568ba7e87SXin LI   References: Sec 2936 / CVE-2015-7974
213668ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
213768ba7e87SXin LI	4.3.0 up to, but not including 4.3.90
213868ba7e87SXin LI   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
213968ba7e87SXin LI   Summary: Symmetric key encryption uses a shared trusted key. The
214068ba7e87SXin LI	reported title for this issue was "Missing key check allows
214168ba7e87SXin LI	impersonation between authenticated peers" and the report claimed
214268ba7e87SXin LI	"A key specified only for one server should only work to
214368ba7e87SXin LI	authenticate that server, other trusted keys should be refused."
214468ba7e87SXin LI	Except there has never been any correlation between this trusted
214568ba7e87SXin LI	key and server v. clients machines and there has never been any
214668ba7e87SXin LI	way to specify a key only for one server. We have treated this as
214768ba7e87SXin LI	an enhancement request, and ntp-4.2.8p6 includes other checks and
214868ba7e87SXin LI	tests to strengthen clients against attacks coming from broadcast
214968ba7e87SXin LI	servers.
215068ba7e87SXin LI   Mitigation:
215168ba7e87SXin LI	Implement BCP-38.
215268ba7e87SXin LI	If this scenario represents a real or a potential issue for you,
215368ba7e87SXin LI	    upgrade to 4.2.8p6, or later, from the NTP Project Download
215468ba7e87SXin LI	    Page or the NTP Public Services Project Download Page, and
215568ba7e87SXin LI	    use the new field in the ntp.keys file that specifies the list
215668ba7e87SXin LI	    of IPs that are allowed to serve time. Note that this alone
215768ba7e87SXin LI	    will not protect against time packets with forged source IP
215868ba7e87SXin LI	    addresses, however other changes in ntp-4.2.8p6 provide
215968ba7e87SXin LI	    significant mitigation against broadcast attacks. MITM attacks
216068ba7e87SXin LI	    are a different story.
216168ba7e87SXin LI	If you are unable to upgrade:
216268ba7e87SXin LI	    Don't use broadcast mode if you cannot monitor your client
216368ba7e87SXin LI	    	servers.
216468ba7e87SXin LI	    If you choose to use symmetric keys to authenticate time
216568ba7e87SXin LI	    	packets in a hostile environment where ephemeral time
216668ba7e87SXin LI		servers can be created, or if it is expected that malicious
216768ba7e87SXin LI		time servers will participate in an NTP broadcast domain,
216868ba7e87SXin LI		limit the number of systems that participate in the
216968ba7e87SXin LI		shared-key group.
217068ba7e87SXin LI	Monitor your ntpd instances.
217168ba7e87SXin LI   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
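
An added worked example, written for this page rather than taken from the NTP Project's sources, of what the optional fourth field of ntp.keys buys a client (this entry and the Sybil entry in the 4.2.8p7 section both point at it): a parser for the keys file, the RFC 5905 symmetric-key MAC (4-byte key id followed by digest(key || packet)) checked with a constant-time comparison, and an acceptance step that rejects an otherwise valid MAC when the sender's address is not on the key's list. The key file contents, the packet bytes and the addresses are constructed; the rule that a key longer than 20 characters is hex-encoded and the comma-separated address/prefix syntax of the fourth field follow the ntp.keys documentation as understood here and are assumptions of the example. Real ntpd additionally requires the key id to appear on a 'trustedkey' line in ntp.conf, which this model omits.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}

# Constructed keys file. Key 1 has no address list (pre-4.2.8p6 style: any
# holder of the key may serve time); key 2 may only serve time from the listed
# address and prefix. RFC 5737 documentation addresses throughout.
SAMPLE_KEYS = """\
# keyid  type  key                                        allowed sources (optional)
1        MD5   MyOldKey
2        SHA1  4a5ba6d0a2f0cdd7d8a1a24c7ef04c0e2b1f3d46   192.0.2.10,203.0.113.0/24
"""

# Constructed 48-byte NTP header: LI=0, VN=4, mode=4 (server), remaining fields zero.
SAMPLE_PACKET = bytes([0x24]) + bytes(47)


@dataclass
class TrustedKey:
    keyid: int
    digest: str
    secret: bytes
    allowed: list = field(default_factory=list)   # networks; empty means "anyone"

    def permits(self, src: str) -> bool:
        if not self.allowed:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed)


def parse_keys(text: str) -> dict:
    """Parse 'keyid type key [addr[,addr...]]' lines into TrustedKey objects."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            raise ValueError(f"malformed key line: {raw!r}")
        keyid, digest, key = int(fields[0]), fields[1].upper(), fields[2]
        if digest not in DIGESTS:
            raise ValueError(f"unsupported digest {digest} for key {keyid}")
        # Assumed ntp.keys convention: longer than 20 characters means hex-encoded.
        secret = bytes.fromhex(key) if len(key) > 20 else key.encode("ascii")
        allowed = []
        if len(fields) == 4:
            allowed = [ipaddress.ip_network(s, strict=False) for s in fields[3].split(",")]
        keys[keyid] = TrustedKey(keyid, digest, secret, allowed)
    return keys


def compute_mac(key: TrustedKey, packet: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: 4-byte key id followed by digest(secret || packet)."""
    h = DIGESTS[key.digest]()
    h.update(key.secret)
    h.update(packet)
    return struct.pack("!I", key.keyid) + h.digest()


def authenticate(keys: dict, src: str, packet: bytes, mac: bytes) -> str:
    """Decide whether a packet from src carrying mac may be used to set the clock."""
    if len(mac) < 4:
        return "reject: no MAC"
    keyid = struct.unpack("!I", mac[:4])[0]
    key = keys.get(keyid)
    if key is None:
        return f"reject: unknown key {keyid}"
    # Constant-time comparison: the timing-attack concern noted under [Bug 2879] above.
    if not hmac.compare_digest(compute_mac(key, packet), mac):
        return f"reject: bad MAC for key {keyid}"
    # The fourth-field check: a valid MAC is not enough if this sender may not serve time.
    if not key.permits(src):
        return f"reject: key {keyid} not trusted for {src}"
    return f"accept: key {keyid} from {src}"


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEYS)
    mac2 = compute_mac(keys[2], SAMPLE_PACKET)
    for sender in ("192.0.2.10", "203.0.113.77", "198.51.100.7"):
        print(sender, "->", authenticate(keys, sender, SAMPLE_PACKET, mac2))
```

Any holder of key 1 can produce a MAC that is accepted from any address, which is the exposure both entries describe; key 2 yields the same valid MAC but is refused from 198.51.100.7. As the text says, this does nothing against a forged source address on its own, which is why it sits beside BCP-38 in the mitigation list.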
217268ba7e87SXin LI
217368ba7e87SXin LI* Deja Vu: Replay attack on authenticated broadcast mode
217468ba7e87SXin LI   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
217568ba7e87SXin LI   References: Sec 2935 / CVE-2015-7973
217668ba7e87SXin LI   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
217768ba7e87SXin LI   	4.3.0 up to, but not including 4.3.90
217868ba7e87SXin LI   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
217968ba7e87SXin LI   Summary: If an NTP network is configured for broadcast operations then
218068ba7e87SXin LI   	either a man-in-the-middle attacker or a malicious participant
218168ba7e87SXin LI	that has the same trusted keys as the victim can replay time packets.
218268ba7e87SXin LI   Mitigation:
218368ba7e87SXin LI	Implement BCP-38.
218468ba7e87SXin LI	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
218568ba7e87SXin LI	    or the NTP Public Services Project Download Page.
218668ba7e87SXin LI	If you are unable to upgrade:
218768ba7e87SXin LI	    Don't use broadcast mode if you cannot monitor your client servers.
218868ba7e87SXin LI	Monitor your ntpd instances.
218968ba7e87SXin LI   Credit: This weakness was discovered by Aanchal Malhotra of Boston
219068ba7e87SXin LI	University.
219168ba7e87SXin LI
219268ba7e87SXin LIOther fixes:
219368ba7e87SXin LI
219468ba7e87SXin LI* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
219568ba7e87SXin LI* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
219668ba7e87SXin LI  - applied patch by shenpeng11@huawei.com with minor adjustments
219768ba7e87SXin LI* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
219868ba7e87SXin LI* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
219968ba7e87SXin LI* [Bug 2892] Several test cases assume IPv6 capabilities even when
220068ba7e87SXin LI             IPv6 is disabled in the build. perlinger@ntp.org
220168ba7e87SXin LI  - Found this already fixed, but validation led to cleanup actions.
220268ba7e87SXin LI* [Bug 2905] DNS lookups broken. perlinger@ntp.org
220368ba7e87SXin LI  - added limits to stack consumption, fixed some return code handling
220468ba7e87SXin LI* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
220568ba7e87SXin LI  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
220668ba7e87SXin LI  - make CTRL-C work for retrieval and printing of the MRU list. perlinger@ntp.org
220768ba7e87SXin LI* [Bug 2980] reduce number of warnings. perlinger@ntp.org
220868ba7e87SXin LI  - integrated several patches from Havard Eidnes (he@uninett.no)
220968ba7e87SXin LI* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
221068ba7e87SXin LI  - implement 'auth_log2()' using integer bithack instead of float calculation
221168ba7e87SXin LI* Make leapsec_query debug messages less verbose.  Harlan Stenn.
221268ba7e87SXin LI
221368ba7e87SXin LI---
22144990d495SXin LINTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
22153311ff84SXin LI
22163311ff84SXin LIFocus: Security, Bug fixes, enhancements.
22173311ff84SXin LI
22183311ff84SXin LISeverity: MEDIUM
22193311ff84SXin LI
22203311ff84SXin LIIn addition to bug fixes and enhancements, this release fixes the
22213311ff84SXin LIfollowing medium-severity vulnerability:
22223311ff84SXin LI
22233311ff84SXin LI* Small-step/big-step.  Close the panic gate earlier.
22243311ff84SXin LI    References: Sec 2956, CVE-2015-5300
22253311ff84SXin LI    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
22263311ff84SXin LI	4.3.0 up to, but not including 4.3.78
22273311ff84SXin LI    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
22283311ff84SXin LI    Summary: If ntpd is always started with the -g option, which is
22293311ff84SXin LI	common and against long-standing recommendation, and if at the
22303311ff84SXin LI	moment ntpd is restarted an attacker can immediately respond to
22313311ff84SXin LI	enough requests from enough sources trusted by the target, which
22323311ff84SXin LI	is difficult and not common, there is a window of opportunity
22333311ff84SXin LI	where the attacker can cause ntpd to set the time to an
22343311ff84SXin LI	arbitrary value. Similarly, if an attacker is able to respond
22353311ff84SXin LI	to enough requests from enough sources trusted by the target,
22363311ff84SXin LI	the attacker can cause ntpd to abort and restart, at which
22373311ff84SXin LI	point it can tell the target to set the time to an arbitrary
22383311ff84SXin LI	value if and only if ntpd was re-started against long-standing
22393311ff84SXin LI	recommendation with the -g flag, or if ntpd was not given the
22403311ff84SXin LI	-g flag, the attacker can move the target system's time by at
22413311ff84SXin LI	most 900 seconds' time per attack.
22423311ff84SXin LI    Mitigation:
22433311ff84SXin LI	Configure ntpd to get time from multiple sources.
22443311ff84SXin LI	Upgrade to 4.2.8p5, or later, from the NTP Project Download
22453311ff84SXin LI	    Page or the NTP Public Services Project Download Page
22463311ff84SXin LI	As we've long documented, only use the -g option to ntpd in
22473311ff84SXin LI	    cold-start situations.
22483311ff84SXin LI	Monitor your ntpd instances.
22493311ff84SXin LI    Credit: This weakness was discovered by Aanchal Malhotra,
22503311ff84SXin LI	Isaac E. Cohen, and Sharon Goldberg at Boston University.
22513311ff84SXin LI
22523311ff84SXin LI    NOTE WELL: The -g flag disables the limit check on the panic_gate
22533311ff84SXin LI	in ntpd, which is 900 seconds by default. The bug identified by
22543311ff84SXin LI	the researchers at Boston University is that the panic_gate
22553311ff84SXin LI	check was only re-enabled after the first change to the system
22563311ff84SXin LI	clock that was greater than 128 milliseconds, by default. The
22573311ff84SXin LI	correct behavior is that the panic_gate check should be
22583311ff84SXin LI	re-enabled after any initial time correction.
22593311ff84SXin LI
22603311ff84SXin LI	If an attacker is able to inject consistent but erroneous time
22613311ff84SXin LI	responses to your systems via the network or "over the air",
22623311ff84SXin LI	perhaps by spoofing radio, cellphone, or navigation satellite
22633311ff84SXin LI	transmissions, they are in a great position to affect your
22643311ff84SXin LI	system's clock. There comes a point where your very best
22653311ff84SXin LI	defenses include:
22663311ff84SXin LI
22673311ff84SXin LI	    Configure ntpd to get time from multiple sources.
22683311ff84SXin LI	    Monitor your ntpd instances.
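
An added model, written for this page and not taken from ntpd, of the gate logic the NOTE WELL describes. allow_panic stands for what -g enables: the model slews offsets at or below 128 ms and steps larger ones, refuses an offset beyond the panic threshold (900 s, the default this advisory states) unless the gate is open, and differs between the two variants only in when the gate closes: after the first step (before 4.2.8p5) or after the first correction of any size (4.2.8p5). The offsets and the attacker's sequence are constructed, and the slew is applied at once for simplicity.

```python
STEP_THRESHOLD = 0.128    # seconds; larger offsets are stepped, smaller ones slewed
PANIC_THRESHOLD = 900.0   # seconds; default panic gate as stated in this advisory


class ClockDiscipline:
    """Model of ntpd's step/panic decision, reduced to the gate-closing rule."""

    def __init__(self, g_flag: bool, fixed: bool):
        self.allow_panic = g_flag   # -g: permit one initial correction of any size
        self.fixed = fixed          # 4.2.8p5 rule: close the gate after any correction
        self.clock = 0.0            # total correction applied, for illustration only

    def apply_offset(self, offset: float) -> str:
        if abs(offset) > PANIC_THRESHOLD and not self.allow_panic:
            # Without -g, or once the gate has closed, ntpd exits rather than
            # accept a time that far from its own.
            return "panic"
        stepped = abs(offset) > STEP_THRESHOLD
        self.clock += offset
        # Vulnerable rule: the gate closes only after a step (> 128 ms).
        # Fixed rule: any initial correction, however small, closes it.
        if stepped or self.fixed:
            self.allow_panic = False
        return "step" if stepped else "slew"


def scenario(g_flag: bool, fixed: bool, offsets: list) -> list:
    """Feed a sequence of measured offsets to a freshly started ntpd model."""
    d = ClockDiscipline(g_flag, fixed)
    return [d.apply_offset(o) for o in offsets]


# Constructed attacker sequence: a tiny offset first, then an enormous one.
SMALL_STEP_BIG_STEP = [0.050, 50_000.0]


if __name__ == "__main__":
    print("-g, vulnerable:", scenario(True, False, SMALL_STEP_BIG_STEP))   # gate left open
    print("-g, fixed:     ", scenario(True, True, SMALL_STEP_BIG_STEP))    # big step panics
    print("no -g:         ", scenario(False, True, [800.0, 5_000.0]))      # <= 900 s per attack
```

The vulnerable run accepts the 50,000 s step because the 50 ms slew never closed the gate; the fixed run panics on it, and the run without -g shows the bound the text gives: a step under the threshold is accepted, anything beyond it is refused.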
22693311ff84SXin LI
22703311ff84SXin LIOther fixes:
22713311ff84SXin LI
22723311ff84SXin LI* Coverity submission process updated from Coverity 5 to Coverity 7.
22733311ff84SXin LI  The NTP codebase has been undergoing regular Coverity scans on an
22743311ff84SXin LI  ongoing basis since 2006.  As part of our recent upgrade from
22753311ff84SXin LI  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
22763311ff84SXin LI  the newly-written Unity test programs.  These were fixed.
22773311ff84SXin LI* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
22783311ff84SXin LI* [Bug 2887] stratum -1 config results as showing value 99
22793311ff84SXin LI  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
22803311ff84SXin LI* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
22813311ff84SXin LI* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
22823311ff84SXin LI* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
22833311ff84SXin LI  - applied patch by Christos Zoulas.  perlinger@ntp.org
22843311ff84SXin LI* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
22853311ff84SXin LI* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
22863311ff84SXin LI  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
22873311ff84SXin LI  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
22883311ff84SXin LI* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
22893311ff84SXin LI  - accept key file only if there are no parsing errors
22903311ff84SXin LI  - fixed size_t/u_int format clash
22913311ff84SXin LI  - fixed wrong use of 'strlcpy'
22923311ff84SXin LI* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
22933311ff84SXin LI* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
22943311ff84SXin LI  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
22953311ff84SXin LI  - promote use of 'size_t' for values that express a size
22963311ff84SXin LI  - use ptr-to-const for read-only arguments
22973311ff84SXin LI  - make sure SOCKET values are not truncated (win32-specific)
22983311ff84SXin LI  - format string fixes
22993311ff84SXin LI* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
23003311ff84SXin LI* [Bug 2967] ntpdate command suffers an assertion failure
23013311ff84SXin LI  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
23023311ff84SXin LI* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
23033311ff84SXin LI              lots of clients. perlinger@ntp.org
23043311ff84SXin LI* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
23053311ff84SXin LI  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
23063311ff84SXin LI* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
23073311ff84SXin LI* Unity test cleanup.  Harlan Stenn.
23083311ff84SXin LI* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
23093311ff84SXin LI* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
23103311ff84SXin LI* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
23113311ff84SXin LI* Quiet a warning from clang.  Harlan Stenn.
23123311ff84SXin LI
---
NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

  References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: The fix for CVE-2014-9750 was incomplete in that there were
        certain code paths where a packet with particular autokey operations
        that contained malicious data was not always being completely
        validated. Receipt of these packets can cause ntpd to crash.
  Mitigation:
        Don't use autokey.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* Clients that receive a KoD should validate the origin timestamp field.

  References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  Summary: An ntpd client that honors Kiss-of-Death responses will honor
        KoD messages that have been forged by an attacker, causing it to
        delay or stop querying its servers for time updates. Also, an
        attacker can forge packets that claim to be from the target and
        send them to servers often enough that a server that implements
        KoD rate limiting will send the target machine a KoD response to
        attempt to reduce the rate of incoming packets, or it may also
        trigger a firewall block at the server for packets from the target
        machine. For either of these attacks to succeed, the attacker must
        know what servers the target is communicating with. An attacker
        can be anywhere on the Internet and can frequently learn the
        identity of the target's time source by sending the target a
        time query.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        If you can't upgrade, restrict who can query ntpd to learn who
            its servers are, and what IPs are allowed to ask your system
            for the time. This mitigation is heavy-handed.
        Monitor your ntpd instances.
  Note:
        4.2.8p4 protects against the first attack. For the second attack,
        all we can do is warn when it is happening, which we do in 4.2.8p4.
  Credit: This weakness was discovered by Aanchal Malhotra,
        Issac E. Cohen, and Sharon Goldberg of Boston University.

* Configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally.

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
        and if the (possibly spoofed) source IP address is allowed to
        send remote configuration requests, and if the attacker knows
        the remote configuration password, it's possible for an attacker
        to use the "pidfile" or "driftfile" directives to potentially
        overwrite other files.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you cannot upgrade, don't enable remote configuration.
        If you must enable remote configuration and cannot upgrade,
            remote configuration of NTF's ntpd requires:
            - an explicitly configured trustedkey, and you should also
                configure a controlkey.
            - access from a permitted IP. You choose the IPs.
            - authentication. Don't disable it. Practice good key hygiene.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
        including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
        4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
        send packets to ntpd that will, after several days of ongoing
        attack, cause it to run out of memory.
  Mitigation:
        Don't use autokey.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
        use of mode 7 packets is not properly protected through the use of
        the available mode 7 authentication and restriction mechanisms,
        and if the (possibly spoofed) source IP address is allowed to
        send mode 7 queries, then an attacker can send a crafted packet
        to ntpd that will cause it to crash.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
            If you must enable mode 7:
                configure the use of a requestkey to control who can issue
                    mode 7 requests.
                configure restrict noquery to further limit mode 7 requests
                    to trusted sources.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) source IP address is allowed to send
        remote configuration requests, and if the attacker knows the
        remote configuration password or if ntpd was configured to
        disable authentication, then an attacker can send a set of
        packets to ntpd that may cause a crash or theoretically
        perform a code injection attack.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's
            ntpd requires:
                an explicitly configured "trusted" key. Only configure
                    this if you need it.
                access from a permitted IP address. You choose the IPs.
                authentication. Don't disable it. Practice good key hygiene.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) source IP address is allowed to send
        remote configuration requests, and if the attacker knows the
        remote configuration password or if ntpd was configured to
        disable authentication, then an attacker can send a set of
        packets to ntpd that will cause it to crash and/or create a
        potentially huge log file. Specifically, the attacker could
        enable extended logging, point the key file at the log file,
        and cause what amounts to an infinite loop.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's ntpd
            requires:
                an explicitly configured "trusted" key. Only configure this
                    if you need it.
                access from a permitted IP address. You choose the IPs.
                authentication. Don't disable it. Practice good key hygiene.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
        including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) IP address is allowed to send remote
        configuration requests, and if the attacker knows the remote
        configuration password or if ntpd was configured to disable
        authentication, then an attacker can send a set of packets to
        ntpd that may cause ntpd to overwrite files.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's ntpd
            requires:
                an explicitly configured "trusted" key. Only configure
                    this if you need it.
                access from permitted IP addresses. You choose the IPs.
                authentication. Don't disable it. Practice good key hygiene.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
        is listening for data and the port number it is listening on, or
        if the attacker can provide a malicious ntpd instance that
        victims will connect to, then the attacker can send a set of
        crafted mode 6 response packets that, if received by ntpq,
        can cause ntpq to crash.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade and you run ntpq against a server
            and ntpq crashes, try again using raw mode. Build or get a
            patched ntpq and see if that fixes the problem. Report new
            bugs in ntpq or abusive servers appropriately.
        If you use ntpq in scripts, make sure ntpq does what you expect
            in your scripts.
  Credit: This weakness was discovered by Yves Younan and
        Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
        including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
        that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
        5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
        data buffer. NTF's ntpd driver implementations always set this
        value to 0 and are therefore not vulnerable to this weakness.
        If you are running a custom refclock driver in ntpd and that
        driver supplies a negative value for datalen (no custom driver
        of even minimal competence would do this) then ntpd would
        overflow a data buffer. It is even hypothetically possible
        in this case that instead of simply crashing ntpd the attacker
        could effect a code injection attack.
  Mitigation:
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
            If you are running custom refclock drivers, make sure
                the signed datalen value is either zero or positive.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
        4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
        1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) source IP address is allowed to send
        remote configuration requests, and if the attacker knows the
        remote configuration password or if ntpd was (foolishly)
        configured to disable authentication, then an attacker can
        send a set of packets to ntpd that may cause it to crash,
        with the hypothetical possibility of a small code injection.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's
            ntpd requires:
                an explicitly configured "trusted" key. Only configure
                    this if you need it.
                access from a permitted IP address. You choose the IPs.
                authentication. Don't disable it. Practice good key hygiene.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
        Aleksandar Nikolic of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
        4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
        an unusually long data value where a network address is expected,
        the decodenetnum() function will abort with an assertion failure
        instead of simply returning a failure condition.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
            mode 7 is disabled by default. Don't enable it.
            Use restrict noquery to limit who can send mode 6
                and mode 7 requests.
            Configure and use the controlkey and requestkey
                authentication directives to limit who can
                send mode 6 and mode 7 requests.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
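
  The remote-configuration (Sec 2902), mode 7 (Sec 2913) and
  decodenetnum() (Sec 2922) entries above all share one precondition:
  a (possibly spoofed) source that is allowed to send mode 6/7 requests,
  with weak or no authentication.  The ntp.conf fragment below is an
  added example, not a file shipped with the NTP distribution; it places
  the weak settings those entries assume beside the hardened form their
  mitigations describe.  The directives (restrict, keys, trustedkey,
  controlkey, requestkey, enable/disable) are standard ntpd ones; the
  key number, key file path and the 192.0.2.10 management address are
  constructed for illustration.

```conf
# --- Weak: what the advisories above assume -------------------------------
# Anyone who can reach UDP/123 may send mode 6/7 queries, mode 7 is switched
# on, and authentication is switched off, so a spoofed source can push
# runtime configuration (pidfile/driftfile, logging, key file, ...).
restrict default
enable mode7
disable auth

# --- Hardened -----------------------------------------------------------
# Key file holds lines of the form "10 MD5 <secret>"; keep it mode 0600.
keys /etc/ntp/ntp.keys
trustedkey 10        # only key 10 may authenticate control or peer traffic
controlkey 10        # ntpq runtime configuration (mode 6) must use key 10
requestkey 10        # ntpdc requests (mode 7) must use key 10, if ever enabled
# mode 7 stays disabled (the ntp-4.2.8 default): there is no "enable mode7".

# Serve time to everyone, but: no mode 6/7 queries (noquery), no runtime
# changes (nomodify), no trap/peer mobilization, and rate-limited KoD replies
# (limited kod) for abusive clients.
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery

# Loopback and one management host may query (ntpq -p); nomodify keeps even
# an authenticated ntpq on that host from reconfiguring the daemon.
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.10 nomodify notrap nopeer
```

  After reloading, an ntpq -p from a host outside the restrict
  exceptions should get no answer, while ordinary time requests to the
  same server still do; that is the check that noquery is in effect
  without having disturbed time service.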

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
        4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
        from unauthenticated ephemeral symmetric peers by bypassing the
        authentication required to mobilize peer associations. This
        vulnerability appears to have been introduced in ntp-4.2.5p186
        when the code handling mobilization of new passive symmetric
        associations (lines 1103-1165) was refactored.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
            Apply the patch to the bottom of the "authentic" check
                block around line 1136 of ntp_proto.c.
        Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
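
  Two of the entries above turn on the same receive-side decision: the
  KoD entry (Sec 2901) says a client must check that a Kiss-of-Death
  reply's origin timestamp echoes the transmit timestamp of the request
  it actually sent, and the crypto-NAK entry (Sec 2941) says a packet
  carrying a crypto-NAK must never count as authenticated when deciding
  whether to mobilize a passive symmetric association.  The Python
  below is an added example written for this page; it is not ntpd's
  code and does not reproduce the ntp_proto.c lines the entry cites.
  It assumes the RFC 5905 packet layout (48-byte header, optional
  trailer of 4-byte key ID plus digest), that an MD5 symmetric-key MAC
  is md5(key || header) as ntpd computes it, and that a crypto-NAK is a
  trailer with key ID 0 and no digest.  The "buggy" mobilization
  function is a model of the bug class (anything short of an outright
  verification failure gets through), not a transcription of the
  original defect; the key, secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

HEADER_LEN = 48
# Authentication states this example distinguishes on receipt (the names
# are the example's own; ntpd's internal enum is not reproduced here).
AUTH_NONE, AUTH_OK, AUTH_ERROR, AUTH_CRYPTO = "none", "ok", "error", "crypto-nak"


@dataclass
class NtpPacket:
    header: bytes         # 48-byte NTP header, kept for MAC verification
    mode: int             # 1 = symmetric active, 4 = server reply, ...
    stratum: int          # 0 on a Kiss-of-Death packet
    refid: bytes          # 4-char ASCII kiss code when stratum == 0
    org: int              # origin timestamp, raw 64-bit
    xmt: int              # transmit timestamp, raw 64-bit
    keyid: Optional[int]  # None when no MAC trailer is present
    mac: bytes            # digest after the key ID; empty for a crypto-NAK


def parse(buf: bytes) -> NtpPacket:
    """Split a raw datagram into header fields plus an optional MAC trailer."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short packet")
    header, trailer = buf[:HEADER_LEN], buf[HEADER_LEN:]
    keyid, mac = None, b""
    if trailer:
        if len(trailer) < 4:
            raise ValueError("truncated MAC trailer")
        keyid, mac = struct.unpack("!I", trailer[:4])[0], trailer[4:]
    return NtpPacket(header, header[0] & 7, header[1], header[12:16],
                     struct.unpack("!Q", header[24:32])[0],
                     struct.unpack("!Q", header[40:48])[0], keyid, mac)


def build(mode: int, stratum: int, refid: bytes, org: int, xmt: int,
          keyid: Optional[int] = None, key: Optional[bytes] = None) -> bytes:
    """Constructed packets: unauthenticated, crypto-NAK (keyid 0, no digest),
    or MD5-MACed with MAC = md5(key || header) as for ntpd symmetric keys."""
    hdr = bytearray(HEADER_LEN)
    hdr[0] = (4 << 3) | mode                      # LI=0, VN=4, mode
    hdr[1] = stratum
    hdr[12:16] = refid
    struct.pack_into("!Q", hdr, 24, org)
    struct.pack_into("!Q", hdr, 40, xmt)
    if keyid is None:
        return bytes(hdr)
    if key is None:
        return bytes(hdr) + struct.pack("!I", 0)  # crypto-NAK trailer
    return bytes(hdr) + struct.pack("!I", keyid) + hashlib.md5(key + bytes(hdr)).digest()


def classify_auth(pkt: NtpPacket, keys: Dict[int, bytes]) -> str:
    """Map the MAC trailer to one of the four authentication states."""
    if pkt.keyid is None:
        return AUTH_NONE
    if pkt.keyid == 0 and not pkt.mac:
        return AUTH_CRYPTO
    key = keys.get(pkt.keyid)
    if key is None or len(pkt.mac) != 16:
        return AUTH_ERROR
    expected = hashlib.md5(key + pkt.header).digest()
    return AUTH_OK if hmac.compare_digest(expected, pkt.mac) else AUTH_ERROR


def may_mobilize_passive_buggy(auth: str) -> bool:
    # Model of the flaw: only an outright verification failure is rejected,
    # so a crypto-NAK (AUTH_CRYPTO) is treated as good enough to mobilize.
    return auth != AUTH_ERROR


def may_mobilize_passive(auth: str, require_auth: bool = True) -> bool:
    # Fail closed: a verified MAC, or (only when auth is not required) no MAC
    # at all, may mobilize a passive association. A crypto-NAK never does.
    return auth == AUTH_OK or (not require_auth and auth == AUTH_NONE)


def honour_kod(pkt: NtpPacket, outstanding_xmt: int) -> Optional[bytes]:
    """Return the kiss code only if this server reply is a KoD whose origin
    timestamp echoes the transmit timestamp of the request we actually sent."""
    if pkt.mode != 4 or pkt.stratum != 0:
        return None
    if pkt.org == 0 or pkt.org != outstanding_xmt:
        return None                               # forged or replayed: ignore
    return pkt.refid


if __name__ == "__main__":
    keys = {10: b"example-shared-secret"}         # constructed trustedkey 10
    our_xmt = 0xE3F1A2B3_00000000                 # xmt of the request we sent
    forged = parse(build(4, 0, b"RATE", 0x1234, 1))
    genuine = parse(build(4, 0, b"RATE", our_xmt, 1))
    print(honour_kod(forged, our_xmt), honour_kod(genuine, our_xmt))  # None b'RATE'
    nak = parse(build(1, 2, b"\0\0\0\0", 0, 1, keyid=0))
    state = classify_auth(nak, keys)              # 'crypto-nak'
    print(may_mobilize_passive_buggy(state), may_mobilize_passive(state))  # True False
```

  The point of the two decision functions is the direction of the
  default: the fixed one lists the states that are allowed to
  mobilize, so a new or unexpected state such as a crypto-NAK falls
  through to "no", whereas the flawed shape lists the one state to
  reject and lets everything else through.  The same shape applies to
  the KoD check, which only acts when the origin timestamp positively
  matches an outstanding request.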

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory).  A value of 0 means "lock ntpd into memory with whatever
  memory it needs."  If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control.  A value of -1 means
  "don't lock ntpd into memory".  This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
  the value is the number of megabytes of memory to lock.  The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercising thread cancellation once before dropping
  privileges and limiting resources in ntpd removes the need to link
  forcefully against 'libgcc_s', which does not always work.  J.Perlinger
* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize.  Brian Utterback.  Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows.  Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'.  J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h.  H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
  be configured for the distribution targets.  Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
* [Bug 2886] Misspelling: "outlyer" should be "outlier".  dave@horsfall.org
* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
* sntp/tests/ function parameter list cleanup.  Damir Tomić.
* tests/libntp/ function parameter list cleanup.  Damir Tomić.
* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes.  Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup.  Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting.  Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting.  Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting.  Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting.  Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting.  Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting.  Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting.  Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include.  Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting.  Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup.  Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup.  Tomasz Flendrich
27419034852cSGleb Smirnoff* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
27429034852cSGleb Smirnoff  Tomasz Flendrich
27439034852cSGleb Smirnoff* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
27449034852cSGleb Smirnoff* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
27459034852cSGleb Smirnoff* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
27469034852cSGleb Smirnoff  Tomasz Flendrich
27479034852cSGleb Smirnoff* sntp/tests/kodDatabase.c added consts, deleted empty function,
27489034852cSGleb Smirnoff  fixed formatting. Tomasz Flendrich
27499034852cSGleb Smirnoff* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
27509034852cSGleb Smirnoff* sntp/tests/packetHandling.c is now using proper Unity's assertions,
27519034852cSGleb Smirnoff  fixed formatting, deleted unused variable. Tomasz Flendrich
27529034852cSGleb Smirnoff* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
27539034852cSGleb Smirnoff  Tomasz Flendrich
27549034852cSGleb Smirnoff* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
27559034852cSGleb Smirnoff  fixed formatting. Tomasz Flendrich
27569034852cSGleb Smirnoff* sntp/tests/utilities.c is now using proper Unity's assertions, changed
27579034852cSGleb Smirnoff  the order of includes, fixed formatting, removed unnecessary comments.
27589034852cSGleb Smirnoff  Tomasz Flendrich
27599034852cSGleb Smirnoff* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
27609034852cSGleb Smirnoff* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
27619034852cSGleb Smirnoff  made one function do its job, deleted unnecessary prints, fixed formatting.
27629034852cSGleb Smirnoff  Tomasz Flendrich
27639034852cSGleb Smirnoff* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
27649034852cSGleb Smirnoff* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
27659034852cSGleb Smirnoff* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
27669034852cSGleb Smirnoff* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
27679034852cSGleb Smirnoff* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
27689034852cSGleb Smirnoff* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
27699034852cSGleb Smirnoff* Don't build sntp/libevent/sample/.  Harlan Stenn.
27709034852cSGleb Smirnoff* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
27719034852cSGleb Smirnoff* br-flock: --enable-local-libevent.  Harlan Stenn.
27729034852cSGleb Smirnoff* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
27739034852cSGleb Smirnoff* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
27749034852cSGleb Smirnoff* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
27759034852cSGleb Smirnoff* Code cleanup.  Harlan Stenn.
27769034852cSGleb Smirnoff* libntp/icom.c: Typo fix.  Harlan Stenn.
27779034852cSGleb Smirnoff* util/ntptime.c: initialization nit.  Harlan Stenn.
27789034852cSGleb Smirnoff* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
27799034852cSGleb Smirnoff* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
27809034852cSGleb Smirnoff* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
27819034852cSGleb Smirnoff  Tomasz Flendrich
27829034852cSGleb Smirnoff* Changed progname to be const in many files - now it's consistent. Tomasz
27839034852cSGleb Smirnoff  Flendrich
27849034852cSGleb Smirnoff* Typo fix for GCC warning suppression.  Harlan Stenn.
27859034852cSGleb Smirnoff* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
27869034852cSGleb Smirnoff* Added declarations to all Unity tests, and did minor fixes to them.
27879034852cSGleb Smirnoff  Reduced the number of warnings by half. Damir Tomić.
27889034852cSGleb Smirnoff* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
27899034852cSGleb Smirnoff  with the latest Unity updates from Mark. Damir Tomić.
27909034852cSGleb Smirnoff* Retire google test - phase I.  Harlan Stenn.
27919034852cSGleb Smirnoff* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
27929034852cSGleb Smirnoff* Update the NEWS file.  Harlan Stenn.
27939034852cSGleb Smirnoff* Autoconf cleanup.  Harlan Stenn.
27949034852cSGleb Smirnoff* Unit test dist cleanup. Harlan Stenn.
27959034852cSGleb Smirnoff* Cleanup various test Makefile.am files.  Harlan Stenn.
27969034852cSGleb Smirnoff* Pthread autoconf macro cleanup.  Harlan Stenn.
27979034852cSGleb Smirnoff* Fix progname definition in unity runner scripts.  Harlan Stenn.
27989034852cSGleb Smirnoff* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
27999034852cSGleb Smirnoff* Update the patch for bug 2817.  Harlan Stenn.
28009034852cSGleb Smirnoff* More updates for bug 2817.  Harlan Stenn.
28019034852cSGleb Smirnoff* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
28029034852cSGleb Smirnoff* gcc on older HPUX may need +allowdups.  Harlan Stenn.
28039034852cSGleb Smirnoff* Adding missing MCAST protection.  Harlan Stenn.
28049034852cSGleb Smirnoff* Disable certain test programs on certain platforms.  Harlan Stenn.
28059034852cSGleb Smirnoff* Implement --enable-problem-tests (on by default).  Harlan Stenn.
28069034852cSGleb Smirnoff* build system tweaks.  Harlan Stenn.
28079034852cSGleb Smirnoff
28089034852cSGleb Smirnoff---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time.  A specially built and configured ntpd will only
offer smeared time in response to client packets.  These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
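The 254.a.b.c smear REFID described above, encoded and decoded as an added example (this is not ntpd's own refidsmear code). It assumes the 24-bit field is a two's-complement fixed-point value with 2 integer bits and 22 fraction bits, which is what a monitoring client needs to tell a smearing server apart from an ordinary one and to read off how much smear it is currently applying.

```python
"""Leap-smear REFID (254.a.b.c, 2:22 integer:fraction) encoder/decoder.

Added example, not ntpd's code.  Assumption: the 24 bits carried in a, b, c
form a two's-complement fixed-point number with 2 integer bits and 22
fraction bits, covering -2.0 s <= smear < 2.0 s at 2**-22 s resolution.
"""

SMEAR_PREFIX = 254          # first octet that marks a leap-smear REFID
FRAC_BITS = 22              # fraction bits in the 2:22 format
FIELD_BITS = 24             # total bits carried in octets a, b, c
FIELD_MASK = (1 << FIELD_BITS) - 1
SIGN_BIT = 1 << (FIELD_BITS - 1)


def smear_to_refid(smear_seconds):
    """Return the dotted REFID a smearing server would place in its replies."""
    if not -2.0 <= smear_seconds < 2.0:
        raise ValueError("smear outside the representable 2:22 range")
    fixed = round(smear_seconds * (1 << FRAC_BITS))   # seconds -> 2:22 fixed point
    field = fixed & FIELD_MASK                         # two's complement in 24 bits
    a = (field >> 16) & 0xFF
    b = (field >> 8) & 0xFF
    c = field & 0xFF
    return "%d.%d.%d.%d" % (SMEAR_PREFIX, a, b, c)


def refid_to_smear(refid):
    """Return the smear in seconds, or None if refid is not a smear REFID.

    Stratum-1 REFIDs are ASCII tags such as "GPS" and ordinary IPv4 REFIDs do
    not start with 254, so both yield None rather than a bogus smear value.
    """
    try:
        octets = [int(o) for o in refid.split(".")]
    except ValueError:
        return None
    if len(octets) != 4 or octets[0] != SMEAR_PREFIX:
        return None
    if any(not 0 <= o <= 255 for o in octets):
        return None
    field = (octets[1] << 16) | (octets[2] << 8) | octets[3]
    if field & SIGN_BIT:                 # negative smear: undo two's complement
        field -= 1 << FIELD_BITS
    return field / (1 << FRAC_BITS)


def is_smeared_server(refid):
    """Monitoring check: True when a server is advertising leap-smear time."""
    return refid_to_smear(refid) is not None


if __name__ == "__main__":
    for smear in (0.5, -0.25, 1.0, -1.0, 2 ** -22):
        refid = smear_to_refid(smear)
        print("%+.9f s -> %s -> %+.9f s" % (smear, refid, refid_to_smear(refid)))
```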

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework.  If you want
to write new tests or change old ones, you'll need to have ruby
installed.  You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html.
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
   Fixed an initial-value problem that caused misbehaviour in absence of
   any leapsecond information.
   Do leap second stepping only if the step adjustment is beyond the
   proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building the 32-bit loopback ppsapi needs a def file.
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   NTPD transfers the current TAI (instead of an announcement) now.
   This might still need improvement.
   Update autokey data ASAP when 'sys_tai' changes.
   Fix unit test that was broken by changes for autokey update.
   Avoid potential signature length issue and use DPRINTF where possible
     in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
   Fixed compiler warnings about numeric range overflow
   (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
* html/drivers/driver22.html: typo fix.  Harlan Stenn.
* refidsmear test cleanup.  Tomasz Flendrich.
* refidsmear function support and tests.  Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp.  Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code.  Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
        including ntp-4.2.8p2 where the installation uses symmetric keys
        to authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: When ntpd is configured to use a symmetric key to authenticate
        a remote NTP server/peer, it checks if the NTP message
        authentication code (MAC) in received packets is valid, but not if
        there actually is any MAC included. Packets without a MAC are
        accepted as if they had a valid MAC. This allows a MITM attacker to
        send false packets that are accepted by the client/peer without
        having to know the symmetric key. The attacker needs to know the
        transmit timestamp of the client to match it in the forged reply
        and the false reply needs to reach the client before the genuine
        reply from the server. The attacker doesn't necessarily need to be
        relaying the packets between the client and the server.

        Authentication using autokey doesn't have this problem as there is
        a check that requires the key ID to be larger than NTP_MAXKEY,
        which fails for packets without a MAC.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Configure ntpd with enough time sources and monitor it properly.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
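The check that Sec 2779 describes, as an added example that is not ntpd's code: the pre-fix logic only verifies a MAC when one happens to be present, while the corrected logic treats a missing MAC as an authentication failure whenever a key is configured. The packet layout is constructed for the example (a 48-byte header followed by an optional key ID plus MD5 digest computed as MD5(key || header), the classic NTP symmetric-key scheme; autokey extension fields are not modelled), and the receive() helper also shows the Sec 2781 rule that peer state is touched only after authentication succeeds.

```python
"""Symmetric-key MAC handling that fails closed when the MAC is absent.

Added example, not ntpd's code.  Constructed packet model: 48-byte NTPv4
header, then optionally a 4-byte key ID and a 16-byte MD5 digest over
key || header.  Extension fields (autokey) are deliberately not modelled.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48
KEYID_LEN = 4
MD5_LEN = 16
MAC_LEN = KEYID_LEN + MD5_LEN
XMT_OFFSET = 40             # transmit timestamp occupies the last 8 header bytes


class PeerState:
    """The per-association state a forged packet must not be allowed to touch."""
    def __init__(self):
        self.org = 0        # transmit timestamp of the last accepted packet
        self.accepted = 0   # count of packets that passed authentication


def compute_mac(key, header):
    """Classic NTP symmetric-key digest: MD5 over the key prepended to the header."""
    return hashlib.md5(key + header).digest()


def build_packet(xmt, keyid=None, key=None):
    """Constructed NTPv4 client packet (LI=0, VN=4, mode=3), optionally with a MAC."""
    header = bytes([0x23]) + bytes(HEADER_LEN - 9) + struct.pack("!Q", xmt)
    if keyid is None:
        return header
    return header + struct.pack("!I", keyid) + compute_mac(key, header)


def authenticate(pkt, keys):
    """Fixed logic: with a key configured, a MAC is mandatory and must verify."""
    if len(pkt) != HEADER_LEN + MAC_LEN:
        return False                      # no MAC, truncated MAC, or unknown trailer
    header, trailer = pkt[:HEADER_LEN], pkt[HEADER_LEN:]
    keyid = struct.unpack("!I", trailer[:KEYID_LEN])[0]
    key = keys.get(keyid)
    if key is None:
        return False                      # key ID not in the keys file
    # constant-time comparison so a forger learns nothing from timing
    return hmac.compare_digest(trailer[KEYID_LEN:], compute_mac(key, header))


def authenticate_vulnerable(pkt, keys):
    """Pre-4.2.8p2 behaviour from Sec 2779, kept only to show the defect:
    a packet carrying no MAC at all is waved through as if it had verified."""
    if len(pkt) == HEADER_LEN:
        return True                       # the bug: "nothing to check" == "valid"
    return authenticate(pkt, keys)


def receive(pkt, keys, state, check=authenticate):
    """Process an incoming packet; state is updated only after check() passes,
    which is the Sec 2781 requirement that failed authentication leave the
    association's state variables untouched."""
    if not check(pkt, keys):
        return False
    state.org = struct.unpack("!Q", pkt[XMT_OFFSET:HEADER_LEN])[0]
    state.accepted += 1
    return True


if __name__ == "__main__":
    keys = {1: b"constructed-example-key"}   # stands in for the keys file
    genuine = build_packet(0x1234_5678, 1, keys[1])
    no_mac = build_packet(0x1234_5678)
    for name, pkt in (("genuine", genuine), ("no MAC", no_mac)):
        print("%-8s vulnerable=%s fixed=%s" % (
            name, authenticate_vulnerable(pkt, keys), authenticate(pkt, keys)))
```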
2996a25439b6SCy Schubert
2997a25439b6SCy Schubert* [Sec 2781] Authentication doesn't protect symmetric associations against
2998a25439b6SCy Schubert  DoS attacks.
2999a25439b6SCy Schubert
3000a25439b6SCy Schubert    References: Sec 2781 / CVE-2015-1799 / VU#374268
3001a25439b6SCy Schubert    Affects: All NTP releases starting with at least xntp3.3wy up to but
3002a25439b6SCy Schubert	not including ntp-4.2.8p2 where the installation uses symmetric
3003a25439b6SCy Schubert	key authentication.
3004a25439b6SCy Schubert    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
3005a25439b6SCy Schubert    Note: the CVSS base Score for this issue could be 4.3 or lower, and
3006a25439b6SCy Schubert	it could be higher than 5.4.
3007a25439b6SCy Schubert    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
3008a25439b6SCy Schubert    Summary: An attacker knowing that NTP hosts A and B are peering with
3009a25439b6SCy Schubert	each other (symmetric association) can send a packet to host A
3010a25439b6SCy Schubert	with source address of B which will set the NTP state variables
3011a25439b6SCy Schubert	on A to the values sent by the attacker. Host A will then send
3012a25439b6SCy Schubert	on its next poll to B a packet with originate timestamp that
3013a25439b6SCy Schubert	doesn't match the transmit timestamp of B and the packet will
3014a25439b6SCy Schubert	be dropped. If the attacker does this periodically for both
3015a25439b6SCy Schubert	hosts, they won't be able to synchronize to each other. This is
3016a25439b6SCy Schubert	a known denial-of-service attack, described at
3017a25439b6SCy Schubert	https://www.eecis.udel.edu/~mills/onwire.html .
3018a25439b6SCy Schubert
3019a25439b6SCy Schubert	According to the document the NTP authentication is supposed to
3020a25439b6SCy Schubert	protect symmetric associations against this attack, but that
3021a25439b6SCy Schubert	doesn't seem to be the case. The state variables are updated even
3022a25439b6SCy Schubert	when authentication fails and the peers are sending packets with
3023a25439b6SCy Schubert	originate timestamps that don't match the transmit timestamps on
3024a25439b6SCy Schubert	the receiving side.
3025a25439b6SCy Schubert
3026a25439b6SCy Schubert	This seems to be a very old problem, dating back to at least
3027a25439b6SCy Schubert	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
3028a25439b6SCy Schubert	specifications, so other NTP implementations with support for
3029a25439b6SCy Schubert	symmetric associations and authentication may be vulnerable too.
3030a25439b6SCy Schubert	An update to the NTP RFC to correct this error is in-process.
3031a25439b6SCy Schubert    Mitigation:
3032a25439b6SCy Schubert        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
3033a25439b6SCy Schubert	or the NTP Public Services Project Download Page
3034a25439b6SCy Schubert        Note that for users of autokey, this specific style of MITM attack
3035a25439b6SCy Schubert	is simply a long-known potential problem.
3036a25439b6SCy Schubert        Configure ntpd with appropriate time sources and monitor ntpd.
3037a25439b6SCy Schubert	Alert your staff if problems are detected.
3038a25439b6SCy Schubert    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
3039a25439b6SCy Schubert
3040a25439b6SCy Schubert* New script: update-leap
3041a25439b6SCy SchubertThe update-leap script will verify and if necessary, update the
3042a25439b6SCy Schubertleap-second definition file.
3043a25439b6SCy SchubertIt requires the following commands in order to work:
3044a25439b6SCy Schubert
3045a25439b6SCy Schubert	wget logger tr sed shasum
3046a25439b6SCy Schubert
3047a25439b6SCy SchubertSome may choose to run this from cron.  It needs more portability testing.
3048a25439b6SCy Schubert
3049a25439b6SCy SchubertBug Fixes and Improvements:
3050a25439b6SCy Schubert
3051a25439b6SCy Schubert* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
3052a25439b6SCy Schubert* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
3053a25439b6SCy Schubert* [Bug 2346] "graceful termination" signals do not do peer cleanup.
3054a25439b6SCy Schubert* [Bug 2728] See if C99-style structure initialization works.
3055a25439b6SCy Schubert* [Bug 2747] Upgrade libevent to 2.1.5-beta.
3056a25439b6SCy Schubert* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
3057a25439b6SCy Schubert* [Bug 2751] jitter.h has stale copies of l_fp macros.
3058a25439b6SCy Schubert* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
3059a25439b6SCy Schubert* [Bug 2757] Quiet compiler warnings.
3060a25439b6SCy Schubert* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
3061a25439b6SCy Schubert* [Bug 2763] Allow different thresholds for forward and backward steps.
3062a25439b6SCy Schubert* [Bug 2766] ntp-keygen output files should not be world-readable.
3063a25439b6SCy Schubert* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
3064a25439b6SCy Schubert* [Bug 2771] nonvolatile value is documented in wrong units.
3065a25439b6SCy Schubert* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
3066a25439b6SCy Schubert* [Bug 2774] Unreasonably verbose printout - leap pending/warning
3067a25439b6SCy Schubert* [Bug 2775] ntp-keygen.c fails to compile under Windows.
3068a25439b6SCy Schubert* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
3069a25439b6SCy Schubert  Removed non-ASCII characters from some copyright comments.
3070a25439b6SCy Schubert  Removed trailing whitespace.
3071a25439b6SCy Schubert  Updated definitions for Meinberg clocks from current Meinberg header files.
3072a25439b6SCy Schubert  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
3073a25439b6SCy Schubert  Account for updated definitions pulled from Meinberg header files.
3074a25439b6SCy Schubert  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
3075a25439b6SCy Schubert  Replaced some constant numbers by defines from ntp_calendar.h
3076a25439b6SCy Schubert  Modified creation of parse-specific variables for Meinberg devices
3077a25439b6SCy Schubert  in gps16x_message().
3078a25439b6SCy Schubert  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
3079a25439b6SCy Schubert  Modified mbg_tm_str() which now expexts an additional parameter controlling
3080a25439b6SCy Schubert  if the time status shall be printed.
3081a25439b6SCy Schubert* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
3082a25439b6SCy Schubert* [Sec 2781] Authentication doesn't protect symmetric associations against
3083a25439b6SCy Schubert  DoS attacks.
3084a25439b6SCy Schubert* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
3085a25439b6SCy Schubert* [Bug 2789] Quiet compiler warnings from libevent.
3086a25439b6SCy Schubert* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
3087a25439b6SCy Schubert  pause briefly before measuring system clock precision to yield
3088a25439b6SCy Schubert  correct results.
3089a25439b6SCy Schubert* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
3090a25439b6SCy Schubert* Use predefined function types for parse driver functions
3091a25439b6SCy Schubert  used to set up function pointers.
3092a25439b6SCy Schubert  Account for changed prototype of parse_inp_fnc_t functions.
3093a25439b6SCy Schubert  Cast parse conversion results to appropriate types to avoid
3094a25439b6SCy Schubert  compiler warnings.
3095a25439b6SCy Schubert  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
3096a25439b6SCy Schubert  when called with pointers to different types.
3097a25439b6SCy Schubert
3098a25439b6SCy Schubert---
30992b15cb3dSCy SchubertNTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
31002b15cb3dSCy Schubert
31012b15cb3dSCy SchubertFocus: Security and Bug fixes, enhancements.
31022b15cb3dSCy Schubert
31032b15cb3dSCy SchubertSeverity: HIGH
31042b15cb3dSCy Schubert
31052b15cb3dSCy SchubertIn addition to bug fixes and enhancements, this release fixes the
31062b15cb3dSCy Schubertfollowing high-severity vulnerabilities:
31072b15cb3dSCy Schubert
31082b15cb3dSCy Schubert* vallen is not validated in several places in ntp_crypto.c, leading
31092b15cb3dSCy Schubert  to a potential information leak or possibly a crash
31102b15cb3dSCy Schubert
31112b15cb3dSCy Schubert    References: Sec 2671 / CVE-2014-9297 / VU#852879
31122b15cb3dSCy Schubert    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
31132b15cb3dSCy Schubert    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
31142b15cb3dSCy Schubert    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
31152b15cb3dSCy Schubert    Summary: The vallen packet value is not validated in several code
31162b15cb3dSCy Schubert             paths in ntp_crypto.c which can lead to information leakage
31172b15cb3dSCy Schubert	     or perhaps a crash of the ntpd process.
31182b15cb3dSCy Schubert    Mitigation - any of:
31192b15cb3dSCy Schubert	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
31202b15cb3dSCy Schubert		or the NTP Public Services Project Download Page.
31212b15cb3dSCy Schubert	Disable Autokey Authentication by removing, or commenting out,
31222b15cb3dSCy Schubert		all configuration directives beginning with the "crypto"
31232b15cb3dSCy Schubert		keyword in your ntp.conf file.
31242b15cb3dSCy Schubert    Credit: This vulnerability was discovered by Stephen Roettger of the
31252b15cb3dSCy Schubert    	Google Security Team, with additional cases found by Sebastian
31262b15cb3dSCy Schubert	Krahmer of the SUSE Security Team and Harlan Stenn of Network
31272b15cb3dSCy Schubert	Time Foundation.
31282b15cb3dSCy Schubert
* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

    References: Sec 2672 / CVE-2014-9298 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1, under at least some
        versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
    Summary: While available kernels will prevent 127.0.0.1 addresses
        from "appearing" on non-localhost IPv4 interfaces, some kernels
        do not offer the same protection for ::1 source addresses on
        IPv6 interfaces. Since NTP's access control is based on source
        address and localhost addresses generally have no restrictions,
        an attacker can send malicious control and configuration packets
        by spoofing ::1 addresses from the outside. Note Well: This is
        not really a bug in NTP, it's a problem with some OSes. If you
        have one of these OSes where ::1 can be spoofed, ALL ::1-based
        ACL restrictions on any application can be bypassed!
    Mitigation:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        Install firewall rules to block packets claiming to come from
            ::1 from inappropriate network interfaces.
    Credit: This vulnerability was discovered by Stephen Roettger of
        the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

 restrict default ... noquery

in the ntp.conf file.  With the exception of:

   receive(): missing return on error
   References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
        would generate a random key on the fly.  There were two
        problems with this: 1) the generated key was 31 bits in size,
        and 2) it used the (now weak) ntp_random() function, which was
        seeded with a 32-bit value and could only provide 32 bits of
        entropy.  This was sufficient back in the late 1990s when the
        code was written.  Not today.

  Mitigation - any of:
        - Upgrade to 4.2.7p11 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
        of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
        prepare a random number generator that was of good quality back
        in the late 1990s. The random numbers produced were then used to
        generate symmetric keys. In ntp-4.2.8 we use a current-technology
        cryptographic random number generator, either RAND_bytes from
        OpenSSL, or arc4random().

  Mitigation - any of:
        - Upgrade to 4.2.7p230 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
        Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
        file contains a 'crypto pw ...' directive) a remote attacker
        can send a carefully crafted packet that can overflow a stack
        buffer and potentially allow malicious code to be executed
        with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later, or
        - Disable Autokey Authentication by removing, or commenting out,
          all configuration directives beginning with the crypto keyword
          in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
        the code path where an error was detected, which meant
        processing did not stop when a specific rare error occurred.
        We haven't found a way for this bug to affect system integrity.
        If there is no way to affect system integrity the base CVSS
        score for this bug is 0. If there is one avenue through which
        system integrity can be partially affected, the base score
        becomes a 5. If system integrity can be partially affected
        via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later,
        - Remove or comment out all configuration directives
          beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years.  The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in.  Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more.  We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" value to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.
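
As an added illustration of the pivot scheme described above (example code written for this page, not ntpd's own calendar routines), the helper below resolves a 32-bit NTP seconds field against a compiled-in build timestamp so that the result lies in the window from 10 years before the build to about 126 years after it. The 2014-12-18 build time and the sample instants are constructed values; a timestamp older than the look-back window is deliberately pushed into the next era, which is the trade-off the text describes.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01). */
#define JAN_1970        2208988800LL
/* Length of one NTP era: the 32-bit seconds field wraps every 2^32 s. */
#define NTP_ERA_SECONDS (1LL << 32)
/* Average Gregorian year in seconds; used only to size the look-back window. */
#define SECS_PER_YEAR   31556952LL
/* How far before the build time a timestamp is still taken as "past". */
#define LOOKBACK_YEARS  10LL

/*
 * Resolve a 32-bit NTP seconds value (the era-relative field carried in a
 * packet) to absolute Unix seconds, using the compiled-in "built-on" time
 * as the pivot.  The answer is the unique instant inside the 2^32-second
 * window that starts LOOKBACK_YEARS before the build time, so the mapping
 * "looks back" 10 years and "looks forward" roughly 126 years.
 * Assumes the build time is later than 1910, so the window start is positive.
 */
int64_t resolve_ntp_seconds(uint32_t ntp_secs, int64_t built_on_unix)
{
    /* Move the pivot onto the NTP scale: seconds since 1900 as a wide integer. */
    int64_t built_on_ntp = built_on_unix + JAN_1970;
    int64_t window_start = built_on_ntp - LOOKBACK_YEARS * SECS_PER_YEAR;

    /* Base of the era containing window_start: largest multiple of 2^32 <= it. */
    int64_t era_base = window_start - (window_start % NTP_ERA_SECONDS);

    /* Place the 32-bit value in that era; if it falls before the window it
     * must belong to the following era (i.e. after the 2036 rollover). */
    int64_t t = era_base + (int64_t)ntp_secs;
    if (t < window_start)
        t += NTP_ERA_SECONDS;

    return t - JAN_1970;
}

/* The 32-bit seconds field a sender puts on the wire for a given Unix time. */
uint32_t ntp_seconds_field(int64_t unix_secs)
{
    return (uint32_t)((unix_secs + JAN_1970) % NTP_ERA_SECONDS);
}

int main(void)
{
    /* Constructed build timestamp: 2014-12-18 00:00:00 UTC, the 4.2.8 release day. */
    const int64_t built_on = 1418860800LL;
    /* Constructed sample instants: the release day, one day after the 2036
     * era rollover, and 20 years before the build (outside the look-back). */
    const int64_t samples[] = { 1418860800LL, 2086064896LL, 787721760LL };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t field = ntp_seconds_field(samples[i]);
        int64_t  back  = resolve_ntp_seconds(field, built_on);
        printf("unix %" PRId64 " -> field %" PRIu32 " -> resolved %" PRId64 "%s\n",
               samples[i], field, back,
               back == samples[i] ? "" : "  (older than 10 years: taken as next era)");
    }
    return 0;
}
```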
33312b15cb3dSCy Schubert
* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration.  There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent.  I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right.  As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd.  In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations.  There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc.  If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent.  If there's no equivalent,
please open a bug report at http://bugs.ntp.org/.

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

 * Updated "nic" and "interface" IPv6 address handling to prevent
   mismatches with localhost [::1] and wildcard [::] which resulted from
   using the address/prefix format (e.g. fe80::/64)
 * Fix orphan mode stratum incorrectly counting to infinity
 * Orphan parent selection metric updated to include missing ntohl()
 * Non-printable stratum 16 refid no longer sent to ntp
 * Duplicate ephemeral associations suppressed for broadcastclient and
   multicastclient without broadcastdelay
 * Exclude undetermined sys_refid from use in loopback TEST12
 * Exclude MODE_SERVER responses from KoD rate limiting
 * Include root delay in clock_update() sys_rootdisp calculations
 * get_systime() updated to exclude sys_residual offset (which only
   affected bits "below" sys_tick, the precision threshold)
 * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

 * -n option extended to include the billboard "server" column
 * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6.

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message).  In this case:

        * If an attacker spoofs the source address of ntpd host A in a
          mode 7 response packet sent to ntpd host B, both A and B will
          continuously send each other error responses, for as long as
          those packets get through.

        * If an attacker spoofs an address of ntpd host A in a mode 7
          response packet sent to ntpd host A, A will respond to itself
          endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete, and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to terminate ntpd
under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, and MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.
