mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-15 10:17:20 +00:00
276da39af9
Approved by: roberto, delphij Security: VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0 Security: http://bugs.ntp.org/show_bug.cgi?id=2853 Security: https://www.kb.cert.org/vuls/id/668167 Security: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi
960 lines
38 KiB
Plaintext
960 lines
38 KiB
Plaintext
---
|
|
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
|
|
|
|
Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.
|
|
|
|
Severity: MEDIUM
|
|
|
|
Security Fix:
|
|
|
|
* [Sec 2853] Crafted remote config packet can crash some versions of
|
|
ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
|
|
|
|
Under specific circumstances an attacker can send a crafted packet to
|
|
cause a vulnerable ntpd instance to crash. This requires each of the
|
|
following to be true:
|
|
|
|
1) ntpd set up to allow remote configuration (not allowed by default), and
|
|
2) knowledge of the configuration password, and
|
|
3) access to a computer entrusted to perform remote configuration.
|
|
|
|
This vulnerability is considered low-risk.
|
|
|
|
New features in this release:
|
|
|
|
Optional (disabled by default) support to have ntpd provide smeared
|
|
leap second time. A specially built and configured ntpd will only
|
|
offer smeared time in response to client packets. These response
|
|
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
|
|
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
|
|
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
|
|
information.
|
|
|
|
*IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
|
|
*BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
|
|
|
|
We've imported the Unity test framework, and have begun converting
|
|
the existing google-test items to this new framework. If you want
|
|
to write new tests or change old ones, you'll need to have ruby
|
|
installed. You don't need ruby to run the test suite.
|
|
|
|
Bug Fixes and Improvements:
|
|
|
|
* CID 739725: Fix a rare resource leak in libevent/listener.c.
|
|
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
|
|
* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
|
|
* CID 1269537: Clean up a line of dead code in getShmTime().
|
|
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
|
|
* [Bug 2590] autogen-5.18.5.
|
|
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
|
|
of 'limited'.
|
|
* [Bug 2650] fix includefile processing.
|
|
* [Bug 2745] ntpd -x steps clock on leap second
|
|
Fixed an initial-value problem that caused misbehaviour in absence of
|
|
any leapsecond information.
|
|
Do leap second stepping only of the step adjustment is beyond the
|
|
proper jump distance limit and step correction is allowed at all.
|
|
* [Bug 2750] build for Win64
|
|
Building for 32bit of loopback ppsapi needs def file
|
|
* [Bug 2776] Improve ntpq's 'help keytype'.
|
|
* [Bug 2778] Implement "apeers" ntpq command to include associd.
|
|
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
|
|
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
|
|
interface is ignored as long as this flag is not set since the
|
|
interface is not usable (e.g., no link).
|
|
* [Bug 2794] Clean up kernel clock status reports.
|
|
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
|
|
of incompatible open/fdopen parameters.
|
|
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
|
|
* [Bug 2805] ntpd fails to join multicast group.
|
|
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
|
|
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
|
|
Fix crash during cleanup if GPS device not present and char device.
|
|
Increase internal token buffer to parse all JSON data, even SKY.
|
|
Defer logging of errors during driver init until the first unit is
|
|
started, so the syslog is not cluttered when the driver is not used.
|
|
Various improvements, see http://bugs.ntp.org/2808 for details.
|
|
Changed libjsmn to a more recent version.
|
|
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
|
|
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
|
|
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
|
|
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
|
|
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
|
|
* [Bug 2824] Convert update-leap to perl. (also see 2769)
|
|
* [Bug 2825] Quiet file installation in html/ .
|
|
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
|
|
NTPD transfers the current TAI (instead of an announcement) now.
|
|
This might still needed improvement.
|
|
Update autokey data ASAP when 'sys_tai' changes.
|
|
Fix unit test that was broken by changes for autokey update.
|
|
Avoid potential signature length issue and use DPRINTF where possible
|
|
in ntp_crypto.c.
|
|
* [Bug 2832] refclock_jjy.c supports the TDC-300.
|
|
* [Bug 2834] Correct a broken html tag in html/refclock.html
|
|
* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
|
|
robust, and require 2 consecutive timestamps to be consistent.
|
|
* [Bug 2837] Allow a configurable DSCP value.
|
|
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
|
|
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
|
|
* [Bug 2842] Bug in mdoc2man.
|
|
* [Bug 2843] make check fails on 4.3.36
|
|
Fixed compiler warnings about numeric range overflow
|
|
(The original topic was fixed in a byplay to bug#2830)
|
|
* [Bug 2845] Harden memory allocation in ntpd.
|
|
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
|
|
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
|
|
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
|
|
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
|
|
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
|
|
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
|
|
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
|
|
* [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel.
|
|
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
|
|
* html/drivers/driver22.html: typo fix. Harlan Stenn.
|
|
* refidsmear test cleanup. Tomasz Flendrich.
|
|
* refidsmear function support and tests. Harlan Stenn.
|
|
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
|
|
something that was only in the 4.2.6 sntp. Harlan Stenn.
|
|
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
|
|
Damir Tomić
|
|
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
|
|
Damir Tomić
|
|
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
|
|
Damir Tomić
|
|
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
|
|
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
|
|
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
|
|
atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
|
|
calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
|
|
numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
|
|
timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
|
|
Damir Tomić
|
|
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
|
|
networking.c, keyFile.c, utilities.cpp, sntptest.h,
|
|
fileHandlingTest.h. Damir Tomić
|
|
* Initial support for experimental leap smear code. Harlan Stenn.
|
|
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
|
|
* Report select() debug messages at debug level 3 now.
|
|
* sntp/scripts/genLocInfo: treat raspbian as debian.
|
|
* Unity test framework fixes.
|
|
** Requires ruby for changes to tests.
|
|
* Initial support for PACKAGE_VERSION tests.
|
|
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
|
|
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
|
|
* Add an assert to the ntpq ifstats code.
|
|
* Clean up the RLIMIT_STACK code.
|
|
* Improve the ntpq documentation around the controlkey keyid.
|
|
* ntpq.c cleanup.
|
|
* Windows port build cleanup.
|
|
|
|
---
|
|
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
|
|
|
|
Focus: Security and Bug fixes, enhancements.
|
|
|
|
Severity: MEDIUM
|
|
|
|
In addition to bug fixes and enhancements, this release fixes the
|
|
following medium-severity vulnerabilities involving private key
|
|
authentication:
|
|
|
|
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
|
|
|
|
References: Sec 2779 / CVE-2015-1798 / VU#374268
|
|
Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
|
|
including ntp-4.2.8p2 where the installation uses symmetric keys
|
|
to authenticate remote associations.
|
|
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
|
|
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
|
|
Summary: When ntpd is configured to use a symmetric key to authenticate
|
|
a remote NTP server/peer, it checks if the NTP message
|
|
authentication code (MAC) in received packets is valid, but not if
|
|
there actually is any MAC included. Packets without a MAC are
|
|
accepted as if they had a valid MAC. This allows a MITM attacker to
|
|
send false packets that are accepted by the client/peer without
|
|
having to know the symmetric key. The attacker needs to know the
|
|
transmit timestamp of the client to match it in the forged reply
|
|
and the false reply needs to reach the client before the genuine
|
|
reply from the server. The attacker doesn't necessarily need to be
|
|
relaying the packets between the client and the server.
|
|
|
|
Authentication using autokey doesn't have this problem as there is
|
|
a check that requires the key ID to be larger than NTP_MAXKEY,
|
|
which fails for packets without a MAC.
|
|
Mitigation:
|
|
Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page
|
|
Configure ntpd with enough time sources and monitor it properly.
|
|
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
|
|
|
|
* [Sec 2781] Authentication doesn't protect symmetric associations against
|
|
DoS attacks.
|
|
|
|
References: Sec 2781 / CVE-2015-1799 / VU#374268
|
|
Affects: All NTP releases starting with at least xntp3.3wy up to but
|
|
not including ntp-4.2.8p2 where the installation uses symmetric
|
|
key authentication.
|
|
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
|
|
Note: the CVSS base Score for this issue could be 4.3 or lower, and
|
|
it could be higher than 5.4.
|
|
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
|
|
Summary: An attacker knowing that NTP hosts A and B are peering with
|
|
each other (symmetric association) can send a packet to host A
|
|
with source address of B which will set the NTP state variables
|
|
on A to the values sent by the attacker. Host A will then send
|
|
on its next poll to B a packet with originate timestamp that
|
|
doesn't match the transmit timestamp of B and the packet will
|
|
be dropped. If the attacker does this periodically for both
|
|
hosts, they won't be able to synchronize to each other. This is
|
|
a known denial-of-service attack, described at
|
|
https://www.eecis.udel.edu/~mills/onwire.html .
|
|
|
|
According to the document the NTP authentication is supposed to
|
|
protect symmetric associations against this attack, but that
|
|
doesn't seem to be the case. The state variables are updated even
|
|
when authentication fails and the peers are sending packets with
|
|
originate timestamps that don't match the transmit timestamps on
|
|
the receiving side.
|
|
|
|
This seems to be a very old problem, dating back to at least
|
|
xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
|
|
specifications, so other NTP implementations with support for
|
|
symmetric associations and authentication may be vulnerable too.
|
|
An update to the NTP RFC to correct this error is in-process.
|
|
Mitigation:
|
|
Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page
|
|
Note that for users of autokey, this specific style of MITM attack
|
|
is simply a long-known potential problem.
|
|
Configure ntpd with appropriate time sources and monitor ntpd.
|
|
Alert your staff if problems are detected.
|
|
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
|
|
|
|
* New script: update-leap
|
|
The update-leap script will verify and if necessary, update the
|
|
leap-second definition file.
|
|
It requires the following commands in order to work:
|
|
|
|
wget logger tr sed shasum
|
|
|
|
Some may choose to run this from cron. It needs more portability testing.
|
|
|
|
Bug Fixes and Improvements:
|
|
|
|
* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
|
|
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
|
|
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
|
|
* [Bug 2728] See if C99-style structure initialization works.
|
|
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
|
|
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
|
|
* [Bug 2751] jitter.h has stale copies of l_fp macros.
|
|
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
|
|
* [Bug 2757] Quiet compiler warnings.
|
|
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
|
|
* [Bug 2763] Allow different thresholds for forward and backward steps.
|
|
* [Bug 2766] ntp-keygen output files should not be world-readable.
|
|
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
|
|
* [Bug 2771] nonvolatile value is documented in wrong units.
|
|
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
|
|
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
|
|
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
|
|
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
|
|
Removed non-ASCII characters from some copyright comments.
|
|
Removed trailing whitespace.
|
|
Updated definitions for Meinberg clocks from current Meinberg header files.
|
|
Now use C99 fixed-width types and avoid non-ASCII characters in comments.
|
|
Account for updated definitions pulled from Meinberg header files.
|
|
Updated comments on Meinberg GPS receivers which are not only called GPS16x.
|
|
Replaced some constant numbers by defines from ntp_calendar.h
|
|
Modified creation of parse-specific variables for Meinberg devices
|
|
in gps16x_message().
|
|
Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
|
|
Modified mbg_tm_str() which now expexts an additional parameter controlling
|
|
if the time status shall be printed.
|
|
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
|
|
* [Sec 2781] Authentication doesn't protect symmetric associations against
|
|
DoS attacks.
|
|
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
|
|
* [Bug 2789] Quiet compiler warnings from libevent.
|
|
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
|
|
pause briefly before measuring system clock precision to yield
|
|
correct results.
|
|
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
|
|
* Use predefined function types for parse driver functions
|
|
used to set up function pointers.
|
|
Account for changed prototype of parse_inp_fnc_t functions.
|
|
Cast parse conversion results to appropriate types to avoid
|
|
compiler warnings.
|
|
Let ioctl() for Windows accept a (void *) to avoid compiler warnings
|
|
when called with pointers to different types.
|
|
|
|
---
|
|
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
|
|
|
|
Focus: Security and Bug fixes, enhancements.
|
|
|
|
Severity: HIGH
|
|
|
|
In addition to bug fixes and enhancements, this release fixes the
|
|
following high-severity vulnerabilities:
|
|
|
|
* vallen is not validated in several places in ntp_crypto.c, leading
|
|
to a potential information leak or possibly a crash
|
|
|
|
References: Sec 2671 / CVE-2014-9297 / VU#852879
|
|
Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Date Resolved: Stable (4.2.8p1) 04 Feb 2015
|
|
Summary: The vallen packet value is not validated in several code
|
|
paths in ntp_crypto.c which can lead to information leakage
|
|
or perhaps a crash of the ntpd process.
|
|
Mitigation - any of:
|
|
Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page.
|
|
Disable Autokey Authentication by removing, or commenting out,
|
|
all configuration directives beginning with the "crypto"
|
|
keyword in your ntp.conf file.
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team, with additional cases found by Sebastian
|
|
Krahmer of the SUSE Security Team and Harlan Stenn of Network
|
|
Time Foundation.
|
|
|
|
* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
|
|
can be bypassed.
|
|
|
|
References: Sec 2672 / CVE-2014-9298 / VU#852879
|
|
Affects: All NTP4 releases before 4.2.8p1, under at least some
|
|
versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
|
|
Date Resolved: Stable (4.2.8p1) 04 Feb 2014
|
|
Summary: While available kernels will prevent 127.0.0.1 addresses
|
|
from "appearing" on non-localhost IPv4 interfaces, some kernels
|
|
do not offer the same protection for ::1 source addresses on
|
|
IPv6 interfaces. Since NTP's access control is based on source
|
|
address and localhost addresses generally have no restrictions,
|
|
an attacker can send malicious control and configuration packets
|
|
by spoofing ::1 addresses from the outside. Note Well: This is
|
|
not really a bug in NTP, it's a problem with some OSes. If you
|
|
have one of these OSes where ::1 can be spoofed, ALL ::1 -based
|
|
ACL restrictions on any application can be bypassed!
|
|
Mitigation:
|
|
Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page
|
|
Install firewall rules to block packets claiming to come from
|
|
::1 from inappropriate network interfaces.
|
|
Credit: This vulnerability was discovered by Stephen Roettger of
|
|
the Google Security Team.
|
|
|
|
Additionally, over 30 bugfixes and improvements were made to the codebase.
|
|
See the ChangeLog for more information.
|
|
|
|
---
|
|
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
|
|
|
|
Focus: Security and Bug fixes, enhancements.
|
|
|
|
Severity: HIGH
|
|
|
|
In addition to bug fixes and enhancements, this release fixes the
|
|
following high-severity vulnerabilities:
|
|
|
|
************************** vv NOTE WELL vv *****************************
|
|
|
|
The vulnerabilities listed below can be significantly mitigated by
|
|
following the BCP of putting
|
|
|
|
restrict default ... noquery
|
|
|
|
in the ntp.conf file. With the exception of:
|
|
|
|
receive(): missing return on error
|
|
References: Sec 2670 / CVE-2014-9296 / VU#852879
|
|
|
|
below (which is a limited-risk vulnerability), none of the recent
|
|
vulnerabilities listed below can be exploited if the source IP is
|
|
restricted from sending a 'query'-class packet by your ntp.conf file.
|
|
|
|
************************** ^^ NOTE WELL ^^ *****************************
|
|
|
|
* Weak default key in config_auth().
|
|
|
|
References: [Sec 2665] / CVE-2014-9293 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
|
|
Vulnerable Versions: all releases prior to 4.2.7p11
|
|
Date Resolved: 28 Jan 2010
|
|
|
|
Summary: If no 'auth' key is set in the configuration file, ntpd
|
|
would generate a random key on the fly. There were two
|
|
problems with this: 1) the generated key was 31 bits in size,
|
|
and 2) it used the (now weak) ntp_random() function, which was
|
|
seeded with a 32-bit value and could only provide 32 bits of
|
|
entropy. This was sufficient back in the late 1990s when the
|
|
code was written. Not today.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.7p11 or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
|
|
of the Google Security Team.
|
|
|
|
* Non-cryptographic random number generator with weak seed used by
|
|
ntp-keygen to generate symmetric keys.
|
|
|
|
References: [Sec 2666] / CVE-2014-9294 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
|
|
Vulnerable Versions: All NTP4 releases before 4.2.7p230
|
|
Date Resolved: Dev (4.2.7p230) 01 Nov 2011
|
|
|
|
Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
|
|
prepare a random number generator that was of good quality back
|
|
in the late 1990s. The random numbers produced was then used to
|
|
generate symmetric keys. In ntp-4.2.8 we use a current-technology
|
|
cryptographic random number generator, either RAND_bytes from
|
|
OpenSSL, or arc4random().
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.7p230 or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered in ntp-4.2.6 by
|
|
Stephen Roettger of the Google Security Team.
|
|
|
|
* Buffer overflow in crypto_recv()
|
|
|
|
References: Sec 2667 / CVE-2014-9295 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Versions: All releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
|
|
file contains a 'crypto pw ...' directive) a remote attacker
|
|
can send a carefully crafted packet that can overflow a stack
|
|
buffer and potentially allow malicious code to be executed
|
|
with the privilege level of the ntpd process.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later, or
|
|
- Disable Autokey Authentication by removing, or commenting out,
|
|
all configuration directives beginning with the crypto keyword
|
|
in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
* Buffer overflow in ctl_putdata()
|
|
|
|
References: Sec 2668 / CVE-2014-9295 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Versions: All NTP4 releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: A remote attacker can send a carefully crafted packet that
|
|
can overflow a stack buffer and potentially allow malicious
|
|
code to be executed with the privilege level of the ntpd process.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
* Buffer overflow in configure()
|
|
|
|
References: Sec 2669 / CVE-2014-9295 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Versions: All NTP4 releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: A remote attacker can send a carefully crafted packet that
|
|
can overflow a stack buffer and potentially allow malicious
|
|
code to be executed with the privilege level of the ntpd process.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
* receive(): missing return on error
|
|
|
|
References: Sec 2670 / CVE-2014-9296 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
|
|
Versions: All NTP4 releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
|
|
the code path where an error was detected, which meant
|
|
processing did not stop when a specific rare error occurred.
|
|
We haven't found a way for this bug to affect system integrity.
|
|
If there is no way to affect system integrity the base CVSS
|
|
score for this bug is 0. If there is one avenue through which
|
|
system integrity can be partially affected, the base score
|
|
becomes a 5. If system integrity can be partially affected
|
|
via all three integrity metrics, the CVSS base score become 7.5.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later,
|
|
- Remove or comment out all configuration directives
|
|
beginning with the crypto keyword in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
See http://support.ntp.org/security for more information.
|
|
|
|
New features / changes in this release:
|
|
|
|
Important Changes
|
|
|
|
* Internal NTP Era counters
|
|
|
|
The internal counters that track the "era" (range of years) we are in
|
|
rolls over every 136 years'. The current "era" started at the stroke of
|
|
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
|
|
1 Jan 2036.
|
|
In the past, we have used the "midpoint" of the range to decide which
|
|
era we were in. Given the longevity of some products, it became clear
|
|
that it would be more functional to "look back" less, and "look forward"
|
|
more. We now compile a timestamp into the ntpd executable and when we
|
|
get a timestamp we us the "built-on" to tell us what era we are in.
|
|
This check "looks back" 10 years, and "looks forward" 126 years.
|
|
|
|
* ntpdc responses disabled by default
|
|
|
|
Dave Hart writes:
|
|
|
|
For a long time, ntpq and its mostly text-based mode 6 (control)
|
|
protocol have been preferred over ntpdc and its mode 7 (private
|
|
request) protocol for runtime queries and configuration. There has
|
|
been a goal of deprecating ntpdc, previously held back by numerous
|
|
capabilities exposed by ntpdc with no ntpq equivalent. I have been
|
|
adding commands to ntpq to cover these cases, and I believe I've
|
|
covered them all, though I've not compared command-by-command
|
|
recently.
|
|
|
|
As I've said previously, the binary mode 7 protocol involves a lot of
|
|
hand-rolled structure layout and byte-swapping code in both ntpd and
|
|
ntpdc which is hard to get right. As ntpd grows and changes, the
|
|
changes are difficult to expose via ntpdc while maintaining forward
|
|
and backward compatibility between ntpdc and ntpd. In contrast,
|
|
ntpq's text-based, label=value approach involves more code reuse and
|
|
allows compatible changes without extra work in most cases.
|
|
|
|
Mode 7 has always been defined as vendor/implementation-specific while
|
|
mode 6 is described in RFC 1305 and intended to be open to interoperate
|
|
with other implementations. There is an early draft of an updated
|
|
mode 6 description that likely will join the other NTPv4 RFCs
|
|
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
|
|
|
|
For these reasons, ntpd 4.2.7p230 by default disables processing of
|
|
ntpdc queries, reducing ntpd's attack surface and functionally
|
|
deprecating ntpdc. If you are in the habit of using ntpdc for certain
|
|
operations, please try the ntpq equivalent. If there's no equivalent,
|
|
please open a bug report at http://bugs.ntp.org./
|
|
|
|
In addition to the above, over 1100 issues have been resolved between
|
|
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
|
|
lists these.
|
|
|
|
---
|
|
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
|
|
|
|
Focus: Bug fixes
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release updates sys_rootdisp and sys_jitter calculations to match the
|
|
RFC specification, fixes a potential IPv6 address matching error for the
|
|
"nic" and "interface" configuration directives, suppresses the creation of
|
|
extraneous ephemeral associations for certain broadcastclient and
|
|
multicastclient configurations, cleans up some ntpq display issues, and
|
|
includes improvements to orphan mode, minor bugs fixes and code clean-ups.
|
|
|
|
New features / changes in this release:
|
|
|
|
ntpd
|
|
|
|
* Updated "nic" and "interface" IPv6 address handling to prevent
|
|
mismatches with localhost [::1] and wildcard [::] which resulted from
|
|
using the address/prefix format (e.g. fe80::/64)
|
|
* Fix orphan mode stratum incorrectly counting to infinity
|
|
* Orphan parent selection metric updated to includes missing ntohl()
|
|
* Non-printable stratum 16 refid no longer sent to ntp
|
|
* Duplicate ephemeral associations suppressed for broadcastclient and
|
|
multicastclient without broadcastdelay
|
|
* Exclude undetermined sys_refid from use in loopback TEST12
|
|
* Exclude MODE_SERVER responses from KoD rate limiting
|
|
* Include root delay in clock_update() sys_rootdisp calculations
|
|
* get_systime() updated to exclude sys_residual offset (which only
|
|
affected bits "below" sys_tick, the precision threshold)
|
|
* sys.peer jitter weighting corrected in sys_jitter calculation
|
|
|
|
ntpq
|
|
|
|
* -n option extended to include the billboard "server" column
|
|
* IPv6 addresses in the local column truncated to prevent overruns
|
|
|
|
---
|
|
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
|
|
|
|
Focus: Bug fixes and portability improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release includes build infrastructure updates, code
|
|
clean-ups, minor bug fixes, fixes for a number of minor
|
|
ref-clock issues, and documentation revisions.
|
|
|
|
Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
|
|
|
|
New features / changes in this release:
|
|
|
|
Build system
|
|
|
|
* Fix checking for struct rtattr
|
|
* Update config.guess and config.sub for AIX
|
|
* Upgrade required version of autogen and libopts for building
|
|
from our source code repository
|
|
|
|
ntpd
|
|
|
|
* Back-ported several fixes for Coverity warnings from ntp-dev
|
|
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
|
|
* Allow "logconfig =allall" configuration directive
|
|
* Bind tentative IPv6 addresses on Linux
|
|
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
|
|
* Improved tally bit handling to prevent incorrect ntpq peer status reports
|
|
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
|
|
candidate list unless they are designated a "prefer peer"
|
|
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
|
|
selection during the 'tos orphanwait' period
|
|
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
|
|
drivers
|
|
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
|
|
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
|
|
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
|
|
clock slew on Microsoft Windows
|
|
* Code cleanup in libntpq
|
|
|
|
ntpdc
|
|
|
|
* Fix timerstats reporting
|
|
|
|
ntpdate
|
|
|
|
* Reduce time required to set clock
|
|
* Allow a timeout greater than 2 seconds
|
|
|
|
sntp
|
|
|
|
* Backward incompatible command-line option change:
|
|
-l/--filelog changed -l/--logfile (to be consistent with ntpd)
|
|
|
|
Documentation
|
|
|
|
* Update html2man. Fix some tags in the .html files
|
|
* Distribute ntp-wait.html
|
|
|
|
---
|
|
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
|
|
|
|
Focus: Bug fixes and portability improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release includes build infrastructure updates, code
|
|
clean-ups, minor bug fixes, fixes for a number of minor
|
|
ref-clock issues, and documentation revisions.
|
|
|
|
Portability improvements in this release affect AIX, Atari FreeMiNT,
|
|
FreeBSD4, Linux and Microsoft Windows.
|
|
|
|
New features / changes in this release:
|
|
|
|
Build system
|
|
* Use lsb_release to get information about Linux distributions.
|
|
* 'test' is in /usr/bin (instead of /bin) on some systems.
|
|
* Basic sanity checks for the ChangeLog file.
|
|
* Source certain build files with ./filename for systems without . in PATH.
|
|
* IRIX portability fix.
|
|
* Use a single copy of the "libopts" code.
|
|
* autogen/libopts upgrade.
|
|
* configure.ac m4 quoting cleanup.
|
|
|
|
ntpd
|
|
* Do not bind to IN6_IFF_ANYCAST addresses.
|
|
* Log the reason for exiting under Windows.
|
|
* Multicast fixes for Windows.
|
|
* Interpolation fixes for Windows.
|
|
* IPv4 and IPv6 Multicast fixes.
|
|
* Manycast solicitation fixes and general repairs.
|
|
* JJY refclock cleanup.
|
|
* NMEA refclock improvements.
|
|
* Oncore debug message cleanup.
|
|
* Palisade refclock now builds under Linux.
|
|
* Give RAWDCF more baud rates.
|
|
* Support Truetime Satellite clocks under Windows.
|
|
* Support Arbiter 1093C Satellite clocks under Windows.
|
|
* Make sure that the "filegen" configuration command defaults to "enable".
|
|
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
|
|
* Prohibit 'includefile' directive in remote configuration command.
|
|
* Fix 'nic' interface bindings.
|
|
* Fix the way we link with openssl if openssl is installed in the base
|
|
system.
|
|
|
|
ntp-keygen
|
|
* Fix -V coredump.
|
|
* OpenSSL version display cleanup.
|
|
|
|
ntpdc
|
|
* Many counters should be treated as unsigned.
|
|
|
|
ntpdate
|
|
* Do not ignore replies with equal receive and transmit timestamps.
|
|
|
|
ntpq
|
|
* libntpq warning cleanup.
|
|
|
|
ntpsnmpd
|
|
* Correct SNMP type for "precision" and "resolution".
|
|
* Update the MIB from the draft version to RFC-5907.
|
|
|
|
sntp
|
|
* Display timezone offset when showing time for sntp in the local
|
|
timezone.
|
|
* Pay proper attention to RATE KoD packets.
|
|
* Fix a miscalculation of the offset.
|
|
* Properly parse empty lines in the key file.
|
|
* Logging cleanup.
|
|
* Use tv_usec correctly in set_time().
|
|
* Documentation cleanup.
|
|
|
|
---
|
|
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
|
|
|
|
Focus: Bug fixes and portability improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release includes build infrastructure updates, code
|
|
clean-ups, minor bug fixes, fixes for a number of minor
|
|
ref-clock issues, improved KOD handling, OpenSSL related
|
|
updates and documentation revisions.
|
|
|
|
Portability improvements in this release affect Irix, Linux,
|
|
Mac OS, Microsoft Windows, OpenBSD and QNX6
|
|
|
|
New features / changes in this release:
|
|
|
|
ntpd
|
|
* Range syntax for the trustedkey configuration directive
|
|
* Unified IPv4 and IPv6 restrict lists
|
|
|
|
ntpdate
|
|
* Rate limiting and KOD handling
|
|
|
|
ntpsnmpd
|
|
* default connection to net-snmpd via a unix-domain socket
|
|
* command-line 'socket name' option
|
|
|
|
ntpq / ntpdc
|
|
* support for the "passwd ..." syntax
|
|
* key-type specific password prompts
|
|
|
|
sntp
|
|
* MD5 authentication of an ntpd
|
|
* Broadcast and crypto
|
|
* OpenSSL support
|
|
|
|
---
|
|
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
|
|
|
|
Focus: Bug fixes, portability fixes, and documentation improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
---
|
|
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
|
|
|
|
Focus: enhancements and bug fixes.
|
|
|
|
---
|
|
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
|
|
|
|
Focus: Security Fixes
|
|
|
|
Severity: HIGH
|
|
|
|
This release fixes the following high-severity vulnerability:
|
|
|
|
* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
|
|
|
|
See http://support.ntp.org/security for more information.
|
|
|
|
NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
|
|
In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
|
|
transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
|
|
request or a mode 7 error response from an address which is not listed
|
|
in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
|
|
reply with a mode 7 error response (and log a message). In this case:
|
|
|
|
* If an attacker spoofs the source address of ntpd host A in a
|
|
mode 7 response packet sent to ntpd host B, both A and B will
|
|
continuously send each other error responses, for as long as
|
|
those packets get through.
|
|
|
|
* If an attacker spoofs an address of ntpd host A in a mode 7
|
|
response packet sent to ntpd host A, A will respond to itself
|
|
endlessly, consuming CPU and logging excessively.
|
|
|
|
Credit for finding this vulnerability goes to Robin Park and Dmitri
|
|
Vinokurov of Alcatel-Lucent.
|
|
|
|
THIS IS A STRONGLY RECOMMENDED UPGRADE.
|
|
|
|
---
|
|
ntpd now syncs to refclocks right away.
|
|
|
|
Backward-Incompatible changes:
|
|
|
|
ntpd no longer accepts '-v name' or '-V name' to define internal variables.
|
|
Use '--var name' or '--dvar name' instead. (Bug 817)
|
|
|
|
---
|
|
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
|
|
|
|
Focus: Security and Bug Fixes
|
|
|
|
Severity: HIGH
|
|
|
|
This release fixes the following high-severity vulnerability:
|
|
|
|
* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252
|
|
|
|
See http://support.ntp.org/security for more information.
|
|
|
|
If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
|
|
line) then a carefully crafted packet sent to the machine will cause
|
|
a buffer overflow and possible execution of injected code, running
|
|
with the privileges of the ntpd process (often root).
|
|
|
|
Credit for finding this vulnerability goes to Chris Ries of CMU.
|
|
|
|
This release fixes the following low-severity vulnerabilities:
|
|
|
|
* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
|
|
Credit for finding this vulnerability goes to Geoff Keating of Apple.
|
|
|
|
* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
|
|
Credit for finding this issue goes to Dave Hart.
|
|
|
|
This release fixes a number of bugs and adds some improvements:
|
|
|
|
* Improved logging
|
|
* Fix many compiler warnings
|
|
* Many fixes and improvements for Windows
|
|
* Adds support for AIX 6.1
|
|
* Resolves some issues under MacOS X and Solaris
|
|
|
|
THIS IS A STRONGLY RECOMMENDED UPGRADE.
|
|
|
|
---
|
|
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
|
|
|
|
Focus: Security Fix
|
|
|
|
Severity: Low
|
|
|
|
This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
|
|
the OpenSSL library relating to the incorrect checking of the return
|
|
value of EVP_VerifyFinal function.
|
|
|
|
Credit for finding this issue goes to the Google Security Team for
|
|
finding the original issue with OpenSSL, and to ocert.org for finding
|
|
the problem in NTP and telling us about it.
|
|
|
|
This is a recommended upgrade.
|
|
---
|
|
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release fixes a number of Windows-specific ntpd bugs and
|
|
platform-independent ntpdate bugs. A logging bugfix has been applied
|
|
to the ONCORE driver.
|
|
|
|
The "dynamic" keyword and is now obsolete and deferred binding to local
|
|
interfaces is the new default. The minimum time restriction for the
|
|
interface update interval has been dropped.
|
|
|
|
A number of minor build system and documentation fixes are included.
|
|
|
|
This is a recommended upgrade for Windows.
|
|
|
|
---
|
|
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release updates certain copyright information, fixes several display
|
|
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
|
|
shutdown in the parse refclock driver, removes some lint from the code,
|
|
stops accessing certain buffers immediately after they were freed, fixes
|
|
a problem with non-command-line specification of -6, and allows the loopback
|
|
interface to share addresses with other interfaces.
|
|
|
|
---
|
|
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release fixes a bug in Windows that made it difficult to
|
|
terminate ntpd under windows.
|
|
This is a recommended upgrade for Windows.
|
|
|
|
---
|
|
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release fixes a multicast mode authentication problem,
|
|
an error in NTP packet handling on Windows that could lead to
|
|
ntpd crashing, and several other minor bugs. Handling of
|
|
multicast interfaces and logging configuration were improved.
|
|
The required versions of autogen and libopts were incremented.
|
|
This is a recommended upgrade for Windows and multicast users.
|
|
|
|
---
|
|
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
|
|
|
|
Focus: enhancements and bug fixes.
|
|
|
|
Dynamic interface rescanning was added to simplify the use of ntpd in
|
|
conjunction with DHCP. GNU AutoGen is used for its command-line options
|
|
processing. Separate PPS devices are supported for PARSE refclocks, MD5
|
|
signatures are now provided for the release files. Drivers have been
|
|
added for some new ref-clocks and have been removed for some older
|
|
ref-clocks. This release also includes other improvements, documentation
|
|
and bug fixes.
|
|
|
|
K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
|
|
C support.
|
|
|
|
---
|
|
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
|
|
|
|
Focus: enhancements and bug fixes.
|