-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathNEWS
2260 lines (1952 loc) · 102 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
---
NTP 4.2.8p8 (Harlan Stenn <[email protected]>, 2016/06/02)
Focus: Security, Bug fixes, enhancements.
Severity: HIGH
In addition to bug fixes and enhancements, this release fixes the
following 1 high- and 4 low-severity vulnerabilities:
* CRYPTO_NAK crash
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3046 / CVE-2016-4957 / VU#321640
Affects: ntp-4.2.8p7, and ntp-4.3.92.
CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
could cause ntpd to crash.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you cannot upgrade from 4.2.8p7, the only other alternatives
are to patch your code or filter CRYPTO_NAK packets.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Nicolas Edet of Cisco.
* Bad authentication demobilizes ephemeral associations
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3045 / CVE-2016-4953 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: An attacker who knows the origin timestamp and can send a
spoofed packet containing a CRYPTO-NAK to an ephemeral peer
target before any other response is sent can demobilize that
association.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
* Processing spoofed server packets
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3044 / CVE-2016-4954 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: An attacker who is able to spoof packets with correct origin
timestamps from enough servers before the expected response
packets arrive at the target machine can affect some peer
variables and, for example, cause a false leap indication to be set.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Jakub Prokes of Red Hat.
* Autokey association reset
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3043 / CVE-2016-4955 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: An attacker who is able to spoof a packet with a correct
origin timestamp before the expected response packet arrives at
the target machine can send a CRYPTO_NAK or a bad MAC and cause
the association's peer variables to be cleared. If this can be
done often enough, it will prevent that association from working.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
* Broadcast interleave
Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
References: Sec 3042 / CVE-2016-4956 / VU#321640
Affects: ntp-4, up to but not including ntp-4.2.8p8, and
ntp-4.3.0 up to, but not including ntp-4.3.93.
CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: The fix for NtpBug2978 does not cover broadcast associations,
so broadcast clients can be triggered to flip into interleave mode.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
Other fixes:
* [Bug 3038] NTP fails to build in VS2015. [email protected]
- provide build environment
- 'wint_t' and 'struct timespec' defined by VS2015
- fixed print()/scanf() format issues
* [Bug 3052] Add a .gitignore file. Edmund Wong.
* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
JPerlinger, HStenn.
* Fix typo in ntp-wait and plot_summary. HStenn.
* Make sure we have an "author" file for git imports. HStenn.
* Update the sntp problem tests for MacOS. HStenn.
---
NTP 4.2.8p7 (Harlan Stenn <[email protected]>, 2016/04/26)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave. More information on this below.
Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp. These events have almost certainly happened in the
past, it's just that they were silently counted and not logged. With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior. This increased
logging can also help detect other problems, too.
In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:
* Improve NTP security against buffer comparison timing attacks,
AKA: authdecrypt-timing
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2879 / CVE-2016-1550
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary: Packet authentication tests have been performed using
memcmp() or possibly bcmp(), and it is potentially possible
for a local or perhaps LAN-based attacker to send a packet with
an authentication payload and indirectly observe how much of
the digest has matched.
Mitigation:
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances.
Credit: This weakness was discovered independently by Loganaden
Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
* Zero origin timestamp bypass: Additional KoD checks.
References: Sec 2945 / Sec 2901 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
* peer associations were broken by the fix for NtpBug2899
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2952 / CVE-2015-7704
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
associations did not address all of the issues.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you can't upgrade, use "server" associations instead of
"peer" associations.
Monitor your ntpd instances.
Credit: This problem was discovered by Michael Tatarinov.
* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3007 / CVE-2016-1547 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
off-path attacker can cause a preemptable client association to
be demobilized by sending a crypto NAK packet to a victim client
with a spoofed source address of an existing associated peer.
This is true even if authentication is enabled.
Furthermore, if the attacker keeps sending crypto NAK packets,
for example one every second, the victim never has a chance to
reestablish the association and synchronize time with that
legitimate server.
For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
stringent checks are performed on incoming packets, but there
are still ways to exploit this vulnerability in versions before
ntp-4.2.8p7.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your =ntpd= instances
Credit: This weakness was discovered by Stephen Gray and
Matthew Van Gundy of Cisco ASIG.
* ctl_getitem() return value not always checked
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3008 / CVE-2016-2519
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: ntpq and ntpdc can be used to store and retrieve information
in ntpd. It is possible to store a data value that is larger
than the size of the buffer that the ctl_getitem() function of
ntpd uses to report the return value. If the length of the
requested data value returned by ctl_getitem() is too large,
the value NULL is returned instead. There are 2 cases where the
return value from ctl_getitem() was not directly checked to make
sure it's not NULL, but there are subsequent INSIST() checks
that make sure the return value is not NULL. There are no data
values ordinarily stored in ntpd that would exceed this buffer
length. But if one has permission to store values and one stores
a value that is "too large", then ntpd will abort if an attempt
is made to read that oversized value.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.
* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3009 / CVE-2016-2518 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
Summary: Using a crafted packet to create a peer association with
hmode > 7 causes the MATCH_ASSOC() lookup to make an
out-of-bounds reference.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.
* remote configuration trustedkey/requestkey/controlkey values are not
properly validated
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3010 / CVE-2016-2517 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: If ntpd was expressly configured to allow for remote
configuration, a malicious user who knows the controlkey for
ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
can create a session with ntpd and then send a crafted packet to
ntpd that will change the value of the trustedkey, controlkey,
or requestkey to a value that will prevent any subsequent
authentication with ntpd until ntpd is restarted.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your =ntpd= instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.
* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3011 / CVE-2016-2516 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary: If ntpd was expressly configured to allow for remote
configuration, a malicious user who knows the controlkey for
ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
can create a session with ntpd and if an existing association is
unconfigured using the same IP twice on the unconfig directive
line, ntpd will abort.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.
* Refclock impersonation vulnerability
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3020 / CVE-2016-1551
Affects: On a very limited number of OSes, all NTP releases up to but
not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
By "very limited number of OSes" we mean no general-purpose OSes
have yet been identified that have this vulnerability.
CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary: While most OSes implement martian packet filtering in their
network stack, at least regarding 127.0.0.0/8, some will allow
packets claiming to be from 127.0.0.0/8 that arrive over a
physical network. On these OSes, if ntpd is configured to use a
reference clock an attacker can inject packets over the network
that look like they are coming from that reference clock.
Mitigation:
Implement martian packet filtering and BCP-38.
Configure ntpd to use an adequate number of time sources.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you are unable to upgrade and if you are running an OS that
has this vulnerability, implement martian packet filters and
lobby your OS vendor to fix this problem, or run your
refclocks on computers that use OSes that are not vulnerable
to these attacks and have your vulnerable machines get their
time from protected resources.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Matt Street and others of
Cisco ASIG.
The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:
* Clients that receive a KoD should validate the origin timestamp field.
References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
* Skeleton key: passive server with trusted key can serve time.
References: Sec 2936 / CVE-2015-7974
Affects: All ntp-4 releases up to, but not including 4.2.8p7,
Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
Two other vulnerabilities have been reported, and the mitigations
for these are as follows:
* Interleave-pivot
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 2978 / CVE-2016-1548
Affects: All ntp-4 releases.
CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Summary: It is possible to change the time of an ntpd client or deny
service to an ntpd client by forcing it to change from basic
client/server mode to interleaved symmetric mode. An attacker
can spoof a packet from a legitimate ntpd server with an origin
timestamp that matches the peer->dst timestamp recorded for that
server. After making this switch, the client will reject all
future legitimate server responses. It is possible to force the
victim client to move time after the mode has been changed.
ntpq gives no indication that the mode has been switched.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page. These
versions will not dynamically "flip" into interleave mode
unless configured to do so.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of RedHat
and separately by Jonathan Gardner of Cisco ASIG.
* Sybil vulnerability: ephemeral association attack
Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3012 / CVE-2016-1549
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92
CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
the feature introduced in ntp-4.2.8p6 allowing an optional 4th
field in the ntp.keys file to specify which IPs can serve time,
a malicious authenticated peer can create arbitrarily-many
ephemeral associations in order to win the clock selection of
ntpd and modify a victim's clock.
Mitigation:
Implement BCP-38.
Use the 4th field in the ntp.keys file to specify which IPs
can be time servers.
Properly monitor your ntpd instances.
Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
Other fixes:
* [Bug 2831] Segmentation Fault in DNS lookup during startup. [email protected]
- fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. [email protected]
- integrated patches by Loganaden Velvidron <[email protected]>
with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. [email protected]
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. [email protected]
* [Bug 3013] Fix for ssl_init.c SHA1 test. [email protected]
- Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
- A change related to [Bug 2853] forbids trailing white space in
remote config commands. [email protected]
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
- report and patch from Aleksandr Kostikov.
- Overhaul of Windows IO completion port handling. [email protected]
* [Bug 3022] authkeys.c should be refactored. [email protected]
- fixed memory leak in access list (auth[read]keys.c)
- refactored handling of key access lists (auth[read]keys.c)
- reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. [email protected]
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to an server
when the time of server changed. [email protected]
- Check the initial delay calculation and reject/unpeer the broadcast
server if the delay exceeds 50ms. Retry again after the next
broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.
New option to 'configure':
While looking in to the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations. We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.
Interleave mode was first released in July of 2008, and can be engaged
in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interlave mode
for that association. Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode. With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.
To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:
--enable-dynamic-interleave
This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode. Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.
---
NTP 4.2.8p6 (Harlan Stenn <[email protected]>, 2016/01/20)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:
* Potential Infinite Loop in 'ntpq'
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2548 / CVE-2015-8158
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
The loop's only stopping conditions are receiving a complete and
correct response or hitting a small number of error conditions.
If the packet contains incorrect values that don't trigger one of
the error conditions, the loop continues to receive new packets.
Note well, this is an attack against an instance of 'ntpq', not
'ntpd', and this attack requires the attacker to do one of the
following:
* Own a malicious NTP server that the client trusts
* Prevent a legitimate NTP server from sending packets to
the 'ntpq' client
* MITM the 'ntpq' communications between the 'ntpq' client
and the NTP server
Mitigation:
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
* 0rigin: Zero Origin Timestamp Bypass
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2945 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
(3.7 - LOW if you score AC:L)
Summary: To distinguish legitimate peer responses from forgeries, a
client attempts to verify a response packet by ensuring that the
origin timestamp in the packet matches the origin timestamp it
transmitted in its last request. A logic error exists that
allows packets with an origin timestamp of zero to bypass this
check whenever there is not an outstanding request to the server.
Mitigation:
Configure 'ntpd' to get time from multiple sources.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd= instances.
Credit: This weakness was discovered by Matthey Van Gundy and
Jonathan Gardner of Cisco ASIG.
* Stack exhaustion in recursive traversal of restriction list
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2940 / CVE-2015-7978
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by exhausting the call stack.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2942 / CVE-2015-7979
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
Summary: An off-path attacker can send broadcast packets with bad
authentication (wrong key, mismatched key, incorrect MAC, etc)
to broadcast clients. It is observed that the broadcast client
tears down the association with the broadcast server upon
receiving just one bad packet.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd' instances.
If this sort of attack is an active problem for you, you have
deeper problems to investigate. In this case also consider
having smaller NTP broadcast domains.
Credit: This weakness was discovered by Aanchal Malhotra of Boston
University.
* reslist NULL pointer dereference
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2939 / CVE-2015-7977
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by causing a NULL pointer dereference.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
the NTP Public Services Project Download Page.
If you are unable to upgrade:
mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
* 'ntpq saveconfig' command allows dangerous characters in filenames.
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2938 / CVE-2015-7976
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
Summary: The ntpq saveconfig command does not do adequate filtering
of special characters from the supplied filename.
Note well: The ability to use the saveconfig command is controlled
by the 'restrict nomodify' directive, and the recommended default
configuration is to disable this capability. If the ability to
execute a 'saveconfig' is required, it can easily (and should) be
limited and restricted to a known small number of IP addresses.
Mitigation:
Implement BCP-38.
use 'restrict default nomodify' in your 'ntp.conf' file.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
If you are unable to upgrade:
build NTP with 'configure --disable-saveconfig' if you will
never need this capability, or
use 'restrict default nomodify' in your 'ntp.conf' file. Be
careful about what IPs have the ability to send 'modify'
requests to 'ntpd'.
Monitor your ntpd instances.
'saveconfig' requests are logged to syslog - monitor your syslog files.
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
* nextvar() missing length check in ntpq
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2937 / CVE-2015-7975
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
If you score A:C, this becomes 4.0.
CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
Summary: ntpq may call nextvar() which executes a memcpy() into the
name buffer without a proper length check against its maximum
length of 256 bytes. Note well that we're taking about ntpq here.
The usual worst-case effect of this vulnerability is that the
specific instance of ntpq will crash and the person or process
that did this will have stopped themselves.
Mitigation:
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
If you have scripts that feed input to ntpq make sure there are
some sanity checks on the input received from the "outside".
This is potentially more dangerous if ntpq is run as root.
Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
* Skeleton Key: Any trusted key system can serve time
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2936 / CVE-2015-7974
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
Summary: Symmetric key encryption uses a shared trusted key. The
reported title for this issue was "Missing key check allows
impersonation between authenticated peers" and the report claimed
"A key specified only for one server should only work to
authenticate that server, other trusted keys should be refused."
Except there has never been any correlation between this trusted
key and server v. clients machines and there has never been any
way to specify a key only for one server. We have treated this as
an enhancement request, and ntp-4.2.8p6 includes other checks and
tests to strengthen clients against attacks coming from broadcast
servers.
Mitigation:
Implement BCP-38.
If this scenario represents a real or a potential issue for you,
upgrade to 4.2.8p6, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page, and
use the new field in the ntp.keys file that specifies the list
of IPs that are allowed to serve time. Note that this alone
will not protect against time packets with forged source IP
addresses, however other changes in ntp-4.2.8p6 provide
significant mitigation against broadcast attacks. MITM attacks
are a different story.
If you are unable to upgrade:
Don't use broadcast mode if you cannot monitor your client
servers.
If you choose to use symmetric keys to authenticate time
packets in a hostile environment where ephemeral time
servers can be created, or if it is expected that malicious
time servers will participate in an NTP broadcast domain,
limit the number of participating systems that participate
in the shared-key group.
Monitor your ntpd instances.
Credit: This weakness was discovered by Matt Street of Cisco ASIG.
* Deja Vu: Replay attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2935 / CVE-2015-7973
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
Summary: If an NTP network is configured for broadcast operations then
either a man-in-the-middle attacker or a malicious participant
that has the same trusted keys as the victim can replay time packets.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
Don't use broadcast mode if you cannot monitor your client servers.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra of Boston
University.
Other fixes:
* [Bug 2772] adj_systime overflows tv_usec. [email protected]
* [Bug 2814] msyslog deadlock when signaled. [email protected]
- applied patch by [email protected] with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). [email protected]
* [Bug 2891] Deadlock in deferred DNS lookup framework. [email protected]
* [Bug 2892] Several test cases assume IPv6 capabilities even when
IPv6 is disabled in the build. [email protected]
- Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. [email protected]
- added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. [email protected]
- make CTRL-C work for retrieval and printing od MRU list. [email protected]
* [Bug 2980] reduce number of warnings. [email protected]
- integrated several patches from Havard Eidnes ([email protected])
* [Bug 2985] bogus calculation in authkeys.c [email protected]
- implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.
---
NTP 4.2.8p5 (Harlan Stenn <[email protected]>, 2016/01/07)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:
* Small-step/big-step. Close the panic gate earlier.
References: Sec 2956, CVE-2015-5300
Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
4.3.0 up to, but not including 4.3.78
CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
Summary: If ntpd is always started with the -g option, which is
common and against long-standing recommendation, and if at the
moment ntpd is restarted an attacker can immediately respond to
enough requests from enough sources trusted by the target, which
is difficult and not common, there is a window of opportunity
where the attacker can cause ntpd to set the time to an
arbitrary value. Similarly, if an attacker is able to respond
to enough requests from enough sources trusted by the target,
the attacker can cause ntpd to abort and restart, at which
point it can tell the target to set the time to an arbitrary
value if and only if ntpd was re-started against long-standing
recommendation with the -g flag, or if ntpd was not given the
-g flag, the attacker can move the target system's time by at
most 900 seconds' time per attack.
Mitigation:
Configure ntpd to get time from multiple sources.
Upgrade to 4.2.8p5, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
As we've long documented, only use the -g option to ntpd in
cold-start situations.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra,
Isaac E. Cohen, and Sharon Goldberg at Boston University.
NOTE WELL: The -g flag disables the limit check on the panic_gate
in ntpd, which is 900 seconds by default. The bug identified by
the researchers at Boston University is that the panic_gate
check was only re-enabled after the first change to the system
clock that was greater than 128 milliseconds, by default. The
correct behavior is that the panic_gate check should be
re-enabled after any initial time correction.
If an attacker is able to inject consistent but erroneous time
responses to your systems via the network or "over the air",
perhaps by spoofing radio, cellphone, or navigation satellite
transmissions, they are in a great position to affect your
system's clock. There comes a point where your very best
defenses include:
Configure ntpd to get time from multiple sources.
Monitor your ntpd instances.
Other fixes:
* Coverity submission process updated from Coverity 5 to Coverity 7.
The NTP codebase has been undergoing regular Coverity scans on an
ongoing basis since 2006. As part of our recent upgrade from
Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c [email protected]
* [Bug 2887] stratum -1 config results as showing value 99
- fudge stratum should only accept values [0..16]. [email protected]
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
- applied patch by Christos Zoulas. [email protected]
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
- fixed data race conditions in threaded DNS worker. [email protected]
- limit threading warm-up to linux; FreeBSD bombs on it. [email protected]
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. [email protected]
- accept key file only if there are no parsing errors
- fixed size_t/u_int format clash
- fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. [email protected]
- fixed several other warnings (cast-alignment, missing const, missing prototypes)
- promote use of 'size_t' for values that express a size
- use ptr-to-const for read-only arguments
- make sure SOCKET values are not truncated (win32-specific)
- format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
- fixed ntp_rfc2553.c to return proper address length. [email protected]
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
lots of clients. [email protected]
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. [email protected]
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
---
NTP 4.2.8p4 (Harlan Stenn <[email protected]>, 2015/10/21)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:
* Incomplete vallen (value length) checks in ntp_crypto.c, leading
to potential crashes or potential code injection/information leakage.
References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
Summary: The fix for CVE-2014-9750 was incomplete in that there were
certain code paths where a packet with particular autokey operations
that contained malicious data was not always being completely
validated. Receipt of these packets can cause ntpd to crash.
Mitigation:
Don't use autokey.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
Monitor your ntpd instances.
Credit: This weakness was discovered by Tenable Network Security.
* Clients that receive a KoD should validate the origin timestamp field.
References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
Summary: An ntpd client that honors Kiss-of-Death responses will honor
KoD messages that have been forged by an attacker, causing it to
delay or stop querying its servers for time updates. Also, an
attacker can forge packets that claim to be from the target and
send them to servers often enough that a server that implements
KoD rate limiting will send the target machine a KoD response to
attempt to reduce the rate of incoming packets, or it may also
trigger a firewall block at the server for packets from the target
machine. For either of these attacks to succeed, the attacker must
know what servers the target is communicating with. An attacker
can be anywhere on the Internet and can frequently learn the
identity of the target's time source by sending the target a
time query.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you can't upgrade, restrict who can query ntpd to learn who
its servers are, and what IPs are allowed to ask your system
for the time. This mitigation is heavy-handed.
Monitor your ntpd instances.
Note:
4.2.8p4 protects against the first attack. For the second attack,
all we can do is warn when it is happening, which we do in 4.2.8p4.
Credit: This weakness was discovered by Aanchal Malhotra,
Issac E. Cohen, and Sharon Goldberg of Boston University.
* configuration directives to change "pidfile" and "driftfile" should
only be allowed locally.
References: Sec 2902 / CVE-2015-5196
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
Summary: If ntpd is configured to allow for remote configuration,
and if the (possibly spoofed) source IP address is allowed to
send remote configuration requests, and if the attacker knows
the remote configuration password, it's possible for an attacker
to use the "pidfile" or "driftfile" directives to potentially
overwrite other files.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
If you cannot upgrade, don't enable remote configuration.
If you must enable remote configuration and cannot upgrade,
remote configuration of NTF's ntpd requires:
- an explicitly configured trustedkey, and you should also
configure a controlkey.
- access from a permitted IP. You choose the IPs.
- authentication. Don't disable it. Practice secure key safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
* Slow memory leak in CRYPTO_ASSOC
References: Sec 2909 / CVE-2015-7701
Affects: All ntp-4 releases that use autokey up to, but not
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
4.6 otherwise
Summary: If ntpd is configured to use autokey, then an attacker can
send packets to ntpd that will, after several days of ongoing
attack, cause it to run out of memory.
Mitigation:
Don't use autokey.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
Monitor your ntpd instances.
Credit: This weakness was discovered by Tenable Network Security.
* mode 7 loop counter underrun
References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
Summary: If ntpd is configured to enable mode 7 packets, and if the
use of mode 7 packets is not properly protected thru the use of
the available mode 7 authentication and restriction mechanisms,
and if the (possibly spoofed) source IP address is allowed to
send mode 7 queries, then an attacker can send a crafted packet
to ntpd that will cause it to crash.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade:
In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a requestkey to control who can issue
mode 7 requests.
configure restrict noquery to further limit mode 7 requests
to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
* memory corruption in password store
References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
Summary: If ntpd is configured to allow remote configuration, and if
the (possibly spoofed) source IP address is allowed to send
remote configuration requests, and if the attacker knows the
remote configuration password or if ntpd was configured to
disable authentication, then an attacker can send a set of
packets to ntpd that may cause a crash or theoretically
perform a code injection attack.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade, remote configuration of NTF's
ntpd requires:
an explicitly configured "trusted" key. Only configure
this if you need it.
access from a permitted IP address. You choose the IPs.
authentication. Don't disable it. Practice secure key safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
* Infinite loop if extended logging enabled and the logfile and
keyfile are the same.
References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
Summary: If ntpd is configured to allow remote configuration, and if
the (possibly spoofed) source IP address is allowed to send
remote configuration requests, and if the attacker knows the
remote configuration password or if ntpd was configured to
disable authentication, then an attacker can send a set of
packets to ntpd that will cause it to crash and/or create a
potentially huge log file. Specifically, the attacker could
enable extended logging, point the key file at the log file,
and cause what amounts to an infinite loop.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade, remote configuration of NTF's ntpd
requires:
an explicitly configured "trusted" key. Only configure this
if you need it.
access from a permitted IP address. You choose the IPs.
authentication. Don't disable it. Practice secure key safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
* Potential path traversal vulnerability in the config file saving of
ntpd on VMS.
References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
Affects: All ntp-4 releases running under VMS up to, but not
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
Summary: If ntpd is configured to allow remote configuration, and if
the (possibly spoofed) IP address is allowed to send remote