NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/xx)
Focus: Security and Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
References: Sec 2779 / CVE-2015-1798 / VU#374268
Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
including ntp-4.2.8p2 where the installation uses symmetric keys
to authenticate remote associations.
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
Summary: When ntpd is configured to use a symmetric key to authenticate
a remote NTP server/peer, it checks if the NTP message
authentication code (MAC) in received packets is valid, but not if
there actually is any MAC included. Packets without a MAC are
accepted as if they had a valid MAC. This allows a MITM attacker to
send false packets that are accepted by the client/peer without
having to know the symmetric key. The attacker needs to know the
transmit timestamp of the client to match it in the forged reply
and the false reply needs to reach the client before the genuine
reply from the server. The attacker doesn't necessarily need to be
relaying the packets between the client and the server.
Authentication using autokey doesn't have this problem as there is
a check that requires the key ID to be larger than NTP_MAXKEY,
which fails for packets without a MAC.
Mitigation:
Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Configure ntpd with enough time sources and monitor it properly.
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
* [Sec 2781] Authentication doesn't protect symmetric associations against
DoS attacks.
References: Sec 2781 / CVE-2015-1799 / VU#374268
Affects: All NTP releases starting with at least xntp3.3wy up to but
not including ntp-4.2.8p2 where the installation uses symmetric
key authentication.
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
Note: the CVSS base Score for this issue could be 4.3 or lower, and
it could be higher than 5.4.
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
Summary: An attacker knowing that NTP hosts A and B are peering with
each other (symmetric association) can send a packet to host A
with source address of B which will set the NTP state variables
on A to the values sent by the attacker. Host A will then send
on its next poll to B a packet with originate timestamp that
doesn't match the transmit timestamp of B and the packet will
be dropped. If the attacker does this periodically for both
hosts, they won't be able to synchronize to each other. This is
a known denial-of-service attack, described at
https://www.eecis.udel.edu/~mills/onwire.html .
According to the document the NTP authentication is supposed to
protect symmetric associations against this attack, but that
doesn't seem to be the case. The state variables are updated even
when authentication fails and the peers are sending packets with
originate timestamps that don't match the transmit timestamps on
the receiving side.
This seems to be a very old problem, dating back to at least
xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
specifications, so other NTP implementations with support for
symmetric associations and authentication may be vulnerable too.
An update to the NTP RFC to correct this error is in-process.
Mitigation:
Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Note that for users of autokey, this specific style of MITM attack
is simply a long-known potential problem.
Configure ntpd with appropriate time sources and monitor ntpd.
Alert your staff if problems are detected.
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
* New script: update-leap
The update-leap script will verify and if necessary, update the
leap-second definition file.
It requires the following commands in order to work:
wget logger tr sed shasum
Some may choose to run this from cron. It needs more portability testing.
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
Focus: Security and Bug fixes, enhancements.
Severity: HIGH
In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:
* Weak default key in config_auth().
References: [Sec 2665] / CVE-2014-9293 / VU#852879
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
Vulnerable Versions: all releases prior to 4.2.7p11
Date Resolved: 28 Jan 2010
Summary: If no 'auth' key is set in the configuration file, ntpd
would generate a random key on the fly. There were two
problems with this: 1) the generated key was 31 bits in size,
and 2) it used the (now weak) ntp_random() function, which was
seeded with a 32-bit value and could only provide 32 bits of
entropy. This was sufficient back in the late 1990s when the
code was written. Not today.
Mitigation: Upgrade to 4.2.7p11 or later.
Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
of the Google Security Team.
* Non-cryptographic random number generator with weak seed used by
ntp-keygen to generate symmetric keys.
References: [Sec 2666] / CVE-2014-9294 / VU#852879
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
Vulnerable Versions: All NTP4 releases before 4.2.7p230
Date Resolved: Dev (4.2.7p230) 01 Nov 2011
Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
prepare a random number generator that was of good quality back
in the late 1990s. The random numbers produced was then used to
generate symmetric keys. In ntp-4.2.8 we use a current-technology
cryptographic random number generator, either RAND_bytes from
OpenSSL, or arc4random().
Mitigation: Upgrade to 4.2.7p230 or later.
Credit: This vulnerability was discovered in ntp-4.2.6 by
Stephen Roettger of the Google Security Team.
* Buffer overflow in crypto_recv()
References: Sec 2667 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
file contains a 'crypto pw ...' directive) a remote attacker
can send a carefully crafted packet that can overflow a stack
buffer and potentially allow malicious code to be executed
with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later, or
Disable Autokey Authentication by removing, or commenting out,
all configuration directives beginning with the crypto keyword
in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* Buffer overflow in ctl_putdata()
References: Sec 2668 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* Buffer overflow in configure()
References: Sec 2669 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
the code path where an error was detected, which meant
processing did not stop when a specific rare error occurred.
We haven't found a way for this bug to affect system integrity.
If there is no way to affect system integrity the base CVSS
score for this bug is 0. If there is one avenue through which
system integrity can be partially affected, the base score
becomes a 5. If system integrity can be partially affected
via all three integrity metrics, the CVSS base score become 7.5.
Mitigation:
Upgrade to 4.2.8, or later,
or Remove or comment out all configuration directives
beginning with the crypto keyword in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
See http://support.ntp.org/security for more information.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
implementation in MirBSD enforces this.
Use ${MKDIR} to create the target directory before running pax.
This does not actually fix the build on MirBSD (it needs some more
work in the configure), it is at least a start.
Focus: Security and Bug Fixes
Severity: HIGH
This release fixes the following high-severity vulnerability:
* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252
See http://support.ntp.org/security for more information.
If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
line) then a carefully crafted packet sent to the machine will cause
a buffer overflow and possible execution of injected code, running
with the privileges of the ntpd process (often root).
Credit for finding this vulnerability goes to Chris Ries of CMU.
This release fixes the following low-severity vulnerabilities:
* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
Credit for finding this vulnerability goes to Geoff Keating of Apple.
* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
Credit for finding this issue goes to Dave Hart.
This release fixes a number of bugs and adds some improvements:
* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris
---
(4.2.4p4) Released by Harlan Stenn <stenn@ntp.org>
* [Bug 902] Fix problems with the -6 flag.
* Updated include/copyright.def (owner and year).
* [Bug 878] Avoid ntpdc use of refid value as unterminated string.
* [Bug 881] Corrected display of pll offset on 64bit systems.
* [Bug 886] Corrected sign handling on 64bit in ntpdc loopinfo command.
* [Bug 889] avoid malloc() interrupted by SIGIO risk
* ntpd/refclock_parse.c: cleanup shutdown while the file descriptor is still open.
* [Bug 885] use emalloc() to get a message at the end of the memory
unsigned types cannot be less than 0
default_ai_family is a short
lose trailing , from enum list
clarify ntp_restrict.c for easier automated analysis
* [Bug 884] don't access recv buffers after having them passed to the free list.
* [Bug 882] allow loopback interfaces to share addresses with other interfaces.
---
(4.2.4p3) Released by Harlan Stenn <stenn@ntp.org>
* [Bug 863] unable to stop ntpd on Windows as the handle reference for events
changed
---
(4.2.4p2) Released by Harlan Stenn <stenn@ntp.org>
* [Bug 854] Broadcast address was not correctly set for interface addresses
* [Bug 829] reduce syslog noise, while there fix Enabled/Disable logging
to reflect the actual configuration.
* [Bug 795] Moved declaration of variable to top of function.
* [Bug 789] Fix multicast client crypto authentication and make sure arriving
multicast packets do not disturb the autokey dance.
* [Bug 785] improve handling of multicast interfaces
(multicast routers still need to run a multicast routing
software/daemon)
* [Bug 527] Don't write from source address length to wrong location
* Upgraded autogen and libopts.
* [Bug 811] ntpd should not read a .ntprc file.
---
(4.2.4p1) (skipped)
---
(4.2.4p0) Released by Harlan Stenn <stenn@ntp.org>
* [Bug 793] Update Hans Lambermont's email address in ntpsweep.
* [Bug 776] Remove unimplemented "rate" flag from ntpdate.
* [Bug 586] Avoid lookups if AI_NUMERICHOST is set.
* [Bug 770] Fix numeric parameters to ntp-keygen (Alain Guibert).
* [Bug 768] Fix io_setbclient() error message.
* [Bug 765] Use net_bind_service capability on linux.
* [Bug 760] The background resolver must be aware of the 'dynamic' keyword.
* [Bug 753] make union timestamp anonymous (Philip Prindeville).
* confopt.html: move description for "dynamic" keyword into the right section.
* pick the right type for the recv*() length argument.
---
(4.2.4) Released by Harlan Stenn <stenn@ntp.org>
* monopt.html fixes from Dave Mills.
* [Bug 452] Do not report kernel PLL/FLL flips.
* [Bug 746] Expert mouseCLOCK USB v2.0 support added.'
* driver8.html updates.
* [Bug 747] Drop <NOBR> tags from ntpdc.html.
* sntp now uses the returned precision to control decimal places.
* sntp -u will use an unprivileged port for its queries.
* [Bug 741] "burst" doesn't work with !unfit peers.
* [Bug 735] Fix a make/gmake VPATH issue on Solaris.
* [Bug 739] ntpd -x should not take an argument.
* [Bug 737] Some systems need help providing struct iovec.
* [Bug 717] Fix libopts compile problem.
* [Bug 728] parse documentation fixes.
* [Bug 734] setsockopt(..., IP_MULTICAST_IF, ...) fails on 64-bit platforms.
* [Bug 732] C-DEX JST2000 patch from Hideo Kuramatsu.
* [Bug 721] check for __ss_family and __ss_len separately.
* [Bug 666] ntpq opeers displays jitter rather than dispersion.
* [Bug 718] Use the recommended type for the saddrlen arg to getsockname().
* [Bug 715] Fix a multicast issue under Linux.
* [Bug 690] Fix a Windows DNS lookup buffer overflow.
* [Bug 670] Resolved a Windows issue with the dynamic interface rescan code.
* K&R C support is being deprecated.
* [Bug 714] ntpq -p should conflict with -i, not -c.
* WWV refclock improvements from Dave Mills.
* [Bug 708] Use thread affinity only for the clock interpolation thread.
* [Bug 706] ntpd can be running several times in parallel.
* [Bug 704] Documentation typos.
* [Bug 701] coverity: NULL dereference in ntp_peer.c
* [Bug 695] libopts does not protect against macro collisions.
* [Bug 693] __adjtimex is independent of ntp_{adj,get}time.
* [Bug 692] sys_limitrejected was not being incremented.
* [Bug 691] restrictions() assumption not always valid.
* [Bug 689] Deprecate HEATH GC-1001 II; the driver never worked.
* [Bug 688] Fix documentation typos.
* [Bug 686] Handle leap seconds better under Windows.
* [Bug 685] Use the Windows multimedia timer.
* [Bug 684] Only allow debug options if debugging is enabled.
* [Bug 683] Use the right version string.
* [Bug 680] Fix the generated version string on Windows.
* [Bug 678] Use the correct size for control messages.
* [Bug 677] Do not check uint_t in configure.ac.
* [Bug 676] Use the right value for msg_namelen.
* [Bug 675] Make sure ntpd builds without debugging.
* [Bug 672] Fix cross-platform structure padding/size differences.
* [Bug 660] New TIMESTAMP code fails tp build on Solaris Express.
* [Bug 659] libopts does not build under Windows.
* [Bug 658] HP-UX with cc needs -Wp,-H8166 in CFLAGS.
* [Bug 656] ntpdate doesn't work with multicast address.
* [Bug 638] STREAMS_TLI is deprecated - remove it.
* [Bug 635] Fix tOptions definition.
* [Bug 628] Fallback to ntp discipline not working for large offsets.
* [Bug 622] Dynamic interface tracking for ntpd.
* [Bug 603] Don't link with libelf if it's not needed.
* [Bug 523] ntpd service under Windows does't shut down properly.
* [Bug 500] sntp should always be built.
* [Bug 479] Fix the -P option.
* [Bug 421] Support the bc637PCI-U card.
* [Bug 342] Deprecate broken TRAK refclock driver.
* [Bug 340] Deprecate broken MSF EES refclock driver.
* [Bug 153] Don't do DNS lookups on address masks.
* [Bug 143] Fix interrupted system call on HP-UX.
* [Bug 42] Distribution tarballs should be signed.
* Support separate PPS devices for PARSE refclocks.
* [Bug 637, 51?] Dynamic interface scanning can now be done.
* Options processing now uses GNU AutoGen.
---
(4.2.2p4) Released by Harlan Stenn <stenn@ntp.org>
* [Bug 710] compat getnameinfo() has off-by-one error
* [Bug 690] Buffer overflow in Windows when doing DNS Lookups
---
(4.2.2p3) Released by Harlan Stenn <stenn@ntp.org>
* Make the ChangeLog file cleaner and easier to read
* [Bug 601] ntpq's decodeint uses an extra level of indirection
* [Bug 657] Different OSes need different sized args for IP_MULTICAST_LOOP
* release engineering/build changes
* Documentation fixes
* Get sntp working under AIX-5
---
(4.2.2p2) (broken)
* Get sntp working under AIX-5
---
(4.2.2p1)
* [Bug 661] Use environment variable to specify the base path to openssl.
* Resolve an ambiguity in the copyright notice
* Added some new documentation files
* URL cleanup in the documentation
* [Bug 657]: IP_MULTICAST_LOOP uses a u_char value/size
* quiet gcc4 complaints
* more Coverity fixes
* [Bug 614] manage file descriptors better
* [Bug 632] update kernel PPS offsets when PPS offset is re-configured
* [Bug 637] Ignore UP in*addr_any interfaces
* [Bug 633] Avoid writing files in srcdir
* release engineering/build changes
---
(4.2.2)
* SNTP
* Many bugfixes
* Implements the current "goal state" of NTPv4
* Autokey improvements
* Much better IPv6 support
* [Bug 360] ntpd loses handles with LAN connection disabled.
* [Bug 239] Fix intermittent autokey failure with multicast clients.
* Rewrite of the multicast code
* New version numbering scheme
