Network Time Foundation Publishes NTP 4.2.8-p10
March 21, 2017 by Sue Graves
As part of the Mozilla Foundation’s Secure Open Source (SOS) program, a security audit of the NTP codebase was conducted. This release addresses the issues found in that audit, along with a zero-origin security bug.
NTF’s Network Time Protocol (NTP) Project released ntp-4.2.8p10 on 21 March 2017. This latest version addresses the following:
6 MEDIUM security vulnerabilities
4 LOW security vulnerabilities
5 INFORMATIONAL security vulnerabilities
15 non-security fixes and improvements
Fixed Security Vulnerabilities:
Sec 3389 / CVE-2017-6464 / MEDIUM: Denial of Service via Malformed Config
Sec 3388 / CVE-2017-6462 / LOW: Buffer Overflow in DPTS Clock
Sec 3387 / CVE-2017-6463 / MEDIUM: Authenticated DoS via Malicious Config Option
Sec 3384 / CVE-2017-6455 / MEDIUM: Windows: Privileged execution of User Library code
Sec 3383 / CVE-2017-6452 / LOW: Windows Installer: Stack Buffer Overflow from Command Line
Sec 3382 / CVE-2017-6459 / LOW: Windows Installer: Data Structure terminated insufficiently
Sec 3379 / CVE-2017-6458 / MEDIUM: Potential Overflows in ctl_put() functions
Sec 3378 / CVE-2017-6451 / LOW: Improper use of snprintf() in mx4200_send()
Sec 3377 / CVE-2017-6460 / MEDIUM: Buffer Overflow in ntpq when fetching reslist
Sec 3361 / CVE-2016-9042 / MEDIUM: 0rigin DoS
Security Informational fixes:
Sec 3386: ntpq_stripquotes() returns incorrect Value
Sec 3385: ereallocarray()/eallocarray() underused
Sec 3381: Copious amounts of Unused Code
Sec 3380: Off-by-one in Oncore GPS Receiver
Sec 3376: Makefile does not enforce Security Flags
Timeline:
2017 Mar 21 - Public Release
2017 Mar 13 - CERT Notified
2017 Mar 06 - All of NTF’s NTP Consortium members were notified. Partner and Premier level members also received access to the patches.
2017 Feb 10 - Completed Mozilla/Cure53 audit received
We wish to thank the Mozilla Foundation for funding this audit of the NTP codebase. We would have preferred to give much more notice to our members and CERT; however, NTF’s NTP project remains severely under-funded. We sincerely appreciate the support of our members and donors; much more support is needed to continue to improve NTP, complete the Network Time Security (NTS) project, continue our standards work, improve documentation, start on the General Timestamp API, and much more. If accurate, secure time is important to you or your organization, help us help you: donate today or become a member. Thank you!