Network Time Foundation Publishes NTP 4.2.8p11

February 27, 2018 by Sue Graves

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p11 on Tuesday, 27 February 2018.
This release addresses five low and medium security issues in ntpd:

  • LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#718152: Sybil vulnerability: ephemeral association attack

    • While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11.

    • Reported by Matt Van Gundy of Cisco.

  • INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#718152: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak

    • Reported by Yihan Lian of Qihoo 360.

  • LOW: Sec 3415 / CVE-2018-7170 / VU#718152: Multiple authenticated ephemeral associations

    • Reported on the questions@ list.

  • LOW: Sec 3453 / CVE-2018-7184 / VU#718152: Interleaved symmetric mode cannot recover from bad state

    • Reported by Miroslav Lichvar of Red Hat.

  • LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#718152: Unauthenticated packet can reset authenticated interleaved association

    • Reported by Miroslav Lichvar of Red Hat.

and one security issue in ntpq:

and provides 33 bugfixes and 32 other improvements.

E-Notification of these issues was delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

  • 2018 Feb 27: Public release

  • 2018 Feb 21: VU number assigned. NEWS file updated.

  • 2018 Feb 20: CVE numbers assigned. NEWS file updated. Tarball updated. CERT notified.

  • 2018 Feb 12: Release to Advance Security Partners containing security fixes for Bugs 3453 and 3454, and FIPS and multicast regressions.

  • 2018 Feb 07: Regressions reported for FIPS and multicast mode.

  • 2018 Feb 05: Bugs 3453 and 3454 reported.

  • 2018 Jan 23: Initial release to Advance Security Partners.

Please review our NTP Security Policy and Procedure page for details on this latest announcement as well as our security patch policy, issue reporting instructions and past security advisories.

Please Note:
Our next major release will be ntp-4.4.0. Once released, people who want to remain on 4.2.6 or 4.2.8 will be able to purchase a support contract from us. Premier and Partner Institutional Members are eligible for discounted support agreements on older, stable releases.

We would have preferred to give much more notice to our members and to CERT; however, NTF’s NTP project remains severely under-funded. We sincerely appreciate the support of our members and donors, but much more support and funding is needed to continue to improve NTP, complete the Network Time Security (NTS) project, continue our standards work, improve documentation, start on the General Timestamp API and so much more. If accurate, secure time is important to you or your organization, help us help you: donate today or become a member.

Thank you!
