P14 IS GO!

March 05, 2020 by David Barry

NTP-4.2.8p14 Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p14 on Tuesday, 03 March 2020.

This release fixes three security issues in ntpd:

  • NONE: Sec 3610: process_control() should bail earlier on short packets.

    • Reported by Philippe Antoine (Catena cyber with oss-fuzz).
  • MEDIUM: Sec 3596: Unauthenticated ntpd may be susceptible to IPv4 spoof attack from highly predictable transmit timestamps.

    • Reported by Miroslav Lichvar.
  • MEDIUM: Sec 3592: DoS Attack on unauthenticated client.

    • The fix for Bug 3445 introduced a bug whereby a system that is running ntp-4.2.8p12 (possibly earlier) or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim’s next poll to its source to be delayed, for as long as the attack is maintained.

    • Reported by Miroslav Lichvar.

and provides 46 bugfixes and addresses 4 other issues.

Notification of these issues was delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

  • 2020 Mar 03: Public release (barring as yet unforeseen issues)

  • 2020 Feb 17: Release to Advance Security Partners

  • 2019 Jun 05: Notification to Institutional Members

  • 2019 May 30: Notification of Sec 3592 from reporter
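The Sec 3592 condition described above (a release before p14 with a single unauthenticated time source) can be checked per host. The following is an added example, not code from the NTP Project. It assumes the version string contains `4.2.8pN`, that a `key` or `autokey` option on a source line means that source is authenticated, and that the condition means the host's sole configured source is unauthenticated; the function names and status strings are hypothetical.

```python
import re

FIXED_PATCH = 14  # the page: ntp-4.2.8p14 carries the Sec 3592 fix

def parse_patch_level(version_line):
    """Return N from a '4.2.8pN' version string (0 if no pN), else None."""
    m = re.search(r"\b4\.2\.8(?:p(\d+))?", version_line)
    return int(m.group(1) or 0) if m else None

def time_sources(conf_text):
    """Return [(address, authenticated)] for server/peer/pool lines in ntp.conf."""
    found = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in ("server", "peer", "pool"):
            continue
        args = [t for t in tokens[1:] if not t.startswith("-")]  # drop -4 / -6
        # Assumption: 127.127.t.u reference-clock drivers are not network sources.
        if not args or args[0].startswith("127.127."):
            continue
        # Assumption: a 'key N' or 'autokey' option means the source is authenticated.
        found.append((args[0], "key" in args[1:] or "autokey" in args[1:]))
    return found

def sec3592_exposure(version_line, conf_text):
    """Classify a host against the condition stated for Sec 3592."""
    patch = parse_patch_level(version_line)
    if patch is None:
        return "unknown-version"
    if patch >= FIXED_PATCH:
        return "fixed"
    sources = time_sources(conf_text)
    if len(sources) == 1 and not sources[0][1]:
        # p12 and p13 are named outright; earlier releases are "possibly" affected.
        return "exposed" if patch >= 12 else "possibly-exposed"
    return "condition-not-met"

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION = "ntpd 4.2.8p13 (constructed sample)"
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server time.example.net iburst   # single source, no key
"""

if __name__ == "__main__":
    print(sec3592_exposure(SAMPLE_VERSION, SAMPLE_CONF))
```

A `pool` line is counted as one source here, which can over-report exposure on hosts that rely on a pool.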
