Network Time Foundation (NTF) releases ntp-4.2.8p4 containing several security patches.
NTF’s NTP Project has released ntp-4.2.8p4, which fixes thirteen (13) low- and medium-severity security bugs and also includes about 100 bug fixes and code improvements since 4.2.8p3, which was released on the 29th of June, 2015.
Here is a summary, and see NTF’s NTP Project’s Security Notice page for details. Download the latest version.
- Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG)
- Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA)
- Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS)
- Bug 2920 CVE-2015-7853 ntp_io.c data conversion Memory Corruption Vulnerability. (Cisco TALOS)
- Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS)
- Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (Cisco TALOS)
- Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
- Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
- Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
- Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
- Bug 2902: CVE-2015-7703 configuration directives “pidfile” and “driftfile” should only be allowed locally. (RedHat)
- Bug 2901: CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University)
- Bug 2899: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)
The most significant security vulnerability above is the “NAK to the Future” vulnerability, which has a CVSSv2 score of 6.4. The KoD issue has a CVSSv2 score between 4.3 and 5.0. The other issues all require specific configurations and are low to medium severity.
Normal monitoring of the status of ntpd on your systems will alert you to any problems by attacks based on the above vulnerabilities.
We want to thank Boston University, Cisco, Institute for Defense Analyses, RedHat and Tenable for finding and reporting these security issues. These were all found by security research teams that went deep into the code base and offered a level of scrutiny that can’t be achieved with today’s automated tools.
For years NTF’s NTP Project has routinely submitted the NTP code base through Coverity’s security analysis scans and went from several hundred issues found down to nine. That gives us a “defect density” rating of 0.05, or 1 defect detected for every 20,000 lines of code scanned. For comparison, the average defect density of other open source projects of our size category is 0.5, or one defect for every 2,000 lines of code. These remaining 9 bugs are considered to be very low-risk, and effectively “noise”. We’ll be fixing them anyway, as soon as we can.
NTF’s NTP Project code base has also been run through Veracode and HP’s Fortify on Demand (FoD). HP’s FoD found eight problems, all with path manipulation. Seven of these are with a script our QA developers use when generating test runner framework modules. This code is never used in production and only run under control of the developer so there is no danger. The last instance is a path manipulation problem with an RPC generation script that we also don’t use. In a nutshell, HP’s FoD project found no errors in our code.
We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so. You can learn about them from our bug database and ChangeLog file.
Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), and will soon be announcing the first production release of the NTP “leaf node” client from the Ntimed Project.
We appreciate organizations reporting their discoveries to us, and please realize it’s difficult to find competent and collegial volunteers with spare time to help us sort out these issues so we continue to look for funding to hire full time developers. We’ve put together some projects for funding and if you are interested in helping please contact firstname.lastname@example.org.
You are welcomed and encouraged to join our Consortium or Donate.