Notification Policy

When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally make a public announcement.

Security Patch Policy

When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.
For more information about our NTP Consortium and how to become a member, see (http://www.nwtime.org/membership/benefits/)

Reporting Security Issues

Security related bugs, confirmed or suspected, are to be reported by e-mail to security@ntp.org.
Do not disclose details with unencrypted email-we will exchange PGP keys for further discussion.

You can also use our NTP Security Officer Key, for reporting issues you have verified are security related.

Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet news-group, our Bug Tracking system, bugs@ntp.org, or any other mailing-list.

Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), replacing Autokey, and will soon be announcing the first production release of the NTP "leaf node" client from the Ntimed Project.

For years NTF's NTP Project has routinely submitted the NTP code base through Coverity's security analysis scans and in 2015 we went from several hundred issues found -- down to nine. That gives us a "defect density" rating of 0.05, or 1 defect detected for every 20,000 lines of code scanned. For comparison, the average defect density of other open source projects of our size category is 0.5, or one defect for every 2,000 lines of code.
NTF's NTP Project code base has also been run through Veracode and HP's Fortify on Demand (FoD).

We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so. You can learn about them from our bug database and ChangeLog file.

Latest Resolved Issues

March 2020 ntp-4.2.8p14 NTP Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p14 on Tuesday, 03 March 2020.

This release fixes three security issues in ntpd:

NONE: Sec 3610: process_control() should bail earlier on short packets.
- Reported by Philippe Antoine (Catena cyber with oss-fuzz).
MEDIUM: Sec 3596: Unauthenticated ntpd may be susceptible to IPv4 spoof attack from highly predictable transmit timestamps.
- Reported by Miroslav Lichvar.
MEDIUM: Sec 3592: DoS Attack on unauthenticated client.
- The fix for https://bugs.ntp.org/3445 introduced a bug whereby a system that is running ntp-4.2.8p12 (possibly earlier) or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim's next poll to its source to be delayed, for as long as the attack is maintained.
- Reported by Miroslav Lichvar.

and provides 46 bugfixes and addresses 4 other issues.

ENotification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

2020 Mar 03: Public release (barring as yet unforeseen issues)
2020 Feb 17: Release to Advance Security Partners
2019 Jun 05: Notification to Institutional Members
2019 May 30: Notification of Sec 3592 from reporter

March 2019 ntp-4.2.8p13 NTP Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p13 on Thursday, 07 March 2019.

This release fixes one security issue in ntpd:

MEDIUM: Sec 3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet
- A crafted malicious authenticated mode 6 (ntpq) packet from a permitted network address can trigger a NULL pointer dereference, crashing ntpd. Note that for this attack to work, the sending system must be on an address that the target's ntpd accepts mode 6 packets from, and must properly authenticate the packet with a private key that is specifically listed as being used for mode 6 authorization.
- Reported by Magnus Stubman.

and provides 17 bugfixes and 1 other improvement.

ENotification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

2019 Mar 07: Public release
2019 Feb 20: Release to Advance Security Partners
2019 Jan 16: Notification to Institutional Members
2019 Jan 15: Notification from reporter

August 2018 ntp-4.2.8p12 NTP Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p12 on Tuesday, 14 August 2018. This release improves on one security issue in ntpd:

LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / CVE-2018-7170 /: Sybil vulnerability: ephemeral association attack
- Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p11. Improved in 4.2.8p12 and 4.3.94.
- CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
- CVSS3: MED 5.3 - (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
- Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock. Two additional protections are offered in ntp-4.2.8p11. One is the noepeer directive, which disables symmetric passive ephemeral peering. The other extends the functionality of the 4th field in the ntp.keys file to include specifying a subnet range.
- Mitigation:
  - Implement BCP-38.
  - Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  - Use the noepeer directive to prohibit symmetric passive ephemeral associations.
  - Use the ippeerlimit directive to limit the number of peer associations from an IP.
  - Use the 4th argument in the ntp.keys file to limit the IPs and subnets that can be time servers.
  - Properly monitor your ntpd instances.
- Credit: This weakness was originally discovered by Matthew Van Gundy of Cisco ASIG. The edge-case hole in the noepeer processing was reported by Martin Burnicki of Meinberg.

And one security issue in ntpq and ntpdc:

LOW: Sec 3505 / CVE-2018-12327 /: The openhost() function used during command-line hostname processing by ntpq and ntpdc can write beyond its buffer limit.
Affects: All ntp-4 releases up to, but not including 4.2.8p12, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p12 and 4.3.94.
CVSS2: LOW 1.7 - (AV:L/AC:L/Au:S/C:P/I:N/A:N)
CVSS3: LOW 2.8 - (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
Summary: The openhost() function used by ntpq and ntpdc is vulnerable to a buffer overflow. This means that if one is able to provide ntpq or ntpdc with an excessively large hostname on the command line or a carefully-crafted byte stream, ntpq or ntpdc will suffer from the usual stack overflow problems.
Mitigation: Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
Credit: Reported by Fakhri Zulkifli.