March 2020 ntp-4.2.8p14 NTP Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p14 on Tuesday, 03 March 2020.

This release fixes three security issues in ntpd:

• NONE: Sec 3610: process_control() should bail earlier on short packets.
  • Reported by Philippe Antoine (Catena cyber with oss-fuzz).
• MEDIUM: Sec 3596: Unauthenticated ntpd may be susceptible to IPv4 spoof attack from highly predictable transmit timestamps.
  • Reported by Miroslav Lichvar.
• MEDIUM: Sec 3592: DoS Attack on unauthenticated client.
  • The fix for https://bugs.ntp.org/3445 introduced a bug whereby a system that is running ntp-4.2.8p12 (possibly earlier) or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim's next poll to its source to be delayed, for as long as the attack is maintained.
  • Reported by Miroslav Lichvar.

and provides 46 bugfixes and addresses 4 other issues.

ENotification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

• 2020 Mar 03: Public release (barring as yet unforeseen issues)
• 2020 Feb 17: Release to Advance Security Partners
• 2019 Jun 05: Notification to Institutional Members
• 2019 May 30: Notification of Sec 3592 from reporter

March 2019 ntp-4.2.8p13 NTP Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p13 on Thursday, 07 March 2019.

This release fixes one security issue in ntpd:

• MEDIUM: Sec 3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet
  • A crafted malicious authenticated mode 6 (ntpq) packet from a permitted network address can trigger a NULL pointer dereference, crashing ntpd. Note that for this attack to work, the sending system must be on an address that the target's ntpd accepts mode 6 packets from, and must properly authenticate the packet with a private key that is specifically listed as being used for mode 6 authorization.
  • Reported by Magnus Stubman.

and provides 17 bugfixes and 1 other improvement.

ENotification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

• 2019 Mar 07: Public release
• 2019 Feb 20: Release to Advance Security Partners
• 2019 Jan 16: Notification to Institutional Members
• 2019 Jan 15: Notification from reporter

August 2018 ntp-4.2.8p12 NTP Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p12 on Tuesday, 14 August 2018. This release improves on one security issue in ntpd:

• LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / CVE-2018-7170 /: Sybil vulnerability: ephemeral association attack
  • Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p11. Improved in 4.2.8p12 and 4.3.94.
  • CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  • CVSS3: MED 5.3 - (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
  • Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock. Two additional protections are offered in ntp-4.2.8p11. One is the noepeer directive, which disables symmetric passive ephemeral peering. The other extends the functionality of the 4th field in the ntp.keys file to include specifying a subnet range.
  • Mitigation:
    • Implement BCP-38.
    • Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    • Use the noepeer directive to prohibit symmetric passive ephemeral associations.
    • Use the ippeerlimit directive to limit the number of peer associations from an IP.
    • Use the 4th argument in the ntp.keys file to limit the IPs and subnets that can be time servers.
    • Properly monitor your ntpd instances.
  • Credit: This weakness was originally discovered by Matthew Van Gundy of Cisco ASIG. The edge-case hole in the noepeer processing was reported by Martin Burnicki of Meinberg.

And one security issue in ntpq and ntpdc:

• LOW: Sec 3505 / CVE-2018-12327 /: The openhost() function used during command-line hostname processing by ntpq and ntpdc can write beyond its buffer limit.
• Affects: All ntp-4 releases up to, but not including 4.2.8p12, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p12 and 4.3.94.
• CVSS2: LOW 1.7 - (AV:L/AC:L/Au:S/C:P/I:N/A:N)
• CVSS3: LOW 2.8 - (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
• Summary: The openhost() function used by ntpq and ntpdc is vulnerable to a buffer overflow. This means that if one is able to provide ntpq or ntpdc with an excessively large hostname on the command line or a carefully-crafted byte stream, ntpq or ntpdc will suffer from the usual stack overflow problems.
• Mitigation: Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
• Credit: Reported by Fakhri Zulkifli.

This release also provides 27 minor bug and documentation fixes and 4 other improvements.

E-Notification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

• 2018 Aug 29: Added CVE-2018-7170 to Bug Sec3012
• 2018 Aug 14: Public release
• 2018 Jul 25: Release to Advance Security Partners
• 2018 Jun 6: Sec 3505 reported
• 2018 May 25: Sec 3012 noepeer reported