Notification Policy

When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally make a public announcement.

Security Patch Policy

When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.
For more information about our NTP Consortium and how to become a member, see (http://www.nwtime.org/membership/benefits/)

Reporting Security Issues

Security related bugs, confirmed or suspected, are to be reported by e-mail to security@ntp.org.
Do not disclose details with unencrypted email-we will exchange PGP keys for further discussion.

You can also use our NTP Security Officer Key, for reporting issues you have verified are security related.

Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet news-group, our Bug Tracking system, bugs@ntp.org, or any other mailing-list.

Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), replacing Autokey, and will soon be announcing the first production release of the NTP “leaf node” client from the Ntimed Project.

For years NTF’s NTP Project has routinely submitted the NTP code base through Coverity’s security analysis scans and in 2015 we went from several hundred issues found — down to nine. That gives us a “defect density” rating of 0.05, or 1 defect detected for every 20,000 lines of code scanned. For comparison, the average defect density of other open source projects of our size category is 0.5, or one defect for every 2,000 lines of code.
NTF’s NTP Project code base has also been run through Veracode and HP’s Fortify on Demand (FoD).

We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so. You can learn about them from our bug database and ChangeLog file.

Latest Resolved Issues

August 2018 ntp-4.2.8p12 NTP Release and Security Vulnerability Announcement

The NTP Project at Network Time Foundation publicly released ntp-4.2.8p12 on Tuesday, 14 August 2018. This release improves on one security issue in ntpd:

LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / CVE-2018-7170 /: Sybil vulnerability: ephemeral association attack
- Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p11. Improved in 4.2.8p12 and 4.3.94.
- CVSS2: LOW 3.5 – (AV:N/AC:M/Au:S/C:N/I:P/A:N)
- CVSS3: MED 5.3 – (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
- Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer — i.e. one where the attacker knows the private symmetric key — can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim’s clock. Two additional protections are offered in ntp-4.2.8p11. One is the noepeer directive, which disables symmetric passive ephemeral peering. The other extends the functionality of the 4th field in the ntp.keys file to include specifying a subnet range.
- Mitigation:
  - Implement BCP-38.
  - Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  - Use the noepeer directive to prohibit symmetric passive ephemeral associations.
  - Use the ippeerlimit directive to limit the number of peer associations from an IP.
  - Use the 4th argument in the ntp.keys file to limit the IPs and subnets that can be time servers.
  - Properly monitor your ntpd instances.
- Credit: This weakness was originally discovered by Matthew Van Gundy of Cisco ASIG. The edge-case hole in the noepeer processing was reported by Martin Burnicki of Meinberg.

And one security issue in ntpq and ntpdc:

LOW: Sec 3505 / CVE-2018-12327 /: The openhost() function used during command-line hostname processing by ntpq and ntpdc can write beyond its buffer limit.
Affects: All ntp-4 releases up to, but not including 4.2.8p12, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p12 and 4.3.94.
CVSS2: LOW 1.7 – (AV:L/AC:L/Au:S/C:P/I:N/A:N)
CVSS3: LOW 2.8 – (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
Summary: The openhost() function used by ntpq and ntpdc is vulnerable to a buffer overflow. This means that if one is able to provide ntpq or ntpdc with an excessively large hostname on the command line or a carefully-crafted byte stream, ntpq or ntpdc will suffer from the usual stack overflow problems.
Mitigation: Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
Credit: Reported by Fakhri Zulkifli.

This release also provides 27 minor bug and documentation fixes and 4 other improvements.

E-Notification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

2018 Aug 29: Added CVE-2018-7170 to Bug Sec3012
2018 Aug 14: Public release
2018 Jul 25: Release to Advance Security Partners
2018 Jun 6: Sec 3505 reported
2018 May 25: Sec 3012 noepeer reported

Network Time Foundation is Improving its NTP Project Security with NTS – Network Time Security Project – read our latest blog

Previous Vulnerabilities

February 2018 ntp-4.2.8p11

March 2017 ntp-4.2.8p10

November 2016 ntp-4.2.8p9

June 2016 ntp-4.2.8p8

April 2016 ntp-4.2.8p7

January 2016 -p6

January 2016 -p5

October 2015

June 2015

April 2015

December 2014

2010 and Older