NTF Security Policy and Procedures for NTP

Latest Resolved Issues March 2017 ntp-4.2.8p10 Security Announcement Released on 21 March 2017 This latest version addresses the following: 6 MEDIUM security vulnerabilities 4 LOW security vulnerabilities 5 INFORMATIONAL security vulnerabilities 15 non-security fixes and improvements All of the security issues in the release are included in VU#325539. All the Cure53 discovered bugs used Pentest report 01.2017. Sec 3389 / CVE-2017-6464 / MEDIUM: Denial of Service via Malformed Config Reported by Cure53. Sec 3388 / CVE-2017-6462 / LOW: Buffer Overflow in DPTS Clock Reported by Cure53. Sec 3387 / CVE-2017-6463 / MEDIUM: Authenticated DoS via Malicious Config Option Reported by Cure53. Sec 3384 / CVE-2017-6455 / MEDIUM: Windows: Privileged execution of User Library code Reported by Cure53. Sec 3383 / CVE-2017-6452 / LOW: Windows Installer: Stack Buffer Overflow from Command Line Reported by Cure53. Sec 3382 / CVE-2017-6459 / LOW: Windows Installer: Data Structure terminated insufficiently Reported by Cure53. Sec 3379 / CVE-2017-6458 / MEDIUM: Potential Overflows in ctl_put() functions Reported by Cure53. Sec 3378 / CVE-2017-6451 / LOW: Improper use of snprintf() in mx4200_send() Reported by Cure53. Sec 3377 / CVE-2017-6460 / MEDIUM: Buffer Overflow in ntpq when fetching reslist Reported by Cure53. Sec 3361 / CVE-2016-9042 / MEDIUM: 0rigin DoS Reported by Matthew Van Gundy of Cisco ASIG.

Network Time Foundation is Improving its NTP Project Security with NTS – Network Time Security Project – read our latest blog

Notification Policy

When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally make a public announcement.

Security Patch Policy

When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.
For more information about our NTP Consortium and how to become a member, see (http://www.nwtime.org/membership/benefits/)

Reporting Security Issues

Security related bugs, confirmed or suspected, are to be reported by e-mail to security@ntp.org.
Do not disclose details with unencrypted email-we will exchange PGP keys for further discussion.

You can also use our NTP Security Officer Key, for reporting issues you have verified are security related.

Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet news-group, our Bug Tracking system, bugs@ntp.org, or any other mailing-list.

Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), replacing Autokey, and will soon be announcing the first production release of the NTP  “leaf node” client from the Ntimed Project.

For years NTF’s NTP Project has routinely submitted the NTP code base through Coverity’s security analysis scans and in 2015 we went from several hundred issues found — down to nine. That gives us a “defect density” rating of 0.05, or 1 defect detected for every 20,000 lines of code scanned. For comparison, the average defect density of other open source projects of our size category is 0.5, or one defect for every 2,000 lines of code.
NTF’s NTP Project code base has also been run through Veracode and HP’s Fortify on Demand (FoD).

We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so. You can learn about them from our bug database and ChangeLog file.

Previous Vulnerabilities

November 2016 ntp-4.2.8p9

June 2016 ntp-4.2.8p8

April 2016 ntp-4.2.8p7

January 2016 -p6

January 2016 -p5

October 2015

June 2015

April 2015

December 2014

2010 and Older