Security

Notification Policy

When we discover a security vulnerability in NTP, we follow our Phased Vulnerability Process, which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally making a public announcement.

Institutional Members receive advance notification of security vulnerabilities.





Security Patch Policy

When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.

Premier and Partner Members receive early access to security patches.





Reporting Security Issues

If you find a security vulnerability in the NTP codebase, please report it by PGP-encrypted email to the NTF Security Officer Team. You can use our NTF Security Officer PGP Key. Please refrain from discussing potential security issues in any mailing lists or public forums.

NOTE: Non-code vulnerabilities (such as a website issue) should instead be reported to webmaster. Issues for subdomains of "pool.ntp.org" should be reported to the NTP Pool Project.


Known Vulnerabilities by Release Version

The following releases provided fixes for at least one security vulnerability. The table for each release provides an entry for each security issue (click its hyperlink to read the details for the vulnerability), indicates the issue’s severity, and provides the dates of advance notification to institutional members, advance release to premier and partner institutional members, and public release.

Refer to the Release Timeline for a complete list of all releases, their public release dates, release announcements, and changelogs.

Release Version:

4.2.8p16

Security Issue Severity
3808: ntpq will abort with an assertion failure given a malformed RT-11 date NONE
3807: praecis_parse() in ntpd/refclock_palisade.c can write out-of-bounds LOW
3806: libntp/mstolfp() needs bounds checking LOW
3767: An out-of-bounds KoD RATE ppoll value triggers an assertion abort in debug-enabled ntpd LOW

4.2.8p15

Security Issue Severity
3661: Memory leak with CMAC keys MEDIUM

4.2.8p14

Security Issue Severity
3610: process_control() should bail earlier on short packets NONE
3596: Unauthenticated and unmonitored ntpd may be susceptible to IPv4 attack from highly predictable transmit timestamps MEDIUM
3592: DoS Attack on Unauthenticated Client MEDIUM

4.2.8p13

Security Issue Severity
3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet MEDIUM

4.2.8p12

Security Issue Severity
3505: NTPQ/NTPDC: Buffer Overflow in openhost() LOW
3012: Sybil vulnerability: ephemeral association attack LOW/MEDIUM

4.2.8p11

Security Issue Severity
3454: Unauthenticated packet can reset authenticated interleaved association LOW/MEDIUM
3453: Interleaved symmetric mode cannot recover from bad state LOW
3415: Provide a way to prevent authenticated symmetric passive peering LOW
3414: ntpq: decodearr() can write beyond its ‘buf’ limits MEDIUM
3412: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak INFO/MEDIUM
3012: Sybil vulnerability: ephemeral association attack LOW/MEDIUM

4.2.8p10

Security Issue Severity
3389: Denial of Service via Malformed Config MEDIUM
3388: Buffer Overflow in DPTS Clock LOW
3387: Authenticated DoS via Malicious Config Option MEDIUM
3386: ntpq_stripquotes() returns incorrect value INFO
3385: ereallocarray() / eallocarray() underused INFO
3384: Privileged execution of User Library code (Windows PPSAPI Only) LOW
3383: Stack Buffer Overflow from Command Line (Windows Installer Only) LOW
3382: Data Structure terminated insufficiently (Windows Installer Only) LOW
3381: Copious amounts of Unused Code INFO
3380: Off-by-one in Oncore GPS Receiver LOW
3379: Potential Overflows in ctl_put() functions MEDIUM
3378: Improper use of snprintf() in mx4200_send() LOW
3377: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd MEDIUM
3376: Makefile does not enforce Security Flags INFO
3361: 0rigin DoS MEDIUM

4.2.8p9

Security Issue Severity
3119: Mode 6 unauthenticated trap information disclosure and DDoS vector MEDIUM
3118: Mode 6 unauthenticated trap information disclosure and DDoS vector MEDIUM
3114: Broadcast Mode Replay Prevention DoS LOW/MEDIUM
3113: Broadcast Mode Poll Interval Enforcement DoS LOW/MEDIUM
3110: Windows: ntpd DoS by oversized UDP packet HIGH
3102: Zero Origin timestamp regression MEDIUM
3082: read_mru_list() does inadequate incoming packet checks LOW
3072: Attack on interface selection LOW
3071: Client rate limiting and server responses LOW
3067: Fix for bug 2085 broke initial sync calculations LOW

4.2.8p8

Public Release: 2016 Jun 02

Security Issue Severity
3046: CRYPTO_NAK crash HIGH
3045: Bad authentication demobilizes ephemeral associations LOW
3044: Processing spoofed server packets LOW
3043: Autokey association reset LOW
3042: Broadcast interleave LOW

4.2.8p7

Security Issue Severity
3020: Refclock impersonation vulnerability LOW
3011: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd MEDIUM
3010: remote configuration trustedkey/requestkey/controlkey values are not properly validated MEDIUM
3009: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC LOW
3008: ctl_getitem() return value not always checked MEDIUM
3007: CRYPTO-NAK DoS MEDIUM/LOW
2978: Interleave-pivot MEDIUM
2952: Original fix for NTP Bug 2901 broke peer associations MEDIUM
2946: Origin Leak: ntpq and ntpdc Disclose Origin Timestamp to Unauthenticated Clients MEDIUM
2879: Improve NTP security against buffer comparison timing attacks LOW/MEDIUM

4.2.8p6

Security Issue Severity
2948: Potential Infinite Loop in ntpq MEDIUM
2947: ntpq protocol vulnerable to replay attacks MEDIUM
2945: 0rigin: Zero Origin Timestamp Bypass MEDIUM
2942: Off-path Denial of Service (DoS) attack on authenticated broadcast mode MEDIUM
2940: Stack exhaustion in recursive traversal of restriction list MEDIUM
2939: reslist NULL pointer dereference MEDIUM
2938: ntpq saveconfig command allows dangerous characters in filenames MEDIUM
2937: nextvar() missing length check in ntpq LOW
2936: Skeleton Key: Any trusted key system can serve time HIGH
2935: Deja Vu: Replay attack on authenticated broadcast mode MEDIUM

4.2.8p5

Security Issue Severity
2956: Small-step/big-step MEDIUM

4.2.8p4

Security Issue Severity
2941: NAK to the Future: Symmetric association authentication bypass via crypto-NAK LOW
2922: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values HIGH
2921: TALOS-CAN-0065: Password Length Memory Corruption Vulnerability HIGH
2920: TALOS-CAN-0064: Invalid length data provided by a custom refclock driver could cause a buffer overflow HIGH
2919: TALOS-CAN-0063: ntpq atoascii() potential memory corruption HIGH
2918: TALOS-CAN-0062: Potential path traversal vulnerability in the config file saving of ntpd on VMS HIGH
2917: TALOS-CAN-0055: Infinite loop if extended logging enabled and the logfile and keyfile are the same HIGH
2916: TALOS-CAN-0054: memory corruption in password store HIGH
2913: TALOS-CAN-0052: mode 7 loop counter underrun HIGH
2909: Slow memory leak in CRYPTO_ASSOC HIGH
2902: Configuration directives to change “pidfile” and “driftfile” should only be allowed locally HIGH
2901: Clients that receive a KoD should validate the origin timestamp field MEDIUM
2899: Incomplete autokey data packet length checks HIGH

4.2.8p3

Security Issue Severity
2853: ntpd control message crash: Crafted NUL-byte in configuration directive LOW

4.2.8p2

Security Issue Severity
2781: Authentication doesn’t protect symmetric associations against DoS attacks MEDIUM
2779: ntpd accepts unauthenticated packets with symmetric key crypto LOW

4.2.8p1

Security Issue Severity
2672: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed MEDIUM
2671: vallen is not validated in several places in ntp_crypto.c, leading to a potential info leak or possibly crashing ntpd LOW

4.2.8

Security Issue Severity
2670: receive(): missing return on error MEDIUM
2669: Buffer overflow in configure() HIGH
2668: Buffer overflow in ctl_putdata() HIGH
2667: Buffer overflow in crypto_recv() HIGH

4.2.7p230

Security Issue Severity
2666: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys HIGH

4.2.7p26

Security Issue Severity
1532: DRDoS / Amplification Attack using ntpdc monlist command MEDIUM

4.2.7p11

Security Issue Severity
2665: Weak default key in config_auth() HIGH

4.2.6

Security Issue Severity
1331: DoS attack from certain NTP mode 7 packets MEDIUM

4.2.4p7

Security Issue Severity
1151: Remote exploit if autokey is enabled MEDIUM

4.2.4p5

Security Issue Severity
Multiple OpenSSL signature verification API misuse MEDIUM