This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:
NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3389 / CVE-2017-6464 / VU#325339
Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary:
A vulnerability found in the NTP server makes it possible for an
authenticated remote user to crash ntpd via a malformed mode
configuration directive.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Credit:
This weakness was discovered by Cure53.
NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
Date Resolved: 21 Mar 2017
References: Sec 3388 / CVE-2017-6462 / VU#325339
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
Summary:
There is a potential for a buffer overflow in the legacy Datum
Programmable Time Server refclock driver. Here the packets are
processed from the /dev/datum device and handled in
datum_pts_receive(). Since an attacker would be required to
somehow control a malicious /dev/datum device, this does not
appear to be a practical attack and renders this issue "Low" in
terms of severity.
Mitigation:
If you have a Datum reference clock installed and think somebody
may maliciously change the device, upgrade to 4.2.8p10, or
later, from the NTP Project Download Page or the NTP Public
Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Credit:
This weakness was discovered by Cure53.
NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3387 / CVE-2017-6463 / VU#325339
Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary:
A vulnerability found in the NTP server allows an authenticated
remote attacker to crash the daemon by sending an invalid setting
via the :config directive. The unpeer option expects a number or
an address as an argument. In case the value is "0", a
segmentation fault occurs.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Credit:
This weakness was discovered by Cure53.
NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
Date Resolved: 21 Mar 2017
References: Sec 3386
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
Summary:
The NTP Mode 6 monitoring and control client, ntpq, uses the
function ntpq_stripquotes() to remove quotes and escape characters
from a given string. According to the documentation, the function
is supposed to return the number of copied bytes but due to
incorrect pointer usage this value is always zero. Although the
return value of this function is never used in the code, this
flaw could lead to a vulnerability in the future. Since relying
on wrong return values when performing memory operations is a
dangerous practice, it is recommended to return the correct value
in accordance with the documentation pertinent to the code.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Date Resolved: 21 Mar 2017
References: Sec 3385
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
Summary:
NTP makes use of several wrappers around the standard heap memory
allocation functions that are provided by libc. This is mainly
done to introduce additional safety checks concentrated on
several goals. First, they seek to ensure that memory is not
accidentally freed, secondly they verify that a correct amount
is always allocated and, thirdly, that allocation failures are
correctly handled. There is an additional implementation for
scenarios where memory for a specific amount of items of the
same size needs to be allocated. The handling can be found in
the oreallocarray() function for which a further number-of-elements
parameter needs to be provided. Although no considerable threat
was identified as tied to a lack of use of this function, it is
recommended to correctly apply oreallocarray() as a preferred
option across all of the locations where it is possible.
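The element-count allocation wrapper described above, as an added example that is not NTP's oreallocarray(): checked_reallocarray() (a hypothetical name) refuses to form nmemb * size when the product would wrap, which is the mistake a separate number-of-elements parameter exists to catch, and grow_u32_table() is a constructed caller showing the wrapper used to double a table without ever computing an unchecked byte count.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical reallocarray-style wrapper (not NTP's oreallocarray()).
 * Rejects the call when nmemb * size would overflow size_t; otherwise
 * behaves like realloc(ptr, nmemb * size). Returns NULL with errno set
 * to ENOMEM on overflow or allocation failure. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    /* Division instead of multiplication, so the check itself cannot wrap. */
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* Constructed caller: grow a table of uint32_t to twice its capacity using
 * the checked wrapper. Returns 0 on success; on failure returns -1 and
 * leaves *table and *capacity untouched so the caller still owns a valid
 * (smaller) table. */
int grow_u32_table(uint32_t **table, size_t *capacity)
{
    size_t new_cap = (*capacity == 0) ? 8 : *capacity * 2;
    uint32_t *p;

    if (new_cap < *capacity) {          /* the doubling itself wrapped */
        errno = ENOMEM;
        return -1;
    }
    p = checked_reallocarray(*table, new_cap, sizeof **table);
    if (p == NULL)
        return -1;
    *table = p;
    *capacity = new_cap;
    return 0;
}
```

Callers that multiply nmemb by size themselves and pass the product to a plain realloc() wrapper lose this check, which is why the advisory recommends routing every such allocation through the element-count variant.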
Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Credit:
This weakness was discovered by Cure53.
NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
Date Resolved: 21 Mar 2017
References: Sec 3384 / CVE-2017-6455 / VU#325339
Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
including ntp-4.3.94.
CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary:
The Windows NT port has the added capability to preload DLLs
defined in the inherited global local environment variable
PPSAPI_DLLS. The code contained within those libraries is then
called from the NTPD service, usually running with elevated
privileges. Depending on how securely the machine is set up and
configured, if ntpd is configured to use the PPSAPI under Windows
this can easily lead to code injection.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Credit:
This weakness was discovered by Cure53.
NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
Date Resolved: 21 Mar 2017
References: Sec 3383 / CVE-2017-6452 / VU#325339
Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
to, but not including ntp-4.3.94.
CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
Summary:
The Windows installer for NTP calls strcat(), blindly appending
the string passed to the stack buffer in the addSourceToRegistry()
function. The stack buffer is 70 bytes smaller than the buffer
in the calling main() function. Together with the initially
copied Registry path, the combination causes a stack buffer
overflow and effectively overwrites the stack frame. The
passed application path is actually limited to 256 bytes by the
operating system, but this is not sufficient to assure that the
affected stack buffer is consistently protected against
overflowing at all times.
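The strcat() pattern described above next to a bounded replacement, as an added example that is not the installer's source: the registry prefix, buffer sizes and function names are constructed placeholders (the advisory gives only the 70-byte difference and the 256-byte OS limit, not the actual path or sizes). add_source_unsafe() shows the unbounded append; build_registry_path() measures both parts against the destination before writing and fails instead of overflowing.

```c
#include <stddef.h>
#include <string.h>

/* Constructed registry prefix; the installer's real path is not in the
 * advisory, so this is a placeholder. */
#define REG_PATH_PREFIX "HYPOTHETICAL\\Registry\\Path\\"

/* Vulnerable pattern (illustration only, not the installer's code): the local
 * buffer is smaller than what the caller allows for appname, and strcat()
 * does not know the buffer size, so a long name runs past the end of the
 * stack frame. Kept only to show the defect; nothing here calls it. */
void add_source_unsafe(const char *appname)
{
    char path[64];

    strcpy(path, REG_PATH_PREFIX);
    strcat(path, appname);          /* unbounded append: overflows on long names */
    (void)path;
}

/* Hardened form: check prefix + name + NUL against outsize before any copy.
 * Returns the length of the path written, or -1 if it would not fit, so the
 * caller gets a clean error instead of a corrupted frame. */
int build_registry_path(char *out, size_t outsize, const char *appname)
{
    size_t plen = strlen(REG_PATH_PREFIX);
    size_t alen = strlen(appname);

    if (outsize == 0 || alen > outsize - 1 || plen > outsize - 1 - alen)
        return -1;                  /* would exceed the destination */
    memcpy(out, REG_PATH_PREFIX, plen);
    memcpy(out + plen, appname, alen + 1);   /* +1 copies the NUL */
    return (int)(plen + alen);
}
```

Note that an operating-system limit on the argument (256 bytes here) is a property of the caller's environment, not of the buffer; the bounded version is correct for any outsize because the check is tied to the destination rather than to an assumption about the input.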
Mitigation:
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Credit:
This weakness was discovered by Cure53.
NTP 4.2.8p10 (Harlan Stenn <stenn@…>, 2017/03/21)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
Plus others. See the NEWS file.