Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge pogo.udel.edu:../perlinger/ntp-stable-2891
into  psp-at1.ntp.org:/a/local/amd/amd.stage/thump2-g3/export/ntp/home/stenn/ntp-stable-p6+
  • Loading branch information
Unknown committed Jan 14, 2016
2 parents 6947f38 + 33af7da commit 5e16a06
Show file tree
Hide file tree
Showing 121 changed files with 1,253 additions and 584 deletions.
29 changes: 24 additions & 5 deletions ChangeLog
@@ -1,5 +1,24 @@
---

* [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode. HStenn.
* [Sec 2937] ntpq: nextvar() missing length check. perlinger@ntp.org
* [Sec 2938] ntpq saveconfig command allows dangerous characters
in filenames. perlinger@ntp.org
* [Sec 2939] reslist NULL pointer dereference. perlinger@ntp.org
* [Sec 2940] Stack exhaustion in recursive traversal of restriction
list. perlinger@ntp.org
* [Sec 2945] Zero Origin Timestamp Bypass. perlinger@ntp.org
* [Sec 2948] Potential Infinite Loop in ntpq ( and ntpdc) perlinger@ntp.org
* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
- applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
(4.2.8p5) 2016/01/07 Released by Harlan Stenn <stenn@ntp.org>

* [Sec 2956] small-step/big-step. Close the panic gate earlier. HStenn.
* CID 1339955: Free allocated memory in caljulian test. HStenn.
* CID 1339962: Explicitly initialize variable in caljulian test. HStenn.
Expand All @@ -17,16 +36,15 @@
* CID 1341681: Nits in sntp/tests/keyFile.c. HStenn.
* CID 1341682: Nit in libntp/authreadkeys.c. HStenn.
* CID 1341684: Nit in tests/ntpd/t-ntp_signd.c. HStenn.
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
- applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2829] Look at pipe_fds in ntpd.c (did so. perlinger@ntp.org)
* [Bug 2887] stratum -1 config results as showing value 99
- fudge stratum should only accept values [0..16]. perlinger@ntp.org
- fudge stratum only accepts values [0..16]. perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
- applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Symmetric active/passive mode is broken. HStenn.
* [Bug 2954] Version 4.2.8p4 crashes on startup with sig fault
- fixed data race conditions in threaded DNS worker. perlinger@ntp.org
- limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
Expand Down Expand Up @@ -54,9 +72,10 @@
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
* Update the NEWS file. Harlan Stenn.
* Update scripts/calc_tickadj/Makefile.am. Harlan Stenn.

---
(4.2.8p4) 2015/10/21 Released by Harlan Stenn <stenn@ntp.org>
(4.2.8p4-RC1) 2015/10/06 Released by Harlan Stenn <stenn@ntp.org>

* [Sec 2899] CVE-2014-9297 perlinger@ntp.org
* [Sec 2901] Drop invalid packet before checking KoD. Check for all KoD's.
Expand Down
277 changes: 274 additions & 3 deletions NEWS
@@ -1,7 +1,278 @@
---

NTP 4.2.8p6

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following X low- and Y medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.XX) 19 Jan 2016
References: Sec 2548 / CVE-2015-8158
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.XX
CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
The loop's only stopping conditions are receiving a complete and
correct response or hitting a small number of error conditions.
If the packet contains incorrect values that don't trigger one of
the error conditions, the loop continues to receive new packets.
Note well, this is an attack against an instance of 'ntpq', not
'ntpd', and this attack requires the attacker to do one of the
following:
* Own a malicious NTP server that the client trusts
* Prevent a legitimate NTP server from sending packets to
the 'ntpq' client
* MITM the 'ntpq' communications between the 'ntpq' client
and the NTP server
Mitigation:
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.XX) 19 Jan 2016
References: Sec 2545 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.XX
CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
(3.7 - LOW if you score AC:L)
Summary: To distinguish legitimate peer responses from forgeries, a
client attempts to verify a response packet by ensuring that the
origin timestamp in the packet matches the origin timestamp it
transmitted in its last request. A logic error exists that
allows packets with an origin timestamp of zero to bypass this
check whenever there is not an outstanding request to the server.
Mitigation:
Configure 'ntpd' to get time from multiple sources.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd= instances.
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2940 / CVE-2015-7978
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.XX
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by exhausting the call stack.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* reslist NULL pointer dereference
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2939 / CVE-2015-7977
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.XX
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by causing a NULL pointer dereference.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
the NTP Public Services Project Download Page.
If you are unable to upgrade:
mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2938 / CVE-2015-7976
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.XX
CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
Summary: The ntpq saveconfig command does not do adequate filtering
of special characters from the supplied filename.
Note well: The ability to use the saveconfig command is controlled
by the 'restrict nomodify' directive, and the recommended default
configuration is to disable this capability. If the ability to
execute a 'saveconfig' is required, it can easily (and should) be
limited and restricted to a known small number of IP addresses.
Mitigation:
Implement BCP-38.
use 'restrict default nomodify' in your 'ntp.conf' file.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
If you are unable to upgrade:
build NTP with 'configure --disable-saveconfig' if you will
never need this capability, or
use 'restrict default nomodify' in your 'ntp.conf' file. Be
careful about what IPs have the ability to send 'modify'
requests to 'ntpd'.
Monitor your ntpd instances.
'saveconfig' requests are logged to syslog - monitor your syslog files.
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2937 / CVE-2015-7975
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.XX
CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
If you score A:C, this becomes 4.0.
CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
Summary: ntpq may call nextvar() which executes a memcpy() into the
name buffer without a proper length check against its maximum
length of 256 bytes. Note well that we're taking about ntpq here.
The usual worst-case effect of this vulnerability is that the
specific instance of ntpq will crash and the person or process
that did this will have stopped themselves.
Mitigation:
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
If you have scripts that feed input to ntpq make sure there are
some sanity checks on the input received from the "outside".
This is potentially more dangerous if ntpq is run as root.
Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Deja Vu: Replay attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2935 / CVE-2015-7973
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.XX
CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
Summary: If an NTP network is configured for broadcast operations then
either a man-in-the-middle attacker or a malicious participant
that has the same trusted keys as the victim can replay time packets.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
Don't use broadcast mode if you cannot monitor your client servers.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra of Boston
University.

---

NTP 4.2.8p5

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step. Close the panic gate earlier.
References: Sec 2956, CVE-2015-5300
Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
4.3.0 up to, but not including 4.3.78
CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
Summary: If ntpd is always started with the -g option, which is
common and against long-standing recommendation, and if at the
moment ntpd is restarted an attacker can immediately respond to
enough requests from enough sources trusted by the target, which
is difficult and not common, there is a window of opportunity
where the attacker can cause ntpd to set the time to an
arbitrary value. Similarly, if an attacker is able to respond
to enough requests from enough sources trusted by the target,
the attacker can cause ntpd to abort and restart, at which
point it can tell the target to set the time to an arbitrary
value if and only if ntpd was re-started against long-standing
recommendation with the -g flag, or if ntpd was not given the
-g flag, the attacker can move the target system's time by at
most 900 seconds' time per attack.
Mitigation:
Configure ntpd to get time from multiple sources.
Upgrade to 4.2.8p5, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
As we've long documented, only use the -g option to ntpd in
cold-start situations.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra,
Isaac E. Cohen, and Sharon Goldberg at Boston University.

NOTE WELL: The -g flag disables the limit check on the panic_gate
in ntpd, which is 900 seconds by default. The bug identified by
the researchers at Boston University is that the panic_gate
check was only re-enabled after the first change to the system
clock that was greater than 128 milliseconds, by default. The
correct behavior is that the panic_gate check should be
re-enabled after any initial time correction.

If an attacker is able to inject consistent but erroneous time
responses to your systems via the network or "over the air",
perhaps by spoofing radio, cellphone, or navigation satellite
transmissions, they are in a great position to affect your
system's clock. There comes a point where your very best
defenses include:

Configure ntpd to get time from multiple sources.
Monitor your ntpd instances.

Other fixes:

* Coverity submission process updated from Coverity 5 to Coverity 7.
The NTP codebase has been undergoing regular Coverity scans on an
ongoing basis since 2006. As part of our recent upgrade from
Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
- fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
- applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
- fixed data race conditions in threaded DNS worker. perlinger@ntp.org
- limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
- accept key file only if there are no parsing errors
- fixed size_t/u_int format clash
- fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
- fixed several other warnings (cast-alignment, missing const, missing prototypes)
- promote use of 'size_t' for values that express a size
- use ptr-to-const for read-only arguments
- make sure SOCKET values are not truncated (win32-specific)
- format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
- fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.

---
NTP 4.2.8p4

Focus: Security, Bug fies, enhancements.
Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

Expand Down Expand Up @@ -339,8 +610,8 @@ Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
While the general default of 32M is still the case, under Linux
the default value has been changed to -1 (do not lock ntpd into
While the general default of 32M is still the case, under Linux
the default value has been changed to -1 (do not lock ntpd into
memory). A value of 0 means "lock ntpd into memory with whatever
memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
value in it, that value will continue to be used.
Expand Down
4 changes: 3 additions & 1 deletion include/ntp.h
Expand Up @@ -350,6 +350,7 @@ struct peer {
l_fp dst; /* destination timestamp */
l_fp aorg; /* origin timestamp */
l_fp borg; /* alternate origin timestamp */
l_fp bxmt; /* most recent broadcast transmit timestamp */
double offset; /* peer clock offset */
double delay; /* peer roundtrip delay */
double jitter; /* peer jitter (squares) */
Expand Down Expand Up @@ -382,7 +383,8 @@ struct peer {
* Statistic counters
*/
u_long timereset; /* time stat counters were reset */
u_long timereceived; /* last packet received time */
u_long timelastrec; /* last packet received time */
u_long timereceived; /* last (clean) packet received time */
u_long timereachable; /* last reachable/unreachable time */

u_long sent; /* packets sent */
Expand Down
15 changes: 12 additions & 3 deletions libntp/systime.c
Expand Up @@ -323,9 +323,18 @@ adj_systime(
else
quant = 1e-6;
ticks = (long)(dtemp / quant + .5);
adjtv.tv_usec = (long)(ticks * quant * 1e6);
dtemp -= adjtv.tv_usec / 1e6;
sys_residual = dtemp;
adjtv.tv_usec = (long)(ticks * quant * 1.e6 + .5);
/* The rounding in the conversions could us push over the
* limits: make sure the result is properly normalised!
* note: sign comes later, all numbers non-negative here.
*/
if (adjtv.tv_usec >= 1000000) {
adjtv.tv_sec += 1;
adjtv.tv_usec -= 1000000;
dtemp -= 1.;
}
/* set the new residual with leftover from correction */
sys_residual = dtemp - adjtv.tv_usec * 1.e-6;

/*
* Convert to signed seconds and microseconds for the Unix
Expand Down
2 changes: 1 addition & 1 deletion ntpd/invoke-ntp.conf.texi
Expand Up @@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi)
#
# It has been AutoGen-ed October 21, 2015 at 12:38:16 PM by AutoGen 5.18.5
# It has been AutoGen-ed January 7, 2016 at 11:30:49 PM by AutoGen 5.18.5
# From the definitions ntp.conf.def
# and the template file agtexi-file.tpl
@end ignore
Expand Down

0 comments on commit 5e16a06

Please sign in to comment.