Security


Notification Policy

When we discover a security vulnerability in NTP, we follow our Phased Vulnerability Process, which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally making a public announcement.

Institutional Members receive advance notification of security vulnerabilities.


Security Patch Policy

When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.

Premier and Partner Members receive early access to security patches.


Reporting Security Issues

Security-related bugs, confirmed or suspected, are to be reported by email to security@ntp.org.

Do not disclose details in unencrypted email. We will exchange PGP keys for further discussion.

You can use our NTP Security Officer Key for reporting issues you have verified as security-related.

Please refrain from discussing potential security issues in public fora such as comp.protocols.time.ntp, our Bug Tracking system, bugs@ntp.org, or any mailing list.


Known Vulnerabilities by Release Version

The following releases provided fixes for at least one security vulnerability. The table for each release provides an entry for each security issue (click its hyperlink to read the details for the vulnerability), indicates the issue’s severity, and provides the dates of advance notification to institutional members, advance release to premier and partner institutional members, and public release.

Refer to the Release Timeline for a complete list of all releases, their public release dates, release announcements, and changelogs.

4.2.8p15

Security Issue Severity Advance Notification Advance Release Public Release
3661: Memory leak with CMAC keys MEDIUM 2020 Apr 07 2020 Apr 12 2020 Jun 23

4.2.8p14

Security Issue Severity Advance Notification Advance Release Public Release
3610: process_control() should bail earlier on short packets NONE 2019 Jun 05 2020 Feb 17 2020 Mar 03
3596: Unauthenticated and unmonitored ntpd may be susceptible to IPv4 attack from highly predictable transmit timestamps MEDIUM
3592: DoS Attack on Unauthenticated Client MEDIUM

4.2.8p13

Security Issue Severity Advance Notification Advance Release Public Release
3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet MEDIUM 2019 Jan 16 2019 Feb 20 2019 Mar 07

4.2.8p12

Security Issue Severity Advance Notification Advance Release Public Release
3505: NTPQ/NTPDC: Buffer Overflow in openhost() LOW 2018 Jul 25 2018 Aug 14
3012: Sybil vulnerability: ephemeral association attack LOW/MEDIUM

4.2.8p11

Security Issue Severity Advance Notification Advance Release Public Release
3454: Unauthenticated packet can reset authenticated interleaved association LOW/MEDIUM 2018 Jan 23 2018 Feb 12 2018 Feb 27
3453: Interleaved symmetric mode cannot recover from bad state LOW
3415: Provide a way to prevent authenticated symmetric passive peering LOW
3414: ntpq: decodearr() can write beyond its ‘buf’ limits MEDIUM
3412: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak INFO/MEDIUM
3012: Sybil vulnerability: ephemeral association attack LOW/MEDIUM

4.2.8p10

Security Issue Severity Advance Notification Advance Release Public Release
3389: Denial of Service via Malformed Config MEDIUM 2017 Mar 21
3388: Buffer Overflow in DPTS Clock LOW
3387: Authenticated DoS via Malicious Config Option MEDIUM
3386: ntpq_stripquotes() returns incorrect value INFO
3385: ereallocarray() / eallocarray() underused INFO
3384: Privileged execution of User Library code (Windows PPSAPI Only) LOW
3383: Stack Buffer Overflow from Command Line (Windows Installer Only) LOW
3382: Data Structure terminated insufficiently (Windows Installer Only) LOW
3381: Copious amounts of Unused Code INFO
3380: Off-by-one in Oncore GPS Receiver LOW
3379: Potential Overflows in ctl_put() functions MEDIUM
3378: Improper use of snprintf() in mx4200_send() LOW
3377: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd MEDIUM
3376: Makefile does not enforce Security Flags INFO
3361: 0rigin DoS MEDIUM

4.2.8p9

Security Issue Severity Advance Notification Advance Release Public Release
3119: Mode 6 unauthenticated trap information disclosure and DDoS vector MEDIUM 2016 Nov 21
3118: Mode 6 unauthenticated trap information disclosure and DDoS vector MEDIUM
3114: Broadcast Mode Replay Prevention DoS LOW/MEDIUM
3113: Broadcast Mode Poll Interval Enforcement DoS LOW/MEDIUM
3110: Windows: ntpd DoS by oversized UDP packet HIGH
3102: Zero Origin timestamp regression MEDIUM
3082: read_mru_list() does inadequate incoming packet checks LOW
3072: Attack on interface selection LOW
3071: Client rate limiting and server responses LOW
3067: Fix for bug 2085 broke initial sync calculations LOW

4.2.8p8

Security Issue Severity Advance Notification Advance Release Public Release
3046: CRYPTO_NAK crash HIGH 2016 Jun 02
3045: Bad authentication demobilizes ephemeral associations LOW
3044: Processing spoofed server packets LOW
3043: Autokey association reset LOW
3042: Broadcast interleave LOW

4.2.8p7

Security Issue Severity Advance Notification Advance Release Public Release
3020: Refclock impersonation vulnerability LOW 2016 Apr 26
3011: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd MEDIUM
3010: remote configuration trustedkey/requestkey/controlkey values are not properly validated MEDIUM
3009: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC LOW
3008: ctl_getitem() return value not always checked MEDIUM
3007: CRYPTO-NAK DoS MEDIUM/LOW
2978: Interleave-pivot MEDIUM
2952: Original fix for NTP Bug 2901 broke peer associations
2946: Origin Leak: ntpq and ntpdc Disclose Origin Timestamp to Unauthenticated Clients MEDIUM
2879: Improve NTP security against buffer comparison timing attacks LOW/MEDIUM

4.2.8p6

Security Issue Severity Advance Notification Advance Release Public Release
2948: Potential Infinite Loop in ntpq MEDIUM 2016 Jan 19
2947: ntpq protocol vulnerable to replay attacks MEDIUM
2945: 0rigin: Zero Origin Timestamp Bypass MEDIUM
2942: Off-path Denial of Service (DoS) attack on authenticated broadcast mode MEDIUM
2940: Stack exhaustion in recursive traversal of restriction list MEDIUM
2939: reslist NULL pointer dereference MEDIUM
2938: ntpq saveconfig command allows dangerous characters in filenames MEDIUM
2937: nextvar() missing length check in ntpq LOW
2936: Skeleton Key: Any trusted key system can serve time HIGH
2935: Deja Vu: Replay attack on authenticated broadcast mode MEDIUM

4.2.8p5

Security Issue Severity Advance Notification Advance Release Public Release
2956: Small-step/big-step MEDIUM 2016 Jan 07

4.2.8p4

Security Issue Severity Advance Notification Advance Release Public Release
2941: NAK to the Future: Symmetric association authentication bypass via crypto-NAK LOW 2015 Oct 21
2922: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values HIGH
2921: TALOS-CAN-0065: Password Length Memory Corruption Vulnerability HIGH
2920: TALOS-CAN-0064: Invalid length data provided by a custom refclock driver could cause a buffer overflow HIGH
2919: TALOS-CAN-0063: ntpq atoascii() potential memory corruption HIGH
2918: TALOS-CAN-0062: Potential path traversal vulnerability in the config file saving of ntpd on VMS HIGH
2917: TALOS-CAN-0055: Infinite loop if extended logging enabled and the logfile and keyfile are the same HIGH
2916: TALOS-CAN-0054: memory corruption in password store HIGH
2913: TALOS-CAN-0052: mode 7 loop counter underrun HIGH
2909: Slow memory leak in CRYPTO_ASSOC HIGH
2902: Configuration directives to change “pidfile” and “driftfile” should only be allowed locally HIGH
2901: Clients that receive a KoD should validate the origin timestamp field MEDIUM
2899: Incomplete autokey data packet length checks HIGH

4.2.8p3

Security Issue Severity Advance Notification Advance Release Public Release
2853: ntpd control message crash: Crafted NUL-byte in configuration directive 2015 Jun 22 2015 Jun 24 2015 Jun 29

4.2.8p2

Security Issue Severity Advance Notification Advance Release Public Release
2781: Authentication doesn’t protect symmetric associations against DoS attacks 2015 Mar 15 2015 Mar 22 2015 Apr 7
2779: ntpd accepts unauthenticated packets with symmetric key crypto

4.2.8p1

Security Issue Severity Advance Notification Advance Release Public Release
2672: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed 2015 Feb 04
2671: vallen is not validated in several places in ntp_crypto.c, leading to a potential info leak or possibly crashing ntpd LOW

4.2.8

Security Issue Severity Advance Notification Advance Release Public Release
2670: receive(): missing return on error 2014 Dec 18
2669: Buffer overflow in configure()
2668: Buffer overflow in ctl_putdata()
2667: Buffer overflow in crypto_recv()

4.2.7p230

Security Issue Severity Advance Notification Advance Release Public Release
2666: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys 2011 Nov 1

4.2.7p26

Security Issue Severity Advance Notification Advance Release Public Release
1532: DRDoS / Amplification Attack using ntpdc monlist command 2010 Apr 24

4.2.7p11

Security Issue Severity Advance Notification Advance Release Public Release
2665: Weak default key in config_auth() 2010 Jan 28

4.2.6

Security Issue Severity Advance Notification Advance Release Public Release
1331: DoS attack from certain NTP mode 7 packets 2009 Dec 8

4.2.4p7

Security Issue Severity Advance Notification Advance Release Public Release
1151: Remote exploit if autokey is enabled 2009 Mar 4

4.2.4p5

Security Issue Severity Advance Notification Advance Release Public Release
Multiple OpenSSL signature verification API misuse 2009 Jan 8