NTP BUG 3067: Fix for bug 2085 broke initial sync calculations

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved 4.2.8p9 21 Nov 2016
References Bug 3067 CVE-2016-7433
Affects ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94. But the root-distance calculation in general is incorrect in all versions of ntp-4 until this release. Resolved in 4.2.8p9.
CVSS2 Score LOW 1.2 AV:L/AC:H/Au:N/C:N/I:N/A:P
CVSS3 Score LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Description

Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulae have been reviewed and reconciled, and the code has been updated accordingly.


Mitigation


Credit

This weakness was discovered independently by Brian Utterback of Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.


Timeline