Security

Notification Policy

When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally making a public announcement.

Institutional Members receive advanced notification of security vulnerabilities.

Security Patch Policy

When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.

Premier and Partner Members receive early access to security patches.

Reporting Security Issues

Please report security related bugs by encrypted email to security@. You can use our NTP Security Officer Key.

Please refrain from discussing potential security issues in comp.protocols.time.ntp, our Bug Tracking system, bugs@ntp.org, or any mailing list.

Known Vulnerabilities by Release Version

The following releases provided fixes for at least one security vulnerability. The table for each release provides an entry for each security issue (click its hyperlink to read the details for the vulnerability), indicates the issue’s severity, and provides the dates of advance notification to institutional members, advance release to premier and partner institutional members, and public release.

Refer to the Release Timeline for a complete list of all releases, their public release dates, release announcements, and changelogs.

Release Version:

4.2.8p15
4.2.8p14
4.2.8p13
4.2.8p12
4.2.8p11
4.2.8p10
4.2.8p9
4.2.8p8
4.2.8p7
4.2.8p6
4.2.8p5
4.2.8p4
4.2.8p3
4.2.8p2
4.2.8p1
4.2.8
4.2.7p230
4.2.7p26
4.2.7p11
4.2.6
4.2.4p7
4.2.4p5

4.2.8p15

Security Issue	Severity	Advance Notification	Advance Release	Public Release
3661: Memory leak with CMAC keys	MEDIUM	2020 Apr 07	2020 Apr 12	2020 Jun 23

4.2.8p14

Security Issue	Severity	Advance Notification	Advance Release	Public Release
3610: `process_control()` should bail earlier on short packets	NONE	2019 Jun 05	2020 Feb 17	2020 Mar 03
3596: Unauthenticated and unmonitored `ntpd` may be susceptible to IPv4 attack from highly predictable transmit timestamps	MEDIUM
3592: DoS Attack on Unauthenticated Client	MEDIUM

4.2.8p13

Security Issue	Severity	Advance Notification	Advance Release	Public Release
3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet	MEDIUM	2019 Jan 16	2019 Feb 20	2019 Mar 07

4.2.8p12

Security Issue	Severity	Advance Notification	Advance Release	Public Release
3505: NTPQ/NTPDC: Buffer Overflow in `openhost()`	LOW		2018 Jul 25	2018 Aug 14
3012: Sybil vulnerability: ephemeral association attack	LOW/MEDIUM

4.2.8p11

Security Issue	Severity	Advance Notification	Advance Release	Public Release
3454: Unauthenticated packet can reset authenticated interleaved association	LOW/MEDIUM	2018 Jan 23	2018 Feb 12	2018 Feb 27
3453: Interleaved symmetric mode cannot recover from bad state	LOW
3415: Provide a way to prevent authenticated symmetric passive peering	LOW
3414: `ntpq: decodearr()` can write beyond its ‘buf’ limits	MEDIUM
3412: `ctl_getitem()`: buffer read overrun leads to undefined behavior and information leak	INFO/MEDIUM
3012: Sybil vulnerability: ephemeral association attack	LOW/MEDIUM

4.2.8p10

Security Issue	Severity	Public Release
3389: Denial of Service via Malformed Config	MEDIUM	2017 Mar 21
3388: Buffer Overflow in DPTS Clock	LOW
3387: Authenticated DoS via Malicious Config Option	MEDIUM
3386: `ntpq_stripquotes()` returns incorrect value	INFO
3385: `ereallocarray() / eallocarray()` underused	INFO
3384: Privileged execution of User Library code (Windows PPSAPI Only)	LOW
3383: Stack Buffer Overflow from Command Line (Windows Installer Only)	LOW
3382: Data Structure terminated insufficiently (Windows Installer Only)	LOW
3381: Copious amounts of Unused Code	INFO
3380: Off-by-one in Oncore GPS Receiver	LOW
3379: Potential Overflows in `ctl_put()` functions	MEDIUM
3378: Improper use of `snprintf()` in `mx4200_send()`	LOW
3377: Buffer Overflow in `ntpq` when fetching `reslist` from a malicious `ntpd`	MEDIUM
3376: `Makefile` does not enforce Security Flags	INFO
3361: 0rigin DoS	MEDIUM

4.2.8p9

Security Issue	Severity	Public Release
3119: Mode 6 unauthenticated trap information disclosure and DDoS vector	MEDIUM	2016 Nov 21
3118: Mode 6 unauthenticated trap information disclosure and DDoS vector	MEDIUM
3114: Broadcast Mode Replay Prevention DoS	LOW/MEDIUM
3113: Broadcast Mode Poll Interval Enforcement DoS	LOW/MEDIUM
3110: Windows: `ntpd` DoS by oversized UDP packet	HIGH
3102: Zero Origin timestamp regression	MEDIUM
3082: `read_mru_list()` does inadequate incoming packet checks	LOW
3072: Attack on interface selection	LOW
3071: Client rate limiting and server responses	LOW
3067: Fix for bug 2085 broke initial sync calculations	LOW

4.2.8p8

Security Issue	Severity	Public Release
3046: `CRYPTO_NAK` crash	HIGH	2016 Jun 02
3045: Bad authentication demobilizes ephemeral associations	LOW
3044: Processing spoofed server packets	LOW
3043: Autokey association reset	LOW
3042: Broadcast interleave	LOW

4.2.8p7

Security Issue	Severity	Public Release
3020: Refclock impersonation vulnerability	LOW	2016 Apr 26
3011: Duplicate IPs on unconfig directives will cause an assertion botch in `ntpd`	MEDIUM
3010: remote configuration trustedkey/requestkey/controlkey values are not properly validated	MEDIUM
3009: Crafted `addpeer` with `hmode` > 7 causes array wraparound with `MATCH_ASSOC`	LOW
3008: `ctl_getitem()` return value not always checked	MEDIUM
3007: `CRYPTO-NAK` DoS	MEDIUM/LOW
2978: Interleave-pivot	MEDIUM
2952: Original fix for NTP Bug 2901 broke peer associations
2946: Origin Leak: `ntpq` and `ntpdc` Disclose Origin Timestamp to Unauthenticated Clients	MEDIUM
2879: Improve NTP security against buffer comparison timing attacks	LOW/MEDIUM

4.2.8p6

Security Issue	Severity	Public Release
2948: Potential Infinite Loop in `ntpq`	MEDIUM	2016 Jan 19
2947: `ntpq` protocol vulnerable to replay attacks	MEDIUM
2945: 0rigin: Zero Origin Timestamp Bypass	MEDIUM
2942: Off-path Denial of Service (DoS) attack on authenticated broadcast mode	MEDIUM
2940: Stack exhaustion in recursive traversal of restriction list	MEDIUM
2939: `reslist` NULL pointer dereference	MEDIUM
2938: `ntpq saveconfig` command allows dangerous characters in filenames	MEDIUM
2937: `nextvar()` missing length check in `ntpq`	LOW
2936: Skeleton Key: Any trusted key system can serve time	HIGH
2935: Deja Vu: Replay attack on authenticated broadcast mode	MEDIUM

4.2.8p5

Security Issue	Severity	Advance Notification	Advance Release	Public Release
2956: Small-step/big-step	MEDIUM			2016 Jan 07

4.2.8p4

Security Issue	Severity	Public Release
2941: NAK to the Future: Symmetric association authentication bypass via crypto-NAK	LOW	2015 Oct 21
2922: `decodenetnum()` will ASSERT botch instead of returning FAIL on some bogus values	HIGH
2921: TALOS-CAN-0065: Password Length Memory Corruption Vulnerability	HIGH
2920: TALOS-CAN-0064: Invalid length data provided by a custom refclock driver could cause a buffer overflow	HIGH
2919: TALOS-CAN-0063: `ntpq atoascii()` potential memory corruption	HIGH
2918: TALOS-CAN-0062: Potential path traversal vulnerability in the config file saving of `ntpd` on VMS	HIGH
2917: TALOS-CAN-0055: Infinite loop if extended logging enabled and the logfile and keyfile are the same	HIGH
2916: TALOS-CAN-0054: memory corruption in password store	HIGH
2913: TALOS-CAN-0052: mode 7 loop counter underrun	HIGH
2909: Slow memory leak in `CRYPTO_ASSOC`	HIGH
2902: Configuration directives to change “pidfile” and “driftfile” should only be allowed locally	HIGH
2901: Clients that receive a KoD should validate the origin timestamp field	MEDIUM
2899: Incomplete autokey data packet length checks	HIGH

4.2.8p3

Security Issue	Severity	Advance Notification	Advance Release	Public Release
2853: ntpd control message crash: Crafted NUL-byte in configuration directive		2015 Jun 22	2015 Jun 24	2015 Jun 29

4.2.8p2

Security Issue	Severity	Advance Notification	Advance Release	Public Release
2781: Authentication doesn’t protect symmetric associations against DoS attacks		2015 Mar 15	2015 Mar 22	2015 Apr 7
2779: ntpd accepts unauthenticated packets with symmetric key crypto

4.2.8p1

Security Issue	Severity	Advance Notification	Advance Release	Public Release
2672: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed				2015 Feb 04
2671: `vallen` is not validated in several places in `ntp_crypto.c`, leading to a potential info leak or possibly crashing `ntpd`	LOW

4.2.8

Security Issue	Severity	Advance Notification	Advance Release	Public Release
2670: receive(): missing return on error				2014 Dec 18
2669: Buffer overflow in configure()
2668: Buffer overflow in ctl_putdata()
2667: Buffer overflow in crypto_recv()

4.2.7p230

Security Issue	Severity	Advance Notification	Advance Release	Public Release
2666: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys				2011 Nov 1

4.2.7p26

Security Issue	Severity	Advance Notification	Advance Release	Public Release
1532: DRDoS / Amplification Attack using ntpdc monlist command				2010 Apr 24

4.2.7p11

Security Issue	Severity	Advance Notification	Advance Release	Public Release
2665 :Weak default key in config_auth()				2010 Jan 28

4.2.6

Security Issue	Severity	Advance Notification	Advance Release	Public Release
1331: DoS attack from certain NTP mode 7 packets				2009 Dec 8

4.2.4p7

Security Issue	Severity	Advance Notification	Advance Release	Public Release
1151: Remote exploit if autokey is enabled				2009 Mar 4

4.2.4p5

Security Issue	Severity	Advance Notification	Advance Release	Public Release
Multiple OpenSSL signature verification API misuse				2009 Jan 8