4.2.8p4 Release Announcement

Last update: March 28, 2023 21:06 UTC (4798c81ce)

NTF’s NTP Project has been notified of the following 13 low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on Wednesday, 21 October 2015:

• 2941: NAK to the Future: Symmetric association authentication bypass via crypto-NAK / CVE-2015-7871 (Cisco ASIG)
• 2922: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values / CVE-2015-7855 (IDA)
• 2921: Password Length Memory Corruption Vulnerability / CVE-2015-7854 (Cisco TALOS)
• 2920: Invalid length data provided by a custom refclock driver could cause a buffer overflow / CVE-2015-7853/ (Cisco TALOS)
• 2919: ntpq atoascii() Memory Corruption Vulnerability / CVE-2015-7852 (Cisco TALOS)
• 2918: saveconfig Directory Traversal Vulnerability / CVE-2015-7851 (OpenVMS) (Cisco TALOS)
• 2917: remote config logfile-keyfile / CVE-2015-7850 (Cisco TALOS)
• 2916: trusted key use-after-free / CVE-2015-7849 (Cisco TALOS)
• 2913: mode 7 loop counter underrun / CVE-2015-7848 (Cisco TALOS)
• 2909:Slow memory leak in CRYPTO_ASSOC / CVE-2015-7701 (Tenable)
• 2902: configuration directives “pidfile” and “driftfile” should only be allowed locally / CVE-2015-7703/ (RedHat)
• 2901: Clients that receive a KoD should validate the origin timestamp field / CVE-2015-7704, CVE-2015-7705 (Boston University)
• 2899: Incomplete autokey data packet length checks / CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 (Tenable)

The only generally-exploitable bug in the above list is the crypto-NAK bug, which has a CVSS2 score of 6.4.

Additionally, three bugs that have already been fixed in ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL’d have a security component, but are all below 1.8 CVSS score, so we’re reporting them here:

• 2382: Peer precision < -31 gives division by zero
• 1774: Segfaults if cryptostats enabled when built without OpenSSL
• 1593: ntpd abort in free() with logconfig syntax error

---

Timeline:

• 2015 Oct 21: Public release
• 2015 Oct 20: CERT & Mitre updated with final drafts of announcement
• 2015 Oct 19: NAK bug addition and new CVE#s announced to CERT
• 2015 Oct 17: Advance notification of NAK bug being added was sent to Institutional members
• 2015 Oct 14: pre-release patch availability announced to CERT
• 2015 Oct 9: notification of public release date change to 21 Oct sent to members and reporters and Mitre
• 2015 Oct 6: Early Access Program Release: Premier and Partner Institutional Members
• 2015 Aug 26: Initial notification of 2909; analysis begins
• 2015 Aug 26: CVE number clarification requested from Mitre
• 2015 Aug 26: Notification to Institutional Members for 1593, 1774, 2382, 2899, and 2902
• 2015 Aug 20: Initial notification of 2902; analysis begins
• 2015 Aug 11: Initial notification of 2899; analysis begins