NTP BUG 3067: Fix for bug 2085 broke initial sync calculations

Last update: June 27, 2022 20:45 UTC (51d68a4aa)

Summary

Resolved	4.2.8p9	21 Nov 2016
References	Bug 3067	CVE-2016-7433
Affects	ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94. But the root-distance calculation in general is incorrect in all versions of ntp-4 until this release.	Resolved in 4.2.8p9.
CVSS2 Score	LOW 1.2	AV:L/AC:H/Au:N/C:N/I:N/A:P
CVSS3 Score	LOW 1.6	CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Description

Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulae have been reviewed and reconciled, and the code has been updated accordingly.

Mitigation

Upgrade to 4.2.8p9 or later.
Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

Credit

This weakness was discovered independently by Brian Utterback of Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.

Timeline

2016 Nov 21: Public release
2016 Nov 15: CERT given our software release notification
2016 Nov 14: Early Access Program Release: Premier and Partner Institutional Members
: Notification to Institutional Members
: Report received