r11 - 22 Oct 2009 - 06:53:00 - HarlanStenn

Security Notice

Notification Policy

When we discover a security vulnerability in NTP we first notify Premium members of the NTP Forum, then CERT, and finally make a public announcement.

Security News

(4 Mar 2009) Chris Ries of CMU discovered that when Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

When the NTP Project learned about this vulnerability and had implemented a fix, the first people we notified were Premium Members of the NTP Forum. CERT was notified next, and we all agreed on the release date for the public announcement and the fix in the stable branch. The development branch (4.2.5p74) fix occurred as part of general cleanup before this vulnerability was reported.

Users are strongly encouraged to update to the current stable version of NTP, which is available from the NTP Project Download Page or the NTP Public Services Project Download Page.

Resolved Vulnerabilities

The following vulnerabilities have been reported for the Reference Implementation of NTP during the 20+ years that the NTP Project has existed.

Remote exploit if autokey is enabled

  • References: Sec 1151 / CVE-2009-1252 / VU#853097
  • Versions: All releases from 4.0.99m/4.1.70 (2001-08-15) through 4.2.4 before 4.2.4p7 and 4.2.5 before 4.2.5p74
  • Date Resolved: Stable (4.2.4p7) 4 Mar 2009, Development (4.2.5p74) 10 Sep 2007
  • Summary: When Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
  • Mitigation:
  • Credit: This vulnerability was discovered by Chris Ries of CMU.
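
An exposure check built from the entry above, as an added example that is not NTP Project code: it takes an ntpd version string and the text of ntp.conf and reports whether the host runs an affected 4.2.4 or 4.2.5 release with a crypto pw directive present. It handles only those two branches (older affected releases are reported as unknown), and the function names, result labels and sample inputs are assumptions made for this example.

```python
import re

# Patch level that fixes CVE-2009-1252 on each branch (values from the entry above).
FIXED_PATCH = {(4, 2, 4): 7, (4, 2, 5): 74}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# A "crypto" directive that carries a "pw" option, i.e. Autokey with a password.
CRYPTO_PW_RE = re.compile(r"^\s*crypto\b.*\bpw\b")


def autokey_enabled(conf_text):
    """True if any non-comment line of ntp.conf is a 'crypto ... pw ...' directive."""
    for line in conf_text.splitlines():
        active = line.split("#", 1)[0]  # ntp.conf comments start with '#'
        if CRYPTO_PW_RE.search(active):
            return True
    return False


def version_affected(version_string):
    """True/False for 4.2.4 and 4.2.5 releases, None for anything else."""
    m = VERSION_RE.search(version_string)
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return None  # outside the two branches this example handles
    patch = int(m.group(4) or 0)  # "4.2.4" with no pN suffix counts as p0
    return patch < fixed


def assess(version_string, conf_text):
    """Combine both checks into one label (labels are this example's own)."""
    affected = version_affected(version_string)
    if affected is None:
        return "unknown-version"
    if not affected:
        return "patched"
    return "exposed" if autokey_enabled(conf_text) else "affected-autokey-off"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    sample_conf = "server time.example.org\ncrypto pw examplepassword\n"
    for banner in ("ntpd 4.2.4p4@1.1520-o", "ntpd 4.2.4p7", "ntpd 4.2.5p73"):
        print(banner, "->", assess(banner, sample_conf))
```

A host labelled affected-autokey-off still runs an affected release and should be updated as the notice recommends.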

Multiple OpenSSL signature verification API misuse

  • References: oCERT #2008-016 / CVE-2009-0021
  • Versions: 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150
  • Date resolved: Stable (4.2.4p6) 8 Jan 2009, Development (4.2.5p151) 23 Dec 2008
  • Summary: Affected versions do not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a different vulnerability than CVE-2008-5077 and CVE-2009-0025.

Buffer overflow in ntp_control:ctl_getitem() function

  • References: CVE-2001-0414 / VU#970472 / BID:2450
  • Versions affected: 4.0.99k and earlier (aka xntpd and xntp3)
  • Date resolved: 13 Jun 2001
  • Summary: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.

Internal overflow if date / time offset is greater than 34 years

  • References: CAN-2004-0657 / VU#584606
  • Versions affected: versions prior to 4.0
  • Date resolved: July 1999
  • Summary: Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP server to return the wrong date/time offset when a client requests a date/time that is more than 34 years away from the server's time.

Reporting Security Issues

Security-related bugs may be reported by e-mail to security@ntp.org or via the NTP Bug Tracking System. Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet newsgroup.
