Security Notice
Notification Policy
When we discover a security vulnerability in NTP we first notify Premium members of the NTP Forum, then CERT, and finally make a public announcement.
Security News
(4 Mar 2009) Chris Ries of CMU discovered that when Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
When the NTP Project learned about this vulnerability and had implemented a fix, the first people we notified were Premium Members of the NTP Forum. CERT was notified next, and we all agreed on the release date for the public announcement and the fix in the stable branch. The development branch (4.2.5p74) fix occurred as part of general cleanup before this vulnerability was reported.

Users are strongly encouraged to update to the current stable version of NTP, which is available from the NTP Project Download Page or the NTP Public Services Project Download Page.
Resolved Vulnerabilities
The following vulnerabilities have been reported for the Reference Implementation of NTP during the 20+ years that the NTP Project has existed.
Remote exploit if autokey is enabled
- References: Sec 1151 / CVE-2009-1252 / VU#853097
- Versions: All releases from 4.0.99m/4.1.70 (2001-08-15) through 4.2.4 before 4.2.4p7 and 4.2.5 before 4.2.5p74
- Date Resolved: Stable (4.2.4p7) 4 Mar 2009, Development (4.2.5p74) 10 Sep 2007
- Summary: When Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
- Mitigation:
- Credit: This vulnerability was discovered by Chris Ries of CMU.
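An added example, not part of the NTP Project's notice or code: a small audit helper that combines the two conditions stated above (an active crypto pw directive in ntp.conf and a release older than 4.2.4p7 or 4.2.5p74). The function names, result labels and sample configuration are assumptions made for illustration; only the 4.2.4 and 4.2.5 branches are modelled, so the older affected releases listed under Versions are reported as unknown.

```python
import re

# Fixed patch levels stated in the notice for the two branches it names.
FIXED_PATCH = {(4, 2, 4): 7, (4, 2, 5): 74}

# Constructed sample ntp.conf, not taken from a real host.
SAMPLE_CONF = """\
server time.example.net autokey
#crypto pw oldsecret
crypto pw examplepassword
keysdir /etc/ntp
"""

def autokey_enabled(conf_text):
    """True if ntp.conf has an active (uncommented) 'crypto ... pw ...' line."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if (tokens and tokens[0].lower() == "crypto"
                and "pw" in (t.lower() for t in tokens[1:])):
            return True
    return False

def patched(version):
    """True/False for 4.2.4 and 4.2.5 releases, None for other branches."""
    # Accepts strings such as '4.2.4p6' or '4.2.4p6@1.1495-o'.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    if branch not in FIXED_PATCH:
        return None
    return int(m.group(4) or 0) >= FIXED_PATCH[branch]

def assess(version, conf_text):
    """Classify a host from its ntpd version string and ntp.conf contents."""
    state = patched(version)
    if state is None:
        return "unknown-version"
    if state:
        return "patched"
    if autokey_enabled(conf_text):
        return "exposed"
    return "vulnerable-build-autokey-off"

if __name__ == "__main__":
    for v in ("4.2.4p6", "4.2.4p7", "4.2.5p73", "4.0.99k"):
        print(v, assess(v, SAMPLE_CONF))
```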
Multiple OpenSSL signature verification API misuse
- References: oCERT #2008-016 / CVE-2009-0021
- Versions: 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150
- Date resolved: Stable (4.2.4p6) 8 Jan 2009, Development (4.2.5p151) 23 Dec 2008
- Summary: Affected versions do not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a different vulnerability than CVE-2008-5077 and CVE-2009-0025.
Buffer overflow in ntp_control:ctl_getitem() function
- References: CVE-2001-0414 / VU#970472 / BID:2450
- Versions affected: 4.0.99k and earlier (aka xntpd and xntp3)
- Date resolved: 13 Jun 2001
- Summary: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
Internal overflow if date / time offset is greater than 34 years
- References: CAN-2004-0657 / VU#584606
- Versions affected: versions prior to 4.0
- Date resolved: July 1999
- Summary: Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP server to return the wrong date/time offset when a client requests a date/time that is more than 34 years away from the server's time.
Reporting Security Issues
Security-related bugs may be reported by e-mail to security@ntp.org or via the NTP Bug Tracking System. Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet newsgroup.