
NTP 4.2.6 Released


NTP Public Services Project

Dec 12, 2009, 11:51:46 AM
to anno...@ntp.org, Announce-only list for release and security-related issues regarding NTP
Redwood City, CA - 2009/12/12 - The NTP Public Services Project
(http://support.ntp.org/) is pleased to announce that NTP 4.2.6,
a Stable Release of the NTP Reference Implementation from the
NTP Project, is now available at http://www.ntp.org/downloads.html and
http://support.ntp.org/download.

File-size: 4322055 bytes

MD5 sum: 4d64a99592b818aa9419fc9dcb149746

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
http://bugs.ntp.org/1331

See http://support.ntp.org/security for more information.

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control
utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine
NTP time transfers use modes 1 through 5. Upon receipt of an incorrect
mode 7 request or a mode 7 error response from an address which is not
listed in a "restrict ... noquery" or "restrict ... ignore" statement,
ntpd will reply with a mode 7 error response (and log a message). In
this case:

* If an attacker spoofs the source address of ntpd host A in a mode 7
response packet sent to ntpd host B, both A and B will continuously send
each other error responses, for as long as those packets get through.

* If an attacker spoofs an address of ntpd host A in a mode 7 response
packet sent to ntpd host A, A will respond to itself endlessly,
consuming CPU and logging excessively.

Credit for finding this vulnerability goes to Robin Park and Dmitri
Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

Please report any bugs, issues, or desired enhancements at
http://bugs.ntp.org/.

The NTP (Network Time Protocol) Public Services Project, which is
hosted by Internet Systems Consortium, Inc. (http://www.isc.org/),
provides support and additional development resources for the
Reference Implementation of NTP produced by the NTP Project
(http://www.ntp.org/).


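The two loop conditions in the announcement are easier to reason about with the mode 7 header fields in front of you. The following Python sketch is an added example, not part of the announcement or of the ntp.org code: it decodes the mode 7 header (layout assumed from struct req_pkt in ntp_request.h; the constant values, the helper names and the 192.0.2.x addresses are assumptions) and, over a constructed set of datagrams, reports hosts answering themselves with error responses and host pairs trading error responses in both directions, which is the traffic shape a monitor would look for on an unpatched server.

```python
"""Decode NTP mode 7 (MODE_PRIVATE) headers and spot error-response loops.

Constructed example for illustration; not part of the NTP reference
implementation. Field layout follows struct req_pkt in ntp_request.h as
assumed here; constant values and sample addresses are assumptions.
"""
import struct
from collections import Counter

RESP_BIT = 0x80        # rm_vn_mode: packet is a response
MORE_BIT = 0x40        # rm_vn_mode: more fragments follow
MODE_PRIVATE = 7       # NTP mode used by ntpdc
IMPL_XNTPD = 3         # implementation number (assumed value)
ERR_NAMES = {0: "OKAY", 1: "IMPL", 2: "REQ", 3: "FMT", 4: "NODATA", 7: "AUTH"}


def parse_mode7_header(data):
    """Split the 8-byte mode 7 header into its bit fields."""
    if len(data) < 8:
        raise ValueError("too short for a mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", data[:8])
    err = (err_nitems >> 12) & 0xF
    return {
        "response": bool(rm_vn_mode & RESP_BIT),
        "more": bool(rm_vn_mode & MORE_BIT),
        "version": (rm_vn_mode >> 3) & 0x7,
        "mode": rm_vn_mode & 0x7,
        "auth": bool(auth_seq & 0x80),
        "seq": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": err,
        "err_name": ERR_NAMES.get(err, "UNKNOWN"),
        "nitems": err_nitems & 0xFFF,
        "itemsize": mbz_itemsize & 0xFFF,
    }


def build_mode7(response, err=0, version=2, request=0, seq=0):
    """Construct a minimal mode 7 datagram (header plus 40 zero data bytes)."""
    rm_vn_mode = (RESP_BIT if response else 0) | ((version & 0x7) << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", rm_vn_mode, seq & 0x7F, IMPL_XNTPD, request, (err & 0xF) << 12, 0)
    return header + bytes(40)


def is_mode7_error_response(payload):
    """True for a mode 7 packet with the response bit set and a non-zero error code."""
    try:
        h = parse_mode7_header(payload)
    except ValueError:
        return False
    return h["mode"] == MODE_PRIVATE and h["response"] and h["err"] != 0


def find_error_loops(datagrams, threshold=3):
    """datagrams: iterable of (src, dst, payload).

    Returns hosts sending error responses to themselves and host pairs that
    exchange error responses in both directions, each direction seen at least
    `threshold` times so a single legitimate error reply is not reported.
    """
    counts = Counter((src, dst) for src, dst, payload in datagrams if is_mode7_error_response(payload))
    self_loops = sorted(src for (src, dst), n in counts.items() if src == dst and n >= threshold)
    pairs = sorted({tuple(sorted((a, b))) for (a, b), n in counts.items()
                    if a != b and n >= threshold and counts[(b, a)] >= threshold})
    return {"self_loops": self_loops, "pairs": pairs}


# Constructed traffic sample (RFC 5737 documentation addresses)
REQUEST = build_mode7(response=False)
OK_RESPONSE = build_mode7(response=True, err=0)
FMT_ERROR = build_mode7(response=True, err=3)
SAMPLE = (
    [("192.0.2.10", "192.0.2.1", REQUEST), ("192.0.2.1", "192.0.2.10", OK_RESPONSE)]      # ordinary ntpdc exchange
    + [("192.0.2.1", "192.0.2.2", FMT_ERROR), ("192.0.2.2", "192.0.2.1", FMT_ERROR)] * 4  # host A <-> host B
    + [("192.0.2.3", "192.0.2.3", FMT_ERROR)] * 4                                         # host A -> host A
    + [("192.0.2.5", "192.0.2.6", FMT_ERROR)]                                             # lone error reply, below threshold
)

if __name__ == "__main__":
    print(find_error_loops(SAMPLE))
```

Run it directly to print the findings for the constructed sample. On the mitigation side, the announcement's own wording points at the configuration check: addresses covered by a `restrict ... noquery` or `restrict ... ignore` statement do not receive a mode 7 error response, so a `restrict default noquery` entry in ntp.conf leaves only explicitly trusted query sources able to trigger one.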

Martin Burnicki

Dec 15, 2009, 5:25:51 AM
NTP Public Services Project wrote:
[...]

> This release fixes the following high-severity vulnerability:
>
> * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
> http://bugs.ntp.org/1331
>
> See http://support.ntp.org/security for more information.

This security fix is also in 4.2.4p8.

Even though a 4.2.6 tarball has been rolled out, I don't see a 4.2.6 tag in
the bitkeeper -stable repo. There's only a 4.2.6-RC tag as of 2009-12-09.

4.2.6 contains a real bunch of changes against 4.2.4p8 which have not been
mentioned here, but significantly change the way ntpd works, so users
should carefully check if they want to upgrade to 4.2.6 right now.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

Dave Hart

Dec 15, 2009, 5:55:43 AM
On Dec 15, 10:25 UTC, Martin Burnicki wrote:
> 4.2.6 contains a real bunch of changes against 4.2.4p8 which have not been
> mentioned here, but significantly change the way ntpd works, so users
> should carefully check if they want to upgrade to 4.2.6 right now.

http://lists.ntp.org/pipermail/commitlogs/2009-December/002274.html

That sizable message spells out the three years of -dev changes
between 4.2.4 and 4.2.6 in terms of file and changeset comments.
There was no corresponding bk-ntp-st...@lists.ntp.org message,
which would have been truly gargantuan as it would have included all
the diffs. Harlan experienced a bk hiccup during the process that I
suspect was the failure of the attempted generation of that monster-diff
message.

A more succinct copy of most of the same information can be seen in
the ChangeLog file in the distribution, though it's maintained by hand
and incomplete by comparison. Since this is a unified file for both
-dev and -stable branches, new entries appear in two places, at the top
for -dev and somewhere in the middle (ahead of the most recent prior
-stable entries).

Cheers,
Dave Hart

Ronan Flood

Dec 17, 2009, 7:57:34 AM
On Sat, 12 Dec 2009 11:51:46 -0500,
NTP Public Services Project <webm...@ntp.org> wrote:

> * If an attacker spoofs an address of ntpd host A in a mode 7 response
> packet sent to ntpd host A, A will respond to itself endlessly,

Academic, but is that true? I thought the "ntpport, interface, ignore"
restrictions which ntpd automatically puts on all interface addresses
were supposed to prevent it seeing traffic from itself -- with the aim
of stopping it synchronising to itself, but would affect this too.

--
Ronan Flood <use...@umbral.org.uk>

Martin Burnicki

Dec 17, 2009, 8:53:36 AM
Dave Hart wrote:

What I've disliked is that the announcement of 4.2.6 emphasizes the latest
security fix only, which is also in 4.2.4p8.

There should be a simple summary of basic changes in 4.2.6 compared to
4.2.4, which are important for the default user, e.g. (from memory):

- the default logging mode does not include messages when the system time
has been stepped, or which source is selected as sys peer

- even if logging is explicitly configured to include this information, the
resulting messages are not really human-readable

- leap second handling has been changed such that a leap second announcement
is accepted only if a majority of the upstream sources provide the
announcement

- evaluation of a leap second file does not depend anymore on having autokey
enabled, and IIRC the default location of the file has changed

- IIRC there have been changes to autokey which may prevent autokey
interactions of 4.2.6 nodes with 4.2.4 nodes

Harlan Stenn

Dec 18, 2009, 11:57:23 PM
>>> In article <0oppv6-...@gateway.py.meinberg.de>, Martin Burnicki <martin....@meinberg.de> writes:

Martin> What I've disliked is that the announcement of 4.2.6 emphasizes the
Martin> latest security fix only, which is also in 4.2.4p8.

Agreed, and I was massively time-crunched and didn't have time to do it.

I will work on updating it.

Martin> There should be a simple summary of basic changes in 4.2.6 compared
Martin> to 4.2.4, which are important for the default user, e.g. (from
Martin> memory):

Martin> - the default logging mode does not include messages when the system
Martin> time has been stepped, or which source is selected as sys peer

Martin> - even if logging is explicitly configured to include this
Martin> information, the resulting messages are not really human-readable

Martin> - leap second handling has been changed such that a leap second
Martin> announcement is accepted only if a majority of the upstream
Martin> sources provide the announcement

Martin> - evaluation of a leap second file does not depend anymore on having
Martin> autokey enabled, and IIRC the default location of the file has
Martin> changed

Martin> - IIRC there have been changes to autokey which may prevent autokey
Martin> interactions of 4.2.6 nodes with 4.2.4 nodes

Basically, it's every interesting change that is in the 4.2.5 portion of the
ChangeLog.

--
Harlan Stenn <st...@ntp.org>
http://ntpforum.isc.org - be a member!
