Bugzilla – Bug 1030050
VUL-0: ntpd: NTP.org ntpd security updates notification
Last modified: 2018-02-12 16:15:47 UTC
Greetings,

We have received notification of a security update for ntpd to be released 21 March 2017. This notification will be redundant to NTP Consortium members. Note that the following information has not yet been released to the public and should be treated confidentially.

Regards,
Trent Novelly
Vulnerability Analysis Team
======================================================================
CERT Coordination Center
www.cert.org / cert@cert.org
======================================================================

----------

The following information should be considered confidential - it has not been released to the general public.

Network Time Foundation's NTP Project has announced to its Consortium members at the Partner and Premier levels and they have received embargoed patches under NDA on March 6th. To arrange for access to these patches for your organization before the public release, please contact Sue Graves <sgraves@nwtime.org>.

We are currently planning a public release of ntp-4.2.8p10 for 21 March 2017; these may not be the final descriptions. This release will fix the following security issues:

Severity: MEDIUM

This release fixes 5 medium and 6 low severity issues.

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
  Date Resolved: XX Mar 2017
  References: Sec 3389 / CVE-2017-6464 / VU#325339
  Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: A vulnerability found in the NTP server makes it possible for an authenticated remote user to crash ntpd via a malformed mode configuration directive.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
  Credit: This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
  Date Resolved: XX Mar 2017
  References: Sec 3388 / CVE-2017-6462 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: There is a potential for a buffer overflow in the legacy Datum Programmable Time Server refclock driver. Here the packets are processed from the /dev/datum device and handled in datum_pts_receive(). Since an attacker would be required to somehow control a malicious /dev/datum device, this does not appear to be a practical attack and renders this issue "Low" in terms of severity.
  Mitigation:
    If you have a Datum reference clock installed and think somebody may maliciously change the device, upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
  Credit: This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3387 / CVE-2017-6463 / VU#325339
  Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: A vulnerability found in the NTP server allows an unauthenticated remote attacker to crash the daemon by sending an invalid setting via the :config directive. The unpeer option expects a number or an address as an argument. In case the value is "0", a segmentation fault occurs.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3384 / CVE-2017-6455 / VU#325339
  Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: The Windows NT port has the added capability to preload DLLs defined in the inherited global local environment variable PPSAPI_DLLS. The code contained within those libraries is then called from the NTPD service, usually running with elevated privileges. Depending on how securely the machine is set up and configured, if ntpd is configured to use the PPSAPI under Windows this can easily lead to a code injection.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
  Date Resolved: XX Mar 2017
  References: Sec 3383 / CVE-2017-6452 / VU#325339
  Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: The Windows installer for NTP calls strcat(), blindly appending the string passed to the stack buffer in the addSourceToRegistry() function. The stack buffer is 70 bytes smaller than the buffer in the calling main() function. Together with the initially copied Registry path, the combination causes a stack buffer overflow and effectively overwrites the stack frame. The passed application path is actually limited to 256 bytes by the operating system, but this is not sufficient to assure that the affected stack buffer is consistently protected against overflowing at all times.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3382 / CVE-2017-6459 / VU#325339
  Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  Summary: The Windows installer for NTP calls strcpy() with an argument that specifically contains multiple null bytes. strcpy() only copies a single terminating null character into the target buffer instead of copying the required double null bytes in the addKeysToRegistry() function. As a consequence, a garbage registry entry can be created. The additional arsize parameter is erroneously set to contain two null bytes and the following call to RegSetValueEx() claims to be passing in a multi-string value, though this may not be true.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  Credit: This weakness was discovered by Cure53.

* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3379 / CVE-2017-6458 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: ntpd makes use of different wrappers around ctl_putdata() to create name/value ntpq (mode 6) response strings. For example, ctl_putstr() is usually used to send string data (variable names or string data). The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in ntpd (longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    If you don't want to upgrade, then don't setvar variable names longer than 200-512 bytes in your ntp.conf file.
    Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
  Credit: This weakness was discovered by Cure53.

* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
  Date Resolved: 21 Mar 2017
  References: Sec 3378 / CVE-2017-6451 / VU#325339
  Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
  CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
  Summary: The legacy MX4200 refclock is only built if it is specifically enabled, and furthermore additional code changes are required to compile and use it. But it uses the libc functions snprintf() and vsnprintf() incorrectly, which can lead to an out-of-bounds memory write due to an improper handling of the return value of snprintf()/vsnprintf(). Since the return value is used as an iterator and it can be larger than the buffer's size, it is possible for the iterator to point somewhere outside of the allocated buffer space. This results in an out-of-bound memory write. This behavior can be leveraged to overwrite a saved instruction pointer on the stack and gain control over the execution flow. During testing it was not possible to identify any malicious usage for this vulnerability. Specifically, no way for an attacker to exploit this vulnerability was ultimately unveiled. However, it has the potential to be exploited, so the code should be fixed.
  Mitigation, if you have a Magnavox MX4200 refclock:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
  Credit: This weakness was discovered by Cure53.

* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3377 / CVE-2017-6460 / VU#325339
  Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
  Summary: A stack buffer overflow in ntpq can be triggered by a malicious ntpd server when ntpq requests the restriction list from the server. This is due to a missing length check in the reslist() function. It occurs whenever the function parses the server's response and encounters a flagstr variable of an excessive length. The string will be copied into a fixed-size buffer, leading to an overflow on the function's stack-frame. Note well that this problem requires a malicious server, and affects ntpq, not ntpd.
  Mitigation:
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    If you can't upgrade your version of ntpq, then if you want to know the reslist of an instance of ntpd that you do not control, know that if the target ntpd is malicious it can send back a response that intends to crash your ntpq process.
  Credit: This weakness was discovered by Cure53.

* 0rigin DoS (Medium)
  Date Resolved: 21 Mar 2017
  References: Sec 3361 / CVE-2016-9042 / VU#325339
  Affects: ntp-4.0.9 (DD MMM 201Y), up to but not including ntp-4.2.8p10
  CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
  CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
  Summary: An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.
  Mitigation:
    Implement BCP-38.
    Configure enough servers/peers that an attacker cannot target all of your time sources.
    Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
CRD: 2017-03-21
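The snprintf() cursor mistake described for mx4200_send() (NTP-01-003), as an added illustration that is not NTP code: a bounded appender that advances the cursor only by bytes actually stored, used to frame an NMEA-style sentence. The sentence format, the xor checksum and the 32-byte buffer are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* snprintf()/vsnprintf() return the length the complete output WOULD have
 * had, not the number of bytes stored. Adding that value to a write cursor
 * (the pattern fixed in mx4200_send() for CVE-2017-6451) can move the cursor
 * past the end of the buffer, so the next write lands out of bounds. */

#define MSG_SIZE 32   /* constructed: deliberately small so truncation is easy to hit */

/* Append formatted text at buf[*pos]. Returns 0 on success, -1 if the text
 * did not fit; in both cases *pos stays inside the buffer and buf stays
 * NUL-terminated. */
static int safe_append(char *buf, size_t size, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= size)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, size - *pos, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= size - *pos) {   /* output was truncated */
        *pos = size - 1;              /* clamp to the terminator, never to n */
        return -1;
    }
    *pos += (size_t)n;                /* advance only by bytes actually stored */
    return 0;
}

/* Frame a sentence "$<body>*<xor checksum>\r\n" (NMEA-style framing as a GPS
 * refclock would speak it; the format is constructed for this example).
 * Returns the sentence length, or -1 if it does not fit in MSG_SIZE bytes. */
int build_sentence(char *out, const char *body)
{
    size_t pos = 0;
    unsigned char sum = 0;
    const char *p;

    for (p = body; *p; p++)
        sum ^= (unsigned char)*p;
    if (safe_append(out, MSG_SIZE, &pos, "$%s", body) < 0 ||
        safe_append(out, MSG_SIZE, &pos, "*%02X\r\n", sum) < 0)
        return -1;
    return (int)pos;
}
```

With the unfixed pattern the second append would start at the return value of the first call, which for a 40-byte body is 41, well past the 32-byte buffer; here the cursor is clamped and the caller gets -1 instead.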
I am already working on the updates.
Three of the CVEs seem to be only relevant for Windows, so I won't mention them in the .changes.
This is an autogenerated message for OBS integration: This bug (1030050) was mentioned in https://build.opensuse.org/request/show/482542 Factory / ntp
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-04-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63527
This is an autogenerated message for OBS integration: This bug (1030050) was mentioned in https://build.opensuse.org/request/show/486156 Factory / ntp
SUSE-SU-2017:1047-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1014172,1030050
CVE References: CVE-2016-9042,CVE-2017-6451,CVE-2017-6458,CVE-2017-6460,CVE-2017-6462,CVE-2017-6463,CVE-2017-6464
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): ntp-4.2.8p10-46.23.1
SUSE Linux Enterprise Server 12-LTSS (src): ntp-4.2.8p10-46.23.1

SUSE-SU-2017:1048-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1014172,1030050
CVE References: CVE-2016-9042,CVE-2017-6451,CVE-2017-6458,CVE-2017-6460,CVE-2017-6462,CVE-2017-6463,CVE-2017-6464
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ntp-4.2.8p10-60.1
SUSE Linux Enterprise Server 12-SP2 (src): ntp-4.2.8p10-60.1
SUSE Linux Enterprise Server 12-SP1 (src): ntp-4.2.8p10-60.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ntp-4.2.8p10-60.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ntp-4.2.8p10-60.1

SUSE-SU-2017:1052-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1014172,1030050,1031085
CVE References: CVE-2016-9042,CVE-2017-6451,CVE-2017-6458,CVE-2017-6460,CVE-2017-6462,CVE-2017-6463,CVE-2017-6464
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): ntp-4.2.8p10-63.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ntp-4.2.8p10-63.1

openSUSE-SU-2017:1109-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1014172,1030050
CVE References: CVE-2016-9042,CVE-2017-6451,CVE-2017-6458,CVE-2017-6460,CVE-2017-6462,CVE-2017-6463,CVE-2017-6464
Sources used:
openSUSE Leap 42.2 (src): ntp-4.2.8p10-29.3.2
openSUSE Leap 42.1 (src): ntp-4.2.8p10-31.1
released