NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p11 was released on 27 February 2018. It addresses 2 low-/medium-, 1 informational-/medium-, and 2 low-severity security issues in ntpd, 1 medium-severity security issue in ntpq, and provides over 65 non-security bugfixes and other improvements over 4.2.8p10.

Please see the NTP Security Notice for vulnerability and mitigation details.

---

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

NTP Bug 3412

ctl_getitem(): buffer read overrun leads to undefined behavior and information leak (Info/Medium)

• Date Resolved: 27 Feb 2018
• References: Sec 3412 / CVE-2018-7182 / VU#961909
• Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
• CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
• CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 0.0 if C:N
• Summary: ctl_getitem() is used by ntpd to process incoming mode 6 packets. A malicious mode 6 packet can be sent to an ntpd instance, and if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will cause ctl_getitem() to read past the end of its buffer.
• Mitigation:
  • Implement BCP-38.
  • Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page or the NTP Public Services Project Download Page.
  • Have enough sources of time.
  • Properly monitor your ntpd instances.
  • If ntpd stops running, auto-restart it without -g .
• Credit: This weakness was discovered by Yihan Lian of Qihoo 360.