r1 - 2020-03-04 - 08:24:25 - HarlanStennYou are here: NTP >  Main Web > SecurityNotice > NtpBug3610
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

NTP Bug 3610

process_control() should bail earlier on short packets

  • Date Resolved: Stable (4.2.8p14) 03 Mar 2020
  • References: Sec 33610
  • Affects: All versions of ntpd up to, but not including ntp-4.2.8p14 and ntp-4.3.100. Resolved in ntp-4.2.8p14 and ntp-4.3.100.
  • CVSS2: 0.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:N)
  • CVSS3: 0.0 - (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
  • Summary: Fuzz testing detected that on systems that override the default and enable ntpdc (mode 7) packets, a short packet will cause ntpd to read uninitialized data.
  • Mitigation:
    • Leave mode7 disabled.
    • Pay attention to error messages logged by ntpd.
    • Monitor your ntpd instances.
  • Upgrade to 4.2.8p14, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  • Credit: Reported by Philippe Antoine (Catena cyber with oss-fuzz).

  • 2020 Mar 03: Public release
  • 2020 Feb 17: Release to Advance Security Partners
  • 2019 Jun 20: Reported to NTF
Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r1 | More topic actions
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback