Security

Notification Policy

When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally making a public announcement.

Institutional Members receive advanced notification of security vulnerabilities.

Security Patch Policy

When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.

Premier and Partner Members receive early access to security patches.

Reporting Security Issues

If you find a security vulnerability in the NTP codebase, please report it by PGP-encrypted email to the NTF Security Officer Team. You can use our NTF Security Officer PGP Key. Please refrain from discussing potential security issues in any mailing lists or public forums.

NOTE: Non-code vulnerabilities (such as a website issue) should instead be reported to webmaster. Issues for subdomains of "pool.ntp.org" should be reported to the NTP Pool Project.

Known Vulnerabilities by Release Version

The following releases provided fixes for at least one security vulnerability. The table for each release provides an entry for each security issue (click its hyperlink to read the details for the vulnerability), indicates the issue’s severity, and provides the dates of advance notification to institutional members, advance release to premier and partner institutional members, and public release.

Refer to the Release Timeline for a complete list of all releases, their public release dates, release announcements, and changelogs.

Release Version:

4.2.8p18

Public Release: 2024 May 25

No security fixes in this release.

4.2.8p17

Public Release: 2023 Jun 06

No security fixes in this release.

4.2.8p16

Advance Release: 2023 May 10
Public Release: 2023 May 30

Security Issue	Severity
3808: ntpq will abort with an assertion failure given a malformed RT-11 date	NONE
3807: praecis_parse() in ntpd/refclock_palisade.c can write out-of-bounds	LOW
3806: libntp/mstolfp() needs bounds checking	LOW
3767: An out-of-bounds KoD RATE ppoll value triggers an assertion abort in debug-enabled ntpd	LOW

4.2.8p15

Advance Notification: 2020 Apr 07
Advance Release: 2020 Apr 12
Public Release: 2020 Jun 23

Security Issue	Severity
3661: Memory leak with CMAC keys	MEDIUM

4.2.8p14

Advance Notification: 2019 Jun 05
Advance Release: 2020 Feb 17
Public Release: 2020 Mar 03

Security Issue	Severity
3610: `process_control()` should bail earlier on short packets	NONE
3596: Unauthenticated and unmonitored `ntpd` may be susceptible to IPv4 attack from highly predictable transmit timestamps	MEDIUM
3592: DoS Attack on Unauthenticated Client	MEDIUM

4.2.8p13

Advance Notification: 2019 Jan 16
Advance Release: 2019 Feb 20
Public Release: 2019 Mar 07

Security Issue	Severity
3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet	MEDIUM

4.2.8p12

Advance Release: 2018 Jul 25
Public Release: 2018 Aug 14

Security Issue	Severity
3505: NTPQ/NTPDC: Buffer Overflow in `openhost()`	LOW
3012: Sybil vulnerability: ephemeral association attack	LOW/MEDIUM

4.2.8p11

Advance Notification: 2018 Jan 23
Advance Release: 2018 Feb 12
Public Release: 2018 Feb 27

Security Issue	Severity
3454: Unauthenticated packet can reset authenticated interleaved association	LOW/MEDIUM
3453: Interleaved symmetric mode cannot recover from bad state	LOW
3415: Provide a way to prevent authenticated symmetric passive peering	LOW
3414: `ntpq: decodearr()` can write beyond its ‘buf’ limits	MEDIUM
3412: `ctl_getitem()`: buffer read overrun leads to undefined behavior and information leak	INFO/MEDIUM
3012: Sybil vulnerability: ephemeral association attack	LOW/MEDIUM

4.2.8p10

Public Release: 2017 Mar 21

Security Issue	Severity
3389: Denial of Service via Malformed Config	MEDIUM
3388: Buffer Overflow in DPTS Clock	LOW
3387: Authenticated DoS via Malicious Config Option	MEDIUM
3386: `ntpq_stripquotes()` returns incorrect value	INFO
3385: `ereallocarray() / eallocarray()` underused	INFO
3384: Privileged execution of User Library code (Windows PPSAPI Only)	LOW
3383: Stack Buffer Overflow from Command Line (Windows Installer Only)	LOW
3382: Data Structure terminated insufficiently (Windows Installer Only)	LOW
3381: Copious amounts of Unused Code	INFO
3380: Off-by-one in Oncore GPS Receiver	LOW
3379: Potential Overflows in `ctl_put()` functions	MEDIUM
3378: Improper use of `snprintf()` in `mx4200_send()`	LOW
3377: Buffer Overflow in `ntpq` when fetching `reslist` from a malicious `ntpd`	MEDIUM
3376: `Makefile` does not enforce Security Flags	INFO
3361: 0rigin DoS	MEDIUM

4.2.8p9

Public Release: 2016 Nov 21

Security Issue	Severity
3119: Mode 6 unauthenticated trap information disclosure and DDoS vector	MEDIUM
3118: Mode 6 unauthenticated trap information disclosure and DDoS vector	MEDIUM
3114: Broadcast Mode Replay Prevention DoS	LOW/MEDIUM
3113: Broadcast Mode Poll Interval Enforcement DoS	LOW/MEDIUM
3110: Windows: `ntpd` DoS by oversized UDP packet	HIGH
3102: Zero Origin timestamp regression	MEDIUM
3082: `read_mru_list()` does inadequate incoming packet checks	LOW
3072: Attack on interface selection	LOW
3071: Client rate limiting and server responses	LOW
3067: Fix for bug 2085 broke initial sync calculations	LOW

4.2.8p8

Public Release: 2016 Jun 02

Security Issue	Severity
3046: `CRYPTO_NAK` crash	HIGH
3045: Bad authentication demobilizes ephemeral associations	LOW
3044: Processing spoofed server packets	LOW
3043: Autokey association reset	LOW
3042: Broadcast interleave	LOW

4.2.8p7

Public Release: 2016 Apr 26

Security Issue	Severity
3020: Refclock impersonation vulnerability	LOW
3011: Duplicate IPs on unconfig directives will cause an assertion botch in `ntpd`	MEDIUM
3010: remote configuration trustedkey/requestkey/controlkey values are not properly validated	MEDIUM
3009: Crafted `addpeer` with `hmode` > 7 causes array wraparound with `MATCH_ASSOC`	LOW
3008: `ctl_getitem()` return value not always checked	MEDIUM
3007: `CRYPTO-NAK` DoS	MEDIUM/LOW
2978: Interleave-pivot	MEDIUM
2952: Original fix for NTP Bug 2901 broke peer associations	MEDIUM
2946: Origin Leak: `ntpq` and `ntpdc` Disclose Origin Timestamp to Unauthenticated Clients	MEDIUM
2879: Improve NTP security against buffer comparison timing attacks	LOW/MEDIUM

4.2.8p6

Public Release: 2016 Jan 19

Security Issue	Severity
2948: Potential Infinite Loop in `ntpq`	MEDIUM
2947: `ntpq` protocol vulnerable to replay attacks	MEDIUM
2945: 0rigin: Zero Origin Timestamp Bypass	MEDIUM
2942: Off-path Denial of Service (DoS) attack on authenticated broadcast mode	MEDIUM
2940: Stack exhaustion in recursive traversal of restriction list	MEDIUM
2939: `reslist` NULL pointer dereference	MEDIUM
2938: `ntpq saveconfig` command allows dangerous characters in filenames	MEDIUM
2937: `nextvar()` missing length check in `ntpq`	LOW
2936: Skeleton Key: Any trusted key system can serve time	HIGH
2935: Deja Vu: Replay attack on authenticated broadcast mode	MEDIUM

4.2.8p5

Public Release: 2016 Jan 07

Security Issue	Severity
2956: Small-step/big-step	MEDIUM

4.2.8p4

Public Release: 2015 Oct 21

Security Issue	Severity
2941: NAK to the Future: Symmetric association authentication bypass via crypto-NAK	LOW
2922: `decodenetnum()` will ASSERT botch instead of returning FAIL on some bogus values	HIGH
2921: TALOS-CAN-0065: Password Length Memory Corruption Vulnerability	HIGH
2920: TALOS-CAN-0064: Invalid length data provided by a custom refclock driver could cause a buffer overflow	HIGH
2919: TALOS-CAN-0063: `ntpq atoascii()` potential memory corruption	HIGH
2918: TALOS-CAN-0062: Potential path traversal vulnerability in the config file saving of `ntpd` on VMS	HIGH
2917: TALOS-CAN-0055: Infinite loop if extended logging enabled and the logfile and keyfile are the same	HIGH
2916: TALOS-CAN-0054: memory corruption in password store	HIGH
2913: TALOS-CAN-0052: mode 7 loop counter underrun	HIGH
2909: Slow memory leak in `CRYPTO_ASSOC`	HIGH
2902: Configuration directives to change “pidfile” and “driftfile” should only be allowed locally	HIGH
2901: Clients that receive a KoD should validate the origin timestamp field	MEDIUM
2899: Incomplete autokey data packet length checks	HIGH

4.2.8p3

Advance Notification: 2015 Jun 22
Advance Release: 2015 Jun 24
Public Release: 2015 Jun 29

Security Issue	Severity
2853: ntpd control message crash: Crafted NUL-byte in configuration directive	LOW

4.2.8p2

Advance Notification: 2015 Mar 15
Advance Release: 2015 Mar 22
Public Release: 2015 Apr 7

Security Issue	Severity
2781: Authentication doesn’t protect symmetric associations against DoS attacks	MEDIUM
2779: ntpd accepts unauthenticated packets with symmetric key crypto	LOW

4.2.8p1

Public Release: 2015 Feb 04

Security Issue	Severity
2672: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed	MEDIUM
2671: `vallen` is not validated in several places in `ntp_crypto.c`, leading to a potential info leak or possibly crashing `ntpd`	LOW

4.2.8

Public Release: 2014 Dec 18

Security Issue	Severity
2670: receive(): missing return on error	MEDIUM
2669: Buffer overflow in configure()	HIGH
2668: Buffer overflow in ctl_putdata()	HIGH
2667: Buffer overflow in crypto_recv()	HIGH

4.2.7p230

Public Release: 2011 Nov 1

Security Issue	Severity
2666: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys	HIGH

4.2.7p26

Public Release: 2010 Apr 24

Security Issue	Severity
1532: DRDoS / Amplification Attack using ntpdc monlist command	MEDIUM

4.2.7p11

Public Release: 2010 Jan 28

Security Issue	Severity
2665 :Weak default key in config_auth()	HIGH

4.2.6

Public Release: 2009 Dec 8

Security Issue	Severity
1331: DoS attack from certain NTP mode 7 packets	MEDIUM

4.2.4p7

Public Release: 2009 Mar 4

Security Issue	Severity
1151: Remote exploit if autokey is enabled	MEDIUM

4.2.4p5

Public Release: 2009 Jan 8

Security Issue	Severity
Multiple OpenSSL signature verification API misuse	MEDIUM