NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

---

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

NTP Bug 3610

process_control() should bail earlier on short packets

• Date Resolved: Stable (4.2.8p14) 03 Mar 2020
• References: Sec 33610
• Affects: All versions of ntpd up to, but not including ntp-4.2.8p14 and ntp-4.3.100. Resolved in ntp-4.2.8p14 and ntp-4.3.100.
• CVSS2: 0.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:N)
• CVSS3: 0.0 - (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
• Summary: Fuzz testing detected that on systems that override the default and enable ntpdc (mode 7) packets, a short packet will cause ntpd to read uninitialized data.
• Mitigation:
  • Leave mode7 disabled.
  • Pay attention to error messages logged by ntpd.
  • Monitor your ntpd instances.
• Upgrade to 4.2.8p14, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
• Credit: Reported by Philippe Antoine (Catena cyber with oss-fuzz).

• 2020 Mar 03: Public release
• 2020 Feb 17: Release to Advance Security Partners
• 2019 Jun 20: Reported to NTF