NTP Project security vulnerabilities

Today the Network Time Foundation announced 6 security vulnerabilities in the reference NTP implementation, which serves as the NTP client and server in pfSense software. These are largely not applicable here, however we’re still investigating potential impact.

  1. Weak default key in config_auth() - this applies only to old NTP versions not used in any current or recent pfSense release, and is in an area that isn’t possible to enable in pfSense.
  2. non-cryptographic random number generator with weak seed used by ntp-keygen - this also applies only to old versions, and is in an area that isn’t possible to enable in pfSense.
  3. Buffer overflow in crypto_recv() - this applies only to an area that isn’t possible to enable in pfSense.
  4. Buffer overflow in ctl_putdata() - this applies only where control messages are allowed from untrusted hosts, which isn’t possible to configure in pfSense.
  5. receive(): missing return on error - this is a bug that doesn’t appear to have any ability to affect system integrity, hence has no security impact.
  6. Buffer overflow in configure() - this is applicable, however appears to be strictly denial of service. Where you have the NTP server enabled, clients that are permitted by your firewall rules (by default, and in general, only internal hosts) could crash the NTP service.

The bug reports on ntp.org are marked as private, leaving specific, authoritative details a bit lacking. If you have any information beyond the above, or that contradicts the above, please email us at security at pfsense.org. At this time, we don’t believe this poses any significant risk for pfSense users. We’ll update this post should anything change.