News from 2023-04-13


Statement on NTP Vulnerabilities Reported on April 12, 2023


Update 4/14/2023, 11:00 AM CEST: Please note that the ntpq implementation in LTOS, meinbergOS, and NTP for Windows as distributed by Meinberg is affected by these vulnerabilities, but there is no risk as long as ntpq is not used to manually query NTP servers over an insecure connection such as the internet. Meinberg devices running LTOS or meinbergOS do not query any remote server using ntpq in any automated fashion.

If users must use ntpq to query servers over such an insecure connection, the recommended workaround is to pass -c raw to ntpq.

For example, to query the list of peers using ntpq, enter: ntpq -c raw -c peers

This ensures that the data returned by the ntpd instance of the queried server is not formatted by ntpq, thus bypassing the vulnerable function entirely. Many thanks to Miroslav Lichvar for this tip.
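The following is an added example, not part of Meinberg's statement or the NTP Project's code: a small audit that reads script or crontab text and reports every ntpq invocation whose first -c command is not raw. It assumes raw has to come before the query command, as in the command shown above; the host names, addresses and sample lines are constructed.

```shell
#!/bin/sh
# Added example: report ntpq calls that do not apply the "-c raw" workaround.
# Assumption: raw must be the first -c command, as in the advisory's example.

# Reads text on stdin; prints "LINE_NO: text" for each ntpq call lacking raw.
find_unsafe_ntpq() {
    awk '
    /^[ \t]*#/ { next }                        # skip comment lines
    {
        for (i = 1; i <= NF; i++) {
            # the ntpq command itself, bare or with a path in front
            if ($i !~ /(^|[^A-Za-z0-9_.-])ntpq$/) continue
            safe = 0
            for (j = i + 1; j <= NF; j++) {
                if ($j ~ /^[|;&]/) break       # end of this command
                if ($j == "-c") {
                    arg = $(j + 1)
                    gsub("[\"\047]", "", arg)  # drop surrounding quotes
                    safe = (arg == "raw")
                    break                      # only the first -c decides
                }
            }
            # no -c at all (for example "ntpq -p") is reported as well
            if (!safe) { printf "%d: %s\n", NR, $0; break }
        }
    }'
}

# Constructed sample input, as it might appear in admin scripts or a crontab.
sample_lines() {
    cat <<'EOF'
# constructed sample lines
ntpq -c raw -c peers ntp1.example.net
ntpq -p ntp1.example.net
/usr/bin/ntpq -c peers -c raw ntp2.example.net
*/5 * * * * ntpq -c "raw" -c rv 192.0.2.10 >> /var/log/ntp-check.log
ntpq -n -c associations 192.0.2.11 | mail -s ntp admin
EOF
}

# Stand-alone run: reports sample lines 3, 4 and 6.
sample_lines | find_unsafe_ntpq
```

To audit real files, feed them to the function on stdin, for example: find_unsafe_ntpq < /etc/crontab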

LTOS and meinbergOS security updates will be issued and Meinberg's NTP for Windows package will be updated accordingly once the NTP Project has released its update.

Update 4/13/2023, 5:30 PM CEST: The Federal Office for Information Security (BSI) has lowered the classification to "medium" following a review of the report and has eliminated the risk of a remote attack in the process. Meinberg's own analysis has come to a similar conclusion: the vulnerabilities are non-critical and can be fixed quickly.

Meinberg is aware of the five vulnerabilities published on April 12, 2023 relating to ntp-4.2.8p15 that were collectively classified as "critical" by the German Federal Office for Information Security before later being lowered to "medium".

We have assessed the risk of exploits of these vulnerabilities for the ntpd and ntpq implementations in Meinberg systems and have found no risk of a remote attack on any Meinberg devices.

Four of the vulnerabilities (CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554) relate to ntpq, which is not a persistently running process and does not receive data directly from remote sources, but rather is executed by a system administrator to acquire data from ntpd. Therefore, an exploit for these vulnerabilities would require manipulated data to be sent by ntpd, which is not itself affected by them.

The fifth vulnerability (CVE-2023-26555) relates to an obsolete NTP Project serial reference clock driver that is not used in Meinberg products.

More information and a discussion of the vulnerabilities are available at the following links:

https://github.com/spwpun/ntp-4.2.8p15-cves

https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1

Further Measures
We have been in contact with the developers of the NTP Project and a fix is in development.

