[ntp:questions] Windows Time with NTPv4

David L. Mills mills at udel.edu
Mon Mar 10 15:53:41 UTC 2008


Thanks for the reminder. In the six years hence the code has gone 
through a number of security audits and defensive adjustments, one or 
more of which might have plugged the hole. The code at time.nist.gov is 
4.1.1b, which must be before 4.1.1c, dated 10 June 2003, and has the 
hole plugged, so the hole got plugged before that.

There is talk about the code being audited by someone other than me, in 
which case the hole might get plugged again.

Does the Meinberg workaround appear in Microsoft KB?


Martin Burnicki wrote:

> Dave,
> David L. Mills wrote:
>>I just poked around and discovered something interesting that affects
>>Windows clients, both XP and Vista.
>>Microsoft has broken the NTP specification in that the client sends a
>>request in symmetric active mode instead of client mode. According to
>>the NTP spec, both ancient and modern, this causes the server to launch
>>a symmetric passive association, which would be a serious security
>>The NTPv4 servers, including those at USNO and NIST, have specific means
>>to protect against this vulnerability, so as you might have noticed,
>>synchronizing XP or Vista clients to those servers fails.
>>However, I jimmied the code so that, while it will not launch an
>>association if denied, it will reply in symmetric passive mode. In other
>>words, the server behaves in the same way as with an ordinary
>>client/server mode. With this change, now in the development branch,
>>Windows XP and Vista now work correctly.
>>I'm not happy about this. I thought Microsoft had fixed this long ago in
>>a service pack. Now at least folks with 400 PCs don't all have to light
>>up Windows NTP.
> Huh? This has already been discussed back in 2002, and you had already
> introduced a workaround which should (and obviously did) work similar to
> what you write now.
> See your own posts from August 4, 2002:
> http://groups.google.de/group/comp.protocols.time.ntp/msg/51963f1da8a17cbe
> http://groups.google.de/group/comp.protocols.time.ntp/msg/199932ca96c5a9a7
> Had this workaround been removed intentionally or unintentionally in the
> mean time, or why should the current -dev version refuse to respond to the
> requests of those broken clients?
> BTW, there's a Meinberg FAQ which tells how to fix those broken Windows
> clients and let them send normal peer requests instead of symmetric active
> requests:
> "Why does my Windows Time Service (w32time) not synchronize with my NTP
> Server?"
> http://www.meinberg.de/english/faq/faq_28.htm
> Martin
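
The mode handling discussed in this thread, as an added example that is not part of either post and is not code from the NTP distribution. The header layout and mode numbers follow RFC 5905; `server_decision`, `peer_trusted`, `find_symmetric_active` and the sample packets are hypothetical names and constructed data used only for illustration.

```python
# Added illustration (not ntpd source). Header layout and mode numbers per RFC 5905.
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast"}

def parse_header(packet: bytes) -> dict:
    """Split the first octet of an NTP packet into LI, version and mode."""
    if len(packet) < 48:                      # minimum NTP header length
        raise ValueError("short NTP packet")
    first = packet[0]
    return {"li": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}

def server_decision(packet: bytes, peer_trusted: bool = False):
    """Return (reply_mode, mobilize_association) for an incoming request.

    peer_trusted is a hypothetical stand-in for whatever policy permits a
    symmetric passive association; when it is False the request is "denied".
    """
    mode = parse_header(packet)["mode"]
    if mode == 3:                             # ordinary client request
        return 4, False                       # stateless server reply
    if mode == 1:                             # symmetric active request
        # Denied: still answer in mode 2, but keep no state, so the sender
        # is served like a client and cannot become a peer of the server.
        return 2, peer_trusted
    return None, False                        # not a request this sketch answers

def find_symmetric_active(captures):
    """List source addresses whose requests arrive in mode 1."""
    return sorted({src for src, pkt in captures
                   if parse_header(pkt)["mode"] == 1})

def make_request(version: int, mode: int) -> bytes:
    """Build a constructed 48-byte request with only the first octet set."""
    return bytes([(version << 3) | mode]) + bytes(47)

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [("192.0.2.10", make_request(3, 1)),
          ("192.0.2.11", make_request(4, 3)),
          ("192.0.2.12", make_request(3, 1))]

if __name__ == "__main__":
    for src, pkt in SAMPLE:
        reply, mobilize = server_decision(pkt)
        print(src, MODE_NAMES[parse_header(pkt)["mode"]], "->", reply, mobilize)
    print(find_symmetric_active(SAMPLE))
```

Running `find_symmetric_active` over captured port 123 requests is a quick way to inventory clients that still need the client-side fix mentioned in the thread.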
