Securing the NTP Service Installation on Windows
In February 2021 we received information that existing installations of the NTP service (ntpd) made via the Meinberg NTP installer for Windows have a potential security problem, as described on this web page:
- Nessus vulnerability 63155 - Microsoft Windows Unquoted Service Path Enumeration
https://www.tenable.com/plugins/nessus/63155
The problem is that the setup program writes the path to the NTP service binary to the Windows registry
without enclosing it in quotation marks, even if the path contains spaces.
Affected Software Versions
The problem exists in all versions of the setup programs for NTP for Windows up to (and including) ntp-4.2.8p15-win32-setup.exe.
It is fixed in ntp-4.2.8p15-v2-win32-setup.exe and later versions, so the easiest solution is to install the current version.
Fix by Installing the Current Version
The easiest fix is to install the current version of the NTP package.
Please note that if you are upgrading an older version, the setup program asks if you only
want to upgrade the existing files.
You should click No here to make sure the service is first uninstalled, and then re-installed.
This makes sure the old registry settings are removed, and then properly created from scratch.
Just upgrading the executable files would keep the old registry settings, so a path not enclosed in quotation marks wouldn't get fixed.
Fixing an Existing Installation
A simple fix for an existing installation is to edit the registry settings. This has to be done only once, and can be done manually, or by importing a .reg file with the appropriate settings.
Please note:
The default path to the executable file differs on 64 bit and 32 bit versions of Windows.
Also, if the install path has been changed during installation, the path may be completely different
than in the examples below, but in any case it should be enclosed in quotation marks
if it contains any space character.
Manually Editing the Registry
Run the Registry Editor (regedit.exe) and navigate to the path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTP
Then click on the ImagePath value, which contains the full path to the executable file ntpd.exe as well as the parameters to be passed to the service, e.g.:
C:\Program Files (x86)\NTP\bin\ntpd.exe -U 3 -M -g -c "C:\Program Files (x86)\NTP\etc\ntp.conf"
Make sure the full path to the executable file is also enclosed in quotation marks, as in:
"C:\Program Files (x86)\NTP\bin\ntpd.exe" -U 3 -M -g -c "C:\Program Files (x86)\NTP\etc\ntp.conf"
The path in the example above is for 64 bit Windows versions. On 32 bit Windows the (x86) extension in the path is missing.
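The same check as a read-only Python script (an added example, not code from Meinberg or the NTP installer): it classifies an ImagePath string and, if the executable path is unquoted and contains a space, returns the value it should be changed to. The function names are made up for this example, and it assumes the service executable name ends in .exe.

```python
import re
import sys

# Registry location of the service settings, as given on the page.
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\NTP"

# The unquoted ImagePath shown on the page (64 bit default directory).
SAMPLE_UNQUOTED = (r'C:\Program Files (x86)\NTP\bin\ntpd.exe -U 3 -M -g '
                   r'-c "C:\Program Files (x86)\NTP\etc\ntp.conf"')

# Unquoted command line: shortest prefix ending in ".exe" that is followed
# by whitespace or the end of the string; the rest are the parameters.
_EXE_THEN_ARGS = re.compile(r"^(?P<exe>.+?\.exe)(?P<args>\s.*)?$", re.I | re.S)


def audit_image_path(image_path):
    """Classify an ImagePath string and return (status, suggested_value).

    status: "quoted", "no-spaces", "unquoted" (needs fixing) or "unparsed".
    """
    value = image_path.strip()
    if value.startswith('"'):
        # Quoted only counts if the closing quotation mark is present.
        return ("quoted" if '"' in value[1:] else "unparsed"), value
    match = _EXE_THEN_ARGS.match(value)
    if match is None:
        return "unparsed", value
    exe, args = match.group("exe"), match.group("args") or ""
    if " " not in exe:
        return "no-spaces", value          # nothing to quote
    return "unquoted", '"{}"{}'.format(exe, args)


def read_ntp_image_path():
    """Read the current ImagePath of the NTP service (Windows only)."""
    import winreg  # imported lazily so audit_image_path() runs on any OS
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "ImagePath")
    return value


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    current = read_ntp_image_path() if on_windows else SAMPLE_UNQUOTED
    status, suggested = audit_image_path(current)
    print("ImagePath:", current)
    print("Status:   ", status)
    if status == "unquoted":
        print("Should be:", suggested)
```

The script only reads the registry; the suggested value still has to be entered in the Registry Editor as described above.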
Importing a '.reg' File with Appropriate Settings
Here are some .reg files that can be used if the NTP software is installed to the default directory.
Just click on the appropriate link to download the required .reg file.
When you click on the downloaded file, the settings from the file are imported to the registry, and thus the ImagePath in the settings for the NTP service is updated.
Here is the appropriate file for installations to the default directory on 64 bit Windows:
And this file is for installations to the default directory on 32 bit Windows:
— Martin Burnicki martin.burnicki@meinberg.de, last updated 2021-02-24