Securing the NTP Service Installation on Windows

In February 2021 we have received information that existing installations of the NTP service (ntpd) via the Meinberg NTP installer for Windows have a potential security problem as described on this web page:

• Nessus vulnerability 63155 - Microsoft Windows Unquoted Service Path Enumeration
  https://www.tenable.com/plugins/nessus/63155

The problem is that the setup program writes the path to the NTP service binary to the Windows registry without enclosing it in quotation marks, even if the path contains spaces.

The problem exists in all versions of the setup programs for NTP for Windows up to (and including) ntp-4.2.8p15-win32-setup.exe.

It is fixed in ntp-4.2.8p15-v2-win32-setup.exe and later versions, so the easiest solution is to install the current version.

The easiest fix is to install the current version of the NTP package.

Please note that if you are upgrading an older version, the setup program asks if you only want to upgrade the existing files. You should click No here to make sure the service is first uninstalled, and then re-installed. This makes sure the old registry settings are removed, and then properly created from scratch.

Just upgrading the executable files would keep the old registry settings, so a path not enclosed in quotation marks wouldn't get fixed.

A simple fix for an existing installation is to edit the registry settings. This has to be done only once, and can be done manually, or by importing a ''.reg'' file with the appropriate settings.

Please note: The default path to the executable file differs on 64 bit and 32 bit versions of Windows. Also, if the install path has been changed during installation, the path may be completely different than in the examples below, but in any case it should be enclosed in quotation marks if it contains any space character.

Run the Registry Editor (regedit.exe) and navigate to the path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTP

Then click on the ImagePath key which contains the full path to the executable file ntpd.exe as well as the parameters to be passed to the service, e.g.:

C:\Program Files (x86)\NTP\bin\ntpd.exe -U 3 -M -g -c “C:\Program Files (x86)\NTP\etc\ntp.conf”

Make sure the full path to the executable file is also enclosed in quotation marks, as in:

"C:\Program Files (x86)\NTP\bin\ntpd.exe" -U 3 -M -g -c “C:\Program Files (x86)\NTP\etc\ntp.conf”

The path in the example above is for 64 bit Windows versions. On 32 bit Windows the (x86) extension in the path is missing.

Here are some .reg files that can be used if the NTP software is installed to the default directory.

Just click on the appropriate link to download the required .reg file. When you click on the downloaded file, the settings from the file are imported to the registry, and thus the ImagePath in the settings for the NTP service is updated.

Here is the appropriate file for installations to the default directory on 64 bit Windows:

• service-ntp-imagepath-64-bit.reg

And this file is for installations to the default directory on 32 bit Windows:

• service-ntp-imagepath-32-bit.reg

— Martin Burnicki martin.burnicki@meinberg.de, last updated 2021-02-24