Summary
coreSNTP is a client library for the Simple Network Time Protocol (SNTP) that allows devices to synchronize their system clocks with time servers.
We identified an unintended script within a specific zip file available on the Releases page of the coreSNTP GitHub project. This issue only affects a zip file downloaded directly from the Releases page – not users who obtained files through Git commands.
When building the coreSNTP library on a Linux or macOS based system, the script could have transmitted AWS account credentials if those credentials were stored in the user's home directory.
Out of an abundance of caution, users who downloaded the indicated release directly from the Releases page during the time frames referenced below should rotate AWS credentials present in their home directory's .aws/credentials file.
We have removed the indicated release to prevent further downloads. Users should also delete their copies of the indicated release. AWS customers who need further assistance should contact AWS Support.
Impact
This issue affected the following zipped release file during the specified time frame:
- coreSNTP release v1.3.1, asset coreSNTP-v1.3.1.zip between May 1, 2025 and May 8, 2025.
- SHA256: 0912a02d38672d95440a7ab45d7929f2621b8fb9c42d6e7e8df1feaa7959ecca
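A content-based check for leftover copies of the affected archive, added here as an example and not part of the original advisory or the coreSNTP project: it hashes every .zip file under a directory and compares the result with the SHA256 listed in this advisory, so a renamed copy is still found. The function names and the default search root (the home directory) are assumptions.

```python
import hashlib
import os
import sys

# SHA-256 of coreSNTP-v1.3.1.zip as published in this advisory.
AFFECTED_SHA256 = "0912a02d38672d95440a7ab45d7929f2621b8fb9c42d6e7e8df1feaa7959ecca"


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_affected_archives(root, expected=AFFECTED_SHA256):
    """Return (matches, unreadable) for .zip files under root.

    Matching is by content hash, not file name. Symlinked files are skipped
    so each archive is hashed once, at its real location.
    """
    expected = expected.strip().lower()
    matches, unreadable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                if sha256_of(path) == expected:
                    matches.append(path)
            except OSError:
                unreadable.append(path)
    return matches, unreadable


if __name__ == "__main__":
    # Assumption: downloads live under the home directory unless a path is given.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    found, skipped = find_affected_archives(root)
    for p in found:
        print("AFFECTED:", p)
    for p in skipped:
        print("could not read:", p, file=sys.stderr)
    sys.exit(1 if found else 0)
```

An exit status of 1 means a matching archive was found; per this advisory, delete that copy and rotate the credentials in the home directory's .aws/credentials file.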
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.