NTP BUG 2952: Original fix for NTP Bug 2901 broke peer associations

Last update: January 15, 2024 18:03 UTC (83e32bc41)

---

Summary

Resolved	4.2.8p7	26 Apr 2016
References	Bug 2952	CVE-2015-7704
Affects	4.2.8p4 up to but not including 4.2.8p7, and 4.3.77 up to, but not including 4.3.92.	Resolved in 4.2.8p7.
CVSS2 Score	5.0	AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3 Score	7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

---

Description

The fix for NTP Bug 2901 in ntp-4.2.8p4 went too far, breaking peer associations.

---

Mitigation

• Upgrade to 4.2.8p7 or later.
• Don’t connect to ntp-4.2.8p4 thru p6 instances of ntpd using a peer association.
• If you are running ntp-4.2.8p4 thru p6 instances of ntpd don’t expect clients that connect to you with peer associations to work.
• Properly monitor your ntpd instances.

---

Credit

This weakness was discovered by Michael Tatarinov , NTP Project Developer Volunteer.

---

Timeline

• 2016 Apr 26: Public release
• 2016 Apr 12: Early Access Program Release: Premier and Partner Institutional Members
• 2016 Feb 14: Notification to Institutional Members
• 2016 Jan 12: Initial notification from Cisco