NTP BUG 3010: remote configuration trustedkey/requestkey/controlkey values are not properly validated
Last update: May 9, 2023 14:31 UTC (f9b991261)
ntpd was expressly configured to allow for remote configuration, a malicious user who knows the
ntpq or the
mode7 is expressly enabled) can create a session with
ntpd and then send a crafted packet to
ntpd that will change the value of the
trustedkey, controlkey, or
requestkey to a value that will prevent any subsequent authentication with
ntpd is restarted.
This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.