NTP BUG 3010: remote configuration trustedkey/requestkey/controlkey values are not properly validated
Last update: June 28, 2022 20:06 UTC (57417e17c)
ntpd was expressly configured to allow for remote configuration, a malicious user who knows the
ntpq or the
mode7 is expressly enabled) can create a session with
ntpd and then send a crafted packet to
ntpd that will change the value of the
trustedkey, controlkey, or
requestkey to a value that will prevent any subsequent authentication with
ntpd is restarted.
This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.