NTP BUG 3020: Refclock impersonation vulnerability

Last update: June 28, 2022 20:06 UTC (57417e17c)


Resolved: 4.2.8p7, 26 Apr 2016
References: Bug 3020, CVE-2016-1551
Affects: On a very limited number of OSes, all NTP releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. By "very limited number of OSes" we mean no general-purpose OSes have yet been identified that have this vulnerability. Resolved in 4.2.8p7.
CVSS2 Score: LOW 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSS3 Score: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N


While the majority of OSes implement martian packet filtering in their network stack, at least regarding, a rare few will allow packets claiming to be from that arrive over the physical network. On these OSes, if ntpd is configured to use a reference clock, an attacker can inject packets over the network that look like they are coming from that reference clock.
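An added example, not part of the NTP project's advisory: a Python check that applies the "Affects" version ranges above to an ntpd version string and looks for configured reference clocks in an ntp.conf. It relies on ntpd's convention of addressing reference clocks as 127.127.t.u; the function names and the sample configuration are constructed for illustration, and the OS-level martian filtering condition is not visible in a config file, so it is not checked.

```python
import ipaddress
import re
# ntpd addresses reference clocks as 127.127.t.u (t = driver type, u = unit).
REFCLOCK_NET = ipaddress.ip_network("127.127.0.0/16")
ASSOC = re.compile(r"^\s*(?:server|peer)\s+(\S+)")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

SAMPLE_CONF = """\
# constructed sample ntp.conf, not taken from the advisory
server 0.pool.ntp.org iburst
server 127.127.28.0 minpoll 4   # shared-memory refclock
fudge 127.127.28.0 refid GPS
peer 192.0.2.10
"""

def parse_version(text):
    """'4.2.8p6' -> (4, 2, 8, 6); a missing patch level counts as 0."""
    m = VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ntpd version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    """Apply the advisory's 'Affects' ranges to a version string."""
    v = parse_version(text)
    stable = v < (4, 2, 8, 7)                  # up to, not including 4.2.8p7
    dev = (4, 3, 0, 0) <= v < (4, 3, 92, 0)    # 4.3.0 up to, not including 4.3.92
    return stable or dev

def refclocks(conf_text):
    """Return refclock pseudo-addresses named on server/peer lines."""
    found = []
    for line in conf_text.splitlines():
        m = ASSOC.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or pool name, not a refclock
        if addr in REFCLOCK_NET:
            found.append(str(addr))
    return found

def audit(conf_text, version):
    """Flag a host for review only when a refclock is configured on an affected release."""
    clocks = refclocks(conf_text)
    affected = version_affected(version)
    return {"refclocks": clocks, "version_affected": affected, "review": bool(clocks) and affected}
```

A host flagged with `review` set still needs its network stack checked for whether it drops martian packets arriving on physical interfaces, since the advisory applies only where it does not.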



This weakness was discovered by Matt Street and others of Cisco ASIG.