NTP BUG 3044: Processing spoofed server packets

Last update: June 27, 2022 20:45 UTC (51d68a4aa)

Summary

Resolved	4.2.8p8	02 June 2016
References	Bug 3044	CVE-2016-4954
Affects	ntp-4, up to but not including ntp-4.2.8p8, and ntp-4.3.0 up to, but not including ntp-4.3.93.	Resolved in 4.2.8p8
CVSS2 Score	LOW 2.6	AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSS3 Score	LOW 3.7	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set.

Mitigation

Implement BCP-38.
Upgrade to 4.2.8p8 or later.
Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

Credit

This weakness was discovered by Jakub Prokes of Red Hat.

Timeline

2016 Jun 02: Public release
2016 May 24: Early Access Program Release: Premier and Partner Institutional Members
: Notification to Institutional Members
: Report received