NTP BUG 3592: DoS Attack on Unauthenticated Client

Last update: June 27, 2022 20:45 UTC (51d68a4aa)

---

Summary

Resolved	4.2.8p14	03 Mar 2020
References	Bug 3592	CVE-2020-11868
Affects	ntp-4.2.8p12 (possibly earlier) and ntp-4.2.8p13, and 4.3.98 up to, but not including 4.3.100.	Resolved in 4.2.8p14 and 4.3.100.
CVSS2 Score	5.4	AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSS3 Score	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

---

Description

The fix for 3445 introduced a bug whereby a system that is running ntp-4.2.8p12 or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim’s next poll to its source to be delayed, for as long as the attack is maintained.

---

Mitigation

• Use authentication with symmetric peers.
• Have enough sources of time.
• Upgrade to 4.2.8p14 or later.

---

Credit

Reported by Miroslav Lichvar.

---

Timeline

• 2020 Mar 03: Public release
• 2020 Feb 17: Early Access Program Release: Premier and Partner Institutional Members
• 2019 Jun 05: Notification to Institutional Members
• 2019 May 30: Notification from reporter