NTP BUG 3592: DoS Attack on Unauthenticated Client

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Resolved 4.2.8p14 03 Mar 2020
References Bug 3592 CVE-2020-11868
Affects ntp-4.2.8p12 (possibly earlier) and ntp-4.2.8p13,
and 4.3.98 up to, but not including 4.3.100.
Resolved in 4.2.8p14 and 4.3.100.
CVSS2 Score 5.4 AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSS3 Score 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


The fix for 3445 introduced a bug whereby a system that is running ntp-4.2.8p12 or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim’s next poll to its source to be delayed, for as long as the attack is maintained.



Reported by Miroslav Lichvar.