The TEST2 check of the originate timestamp in received packets, which requires the timestamp to match the value of the peer->aorg variable, which is supposed to be random to prevent spoofing attacks, has been found to be faulty.
When ntpd receives a reply, it clears the peer->aorg variable to prevent a replay attack. This makes the value known to the attacker and a spoofed packet with a zero originate timestamp will pass the TEST2.
This means an off-path attacker can disrupt the synchronization with KoD packets, similar to CVE-2015-7704, or they can push arbitrary offset/delay measurements to the client, taking full control over the clock or causing ntpd to exit with an offset larger than the panic threshold.
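An added example, not ntpd's own code, that models the TEST2 logic described above in a reduced form: the flawed check, which zeroes peer->aorg after a reply and so lets a later packet with origin 0 match, beside a hardened check that refuses a zero origin timestamp. The types, function names and the sample timestamp are assumptions for illustration only.

```c
/* Added example (not ntpd's own code): a reduced model of the TEST2
 * origin-timestamp check. l_fp64, peer_t, test2_flawed, test2_fixed and
 * forgery_accepted are hypothetical names that only mirror the logic. */
#include <stdint.h>
#include <stdbool.h>

typedef uint64_t l_fp64;              /* 64-bit NTP timestamp (sec<<32 | frac) */

typedef struct {
    l_fp64 aorg;                      /* transmit timestamp of our last request */
} peer_t;

/* Client sends a request: remember the (should-be-unpredictable) origin. */
static void send_request(peer_t *p, l_fp64 xmt) { p->aorg = xmt; }

/* Flawed check: a reply passes if its origin field equals aorg; aorg is
 * then zeroed to stop replays.  After that aorg == 0, so any packet
 * carrying origin == 0 also passes. */
static bool test2_flawed(peer_t *p, l_fp64 org)
{
    if (org != p->aorg)
        return false;                 /* TEST2: bogus packet */
    p->aorg = 0;                      /* clear to block replay */
    return true;
}

/* Hardened check (assumed form of the fix): never accept a packet whose
 * origin timestamp is zero, so a cleared aorg can no longer be matched. */
static bool test2_fixed(peer_t *p, l_fp64 org)
{
    if (org == 0 || org != p->aorg)
        return false;
    p->aorg = 0;
    return true;
}

/* Replays the scenario: a genuine reply, then an off-path forgery with
 * origin 0.  Returns true only if the forgery was accepted. */
static bool forgery_accepted(bool (*check)(peer_t *, l_fp64))
{
    peer_t peer = {0};
    const l_fp64 our_xmt = 0xDEADBEEF12345678ULL;   /* constructed value */
    send_request(&peer, our_xmt);
    bool genuine = check(&peer, our_xmt);            /* legitimate reply */
    bool forged  = check(&peer, 0);                  /* spoofed, org = 0 */
    return genuine && forged;
}
```

The flawed variant accepts the zero-origin packet once aorg has been cleared; the hardened variant still accepts the genuine reply but rejects the forgery.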
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1300277]
This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5 as they do not include the affected code, which was introduced in version 4.2.6 of NTP.
The upstream fix for this issue is reported to be incomplete:
(In reply to Martin Prpic from comment #8)
> The upstream fix for this issue is reported to be incomplete:
Clarification: The patch proposed by upstream has been found not to address the CVE-2015-8138 issue because it doesn't apply with a fix that was applied for a different issue. The problematic upstream merge is:
Red Hat has not included the patch to fix the previous issue and used a slightly modified version of the upstream patch to fix CVE-2015-8138.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2016:0063 https://rhn.redhat.com/errata/RHSA-2016-0063.html
ntp-4.2.6p5-36.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-36.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.