A flaw was found in the control mode functionality of ntpd. A remote attacker could send a crafted control mode packet which could lead to information disclosure or result in DDoS amplification attacks.
An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1397351]
Use "restrict default noquery ..." in your ntp.conf file.
Is an RPM released with fix for this. I haven't seen one @ http://mirror.centos.org.
If not released, what is ETA for same?
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2017:0252 https://rhn.redhat.com/errata/RHSA-2017-0252.html