An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.

Affects: ntp-4.0.9, up to but not including ntp-4.2.8p10

Mitigations: Implement BCP-38. Configure enough servers/peers that an attacker cannot target all of your time sources. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
Acknowledgments:
Name: the NTP project
Upstream: Matthew Van Gundy (Cisco)
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1435163]
External References:
http://www.talosintelligence.com/reports/TALOS-2016-0260/
This flaw is due to an incorrect upstream fix of CVE-2015-8138. ntp as distributed with Fedora and Red Hat Enterprise Linux is not affected by this issue.
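One way to act on the "enough servers" and "properly monitor" mitigations listed in the description is to watch the reach column of `ntpq -pn`. This is an added example, not code from the NTP project or from this bug report. The billboard text is constructed, and the thresholds `min_sources` and `max_missed` are assumptions to tune locally.

```python
import re

# Constructed sample of `ntpq -pn` output (not captured from a real host).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    1.204    0.113   0.045
+192.0.2.11      192.0.2.10       2 u   12   64  377    2.871   -0.402   0.210
 198.51.100.7    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.0.113.5     192.0.2.10       2 u  410   64  360   11.532    1.905   0.731
"""

def missed_polls(reach_octal):
    """Count consecutive most-recent polls with no accepted reply (0..8).

    reach is an 8-bit shift register printed in octal; bit 0 is the latest poll.
    """
    reach = int(reach_octal, 8) & 0xFF
    missed = 0
    while missed < 8 and not (reach >> missed) & 1:
        missed += 1
    return missed

def parse_peers(text):
    """Return one dict per peer row, skipping the header and separator lines."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()  # column 0 is the tally code (*, +, -, space, ...)
        if len(fields) == 10 and re.fullmatch(r"[0-7]{1,3}", fields[6]):
            peers.append({"tally": line[0], "remote": fields[0],
                          "missed": missed_polls(fields[6])})
    return peers

def assess(text, min_sources=4, max_missed=3):
    """Classify source health; both thresholds are assumed values, not ntpd defaults."""
    peers = parse_peers(text)
    failing = [p["remote"] for p in peers if p["missed"] > max_missed]
    usable = len(peers) - len(failing)
    if usable == 0:
        status = "CRITICAL"  # no source is delivering accepted replies
    elif usable < min_sources:
        status = "WARNING"   # too few working sources left to absorb further loss
    else:
        status = "OK"
    return status, usable, failing

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A reach value that drains to zero is consistent with replies being dropped at TEST2, but ordinary packet loss produces the same pattern, so treat the result as a trigger for investigation rather than proof of spoofing.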