ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. After 8 or more successful attacks in a row, the attacker can either modify the victim's clock by a limited amount or cause ntpd to exit.
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1811628]
1. Have enough trustworthy sources of time.
2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.
3. Use NTP packet authentication where appropriate.
4. Pay attention to error messages logged by ntpd.
5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.
6. If you must get unauthenticated time over IPv4 on a hostile network, Use restrict ... noserve to prevent this attack (note that this is a heavy-handed protection), which blocks time service to the specified network.
All versions of ntp package shipped with Red Hat Enterprise Linux are affected by this flaw. However several mitigations exists, please refer to the mitigation section for more details.
Huzaifa, is CVE-2020-13816 a typo here and should it be CVE-2020-13817?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13817 references the http://support.ntp.org/bin/view/Main/NtpBug3596 and https://bugs.ntp.org/show_bug.cgi?id=3596 whilst CVE-2020-13816 is yet RESERVED.
In reply to comment #12:
> Huzaifa, is CVE-2020-13816 a typo here and should it be CVE-2020-13817?
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13817 references the
> http://support.ntp.org/bin/view/Main/NtpBug3596 and
> https://bugs.ntp.org/show_bug.cgi?id=3596 whilst CVE-2020-13816 is yet
i guess so, fixed now
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:2663 https://access.redhat.com/errata/RHSA-2020:2663
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):