An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1397351]
Use "restrict default noquery ..." in your ntp.conf file.
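One way to check an ntp.conf for the mitigation above, as an added example that is not part of the original bug report or of the ntp project. It assumes the default entry is written either as `restrict [-4|-6] default ...` or as `restrict 0.0.0.0 mask 0.0.0.0 ...`, and it treats `ignore` as equivalent to `noquery` for this purpose because it drops all packets; the function names and sample configurations are constructed for illustration.

```python
# Added example: audit ntp.conf text for the "restrict default noquery" mitigation.
BLOCKING_FLAGS = {"noquery", "ignore"}  # flags that stop mode 6 queries being answered

def default_entries(conf_text):
    """Return [(line_no, flags)] for every restrict line that sets the default entry."""
    found = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if args[:1] == ["default"]:
            found.append((line_no, set(args[1:])))
        elif args[:3] == ["0.0.0.0", "mask", "0.0.0.0"]:
            found.append((line_no, set(args[3:])))
    return found

def audit(conf_text):
    """Return a list of findings; an empty list means every default entry blocks queries."""
    entries = default_entries(conf_text)
    if not entries:
        return ["no 'restrict default' line: noquery is not set for the default entry"]
    return [
        f"line {n}: default entry lacks noquery (flags: {' '.join(sorted(flags)) or 'none'})"
        for n, flags in entries
        if not flags & BLOCKING_FLAGS
    ]

# Constructed sample configurations, not taken from any real host.
HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
WEAK = """\
# queries from anywhere are still answered
restrict default kod nomodify notrap nopeer
restrict -6 default nomodify notrap  # noquery
server 0.pool.example iburst
"""

if __name__ == "__main__":
    for name, text in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit(text) or "ok")
```

A `noquery` that appears only inside a trailing comment, as on the second `restrict` line of the weak sample, does not count as set.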
Has an RPM been released with a fix for this? I haven't seen one at http://mirror.centos.org.
If not released, what is the ETA for the same?
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2017:0252 https://rhn.redhat.com/errata/RHSA-2017-0252.html