NTP BUG 2665: Weak default key in config_auth()
Last update: February 15, 2022 20:59 UTC (43fbd379b)
auth key is set in the configuration file,
ntpd would generate a random key on the fly. There were two problems with this: 1) the generated key was 31 bits in size, and 2) it used the (now weak)
ntp_random() function, which was seeded with a 32 bit value and can only provide 32 bits of entropy. This was sufficient back in the late 1990s when this code was written. Not today.
- Upgrade to 4.2.7p11 or later.
restrict ... noquery in your
ntp.conf file, for non-trusted senders.
This vulnerability was discovered in ntp-4.2.6 by Neel Mehta of the Google Security Team.