NTP BUG 2941: NAK to the Future: Symmetric association authentication bypass via crypto-NAK
Last update: March 2, 2022 17:28 UTC (616623bea)
Crypto-NAK packets can be used to cause
ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations (lines 1103-1165) was refactored.
- Implement BCP-38.
- Upgrade to 4.2.8p4 or later.
- If you are unable to upgrade:
- Apply the patch to the bottom of the
authentic check block around line 1136 of
- Monitor your
This weakness was discovered by Matthew Van Gundy of Cisco ASIG.