NTP BUG 3010: remote configuration trustedkey/requestkey/controlkey values are not properly validated
Last update: February 15, 2022 20:59 UTC (43fbd379b)
ntpd was expressly configured to allow for remote configuration, a malicious user who knows the
ntpq or the
mode7 is expressly enabled) can create a session with
ntpd and then send a crafted packet to
ntpd that will change the value of the
trustedkey, controlkey, or
requestkey to a value that will prevent any subsequent authentication with
ntpd is restarted.
This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.