NTP BUG 3045: Bad authentication demobilizes ephemeral associations
Last update: February 15, 2022 20:59 UTC (43fbd379b)
An attacker who knows the origin timestamp and can send a spoofed packet containing a
CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association.
- Implement BCP-38.
- Upgrade to 4.2.8p8 or later.
- Properly monitor your
ntpd instances, and auto-restart
-g) if it stops running.
This weakness was discovered by Miroslav Lichvar of Red Hat.