NTP BUG 3119: Mode 6 unauthenticated trap information disclosure and DDoS vector
Last update: February 15, 2022 20:59 UTC (43fbd379b)
ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash
ntpd, resulting in a denial of service.
- Implement BCP-38.
restrict default noquery ... in your
ntp.conf file. Only allow mode 6 queries from trusted networks and hosts.
- Upgrade to 4.2.8p9 or later.
- Properly monitor your
ntpd instances, and auto-restart
-g) if it stops running.
This weakness was discovered by Matthew Van Gundy of Cisco.