NTP BUG 3361: 0rigin DoS
Last update: February 15, 2022 20:59 UTC (43fbd379b)
An exploitable denial of service vulnerability exists in the origin timestamp check functionality of
ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.
- Implement BCP-38.
- Configure enough servers/peers that an attacker cannot target all of your time sources.
- Upgrade to 4.2.8p10 or later.
- Properly monitor your
ntpd instances, and auto-restart
-g) if it stops running.
This weakness was discovered by Matthew Van Gundy of Cisco.