NTP BUG 3592: DoS Attack on Unauthenticated Client

Last update: February 15, 2022 15:25 UTC (b158e7036)


Summary

Resolved: 4.2.8p14, 03 Mar 2020
References: Bug 3592, CVE-2020-11868
Affects: ntp-4.2.8p12 (possibly earlier) and ntp-4.2.8p13, and 4.3.98 up to, but not including, 4.3.100. Resolved in 4.2.8p14 and 4.3.100.
CVSS2 Score: 5.4, AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSS3 Score: 5.9, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

The fix for 3445 introduced a bug: a system running ntp-4.2.8p12 or p13 that has only one unauthenticated time source can be attacked in a way that delays the victim’s next poll to its source for as long as the attack is maintained.
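
The following check is an added example, not code from the NTP project: it tests a host against the precondition described above (an affected version whose only time source is unauthenticated). The function names, the sample configuration and the treatment of a lone `pool` line are assumptions made for illustration.

```python
import re

def version_status(ver):
    """Classify an ntpd version (e.g. '4.2.8p13', '4.3.99') against the
    ranges in this advisory's summary."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", ver.strip())
    if not m:
        return "not-listed"
    major, minor, point, patch = (int(g or 0) for g in m.groups())
    if (major, minor, point) == (4, 2, 8):
        if patch >= 14:
            return "fixed"
        # p12 and p13 are named; "possibly earlier" covers lower patch levels
        return "affected" if patch >= 12 else "possibly-affected"
    if (major, minor) == (4, 3):
        if point >= 100:
            return "fixed"
        return "affected" if point >= 98 else "not-listed"
    return "not-listed"

def configured_sources(conf_text):
    """Return (directive, address, authenticated) for each source line."""
    found = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in ("server", "peer", "pool"):
            continue
        args = [t for t in tokens[1:] if not t.startswith("-")]  # skip -4 / -6
        if not args:
            continue
        opts = args[1:]
        found.append((tokens[0], args[0], "key" in opts or "autokey" in opts))
    return found

def exposed(ver, conf_text):
    """True when the advisory's precondition holds: an affected version whose
    only time source is unauthenticated. Assumption: a lone 'pool' line is not
    counted as a single source, since it can resolve to several servers."""
    sources = configured_sources(conf_text)
    if version_status(ver) != "affected" or len(sources) != 1:
        return False
    directive, _addr, authenticated = sources[0]
    return directive != "pool" and not authenticated

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server time.example.net iburst   # single source, no key
"""

if __name__ == "__main__":
    print(version_status("4.2.8p13"), exposed("4.2.8p13", SAMPLE_CONF))
```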


Mitigation


Credit

Reported by Miroslav Lichvar.


Timeline