NTP BUG 3592: DoS Attack on Unauthenticated Client

Last update: February 15, 2022 15:25 UTC (b158e7036)

Summary

Resolved	4.2.8p14	03 Mar 2020
References	Bug 3592	CVE-2020-11868
Affects	ntp-4.2.8p12 (possibly earlier) and ntp-4.2.8p13, and 4.3.98 up to, but not including 4.3.100.	Resolved in 4.2.8p14 and 4.3.100.
CVSS2 Score	5.4	AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSS3 Score	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

The fix for 3445 introduced a bug whereby a system that is running ntp-4.2.8p12 or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim’s next poll to its source to be delayed, for as long as the attack is maintained.

Mitigation

Use authentication with symmetric peers.
Have enough sources of time.
Upgrade to 4.2.8p14 or later.

Credit

Reported by Miroslav Lichvar.

Timeline

2020 Mar 03: Public release
2020 Feb 17: Early Access Program Release: Premier and Partner Institutional Members
2019 Jun 05: Notification to Institutional Members
2019 May 30: Notification from reporter