NTP BUG 3596: Unauthenticated and unmonitored ntpd may be susceptible to IPv4 attack from highly predictable transmit timestamps

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Resolved 4.2.8p14 03 Mar 2020
References Bug 3596 CVE-2020-13817
Affects Likely all versions of ntpd up to, but not including ntp-4.2.8p14 and ntp-4.3.100. Resolved in ntp-4.2.8p14 and ntp-4.3.100.
CVSS2 Score 5.4 AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSS3 Score 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim’s ntpd instance. The attacker must be able to send and the victim must be able to receive and process a large number of packets with the spoofed IPv4 address of the upstream server. After 8 or more successful attacks in a row, the attacker can either modify the victim’s clock by a limited amount or cause ntpd to exit. This attack is most effective in cases where an unusually short poll interval is expressly configured on the victim’s ntpd.



Reported by Miroslav Lichvar.