[ntp:security] (no subject)

刁造翔 zxdiao1992 at 163.com
Mon Jan 11 12:48:11 UTC 2016

when i use ntp autokey to build a local aero network.i found a bug from the source code of ntp-4.2.8p3.the  cookie request from client should be create by server through hash with server ip address,client ip address,and server seed.but in fact,server seed used here is zero when server' ntp service is start not to long.that is to same.another server with the same ip address will return a same cookie value,also it can be used as attacker to be used to provide wrong time to another client.

More information about the security mailing list