[ntp:security] Security Vulnerability in ntpd v4.2.8p10 and v4.2.8p11

Nikhil Tripathi phd1401101002 at iiti.ac.in
Fri Mar 23 11:17:47 UTC 2018


Dear NTP project team,

We found a vulnerability in the two most recent versions of ntpd -
v4.2.8p10 and v4.2.8p11 which can be exploited to prevent a broadcast
client from synchronizing itself with a broadcast server. In particular, by
exploiting this vulnerability, an adversary prevents a broadcast client
from calculating the path propagation delay, due to which the client is not able to
synchronize its clock with the broadcast server.

We have also requested a CVE ID allocation for this vulnerability.

Attached is a document in which we describe the procedure to exploit this
vulnerability.

I hope this will help to make the implementation more robust and secure.

Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NTP attack.pdf
Type: application/pdf
Size: 83198 bytes
Desc: not available
URL: <http://lists.ntp.org/private/security/attachments/20180323/4a43aefc/attachment.pdf>