Update your NTP servers


Content Contributer
NTF's NTP Project has been notified of a number of vulnerabilities from Neel Mehta and Stephen Roettger of Google's Security Team.

The two most serious of these issues and four less serious issues have been resolved as of ntp-4.2.8, which was released on 18 December 2014.

There are still two less significant issues to be addressed. We're expecting to fix these within the next month.

Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)

It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)

It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys.


A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
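
An added example, not part of the original post or of the NTP project's code: a small Python audit that checks one host's ntpd version banner and ntp.conf against the points the advisory raises (release older than 4.2.8, no request key configured, Autokey enabled, keys file to review, monitor/query access left open). The finding codes, function names and sample inputs are constructed for illustration; `requestkey`, `crypto`, `keys`, `disable monitor` and `restrict ... noquery` are standard ntp.conf directives.

```python
import re

FIXED = (4, 2, 8)  # release the post names as carrying the fixes

def parse_version(banner):
    """Return (major, minor, patch) from e.g. 'ntpd 4.2.6p5@1.2349-o'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no NTP version found in %r" % banner)
    return tuple(int(x) for x in m.groups())

def audit(banner, conf_text):
    """Return sorted finding codes for one host's ntpd banner and ntp.conf."""
    # Drop comments and blank lines, then split each directive into tokens.
    rows = [ln.split("#", 1)[0].split() for ln in conf_text.splitlines()]
    rows = [r for r in rows if r]
    names = {r[0] for r in rows}
    found = set()
    if parse_version(banner) < FIXED:
        found.add("UPGRADE")             # older than ntp-4.2.8
    if "requestkey" not in names:
        found.add("NO_REQUESTKEY")       # ntpd falls back to a generated key
    if "crypto" in names:
        found.add("AUTOKEY_ENABLED")     # non-default setup that uses crypto_recv()
    if "keys" in names:
        found.add("CHECK_KEYGEN_KEYS")   # regenerate if made by ntp-keygen
    monitor_off = any(r[0] == "disable" and "monitor" in r[1:] for r in rows)
    default_closed = any(r[0] == "restrict" and "default" in r
                         and {"noquery", "ignore"} & set(r) for r in rows)
    if not (monitor_off or default_closed):
        found.add("MONLIST_EXPOSED")     # config-only heuristic
    return sorted(found)

# Constructed sample inputs (not taken from any real host).
OLD_BANNER = "ntpd 4.2.6p5@1.2349-o"
WEAK_CONF = """driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
keys /etc/ntp/keys
crypto pw examplepassword   # Autokey
"""
NEW_BANNER = "ntpd 4.2.8@1.3265-o"
HARDENED_CONF = """restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor
requestkey 1
"""

if __name__ == "__main__":
    print(audit(OLD_BANNER, WEAK_CONF))
    print(audit(NEW_BANNER, HARDENED_CONF))
```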



Just a little bit crazy...
Verified Provider
Hopefully this decreases the number of people with MONLIST enabled...


New Member
Verified Provider
Let's bid how long it takes until someone writes an "NTP DDoS deflector" - i.e. something that when hit with an NTP reflection attack sends back specially crafted packets to the misconfigured NTP servers used to carry the attack, making them crash.


Just a little bit crazy...
Verified Provider
Not that I would encourage illegal activity but...

There is likely a high correlation between those administrators who have not disabled MONLIST and those not updated, or going to update... 

It could be even considered an act of garbage removal, a public service for the internet.

Of course this is satirical and not my opinion, nor the opinion or stance of X4B.