Jonathan Gardner

**Name of the Vulnerable Software and Affected Versions** NTP versions 4.2.8p4 and earlier NTPSec version aa48d001683e5b791a743ec9c575aaf7d867a2b0c **Description** An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the `peer->dst` timestamp recorded for that server. This allows the attacker to change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode. After making this switch, the client will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. **Recommendations** For NTP versions 4.2.8p4 and earlier, consider updating to a newer version to mitigate the risk. For NTPSec version aa48d001683e5b791a743ec9c575aaf7d867a2b0c, consider updating to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the `ntpd` server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NTP versions prior to 4.2.8p6 NTP versions 4.3.x prior to 4.3.90 **Description** The issue is related to the `nextvar` function, which does not properly validate the length of its input. This allows an attacker to cause a denial of service, resulting in an application crash. **Recommendations** For NTP versions prior to 4.2.8p6, update to version 4.2.8p6 or later. For NTP versions 4.3.x prior to 4.3.90, update to version 4.3.90 or later.

**Name of the Vulnerable Software and Affected Versions** NTP versions 4.1.2, 4.2.x through 4.2.8p5, 4.3, 4.3.25, 4.3.70, 4.3.77 **Description** The issue concerns the ntpq saveconfig command, which does not properly filter special characters. This allows attackers to cause unspecified impact via a crafted filename. **Recommendations** For NTP version 4.1.2, update to a version later than 4.1.2 to resolve the issue. For NTP versions 4.2.x through 4.2.8p5, update to version 4.2.8p6 or later. For NTP versions 4.3, 4.3.25, 4.3.70, 4.3.77, consider disabling the ntpq saveconfig command until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NTP versions 4.2.8p6 and earlier, NTP versions 4.3.x before 4.3.90 NTP (affected versions not specified) in multiple Cisco products **Description** The issue allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero, potentially causing a denial of service (DoS) condition or modifying the time being advertised by a device acting as a Network Time Protocol (NTP) server. This vulnerability exposes the possibility of a logic error. **Recommendations** For NTP versions 4.2.8p6 and earlier, update to version 4.2.8p6 or later. For NTP versions 4.3.x before 4.3.90, update to version 4.3.90 or later. For NTP in multiple Cisco products, refer to the Cisco bug for each affected product for available workarounds. As a temporary workaround, consider restricting access to the NTP service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NTP versions prior to 4.2.8p9 NTP versions 4.3.x prior to 4.3.90 **Description** The issue allows remote attackers to cause a denial of service, specifically an infinite loop, via crafted packets with incorrect values. This is related to the `getresponse` function in `ntpq`. **Recommendations** For NTP versions prior to 4.2.8p9, update to version 4.2.8p9 or later. For NTP versions 4.3.x prior to 4.3.90, update to version 4.3.90 or later.