CVE-2016-4953

Name of the Vulnerable Software and Affected Versions NTP versions 4.x before 4.2.8p8

Description The issue allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. Multiple Cisco products that incorporate a version of the Network Time Protocol daemon (ntpd) package are affected, which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.

Recommendations For NTP versions 4.x before 4.2.8p8, update to version 4.2.8p8 or later to resolve the issue. As a temporary workaround, consider restricting access to the ntpd package to minimize the risk of exploitation. Avoid using the crypto-NAK packet in the affected NTP protocol until the issue is resolved. Restrict access to the vulnerable ntpd package to minimize the risk of exploitation.