Security Update: Multiple Vulnerabilities in Network Time Protocol (NTP) Server, NTPD
NTP.org's reference implementation of Network Time Protocol (NTP) server, ntpd, contains multiple vulnerabilities.
Advanced Users: For a complete description of the vulnerabilities, visit NTP.org's security advisory alerts:
- April 2016 Security Advisory - http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8...
- January 2016 Security Advisory - http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2...
Users and administrators are encouraged to review the Security Advisories (listed above).
WHAT'S THE PROBLEM?
Unauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes.
WHAT DO I NEED TO DO?
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks.
- Complete patches for all of these issues are now available in version 4.2.8p7, released 2016-04-26 at http://www.ntp.org/downloads.html.
- Vulnerability Note VU#718152 (NTP.org ntpd contains multiple vulnerabilities) - https://www.kb.cert.org/vuls/id/718152
- NTP.ORG - http://www.ntp.org/
- IT Security at http://it.ucsf.edu/security
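
One way to check which daemons are still older than the fixed release 4.2.8p7 named above (an added example, not part of the original advisory or NTP.org's tooling). The host names and version banners are constructed samples, and the script assumes banners in the `4.2.8pN` form that ntpd reports, for instance through `ntpq -c rv`.

```shell
#!/bin/sh
# Added example: triage ntpd version banners against the fixed release.
FIXED="4.2.8p7"   # fixed version stated in the advisory

# Exit status: 0 = banner is at or above $FIXED, 1 = older, 2 = unparseable.
# A version without a "pN" suffix counts as patch level 0.
ntp_is_patched() {
    awk -v have="$1" -v want="$FIXED" '
        function fields(s, out,    v, n) {
            if (!match(s, /[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?/)) return 0
            v = substr(s, RSTART, RLENGTH)
            n = split(v, out, /[.p]/)
            if (n < 4) out[4] = 0
            return 1
        }
        BEGIN {
            if (!fields(have, h) || !fields(want, w)) exit 2
            for (i = 1; i <= 4; i++) {          # numeric compare, so p10 > p7
                if (h[i] + 0 > w[i] + 0) exit 0
                if (h[i] + 0 < w[i] + 0) exit 1
            }
            exit 0
        }' </dev/null
}

# Read "host banner..." lines on stdin; print hosts that need attention.
ntp_hosts_to_patch() {
    while read -r host banner; do
        rc=0
        ntp_is_patched "$banner" || rc=$?
        case $rc in
            1) printf '%s outdated\n' "$host" ;;
            2) printf '%s unknown\n' "$host" ;;
        esac
    done
}

# Constructed inventory (hypothetical hosts and banners), one host per line.
SAMPLE_INVENTORY='ntp1.example.org ntpd 4.2.8p6@1.3265-o Tue Jan 26 2016
ntp2.example.org ntpd 4.2.8p7@1.3265-o Tue Apr 26 2016
ntp3.example.org ntpd 4.2.6p5
ntp4.example.org ntpd 4.2.8p10
ntp5.example.org (no banner)'

printf '%s\n' "$SAMPLE_INVENTORY" | ntp_hosts_to_patch
```

Hosts reported as `unknown` returned no parseable version and need a manual check rather than being assumed patched.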