Three NTP vulnerabilities are addressed by this security advisory.
NTP Bug 3610: Process_control() should exit earlier on short packets.
On systems that override the default and enable ntpdc (mode 7), fuzz testing
detected a short packet will cause ntpd to read uninitialized data.
NTP Bug 3596: Due to highly predictable transmit timestamps, an
unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim
ntpd configured to receive time from an unauthenticated time source is
vulnerable to an off-path attacker with permission to query the victim. The
attacker must send from a spoofed IPv4 address of an upstream NTP server and
the victim must process a large number of packets with that spoofed IPv4
address. After eight or more successful attacks in a row, the attacker can
either modify the victim's clock by a small amount or cause ntpd to
terminate. The attack is especially effective when unusually short poll
intervals have been configured.
NTP Bug 3592: The fix for
https://bugs.ntp.org/3445 introduced a bug such
that an ntpd can be prevented from initiating a time volley to its peer
resulting in a DoS.
