Description
It was found that because NTP's access control was based on a source IP
address, an attacker could bypass source IP restrictions and send
malicious control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298, CVE-2014-9751)
A denial of service flaw was found in the way NTP hosts that were peering
with each other authenticated themselves before updating their internal
state variables. An attacker could send packets to one peer host, which
could cascade to other peers, and stop the synchronization process among
the reached peers. (CVE-2015-1799)
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric
keys on big-endian systems. An attacker could possibly use this flaw to
guess generated MD5 keys, which could then be used to spoof an NTP client
or server. (CVE-2015-3405)
A stack-based buffer overflow was found in the way the NTP autokey protocol
was implemented. When an NTP client decrypted a secret received from an NTP
server, it could cause that client to crash. (CVE-2014-9297, CVE-2014-9750)
It was found that ntpd did not check whether a Message Authentication Code
(MAC) was present in a received packet when ntpd was configured to use
symmetric cryptographic keys. A man-in-the-middle attacker could use this
flaw to send crafted packets that would be accepted by a client or a peer
without the attacker knowing the symmetric key. (CVE-2015-1798)