FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Multiple ntp vulnerabilities

Affected packages
10.3 <= FreeBSD < 10.3_5
10.2 <= FreeBSD < 10.2_19
10.1 <= FreeBSD < 10.1_36
9.3 <= FreeBSD < 9.3_44


VuXML ID 7cfcea05-600a-11e6-a6c3-14dae9d210b8
Discovery 2016-06-04
Entry 2016-08-11

Problem Description:

Multiple vulnerabilities have been discovered in the NTP suite:

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco]

An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association. [CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat]

An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes of Red Hat]

An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be cleared. If this can be done often enough, it will prevent that association from working. [CVE-2016-4955, Reported by Miroslav Lichvar of Red Hat]

The fix for NtpBug2978 does not cover broadcast associations, so broadcast clients can be triggered to flip into interleave mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red Hat.]


Malicious remote attackers may be able to break time synchronization, or cause the ntpd(8) daemon to crash.


CVE Name CVE-2016-4953
CVE Name CVE-2016-4954
CVE Name CVE-2016-4955
CVE Name CVE-2016-4956
CVE Name CVE-2016-4957
FreeBSD Advisory SA-16:24.ntp