NTP BUG 2935: Deja Vu: Replay attack on authenticated broadcast mode

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

---

Summary

Resolved	4.2.8p6	19 Jan 2016
References	Bug 2935	CVE-2015-7973
Affects	All ntp-4 releases up to, but not including 4.2.8p6, and 4.3.0 up to, but not including 4.3.90.	Resolved in 4.2.8p6.
CVSS2 Score	MED 4.3	AV:A/AC:M/Au:N/C:N/I:P/A:P

---

Description

If an NTP network is configured for broadcast operations, then either a man-in-the-middle attacker or a malicious participant that has the same trusted keys as the victim can replay time packets.

---

Mitigation

• Implement BCP-38.
• Upgrade to 4.2.8p6 or later.
• If you are unable to upgrade:
  • Don’t use broadcast mode if you cannot monitor your client servers.
• Monitor your ntpd instances.

---

Credit

This weakness was discovered by Aanchal Malhotra of Boston University.

---

Timeline

• 2016 Jan 19: Public release
• 2016 Jan 17: Early Access Program Release: Premier and Partner Institutional Members
• 2015 Nov 5: Notification to Institutional Members
• 2016 Oct 16: Initial notification from Cisco