Key Information About the Vulnerability

Summary

- Resolved: 4.2.8p4
- References: Bug 2918, CVE-2015-7851
- Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77.
- CVSS2 Score: 5.2, worst case
- Resolution Date: 21 Oct 2015

Description

If ntpd is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd was configured to disable authentication, an attacker can send packets to ntpd that may cause ntpd to overwrite files.

Mitigation

- Implement BCP-38.
- Upgrade to 4.2.8p4 or later.
- If unable to upgrade, remote configuration requires:
  - Explicit "trusted" key.
  - Access from permitted IP addresses.
  - Authentication.
- Ensure ntpq scripts act as expected.

Credit

Discovered by Yves Younan of Cisco Talos.

Timeline

- 2015 Oct 21: Public release
- 2015 Oct 6: Early Access Program release for certain members
- 2015 Aug 26: Notification to certain members
- 2015 Aug 20: Initial notification of 2902; analysis begins
- 2015 Aug 11: Initial notification of 2899; analysis begins
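The "Affects" ranges and the three remote-configuration requirements under Mitigation can be checked mechanically; the following is an added example, not code from the advisory or from the NTP project. It assumes plain `X.Y.ZpN` version strings, that `disable auth` in ntp.conf is what the advisory means by disabled authentication, and a constructed sample configuration.

```python
import re

def parse_version(v):
    """'4.2.8p3' -> (4, 2, 8, 3); a missing patch level counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised ntp version: {v!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(v):
    """Ranges from the advisory: fixed in 4.2.8p4 (stable) and 4.3.77 (dev)."""
    ver = parse_version(v)
    if ver[:2] == (4, 3):
        return ver < (4, 3, 77, 0)
    return ver[0] == 4 and ver < (4, 2, 8, 4)

def audit_conf(text):
    """Report the state of the advisory's three remote-configuration requirements."""
    control, trusted, modify_from, auth_off = None, set(), [], False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenise
        if len(tok) < 2:
            continue
        if tok[0] == "controlkey":              # key id ntpq must use for mode 6 writes
            control = tok[1]
        elif tok[0] == "trustedkey":            # key id ranges are not expanded here
            trusted.update(tok[1:])
        elif tok[0] == "disable" and "auth" in tok[1:]:
            auth_off = True                     # assumption: the advisory's "disabled authentication"
        elif tok[0] == "restrict":
            args = [t for t in tok[1:] if t not in ("-4", "-6")]
            if args and not {"nomodify", "noquery", "ignore"} & set(args[1:]):
                modify_from.append(args[0])     # this source may send modification requests
    return {"control_key": control,
            "control_key_trusted": control is not None and control in trusted,
            "auth_disabled": auth_off,
            "modify_allowed_from": modify_from}

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
keys /etc/ntp.keys
trustedkey 1 2
controlkey 3            # not in trustedkey
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 notrap
"""

if __name__ == "__main__":
    print(is_affected("4.2.8p3"), audit_conf(SAMPLE_CONF))
```

Every address in `modify_allowed_from` is a source the advisory's "(possibly spoofed) IP address" condition applies to, so that list should contain only hosts that genuinely need remote configuration.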