[security at ntpsec.org] Bug#964395: Does CVE-2020-13817 affect ntpsec?

Richard Laager rlaager at wiktel.com
Fri Aug 14 08:52:58 UTC 2020

On 8/13/20 5:48 AM, Hal Murray via devel wrote:
>>>   https://bugs.ntp.org/show_bug.cgi?id=3596
> That bug talks about feeding bogus time to a system by guessing the transmit 
> time stamp.
> When ntpd gets a response, it drops responses where the time-stamp it sent 
> doesn't match the corresponding slot in the reply.  The idea is that most of 
> the bits in that slot are predictable so an off path attacker has a good 
> chance of getting a bogus response through by guessing the value the server is 
> expecting.
> There is a draft in the pipeline:
>   https://tools.ietf.org/html/draft-ietf-ntp-data-minimization-04
> We implement that.

There is also this (which you forwarded to this list) which might help:

What's the status of that in NTPsec? I presume "not implemented", but is
it planned?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20200814/4ce5f8cc/attachment.bin>

More information about the devel mailing list