CVE-2015-8139

Vulnerability

ntpq and ntpdc in NTP before 4.2.8p7 disclose the origin timestamp to unauthenticated clients. The origin timestamp is a critical value used by clients to validate that a response matches their last request; leaking it allows an off-path attacker to forge responses that pass this check. This affects all NTP 4.x releases up to but not including 4.2.8p7 [1][3][4].

Exploitation

An attacker with network access to an NTP client can send ntpq or ntpdc queries to obtain the origin timestamp. No authentication is required. With the origin timestamp in hand, the attacker can craft spoofed NTP response packets that include the correct origin timestamp, thereby impersonating a legitimate peer. Note that ntpdc queries are disabled by default, but ntpq queries are commonly enabled [4].

Impact

Successful exploitation allows an attacker to impersonate a legitimate NTP peer and inject forged time responses. This can shift the client's time, leading to incorrect time synchronization, or cause a denial of service by disrupting timekeeping. The vulnerability is classified as an information disclosure (CWE-200) that enables further attacks such as replay or time manipulation [1][3].

Mitigation

The vulnerability is fixed in NTP version 4.2.8p7, released on 26 April 2016 [4]. Users should upgrade to this version or later. Workarounds include configuring restrict statements to limit which hosts can issue ntpq and ntpdc queries, using multiple time sources to reduce the impact of a single compromised peer, and monitoring NTP instances for suspicious activity. Cisco and FreeBSD have released software updates addressing this issue [1][2].