CVE-2016-1551
Description
ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock (127.127.1.1 for example) that reaches the receive() function will match that reference clock's peer record and will be treated as a trusted peer. Any system that lacks the typical martian packet filtering which would block these packets is in danger of having its time controlled by an attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NTPd fails to filter packets spoofing reference clock IPs, allowing attackers to control system time on hosts without martian packet filtering.
Vulnerability
ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 treats reference clocks as peers and stores them in the same structure. Any packet with a source IP address of a reference clock (e.g., 127.127.1.1) that reaches the receive() function will match that reference clock's peer record and be treated as a trusted peer [2]. The vulnerability is exposed on systems that lack martian packet filtering, which would normally block packets claiming to be from loopback addresses arriving over physical network interfaces [1].
Exploitation
An attacker with network access can send crafted NTP packets with a spoofed source IP address of a configured reference clock (e.g., 127.127.x.x). No authentication is required. Because many reference clock drivers set their origin values to zero, it is trivial to control the target system's time [2]. The attack succeeds only if the target operating system does not filter martian packets (packets from 127.0.0.0/8 arriving on external interfaces) [1][2].
Impact
A successful attacker can manipulate the system's time, affecting time-sensitive protocols, certificate validation, and logging. The CVSS v3 score is 3.7 (Low) with integrity impact only [2]. The attacker gains the ability to control the time of the target system, which can be leveraged for further attacks [1][2].
Mitigation
Modern operating systems typically implement martian packet filtering, which mitigates this vulnerability [2]. For systems that cannot rely on OS-level filtering, additional firewall rules can block packets from 127.0.0.0/8 arriving on external interfaces [2]. FreeBSD is not affected [1]. Gentoo recommends upgrading to >=net-misc/ntp-4.2.8_p8 [3]. No specific NTP patch was released; the fix relies on OS or firewall filtering [2][3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
20- Range: 4.2.8p3
- osv-coords15 versionspkg:rpm/opensuse/ntp&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSSpkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSSpkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATApkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/ntp&distro=SUSE%20Manager%202.1pkg:rpm/suse/ntp&distro=SUSE%20Manager%20Proxy%202.1pkg:rpm/suse/ntp&distro=SUSE%20OpenStack%20Cloud%205
< 4.2.8p9-1.1+ 14 more
- (no CPE)range: < 4.2.8p9-1.1
- (no CPE)range: < 4.2.8p8-46.8.1
- (no CPE)range: < 4.2.8p7-11.1
- (no CPE)range: < 4.2.8p7-44.1
- (no CPE)range: < 4.2.8p7-44.1
- (no CPE)range: < 4.2.8p7-44.1
- (no CPE)range: < 4.2.8p7-11.1
- (no CPE)range: < 4.2.8p8-46.8.1
- (no CPE)range: < 4.2.8p7-11.1
- (no CPE)range: < 4.2.8p7-11.1
- (no CPE)range: < 4.2.8p8-46.8.1
- (no CPE)range: < 4.2.8p7-11.1
- (no CPE)range: < 4.2.8p7-44.1
- (no CPE)range: < 4.2.8p7-44.1
- (no CPE)range: < 4.2.8p7-44.1
- NTP Project/NTPv5Range: 4.2.8p3
- NTPsec Project/NTPSecv5Range: 3e160db8dc248a0bcb053b56a80167dc742d2b74
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlnvdThird Party Advisory
- www.securityfocus.com/bid/88219nvdThird Party AdvisoryVDB Entry
- www.talosintelligence.com/reports/TALOS-2016-0132/nvdThird Party Advisory
- www.securitytracker.com/id/1035705nvd
- security.freebsd.org/advisories/FreeBSD-SA-16:16.ntp.ascnvd
- security.gentoo.org/glsa/201607-15nvd
- security.netapp.com/advisory/ntap-20171004-0002/nvd
News mentions
0No linked articles in our index yet.