
NTP Vulnerabilities Reported 2023-04

In April 2023, five vulnerabilities in the NTP reference implementation (ntp.org), affecting versions up to and including 4.2.8p15, were reported and initially classified as high risk.

After detailed investigation, however, the risk was downgraded to low, because in practice none of these issues allows a remote attacker to compromise the running NTP service (ntpd).

Four of the five vulnerabilities only affect a single routine used by the ntpq utility to display formatted millisecond values.

The problem can only arise when ntpq is explicitly run to request data from a remote NTP server and the response contains specially crafted, manipulated data. Even then, only the ntpq process on the machine that sent the query is affected, not the NTP service itself.

This, in turn, can only happen if the remote NTP server itself has already been compromised, or if an attacker is able to mount a man-in-the-middle attack and manipulate the network packets in transit.

The last of the vulnerabilities affects the ntpd service, but only in the reference clock driver for some very old GPS receivers. If no such GPS receiver is connected and explicitly configured as a time source in the ntpd configuration, the affected code is never executed.

Meinberg has already applied the appropriate patches, so the vulnerabilities are fixed in the programs of the NTP package starting with these version codes (or later):

  • 4.2.8p15a of the NTP package for Windows (2023-04-19)
  • 4.2.8p15-mbg-04 of the NTP programs used within the firmware of Meinberg devices (2023-04-19)


The official ntp.org release that includes these fixes is 4.2.8p16.
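The two conditions that matter in practice, whether ntpd has any reference clock configured at all (only a configured refclock driver can reach the ntpd-side bug) and whether the installed ntpd/ntpq carries one of the fixed version codes listed above, can be checked with a small script. The following is an added example; it is not part of this article and not code from Meinberg or ntp.org. The ntp.conf and the version strings it contains are constructed for the example, the driver type number in the sample config is arbitrary and is not the vulnerable GPS driver (the article does not name it), the version classification implements only the version codes named above, and it assumes that the version is the second word of the first line printed by `ntpd --version` / `ntpq --version`.

```shell
#!/bin/sh
# Added example, not Meinberg or ntp.org code. Checks the two conditions from the
# article: (1) which reference clocks an ntp.conf configures at all, since only a
# configured refclock driver can reach the ntpd-side bug, and (2) whether a
# version string is one of the fixed version codes named in the article.
# All inputs below (config, version strings) are constructed for the example.

# Print "type T unit U" for every reference clock in the given ntp.conf.
# Reference clocks are addressed as 127.127.T.U (T = driver type, U = unit).
# Comments are stripped first so that disabled lines are not reported.
list_refclocks() {
    sed 's/#.*//' "$1" | awk '
        ($1 == "server" || $1 == "peer") && $2 ~ /^127\.127\.[0-9]+\.[0-9]+$/ {
            split($2, a, ".")
            print "type " a[3] " unit " a[4]
        }'
}

# Version field of an "ntpd --version" / "ntpq --version" line. Assumption:
# the version is the second word, e.g. "ntpd 4.2.8p15@1.3728-o Wed ...".
version_field() {
    set -- $1
    printf '%s\n' "$2"
}

# Exit status: 0 = fixed (4.2.8p16 or later, 4.2.8p15a for the Windows package,
# 4.2.8p15-mbg-04 or later for Meinberg firmware), 1 = not fixed, 2 = unrecognised.
is_fixed_version() {
    ver="$1"
    case "$ver" in
        4.2.8p15-mbg-*)                   # Meinberg firmware build: needs mbg-04 or later
            n=${ver#4.2.8p15-mbg-}
            n=${n%%[!0-9]*}
            [ -n "$n" ] && [ "$n" -ge 4 ] && return 0
            return 1 ;;
        4.2.8p15a*) return 0 ;;           # Meinberg NTP package for Windows
        4.2.8p*)                          # ntp.org patch level: needs p16 or later
            n=${ver#4.2.8p}
            n=${n%%[!0-9]*}
            [ -n "$n" ] && [ "$n" -ge 16 ] && return 0
            return 1 ;;
        4.2.[0-8]*) return 1 ;;           # 4.2.8 without patch level, or older 4.2.x
        *) return 2 ;;
    esac
}

# Write a constructed ntp.conf to a temp file and print its path.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed ntp.conf (not a real Meinberg configuration)
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# server 127.127.29.0            disabled refclock, must not be reported
server 127.127.20.0 mode 1       # refclock driver type 20, unit 0 (arbitrary type)
fudge 127.127.20.0 time1 0.0
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed inputs.
conf=$(write_sample_conf)
echo "reference clocks configured:"
list_refclocks "$conf"            # prints: type 20 unit 0
rm -f "$conf"

for v in "4.2.8p15@1.3728-o" "4.2.8p16" "4.2.8p15a" "4.2.8p15-mbg-03" "4.2.8p15-mbg-04"; do
    rc=0
    is_fixed_version "$v" || rc=$?
    case $rc in
        0) echo "$v: fixed" ;;
        1) echo "$v: NOT fixed, update" ;;
        *) echo "$v: unrecognised version string" ;;
    esac
done
```

On a real system, run `list_refclocks /etc/ntp.conf` against the live configuration and compare the reported driver types with the driver named in the upstream advisory; an empty result means the ntpd-side code path cannot be reached at all. For the version check, feed the first line of `ntpd --version 2>&1` through `version_field` and then `is_fixed_version`; a status of 2 means the build uses a version scheme the script does not know and has to be checked by hand.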


Collection of links related to the NTP vulnerabilities:

Martin Burnicki martin.burnicki@meinberg.de, last updated 2023-04-19
