The Network Time Foundation (NTP) issued an alert that addresses a number of denial-of-service vulnerabilities in its ntpd platform, which is used in devices that keep time.
Vulnerability Note VU#633847, from the developers behind the “protocol designed to synchronize the clocks of computers over a network,” issued fixes for versions of the Network Time Protocol daemon (ntpd) prior to v4.2.8p9.
In one instance, ntpd does not enable the trap service by default, but should an attacker gain access and enable it, they could then deliver a “crafted packet to cause a null pointer dereference that will crash ntpd.” A denial of service would result. This flaw affects Windows only, the alert stated.
Users are advised to upgrade to v4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page and to “properly monitor ntpd instances, and auto-restart ntpd (without -g) if it stops running.”
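As an added illustration of that advice (not code from the alert or the NTP Project), the Python sketch below flags ntpd version strings older than v4.2.8p9 and checks whether a watchdog's restart command passes `-g`. The version-string layout, the `-RC`/`-beta` suffix handling and the sample inputs are assumptions constructed for the example, and only the v4.2.8p9 threshold named above is applied.

```python
import re

FIXED = (4, 2, 8, 9)  # v4.2.8p9, the fixed release named in the alert

# Assumed layout: "<major>.<minor>.<point>[p<patch>][-RC<n>|-beta<n>]"
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(-(?:RC|beta)\d*)?", re.I)

def parse_ntp_version(text):
    """Return ((major, minor, point, patch), is_prerelease), or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = tuple(int(g) if g else 0 for g in m.group(1, 2, 3, 4))
    return version, bool(m.group(5))

def needs_upgrade(text):
    """True when the reported version is prior to v4.2.8p9 or cannot be read."""
    parsed = parse_ntp_version(text)
    if parsed is None:
        return True  # unknown version: treat as unpatched until verified
    version, prerelease = parsed
    # A release candidate or beta of p9 predates the final p9 release.
    return version < FIXED or (version == FIXED and prerelease)

def restart_uses_g(argv):
    """True when a restart command passes -g (alone, bundled, or --panicgate).

    -g lets ntpd accept a first clock adjustment of any size, which is why
    the alert says to auto-restart without it. Heuristic: a value attached
    to its flag (e.g. -l/var/log/ntp.log) can over-report, so review hits.
    """
    for arg in argv[1:]:
        if arg == "--panicgate":
            return True
        if arg.startswith("-") and not arg.startswith("--") and "g" in arg[1:]:
            return True
    return False

if __name__ == "__main__":
    # Constructed inventory: host -> (version banner, watchdog restart argv)
    fleet = {
        "ts1": ("ntpd 4.2.8p8@1.3265-o Fri Jun  3 10:00:00 UTC 2016 (1)",
                ["/usr/sbin/ntpd", "-g", "-u", "ntp:ntp"]),
        "ts2": ("ntpd 4.2.8p9@1.3728-o Mon Nov 21 10:00:00 UTC 2016 (1)",
                ["/usr/sbin/ntpd", "-u", "ntp:ntp"]),
    }
    for host, (banner, argv) in fleet.items():
        print(host, "upgrade" if needs_upgrade(banner) else "ok",
              "restart passes -g" if restart_uses_g(argv) else "restart ok")
```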