ntpd-rs Denial-of-Service Vulnerability in NTP Servers Allowing Non-NTS Traffic

Vulnerability

A denial-of-service vulnerability has been identified in ntpd-rs, a tool for synchronizing computer clocks using the NTP and NTS protocols. This issue affects NTP servers running ntpd-rs versions 1.2.0 through 1.6.1, inclusive, that allow non-NTS traffic. The vulnerability arises because these servers improperly respond to all NTP messages with time replies, including those from other servers. This can create a message storm between two servers, consuming significant resources. Client-only configurations are not affected.

Impact

The vulnerability allows for a resource-consuming message storm between two NTP servers running ntpd-rs, when both are configured to allow non-NTS traffic.

Reproduction

To reproduce this vulnerability, set up two NTP servers running ntpd-rs versions 1.2.0 to 1.6.1 that allow non-NTS traffic. When one server sends a spoofed NTP message to the other, both servers will continuously respond to each other, creating a message storm that consumes resources.

Remediation

Users are advised to upgrade to ntpd-rs version 1.6.2. If an upgrade is not possible, the vulnerability can be mitigated by whitelisting client IP addresses, blocking non-request traffic on the NTP server port with a firewall, disabling public access to the NTP server, or removing server sections from the configuration.
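The reply storm described under Reproduction, and the "respond only to requests" check that the remediations approximate, as an added model that is not ntpd-rs code: two reply policies are bounced against each other on a constructed 48-byte NTP header. Only the LI/VN/Mode byte is populated (RFC 5905 layout); the policy functions and the two-server simulation are assumptions made for this illustration, not the project's implementation.

```python
"""Model of the reply storm: a server that answers every NTP packet, including
mode-4 replies from another server, ping-pongs with a peer running the same
policy. Header layout and mode numbers follow RFC 5905; everything else here
is constructed for this example."""
import struct
from typing import Callable, Optional

NTP_MODE_CLIENT = 3  # a client request; the only mode a server should answer
NTP_MODE_SERVER = 4  # a server reply; must never itself trigger a reply


def build_ntp_header(mode: int, version: int = 4, leap: int = 0) -> bytes:
    """Minimal 48-byte NTP header with only the LI/VN/Mode byte populated."""
    first = (leap << 6) | (version << 3) | (mode & 0x07)
    return struct.pack("!B", first) + bytes(47)


def ntp_mode(packet: bytes) -> int:
    """Extract the 3-bit mode field from the first header byte."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    return packet[0] & 0x07


def reply_to_anything(packet: bytes) -> Optional[bytes]:
    """Vulnerable policy: answer every well-formed packet with a server reply."""
    ntp_mode(packet)  # only validates length
    return build_ntp_header(NTP_MODE_SERVER)


def reply_to_clients_only(packet: bytes) -> Optional[bytes]:
    """Hardened policy: a server answers mode-3 client requests and nothing else."""
    if ntp_mode(packet) != NTP_MODE_CLIENT:
        return None
    return build_ntp_header(NTP_MODE_SERVER)


def simulate_exchange(policy: Callable[[bytes], Optional[bytes]],
                      first_packet: bytes, max_rounds: int = 100) -> int:
    """Bounce packets between two servers running `policy`. Returns how many
    replies were sent before the exchange died out (max_rounds if it never did)."""
    packet, sent = first_packet, 0
    while sent < max_rounds:
        reply = policy(packet)
        if reply is None:
            break
        sent += 1
        packet = reply  # the peer server now receives this reply as its input
    return sent


if __name__ == "__main__":
    spoofed = build_ntp_header(NTP_MODE_CLIENT)  # one forged client request
    print("vulnerable:", simulate_exchange(reply_to_anything, spoofed))   # 100
    print("hardened:", simulate_exchange(reply_to_clients_only, spoofed))  # 1
```

With the hardened policy the single forged request earns exactly one reply, and that mode-4 reply is dropped by the peer, which is the behaviour a firewall rule that blocks non-request traffic on the server port also enforces.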

Added: Aug 29, 2025, 9:19 PM
Updated: Aug 29, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 9.3
remediation: 7.9
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.