Three ntp vulnerabilities whose impact, depending on configuration,
ranges from little effect up to termination of the ntpd process.

NTP Bug 3610: Process_control() should exit earlier on short
packets. On systems that override the default and enable ntpdc
(mode 7), fuzz testing detected that a short packet will cause
ntpd to read uninitialized data.

NTP Bug 3596: An unauthenticated unmonitored ntpd is vulnerable
to attack on IPv4 with highly predictable transmit timestamps. An
off-path attacker who can query time from the victim's ntp, which
receives time from an unauthenticated time source, must be able to
send from the spoofed IPv4 address of the upstream ntp server, and
the victim must be able to process a large number of packets with
the spoofed IPv4 address of the upstream server. After eight or
more successful attacks in a row the attacker can either modify
the victim's clock by a small amount or cause ntpd to terminate.
The attack is especially effective when unusually short poll
intervals have been configured.

NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced
a bug such that an ntp daemon can be prevented from initiating a
time volley to its peer, resulting in a DoS.

All three NTP bugs may result in DoS or termination of the ntp
daemon.
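
Added example (not part of the original advisory or of the NTP
project's code): a Python check that scans an ntp.conf for the
configuration preconditions named under Bug 3610 and Bug 3596, namely
mode 7 enabled, time sources without authentication, and short poll
intervals. The sample configuration is constructed, and the threshold
of 6 (ntpd's default minpoll exponent, 64 s) for "unusually short" is
an assumption.

```python
# Assumption: ntpd's default minimum poll exponent is 6 (2**6 = 64 s);
# a configured minpoll/maxpoll below it is reported as unusually short.
DEFAULT_MINPOLL = 6
ASSOCIATIONS = {"server", "peer", "pool"}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
enable mode7
server 192.0.2.10 iburst minpoll 3 maxpoll 4
server 192.0.2.11 key 5
pool pool.example.org iburst
keys /etc/ntp.keys
trustedkey 5
"""


def audit_ntp_conf(text):
    """Return [(line_number, finding), ...] for the text of an ntp.conf."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens:
            continue
        keyword = tokens[0].lower()
        args = [t.lower() for t in tokens[1:]]
        # Bug 3610 precondition: the default is overridden and mode 7 is on.
        if keyword == "enable" and "mode7" in args:
            findings.append((lineno, "mode 7 (ntpdc) enabled"))
        if keyword in ASSOCIATIONS and args:
            source, opts = tokens[1], args[1:]
            # Bug 3596 precondition: unauthenticated time source. This only
            # checks the association line; the key must also be trusted.
            if "key" not in opts and "autokey" not in opts:
                findings.append((lineno, f"{source}: unauthenticated time source"))
            # Bug 3596 aggravating factor: unusually short poll interval.
            for opt, val in zip(opts, opts[1:]):
                if opt in ("minpoll", "maxpoll") and val.isdigit() \
                        and int(val) < DEFAULT_MINPOLL:
                    findings.append(
                        (lineno, f"{source}: {opt} {val} below {DEFAULT_MINPOLL}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_ntp_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```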