NTP Vulnerabilities Prior to Version 4.2.8p10
Several vulnerabilities were recently reported in ntpd currently used in application software version 5.6.0 or below. The 5.7.0 release resolves these vulnerabilities with the update to NTP version 4.2.8p10.
April 29, 2017
Several vulnerabilities were recently reported in ntpd currently used in SecureSync and NetClock 9400 application software version 5.6.0 or below. Several high severity vulnerabilities relate to Windows installations and some unused reference clock drivers and does not effect Spectracom products.
Two high severity vulnerabilities CVE-2017-6460 and CVE-2017-6458 relates to ntpq queries and can be mitigated in affected versions by disabling remote ntpq queries until a patched release is available. Several other vulnerabilities also do not apply or are mitigated by other network security mechanisms.
For more information see:
http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8…
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6460
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6458
It is expected that Spectracom products will be updated to NTP version 4.2.8p10 in the April 5.7.0 release
