Public Date:
1340852: CVE-2016-4953 ntp: bad authentication demobilizes ephemeral associations

The MITRE CVE dictionary describes this issue as:

ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time.

Find out more about CVE-2016-4953 from the MITRE CVE dictionary dictionary and NIST NVD.


This issue did not affect the versions of ntp as shipped with any Red Hat Enterprise Linux version as they already included a fix for this issue in the patch provided to fix the CVE-2015-7979 issue. The fix for this issue (developed by Red Hat) was different from the one provided by upstream, and thus ntp versions in RHEL are not affected by CVE-2016-4953.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 2.6
Base Metrics AV:N/AC:H/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 ntp Not affected
Red Hat Enterprise Linux 6 ntp Not affected
Red Hat Enterprise Linux 5 ntp Not affected


This issue was discovered by Miroslav Lichvar (Red Hat).

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation