CVE-2009-3563

ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.

Affected Software

Name	Vendor	Start Version	End Version
Ntp	Ntp	*	4.2.2p4 (including)
Ntp	Ntp	4.0.72 (including)	4.0.72 (including)
Ntp	Ntp	4.0.73 (including)	4.0.73 (including)
Ntp	Ntp	4.0.90 (including)	4.0.90 (including)
Ntp	Ntp	4.0.91 (including)	4.0.91 (including)
Ntp	Ntp	4.0.92 (including)	4.0.92 (including)
Ntp	Ntp	4.0.93 (including)	4.0.93 (including)
Ntp	Ntp	4.0.94 (including)	4.0.94 (including)
Ntp	Ntp	4.0.95 (including)	4.0.95 (including)
Ntp	Ntp	4.0.96 (including)	4.0.96 (including)
Ntp	Ntp	4.0.97 (including)	4.0.97 (including)
Ntp	Ntp	4.0.98 (including)	4.0.98 (including)
Ntp	Ntp	4.0.99 (including)	4.0.99 (including)
Ntp	Ntp	4.1.0 (including)	4.1.0 (including)
Ntp	Ntp	4.1.2 (including)	4.1.2 (including)
Ntp	Ntp	4.2.0 (including)	4.2.0 (including)
Ntp	Ntp	4.2.2 (including)	4.2.2 (including)
Ntp	Ntp	4.2.2p1 (including)	4.2.2p1 (including)
Ntp	Ntp	4.2.2p2 (including)	4.2.2p2 (including)
Ntp	Ntp	4.2.2p3 (including)	4.2.2p3 (including)
Ntp	Ntp	4.2.5 (including)	4.2.5 (including)
Red Hat Enterprise Linux 3	RedHat	ntp-0:4.1.2-6.el3	*
Red Hat Enterprise Linux 4	RedHat	ntp-0:4.2.0.a.20040617-8.el4_8.1	*
Red Hat Enterprise Linux 5	RedHat	ntp-0:4.2.2p1-9.el5_4.1	*
Ntp	Ubuntu	dapper	*
Ntp	Ubuntu	devel	*
Ntp	Ubuntu	hardy	*
Ntp	Ubuntu	intrepid	*
Ntp	Ubuntu	jaunty	*
Ntp	Ubuntu	karmic	*
Ntp	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-3563
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html

Affected Software

References