Vigil@nce - NTP.org: information disclosure via GET_RESTRICT
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the GET_RESTRICT private message of NTP.org,
in order to obtain sensitive information.
– Impacted products: BIG-IP Hardware, TMOS, Meinberg NTP Server,
NTP.org.
– Severity: 2/4.
– Creation date: 03/08/2016.
DESCRIPTION OF THE VULNERABILITY
The NTP.org product implements the GET_RESTRICT private query (on
XNTPD_OLD and XNTPD), which obtains the list of servers with
restrictions.
However, an attacker can use this list to obtain IP addresses.
An attacker can therefore use the GET_RESTRICT private message of
NTP.org, in order to obtain sensitive information.
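The following detection sketch is an added example, not part of the Vigil@nce bulletin or of the NTP.org code: it classifies UDP port 123 payloads as GET_RESTRICT private-mode traffic and reports responses that returned restriction entries. The header layout and numeric constants are taken from ntpd's ntp_request.h rather than from the bulletin; the function names classify and disclosures and the sample packets are constructed for illustration.

```python
from typing import Optional

# Constants as defined in ntpd's ntp_request.h (not stated in the bulletin).
MODE_PRIVATE = 7        # NTP mode carrying private (ntpdc) messages
IMPL_NAMES = {2: "XNTPD_OLD", 3: "XNTPD"}   # implementation numbers
REQ_GET_RESTRICT = 16   # request code for the restriction list
RESP_BIT = 0x80         # byte 0: set when the packet is a response
HEADER_LEN = 8          # rm_vn_mode, auth_seq, implementation, request, 2 x u16


def classify(payload: bytes) -> Optional[dict]:
    """Describe a mode 7 GET_RESTRICT message, or return None for anything else."""
    if len(payload) < HEADER_LEN:
        return None                         # too short to hold the header
    rm_vn_mode, _auth_seq, impl, request = payload[:4]
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None                         # time sync or mode 6 control traffic
    if impl not in IMPL_NAMES or request != REQ_GET_RESTRICT:
        return None
    is_response = bool(rm_vn_mode & RESP_BIT)
    nitems = int.from_bytes(payload[4:6], "big") & 0x0FFF  # low 12 bits = count
    return {
        "direction": "response" if is_response else "request",
        "implementation": IMPL_NAMES[impl],
        # Only a response carries entries from the restriction list.
        "entries": nitems if is_response else 0,
    }


def disclosures(packets):
    """Return (server, client, entries) for each response that returned entries."""
    hits = []
    for src, dst, payload in packets:
        info = classify(payload)
        if info and info["direction"] == "response" and info["entries"] > 0:
            hits.append((src, dst, info["entries"]))
    return hits


# Constructed sample capture: (source, destination, UDP payload). Not real traffic.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", bytes([0x23]) + bytes(47)),            # time sync
    ("198.51.100.7", "192.0.2.10", bytes([0x17, 0, 3, 16]) + bytes(44)),  # request
    ("192.0.2.10", "198.51.100.7",
     bytes([0x97, 0, 3, 16, 0, 2, 0, 16]) + bytes(32)),                   # 2 entries
]

if __name__ == "__main__":
    for server, client, n in disclosures(SAMPLE):
        print(f"{server} returned {n} restriction entries to {client}")
```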
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/NTP-org-information-disclosure-via-GET-RESTRICT-20304