CVE-2020-13817 Overview
CVE-2020-13817 is a denial of service vulnerability in the Network Time Protocol daemon (ntpd) affecting versions before 4.2.8p14 and 4.3.x before 4.3.100. It allows a remote attacker to cause a denial of service (ntpd exits) or unauthorized changes to system time by predicting the transmit timestamps ntpd will use and placing them in spoofed packets. Successful exploitation requires that the victim rely on unauthenticated IPv4 time sources and that the off-path attacker be able to query time from the victim's ntpd instance.
This vulnerability stems from insufficient randomness in transmit timestamp generation (CWE-330: Use of Insufficiently Random Values), which enables attackers to craft spoofed NTP packets that the victim's ntpd instance will accept as legitimate. The impact can be significant for systems that depend on accurate time synchronization for security protocols, logging, certificate validation, and distributed system coordination.
Critical Impact
Successful exploitation can cause ntpd daemon termination or allow attackers to manipulate system time, potentially breaking time-sensitive security mechanisms including certificate validation, Kerberos authentication, and audit log integrity.
Affected Products
- NTP ntpd versions before 4.2.8p14
- NTP ntpd versions 4.3.x before 4.3.100
- NetApp Cloud Backup, Clustered Data ONTAP, Data ONTAP 7-mode, Element Software
- NetApp HCI Management Node, ONTAP Tools for VMware vSphere, SolidFire
- NetApp HCI Compute Node and H-Series firmware (H410C, H300S, H500S, H700S, H300E, H500E, H700E, H410S)
- openSUSE Leap 15.1 and 15.2
- Fujitsu M10 and M12 series server firmware
Discovery Timeline
- June 4, 2020 - CVE-2020-13817 published to NVD
- May 5, 2025 - Last updated in NVD database
Technical Details for CVE-2020-13817
Vulnerability Analysis
The vulnerability exists in the ntpd daemon's handling of transmit timestamps used in NTP packet exchanges. NTP relies on precise timestamp values to calculate time offsets and synchronize clocks across networked systems. In vulnerable versions, the transmit timestamp values exhibit predictable patterns that an attacker can exploit.
When an off-path attacker can query the victim's NTP server, they can observe and analyze the transmit timestamp patterns. Due to the use of insufficiently random values in timestamp generation, the attacker can predict future transmit timestamps with reasonable accuracy. Armed with this knowledge, the attacker can craft spoofed NTP response packets that appear to originate from legitimate time sources.
The attack specifically targets systems configured to use unauthenticated IPv4 time sources, which is a common configuration in many deployments. When the spoofed packets are accepted, they can either crash the ntpd daemon (causing service interruption) or manipulate the victim's system clock (potentially causing security failures in time-dependent mechanisms).
Root Cause
The root cause of CVE-2020-13817 is the use of insufficiently random values (CWE-330) in the generation of transmit timestamps within the ntpd implementation. The timestamp generation algorithm did not incorporate adequate entropy, making the output values predictable to attackers who can observe NTP traffic from the target system.
This predictability undermines the integrity assumptions built into the NTP protocol, allowing spoofed packets to be crafted that the victim's system will accept as authentic responses from trusted time sources.
Attack Vector
The attack requires a network-accessible ntpd instance configured to accept unauthenticated time sources over IPv4. The attacker proceeds through the following stages:
- Reconnaissance: The attacker queries the victim's ntpd instance to observe transmit timestamp values
- Analysis: By collecting multiple timestamp samples, the attacker identifies patterns and predicts future values
- Spoofing: The attacker crafts NTP packets with predicted timestamps that appear to originate from the victim's configured time sources
- Exploitation: When the spoofed packets are processed, they can trigger daemon termination or time manipulation
The attack is rated high complexity: the attacker must predict the transmit timestamps accurately and must be able to query the victim's ntpd instance while not sitting on the network path between the victim and its legitimate time sources.
Detection Methods for CVE-2020-13817
Indicators of Compromise
- Unexpected ntpd daemon crashes or restarts without apparent cause
- Sudden system time changes that deviate significantly from expected values
- Unusual NTP query patterns from external IP addresses not associated with configured time sources
- Log entries indicating NTP packet processing errors or timestamp validation failures
Detection Strategies
- Monitor ntpd process stability and alert on unexpected daemon restarts
- Implement anomaly detection for system time changes exceeding defined thresholds
- Analyze NTP traffic for packets from sources not in the configured server list
- Deploy network-level monitoring to detect NTP traffic patterns indicative of reconnaissance activity
Monitoring Recommendations
- Enable verbose NTP logging to capture timestamp processing details for forensic analysis
- Configure SIEM rules to correlate ntpd crashes with preceding NTP traffic anomalies
- Implement system time drift monitoring with alerts for deviations beyond acceptable tolerances
- Regularly audit NTP server configurations to ensure only authenticated sources are trusted
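As an added example (not part of the original page), a small Python scanner that applies the detection strategies above to ntpd syslog output: it flags clock steps above a site threshold, the panic-threshold message that precedes a daemon exit, exits on unexpected signals, and daemon starts that follow an exit. The log lines, the 1 s threshold and the set of "planned" signals are constructed assumptions.

```python
import re

# Constructed sample syslog lines (not from a real incident). The message
# shapes follow ntpd 4.2.8 event/exit/start messages; values are illustrative.
SAMPLE_LOG = """\
Jun  4 10:00:01 host ntpd[1201]: ntpd 4.2.8p13@1.3847-o Mon Jun  1 12:00:00 UTC 2020 (1): Starting
Jun  4 10:00:05 host ntpd[1201]: 0.0.0.0 c61c 0c clock_step +0.312456 s
Jun  4 10:17:22 host ntpd[1201]: 0.0.0.0 c61c 0c clock_step -412.731209 s
Jun  4 10:29:40 host ntpd[1201]: time correction of 1205 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Jun  4 10:29:45 host ntpd[1340]: ntpd 4.2.8p13@1.3847-o Mon Jun  1 12:00:00 UTC 2020 (1): Starting
Jun  4 11:02:10 host ntpd[1340]: ntpd exiting on signal 15 (Terminated)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ ntpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLOCK_STEP_RE = re.compile(r"clock_step (?P<off>[+-]?\d+\.\d+) s")
SANITY_RE = re.compile(r"time correction of (?P<secs>-?\d+) seconds exceeds sanity limit")
EXIT_RE = re.compile(r"ntpd exiting on signal (?P<sig>\d+)")
START_RE = re.compile(r"^ntpd \S+ .*: Starting$")

STEP_THRESHOLD_S = 1.0     # site policy (assumed): alert on any larger clock step
PLANNED_SIGNALS = {2, 15}  # SIGINT/SIGTERM: treated as operator-initiated shutdown

def scan_ntpd_log(text, step_threshold=STEP_THRESHOLD_S):
    """Return (alerts, restarts). alerts is a list of (timestamp, pid, reason);
    restarts counts daemon starts that follow an earlier exit in the same log."""
    alerts, restarts, seen_exit = [], 0, False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.group("ts"), int(m.group("pid")), m.group("msg")
        step = CLOCK_STEP_RE.search(msg)
        if step and abs(float(step.group("off"))) > step_threshold:
            alerts.append((ts, pid, f"clock stepped by {step.group('off')} s"))
        elif s := SANITY_RE.search(msg):
            # ntpd refuses offsets beyond its panic threshold and exits
            alerts.append((ts, pid, f"offset of {s.group('secs')} s exceeds panic threshold; ntpd exits"))
            seen_exit = True
        elif s := EXIT_RE.search(msg):
            seen_exit = True
            if int(s.group("sig")) not in PLANNED_SIGNALS:
                alerts.append((ts, pid, f"ntpd exited on signal {s.group('sig')}"))
        elif START_RE.match(msg) and seen_exit:
            restarts += 1
            alerts.append((ts, pid, "ntpd restarted after an exit"))
    return alerts, restarts
```

Feeding real /var/log/syslog text to scan_ntpd_log gives the same alert tuples, which can then be correlated with NTP traffic anomalies in a SIEM as recommended above.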
How to Mitigate CVE-2020-13817
Immediate Actions Required
- Upgrade ntpd to version 4.2.8p14 or later (for 4.2.x branch) or 4.3.100 or later (for 4.3.x branch)
- Configure NTP authentication using symmetric key or Autokey mechanisms to validate time source responses
- Restrict NTP query access using firewall rules to prevent unauthorized external hosts from querying ntpd
- Consider transitioning to IPv6 where feasible, as the documented attack vector specifically targets IPv4
Patch Information
The NTP Project has released patches addressing this vulnerability. Detailed information is available in NTP Bug 3596. Administrators should update to ntpd version 4.2.8p14 or 4.3.100 or later.
For affected NetApp products, refer to the NetApp Security Advisory NTAP-20200625-0004 for product-specific guidance.
For openSUSE Leap systems, apply updates through the standard package management system as outlined in the openSUSE Security Announcements.
Oracle customers should review the Oracle CPU January 2022 Security Alert for applicable patches.
Workarounds
- Enable NTP authentication (symmetric keys or Autokey) to validate responses from time sources
- Configure ntpd to use only trusted, authenticated time sources rather than public pools
- Implement firewall rules to restrict which hosts can send NTP packets to the server (port 123/UDP)
- Use restrict directives in ntp.conf to limit query access from untrusted networks
# Example ntp.conf configuration to restrict access
# Default policy for every client: no ntpq/ntpdc queries, no runtime
# modification, no traps, no peering. Time requests are still answered;
# add noserve to a restrict line to refuse those as well for a network.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Allow localhost full access
restrict 127.0.0.1
restrict -6 ::1
# Trusted internal network: time service and ntpq queries allowed,
# but no runtime modification or traps
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Upstream time sources, authenticated with symmetric key id 1
server time.example.com key 1
server time2.example.com key 1
# Symmetric key file and the key ids ntpd may trust
keys /etc/ntp/keys
trustedkey 1
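As an added example (not part of the original page or of the NTP Project), a Python audit of an ntp.conf that checks the workarounds above: every server, peer or pool line must carry key or autokey, every key id must appear in trustedkey (including the (low ... high) range form), and a restrict default line must carry nomodify and noquery. The sample configuration is constructed and contains one unauthenticated pool and one untrusted key id on purpose.

```python
import re

# Constructed ntp.conf for the audit (not a real deployment): the page's
# example directives plus one unauthenticated pool and one untrusted key id.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server time.example.com key 1      # authenticated, key id trusted below
server time2.example.com key 1
pool pool.example.net iburst       # no key: responses accepted unauthenticated
server time3.example.com key 7     # key id never listed in trustedkey
keys /etc/ntp/keys
trustedkey 1
"""

RANGE_RE = re.compile(r"\((\d+)\s*\.\.\.\s*(\d+)\)")   # trustedkey (low ... high)
SOURCE_DIRECTIVES = {"server", "peer", "pool"}

def parse_trustedkey(rest):
    """Expand 'trustedkey 1 5 (10 ... 12)' arguments into the set of key ids."""
    ids = {k for lo, hi in RANGE_RE.findall(rest) for k in range(int(lo), int(hi) + 1)}
    ids.update(int(t) for t in RANGE_RE.sub(" ", rest).split())
    return ids

def audit_ntp_conf(text):
    """Flag unauthenticated sources, untrusted key ids and a missing default restrict."""
    findings, trusted, sources, default_ok = [], set(), [], False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not tok:
            continue
        if tok[0] == "trustedkey":
            trusted |= parse_trustedkey(" ".join(tok[1:]))
        elif tok[0] == "restrict" and "default" in tok[1:3]:
            default_ok = default_ok or {"nomodify", "noquery"} <= set(tok)
        elif tok[0] in SOURCE_DIRECTIVES and len(tok) > 1:
            sources.append(tok)                 # checked once trustedkey is known
    if not default_ok:
        findings.append("no 'restrict default' line carrying nomodify and noquery")
    for tok in sources:
        kind, name = tok[0], tok[1]
        if "key" in tok[2:]:
            keyid = int(tok[tok.index("key") + 1])
            if keyid not in trusted:
                findings.append(f"{kind} {name}: key {keyid} is not listed in trustedkey")
        elif "autokey" not in tok[2:]:
            findings.append(f"{kind} {name}: unauthenticated source (no key/autokey)")
    return findings
```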
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.