NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
http://www.talosintel.com/reports/TALOS-2016-0071/
http://bugs.ntp.org/show_bug.cgi?id=2936
http://support.ntp.org/bin/view/Main/NtpBug2936
http://www.securityfocus.com/bid/81960
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03750en_us
https://security.gentoo.org/glsa/201607-15
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03766en_us
http://www.securitytracker.com/id/1034782
http://www.debian.org/security/2016/dsa-3629
https://security.netapp.com/advisory/ntap-20171031-0001/
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
http://rhn.redhat.com/errata/RHSA-2016-2583.html
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
Source: MITRE
Published: 2016-01-26
Updated: 2021-04-26
Type: CWE-287
Base Score: 4
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 8
Severity: MEDIUM
Base Score: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Impact Score: 4
Exploitability Score: 3.1
Severity: HIGH