This script is Copyright (C) 2018 Tenable Network Security, Inc.
The remote device is missing a vendor-supplied security patch.
ntpd in ntp before 4.2.8p3 with remote configuration enabled allows
remote authenticated users with knowledge of the configuration
password and access to a computer entrusted to perform remote
configuration to cause a denial of service (service crash) via a NULL
byte in a crafted configuration directive packet. (CVE-2015-5146)
An attacker can use a specially crafted package to cause ntpd to
become unresponsive when all of the following conditions are met :
The ntpd configuration has enabled remote configuration.
The attacker has knowledge of the configuration password.
The attacker has access to a computer entrusted to perform remote
For BIG-IP systems using a default network time protocol (NTP)
configuration, there is no impact. However, BIG-IP systems with an NTP
configuration that is customized in line with the requirements of the
advisory may be vulnerable.
See also :
Upgrade to one of the non-vulnerable versions listed in the F5
Risk factor :
Low / CVSS Base Score : 3.5
CVSS Temporal Score : 2.9
Public Exploit Available : true