Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks. (CVE-2019-11331)
Impact
Using an off-path attack (not a man-in-the-middle attack), a remote attacker may more easily exploit unpatched NTP vulnerabilities, which could potentially allow an attacker to access resources, modify files, or cause a denial of service (DoS) attack.
This vulnerability is inherent in RFC 5905, and thus F5 cannot effect a fix without breaking compatibility. IETF has drafted a port randomization RFC for future publication and adoption. For further information, see the Supplemental Information section in this article.
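The following is an added example, not code from F5 or from the original advisory: a small audit that reads captured UDP datagrams and reports which hosts send NTP client requests from source port 123 rather than from a varying source port. It assumes client mode (mode 3) is the mode that needs no fixed source port; the function names, addresses and packets are constructed for illustration.

```python
NTP_PORT = 123
NTP_HEADER_LEN = 48   # minimum NTP packet size in bytes
MODE_CLIENT = 3       # assumption: client mode is the mode that needs no fixed port


def ntp_mode(payload: bytes) -> int:
    """Return the mode field (low 3 bits of the first octet) of an NTP packet."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload shorter than an NTP header")
    return payload[0] & 0x07


def audit_datagram(src_port: int, dst_port: int, payload: bytes) -> str:
    """Classify one UDP datagram addressed to an NTP server."""
    if dst_port != NTP_PORT:
        return "other"
    try:
        mode = ntp_mode(payload)
    except ValueError:
        return "malformed"
    if mode != MODE_CLIENT:
        return "other"  # other modes are outside the scope of this check
    # A client request from port 123 has a source port an off-path party can predict.
    return "fixed-port-client" if src_port == NTP_PORT else "ephemeral-client"


def summarize(flows):
    """Group source addresses by verdict: {verdict: sorted list of source IPs}."""
    hosts = {}
    for src_ip, src_port, dst_port, payload in flows:
        hosts.setdefault(audit_datagram(src_port, dst_port, payload), set()).add(src_ip)
    return {verdict: sorted(ips) for verdict, ips in hosts.items()}


def make_packet(version: int, mode: int) -> bytes:
    """Build a constructed 48-byte NTP packet with only version and mode set."""
    return bytes([(version << 3) | mode]) + bytes(NTP_HEADER_LEN - 1)


# Constructed sample capture: (source IP, source port, destination port, payload)
SAMPLE_FLOWS = [
    ("192.0.2.10", 123, 123, make_packet(4, 3)),    # client request from port 123
    ("192.0.2.11", 51544, 123, make_packet(4, 3)),  # client request, ephemeral port
    ("192.0.2.12", 123, 123, make_packet(4, 1)),    # symmetric active, not a client request
    ("192.0.2.13", 123, 123, b"\x23"),              # truncated datagram
]

if __name__ == "__main__":
    for verdict, ips in summarize(SAMPLE_FLOWS).items():
        print(f"{verdict}: {', '.join(ips)}")
```

Hosts reported as `fixed-port-client` are the ones whose NTP software should be patched first, since the source port adds no unpredictability to their requests.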