K51444934 : NTP vulnerability CVE-2016-7426

Security Advisory Description

NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address. (CVE-2016-7426)
Impact
When the ntpdprocess is configured with rate limiting for all associations, the limits are also applied to responses received from its configured sources. An attacker who knows the sources (for example, from an IPv4 refid in a server response), and knows the system is configured in this way, can periodically send packets with spoofed source addresses to keep the rate limiting activated and prevent thentpdprocess from accepting valid responses from its sources, resulting in a denial of service (DoS).
This vulnerability can be exposed when ntpd configurations use thelimiteddirective. The BIG-IP system’s defaultntpd configuration does not specify the limited directive. Thelimited directive cannot be added to the configuration using the Configuration utility, but can be added using the TMOS Shell (tmsh).
Thelimited directive is most commonly used as part of the default restriction with other directives such as thenoquerydirective. For example,restrict default limited noquery nomodify.