NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression. (CVE-2016-2517)
Remote configuration trustedkey, requestkey, and controlkey values are not properly validated.
Impact
BIG-IP, BIG-IQ, and Enterprise Manager systems are not vulnerable to this vulnerability in default configurations. This vulnerability is only exploitable if the default network time protocol (NTP) configuration is modified to enable remote configuration, and the controlkey or requestkey values are known to the attacker.