[CentOS] NTP Vulnerability?

Sat Dec 20 03:35:04 UTC 2014
Dennis Jacobfeuerborn <dennisml at conversis.de>

On 20.12.2014 03:42, listmail wrote:
> I just saw this:
> 
> https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
> 
> which includes this:
> " A remote attacker can send a carefully crafted packet that can overflow a
> stack buffer and potentially allow malicious code to be executed with the
> privilege level of the ntpd process. All NTP4 releases before 4.2.8 are
> vulnerable."
> 
> "This vulnerability is resolved with NTP-stable4.2.8 on December 19, 2014."
> 
> I guess no one has had time to respond yet. Wonder if I should shut down my
> external NTP services as a precaution?

From the description in the Red Hat advisory and this link
http://www.kb.cert.org/vuls/id/852879 it seems the buffer overflow
issues can only be exploited with specific authentication settings that
are not part of the default configuration, or am I interpreting this wrong?

Regards,
  Dennis