Security Update – Vulnerabilities ntp-4.2.8p15 library
MOBATIME is aware of newly published vulnerabilities of the ntp-4.2.8p15 library. The library is used in the MOBATIME DTS devices as indicated in the manuals.
The four Vulnerabilities CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554 are related to the ntpq service. ntpq is used to get the status information about the ntpd service. In our devices, this service can be limited to local access or disabled completely. Our security recommendation is to disable the NTP queries (As already described in our Security guideline). If the NTP queries are disabled the devices are not affected by the vulnerabilities.
The last vulnerability CVE-2023-26555 concerns a driver used for serial clock references, which we do not use in any of the MOBATIME timeservers or master clocks products.
Our NTP clocks (analogue and digital) are not affected by any of these vulnerabilities, as the affected NTP library is not used. Here you find our Security Recommendations
More information and a discussion of the vulnerabilities are available at the following links: