NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a “skeleton key.”
bugs.ntp.org/show_bug.cgi?id=2936
rhn.redhat.com/errata/RHSA-2016-2583.html
support.ntp.org/bin/view/Main/NtpBug2936
www.debian.org/security/2016/dsa-3629
www.securityfocus.com/bid/81960
www.securitytracker.com/id/1034782
www.talosintel.com/reports/TALOS-2016-0071/
cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03750en_us
h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03766en_us
security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
security.gentoo.org/glsa/201607-15
security.netapp.com/advisory/ntap-20171031-0001/
us-cert.cisa.gov/ics/advisories/icsa-21-103-11