5

There have been 3 recent vulnerabilities in the NTP reference implementation. Namely:

CVE-2014-9296
CVE-2014-9295
CVE-2014-9294

Is ntpd, or ntpdate, running as a client vulnerable to any of these exploits if the server it's connected to can't be trusted? Assume ntpd is configured with the default configuration on most Linux servers and thus doesn't use any sort of "cryptographic protection" and can't itself be queried by untrusted peers.

This means connecting to volunteer ntp servers provided by ntp.org, which can't be trusted.

Steve Sether

1 Answer

5

"Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit." Source

If you're just doing server ntp.org in your ntp.conf, then no, you are not vulnerable.

As long as you have the default configuration and don't accept authenticated commands (sounds like you don't), then no. And if your ntp.conf file has no active lines starting with "crypto" (you said you didn't), then no.

Artjom B.
mcgyver5
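The configuration conditions named in the answer above can be checked mechanically. The following is an added example, not code from the original post or from the NTP project: it scans ntp.conf text for active `crypto`/`autokey` directives, key directives that enable authenticated commands, and a default `restrict` line without `noquery`. The mapping of directives to the three flaws is this example's assumption, and both sample configurations are constructed.

```python
# Added example: audit ntp.conf text for the non-default conditions named above.
# The directive-to-flaw mapping is this example's assumption, not the advisory's.

# Constructed sample configurations (not taken from the original post).
DEFAULT_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org iburst
# crypto pw placeholder
"""
RISKY_CONF = """\
restrict default nomodify
crypto pw placeholder
keys /etc/ntp/keys
controlkey 8
server ntp.example.org autokey
"""

def active_lines(text):
    """Yield (line_number, tokens) for lines that are not blank or commented out."""
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield number, tokens

def audit_ntp_conf(text):
    """Return (line_number, finding) pairs in file order; empty list means none."""
    findings = []
    saw_default_restrict = False
    for number, tokens in active_lines(text):
        keyword, args = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        if keyword == "crypto" or (keyword in ("server", "peer", "pool") and "autokey" in args):
            findings.append((number, "autokey"))  # crypto_recv() condition
        elif keyword in ("controlkey", "requestkey"):
            findings.append((number, "authenticated-commands"))  # configure() condition
        elif keyword == "restrict" and "default" in args:
            saw_default_restrict = True
            if "noquery" not in args:
                findings.append((number, "remote-query"))  # ctl_putdata() condition
    if not saw_default_restrict:
        # With no default restrict line, ntpd applies no access restrictions.
        findings.append((0, "remote-query"))
    return findings

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("risky", RISKY_CONF)):
        print(name, audit_ntp_conf(conf) or "no findings")
```

An empty result only means none of these directives are active in the file; it says nothing about the installed ntpd version.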