PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5117 OpenNTPD CVE debrief

CVE-2016-5117 affects OpenNTPD before 6.0p1. The issue is a missing validation check for the CN on HTTPS constraint requests, which can let a remote attacker bypass intended man-in-the-middle protections by supplying a crafted timestamp constraint that uses a valid certificate. This is an integrity-impacting flaw rather than a code-execution issue.

Vendor
OpenNTPD
Product
CVE-2016-5117
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-31
Original CVE updated
2026-05-13
Advisory published
2017-01-31
Advisory updated
2026-05-13

Who should care

Administrators and operators running OpenNTPD versions before 6.0p1, especially environments that rely on HTTPS constraint requests as part of their time-synchronization trust model or MITM mitigation.

Technical summary

NVD describes the flaw as OpenNTPD failing to validate the certificate common name (CN) for HTTPS constraint requests. Because the request can be made with a valid certificate but an inappropriate constraint target, the normal MITM mitigation can be bypassed. NVD maps the weakness to CWE-254 and rates the issue CVSS v3.0 5.9/Medium (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
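To make the missing check concrete, here is an added Python illustration of what name validation on an HTTPS constraint response involves. It is not OpenNTPD's or OpenBSD's code and does not reproduce the project's implementation; the certificate dictionaries, hostnames and Date header are constructed sample data in the shape returned by ssl.SSLSocket.getpeercert(), and the function names are this example's own. The point it shows is the one NVD describes: a certificate can be perfectly valid and still be issued to a host other than the constraint target, and a fetcher that accepts the Date header without comparing the certificate's names against that target is exactly the pre-6.0p1 behaviour.

```python
"""Added illustration (not OpenNTPD's code): CN/SAN validation of an HTTPS
time-constraint response, plus the TLS context setting that makes the
library perform that check. All certificate data below is constructed."""
import ssl
from email.utils import parsedate_to_datetime


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a single '*' may
    stand for the whole leftmost label only (simplified, no IDNA handling)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire leftmost label, must not stand for a
    # bare registrable domain, and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """True if the certificate names `host`. DNS SANs, when present, are
    authoritative and the subject CN is ignored; the CN is consulted only
    for certificates that carry no DNS SAN at all."""
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_names:
        return any(hostname_matches(n, host) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return hostname_matches(value, host)
    return False


def constraint_timestamp(target_host: str, cert: dict, date_header: str) -> int:
    """Accept the HTTP Date header as a time constraint only after the name
    check passes. Returns a Unix timestamp; raises ValueError otherwise."""
    if not cert_matches_host(cert, target_host):
        raise ValueError(f"certificate does not name constraint host {target_host}")
    return int(parsedate_to_datetime(date_header).timestamp())


def constraint_tls_context() -> ssl.SSLContext:
    """TLS settings a constraint fetcher should use: chain verification and
    hostname verification enabled, so the library does the CN/SAN check."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # disabling this is the weak configuration
    return ctx


# Constructed sample certificates (not real), in getpeercert() shape.
CERT_FOR_TARGET = {
    "subject": ((("commonName", "time.example.com"),),),
    "subjectAltName": (("DNS", "time.example.com"), ("DNS", "*.pool.example.com")),
}
# A valid certificate issued to an unrelated host: the case that a fetcher
# without name validation would wrongly accept.
CERT_FOR_OTHER_HOST = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}
SAMPLE_DATE = "Thu, 26 May 2016 12:00:00 GMT"  # constructed header value


if __name__ == "__main__":
    print(constraint_timestamp("time.example.com", CERT_FOR_TARGET, SAMPLE_DATE))
    try:
        constraint_timestamp("time.example.com", CERT_FOR_OTHER_HOST, SAMPLE_DATE)
    except ValueError as err:
        print("rejected:", err)
```

The name check is kept as an explicit function so that the rejection path is visible, but in a real fetcher the same effect is obtained by leaving check_hostname enabled on the SSL context and passing the constraint target as server_hostname when wrapping the socket; the certificate is then rejected during the handshake rather than after the response is read.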

Defensive priority

Medium priority. Patch promptly if you run affected OpenNTPD releases. The issue is narrower than broadly exploitable, wormable vulnerabilities: exploitation requires that the deployment use HTTPS constraint requests and that the attacker supply a crafted constraint, which is why the NVD vector rates attack complexity High.

Recommended defensive actions

  • Upgrade OpenNTPD to 6.0p1 or later as indicated by the vendor advisory and NVD description.
  • Confirm whether your deployment uses HTTPS constraint requests and, if so, treat affected pre-6.0p1 systems as exposed until updated.
  • Apply the vendor patch or equivalent fixed package referenced in the OpenBSD/OpenNTPD advisory materials.
  • Review dependency and package inventories for embedded or appliance builds that may include older OpenNTPD versions.

Evidence notes

Supported by the NVD record and the referenced vendor materials. The NVD description states that OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, enabling bypass of MITM mitigations via a crafted timestamp constraint with a valid certificate. The record also lists a patch diff, a vendor advisory, and two OSS-security mailing list references. NVD assigns CVSS v3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N and CWE-254. The supplied CVE publish date is 2017-01-31; the NVD record was modified on 2026-05-13.

Official resources

CVE published by the CVE/NVD record on 2017-01-31T19:59:00.230Z; the supplied source record was last modified on 2026-05-13T00:24:29.033Z. Referenced patch and mailing-list materials in the source set date to May 2016.