Two other flaws were also found. In a type of denial-of-service attack, an attacker could spoof Kiss O'Death packets to look like they're coming from an NTP client. The time server then tries to slow down those queries, sending a response that causes the NTP client to stop updating its clock.
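As an added illustration (not code from the researchers or from the NTP project), this Python example parses the header of an NTP reply and flags Kiss-o'-Death packets, separating those that answer a request the client actually sent from those that do not. Field offsets follow RFC 5905; the function names and sample packets are constructed for the example.

```python
import struct

NTP_HEADER_LEN = 48
MODE_SERVER = 4


def parse_ntp_header(pkt: bytes) -> dict:
    """Decode the NTP header fields needed to recognise a Kiss-o'-Death reply."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("NTP packet shorter than the 48-byte header")
    li_vn_mode, stratum = struct.unpack("!BB", pkt[:2])
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "refid": pkt[12:16],      # carries the ASCII kiss code when stratum is 0
        "origin_ts": pkt[24:32],  # server echoes the client's transmit timestamp
    }


def classify_reply(pkt: bytes, sent_transmit_ts: bytes) -> str:
    """Label a reply as normal, a KoD, or a KoD that matches no request we sent."""
    h = parse_ntp_header(pkt)
    if h["mode"] != MODE_SERVER:
        return "not-server-reply"
    if h["stratum"] != 0:
        return "normal"
    code = h["refid"].decode("ascii", errors="replace")
    # A genuine reply echoes the transmit timestamp of our request. A KoD that
    # does not was not triggered by this client's own query and should be
    # dropped and logged rather than obeyed.
    if h["origin_ts"] != sent_transmit_ts:
        return "kod-unsolicited:" + code
    return "kod:" + code


def build_reply(stratum: int, refid: bytes, origin_ts: bytes) -> bytes:
    """Build a constructed 48-byte server reply for the demonstration."""
    first = (4 << 3) | MODE_SERVER  # version 4, mode 4
    head = struct.pack("!BBbb", first, stratum, 6, -20)
    return head + b"\0" * 8 + refid + b"\0" * 8 + origin_ts + b"\0" * 16


if __name__ == "__main__":
    sent = bytes.fromhex("d9a1b2c3d4e5f607")  # constructed transmit timestamp
    print(classify_reply(build_reply(2, bytes([192, 0, 2, 1]), sent), sent))
    print(classify_reply(build_reply(0, b"RATE", sent), sent))
    print(classify_reply(build_reply(0, b"RATE", b"\0" * 8), sent))
```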
The third flaw could allow an attacker who is interfering with unencrypted NTP traffic to shift a computer's clock forward or backwards on reboot.
Software fixes for the problems are available now, as the researchers privately disclosed their findings in August to the Network Time Foundation, and vendors including Red Hat and Cisco, which have patched their NTP implementations.
The latest version of NTP released on Tuesday is ntp-4.2.8p4, and administrators are advised to patch as soon as possible.
Goldberg said because NTP is viewed as robust, it hardly gets much attention these days. Their research showed that one of the most widely used versions of NTP is 4.1.1, which is more than a decade old.
"What that means is you have these old clients, just sitting there," she said.
The research paper was co-authored by Aanchal Malhotra, Isaac E. Cohen and Erik Brakke, all of Boston University.