NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks.
CVE-2015-1798, bug 2779:
In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client. The CVSS score reflects this issue.
An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts.
Apply an update
The NTP Project credits Miroslav Lichvar of Red Hat for reporting these issues.