Today the DHS ICS-CERT updated their advisory for the previously reported set of vulnerabilities in the Network Time Protocol Daemon. It is a rather unusual update in that the previous version reported that there were publicly available exploits and the new version claims that there are no known publicly available exploits. The CERT-CC notice also currently says that there are no known exploits available (I didn’t save a copy of their original report so I can’t tell if it changed).
The NTP advisory does not address the issue at all.
BTW #1: I missed it last week, but the NTP web site is (has been) reporting that two of these vulnerabilities were fixed quite some time ago (2010 for the weak default key, and 2011 for the weak random number generator). I guess you just fix some things without knowing that they need fixing.
BTW #2: The NTP web site is (has been) reporting that there are two other, as yet unspecified, vulnerabilities in NTP that have yet to be fixed. They expect to fix them within the next month.