[ntp:questions] CVE-2013-5211 and xntpd

Danny Mayer mayer at pdmconsulting.net
Thu Feb 6 15:39:21 UTC 2014

On 2/6/2014 9:26 AM, Brian Utterback wrote:
> I recently received a question from a customer about CVE-201305211, the
> monlist amplification attack. Specifically they asked if the attack
> affected xntpd. They had another vendor that said no, that the attack
> only affects ntpd. This surprised me since as far as I know the monlist
> mechanism is the same in xntpd. I thought the vendor was merely
> incorrect. However, I then read the CERT and NIST versions of the CVE
> and there is no mention of xntpd. Indeed, a literal reading of the CVE
> does indeed imply that xntpd is not vulnerable.
> I don't think I am wrong about xntpd being vulnerable. If I am, please
> correct me. But if I am not, we should probably see about getting the
> CVE amended.

If this is about NTP v3 then that version hasn't been supported in
something like 15 years. I believe that it is very likely vulnerable but
noone is going to go into the code to look assuming that they can find
the source for something like that. I believe it was Dennis who wrote
the mode 7 code and tools, so NTP v2 is likely vulnerable as well but
that's not in the CERT either.

If someone wants support for such an old version then they need to be
willing to pay for support, something that could be arranged, but they
are better off upgrading to NTP V4. They advisory should remain as is.
If there needs to be one for NTP V3 then that should be done as a
separate advisory but it won't happen for free.


More information about the questions mailing list