[ntp:questions] CVE-2013-5211 and xntpd
unruh at invalid.ca
Thu Feb 6 17:25:54 UTC 2014
On 2014-02-06, Brian Utterback <brian.utterback at oracle.com> wrote:
> I recently received a question from a customer about CVE-2013-5211, the
> monlist amplification attack. Specifically they asked if the attack
> affected xntpd. They had another vendor that said no, that the attack
> only affects ntpd. This surprised me since as far as I know the monlist
> mechanism is the same in xntpd. I thought the vendor was merely
> incorrect. However, I then read the CERT and NIST versions of the CVE
> and there is no mention of xntpd. Indeed, a literal reading of the CVE
> does indeed imply that xntpd is not vulnerable.
Any system which returns a longer output to a query than the input can
be used in an amplification attack. If that difference is less than a
factor of 2, it is probably not worth it for the attacker. If it is a factor
of 10, it is. So what is the length of the responses to a query as a
fraction of the query length? That will tell you.
chrony has just had a release in which the query is now intentionally
padded to be at least as long as the response, and if it is not it is
> I don't think I am wrong about xntpd being vulnerable. If I am, please
> correct me. But if I am not, we should probably see about getting the
> CVE amended.