[ntp:questions] CVE-2013-5211 and xntpd

William Unruh unruh at invalid.ca
Thu Feb 6 17:25:54 UTC 2014

On 2014-02-06, Brian Utterback <brian.utterback at oracle.com> wrote:
> I recently received a question from a customer about CVE-2013-5211, the 
> monlist amplification attack. Specifically they asked if the attack 
> affected xntpd. They had another vendor that said no, that the attack 
> only affects ntpd. This surprised me since as far as I know the monlist 
> mechanism is the same in xntpd. I thought the vendor was merely 
> incorrect. However, I then read the CERT and NIST versions of the CVE 
> and there is no mention of xntpd. Indeed, a literal reading of the CVE 
> does indeed imply that xntpd is not vulnerable.

Any system which returns a longer output to a query than the input can
be used in an amplification attack. If that difference is less than a
factor of 2 it is probably not worth it for the attacker. If it is a factor
of 10 it is. So what is the length of the responses to a query as a
fraction of the query length? That will tell you.

chrony has just had a release in which the query is now intentionally
padded to be at least as long as the response, and if it is not it is

> I don't think I am wrong about xntpd being vulnerable. If I am, please 
> correct me. But if I am not, we should probably see about getting the 
> CVE amended.


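The ratio the reply above asks for (response bytes divided by query bytes) can be measured from traffic rather than guessed. The following is an added example, not code from the thread or from any NTP implementation: it sums request and response payload sizes per client socket from UDP datagram summaries (multi-packet responses count in full, since one query can trigger many reply packets), applies the 2x and 10x thresholds the post mentions, and shows why padding the query to at least the response length, as the post says chrony now does, caps the factor at 1. The datagram records and the 8-byte/440-byte sizes are constructed for illustration, not real captures or protocol constants.

```python
"""Added example: estimate UDP amplification factor from datagram summaries.

All sample traffic below is constructed for illustration; it is not a real
capture. A 'request' is any datagram to the server port, a 'response' is any
datagram from the server port back to the same client socket.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    length: int  # UDP payload bytes


# Constructed sample traffic (assumed sizes, not protocol facts)
SAMPLE = [
    # an ordinary client/server exchange: equal-sized request and reply
    Datagram("198.51.100.7", 40000, "203.0.113.5", 123, 48),
    Datagram("203.0.113.5", 123, "198.51.100.7", 40000, 48),
    # a small query that provokes a ten-packet reply
    Datagram("198.51.100.9", 40001, "203.0.113.5", 123, 8),
    *[Datagram("203.0.113.5", 123, "198.51.100.9", 40001, 440) for _ in range(10)],
]


def amplification_factors(datagrams, server_port=123):
    """Return {(client_ip, client_port): (request_bytes, response_bytes, factor)}.

    Bytes are summed per client socket so that a response split over many
    packets is compared against the single query that caused it.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    for d in datagrams:
        if d.dport == server_port:
            req[(d.src, d.sport)] += d.length
        elif d.sport == server_port:
            resp[(d.dst, d.dport)] += d.length
    result = {}
    for key, rbytes in req.items():
        sbytes = resp.get(key, 0)
        factor = sbytes / rbytes if rbytes else float("inf")
        result[key] = (rbytes, sbytes, factor)
    return result


def classify(factor):
    """Thresholds follow the post: under 2x is not worth an attacker's
    time, 10x and above clearly is; anything between is left as 'moderate'."""
    if factor < 2:
        return "negligible"
    if factor < 10:
        return "moderate"
    return "attractive"


def padded_factor(request_bytes, response_bytes):
    """Factor after the mitigation the post attributes to chrony: the client
    pads its query to at least the response length, so the ratio is <= 1."""
    padded_request = max(request_bytes, response_bytes)
    return response_bytes / padded_request


if __name__ == "__main__":
    for (ip, port), (rb, sb, f) in amplification_factors(SAMPLE).items():
        print(f"{ip}:{port} request={rb}B response={sb}B factor={f:.1f} ({classify(f)})")
```

Run against a real capture, the same summation would be applied to decoded UDP lengths per client socket; the point of the example is that a query can look harmless packet-by-packet and still yield a large aggregate ratio.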