[ntp:questions] CVE-2013-5211 and xntpd

William Unruh unruh at invalid.ca
Thu Feb 6 22:35:47 UTC 2014


On 2014-02-06, Brian Utterback <brian.utterback at oracle.com> wrote:
> On 2/6/2014 10:31 AM, mike cook wrote:
>> I think you are right. My reading of the CVE gives me to believe that xntpd is vulnerable. xntp is a full implementation of NTP V3 and the CVE indicates all versions of ntp earlier than 4.2.7 are vulnerable. It is very easy for you to test as xntpd is (or was) distributed with Solaris.
>
> I did test it and saw indications that it would be vulnerable. I don't 
> have exploit code so I didn't actually get an exploit going, but I saw 
> enough to convince me.
>
> The problem is that the CVE doesn't say that all versions of ntp before 
> 4.2.7 are vulnerable, it says that all versions of *ntpd* before 4.2.7 
> are vulnerable.

Well, ntp is a protocol, while ntpd and xntpd are programs which have
version numbers.
chrony uses the ntp protocol, and it also had a vulnerability which has
been fixed in 1.29.1; the fix unfortunately makes chronyc incompatible
with earlier versions of chronyd.


>
> Brian Utterback


