[ntp:questions] CVE-2013-5211 and xntpd

Martin Burnicki martin.burnicki at meinberg.de
Fri Feb 7 08:23:52 UTC 2014


Dennis,

Dennis Ferguson wrote:
>> If this is about NTP v3 then that version hasn't been supported in
>> something like 15 years. I believe that it is very likely vulnerable but
>> no one is going to go into the code to look assuming that they can find
>> the source for something like that. I believe it was Dennis who wrote
>> the mode 7 code and tools, so NTP v2 is likely vulnerable as well but
>> that's not in the CERT either.
>
> xntpd claimed to be NTP v3 from its inception, and had both xntpdc and ntpq
> by the time anyone other than me saw it.  It was implemented from a
> moving-target draft of the NTP version 3 standard that was available as
> early as 1988 (i.e. before the NTP version 2 RFC was published; that was
> done late since there was resistance to the postscript format).  Fuzzballs
> also claimed to be version 3 by then too, though there was an existing Unix
> daemon called "ntpd" implementing NTP v2 only, this being the reason that
> xntpd got an 'x'.  The mode 7 protocol was implemented as a debugging tool
> during development, the mode 6 protocol was implemented after that got added
> to the version 3 draft and supported by the fuzzball servers, so you could
> ask fuzzballs about their peers too.
>
> That said, when I stopped work on xntpd there was no "monlist" query since
> there was no monitor list.  If you wanted to know who your clients were it
> used a much heavier duty (but cheaper to implement) method, a knob telling
> it to keep peer state for all peers rather than just the configured ones.
> When I left it, I don't believe there were any queries in either protocol
> which would result in more than one response packet per query packet, and
> I had tried to keep responses under 520 bytes of payload (or whatever
> the number was which guaranteed no fragmentation then) for mode 7 since I
> lived at the end of a very overloaded Internet connection and it worked
> better with single packet request/responses.  I had less control over mode
> 6, though.
>
> If there's something called xntpd which supports monlist it must have been
> added after me, but before the name of the program was changed to ntpd.  I
> don't know when that was.

Thanks for the interesting historic details.

When I heard about (x)ntpd the first time it was xntp-3.5f, and later
there were versions xntp3-5.93* where the syntax for refclock
configuration had changed, at least for the parse driver.

Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany


