[ntp:questions] CVE-2013-5211 and xntpd

Brian Utterback brian.utterback at oracle.com
Fri Feb 7 14:14:51 UTC 2014


On 2/7/2014 3:14 AM, Martin Burnicki wrote:
> Harlan Stenn schrieb:
>> Brian Utterback writes:
>>> I did test it and saw indications that it would be vulnerable. I don't
>>> have exploit code so I didn't actually get an exploit going, but I saw
>>> enough to convince me.
>>
>> If xntpd responds to the mode 7 monlist command it's vulnerable, and the
>> easy fix is to add a 'restrict default noquery' line to the config file.
>
> I agree xntpd is probably also vulnerable, but did it already support 
> the "restrict" keywords necessary to fix this?
>
> Martin

I just checked version 3.4y and yes, it has the necessary "restrict 
noquery" capability.


Brian Utterback


More information about the questions mailing list