[ntp:security] CVE for ntp monlist: CVE-2013-5211
christian.rossow at gmail.com
Mon Aug 19 13:27:01 UTC 2013
Hi Harlan, CCing ntp devs,
> If this is the same problem as http://bugs.ntp.org/show_bug.cgi?id=1331
> and CVE-2009-3563 it was fixed almost 4 years ago, in 4.2.4p8 and 4.2.6,
> on December 8th and 9th, 2009.
Not sure #1331 is too related. To me, #1532 sounds more related:
MITRE still waits for my response on what reference to add to the CVE.
Do you think #1532 would be an appropriate bug report (and changelog)?
Did you already have the chance to look for the exact ntpd version that
started to demand a nonce for `monlist` requests?
I can tell that:
* ntpd 4.2.6p3 responds with peers to monlist (w/o nonce)
* ntpd 4.2.6p5 responds with peers to monlist (w/o nonce)
* ntpd 4.2.7p5 responds with peers to monlist (w/o nonce)
(i.e., for each version, I found at least one such server)
From ntpd 4.2.7p81 onwards I didn't find any server supporting monlist.