[ntp:security] CVE for ntp monlist: CVE-2013-5211

Christian Rossow christian.rossow at gmail.com
Mon Aug 19 13:27:01 UTC 2013


Hi Harlan, CCing ntp devs,

> If this is the same problem as http://bugs.ntp.org/show_bug.cgi?id=1331
> and CVE-2009-3563 it was fixed almost 4 years ago, in 4.2.4p8 and 4.2.6,
> on December 8th and 9th, 2009.
Not sure #1331 is too related. To me, #1532 sounds more related:
 http://bugs.ntp.org/show_bug.cgi?id=1532

MITRE still waits for my response on what reference to add to the CVE.
Do you think #1532 would be an appropriate bug report (and changelog)?
Did you already have the chance to look for the exact ntpd version that
started to demand for a nonce for `monlist` requests?

I can tell that:
 * ntpd 4.2.6p3 responds with peers to monlist (w/o nonce)
 * ntpd 4.2.6p5 responds with peers to monlits (w/o nonce)
 * ntpd 4.2.7p5 responds with peers to monlist (w/o nonce)
 (i.e., for each version, I found at least one such server)

>From ntpd 4.2.7p81 onwards I didn't find any server supporting monlist.

Thanks,
Christian


More information about the security mailing list