[ntp:questions] CVE-2013-5211 and xntpd

Brian Utterback brian.utterback at oracle.com
Thu Feb 6 23:01:36 UTC 2014


On 02/06/14 17:05, Dennis Ferguson wrote:
> On 6 Feb, 2014, at 07:39 , Danny Mayer <mayer at pdmconsulting.net> wrote:
>> On 2/6/2014 9:26 AM, Brian Utterback wrote:
>>> I recently received a question from a customer about CVE-2013-5211, the
>>> monlist amplification attack. Specifically they asked if the attack
>>> affected xntpd. They had another vendor that said no, that the attack
>>> only affects ntpd. This surprised me since as far as I know the monlist
>>> mechanism is the same in xntpd. I thought the vendor was merely
>>> incorrect. However, I then read the CERT and NIST versions of the CVE
>>> and there is no mention of xntpd. Indeed, a literal reading of the CVE
>>> does indeed imply that xntpd is not vulnerable.
>>>
>>> I don't think I am wrong about xntpd being vulnerable. If I am, please
>>> correct me. But if I am not, we should probably see about getting the
>>> CVE amended.
>>>
>> If this is about NTP v3 then that version hasn't been supported in
>> something like 15 years. I believe that it is very likely vulnerable but
>> no one is going to go into the code to look assuming that they can find
>> the source for something like that. I believe it was Dennis who wrote
>> the mode 7 code and tools, so NTP v2 is likely vulnerable as well but
>> that's not in the CERT either.
> xntpd claimed to be NTP v3 from its inception, and had both xntpdc and ntpq
> by the time anyone other than me saw it.  It was implemented from a
> moving-target draft of the NTP version 3 standard that was available as
> early as 1988 (i.e. before the NTP version 2 RFC was published; that was
> done late since there was resistance to the postscript format).  Fuzzballs
> also claimed to be version 3 by then too, though there was an existing Unix
> daemon called "ntpd" implementing NTP v2 only, this being the reason that
> xntpd got an 'x'.  The mode 7 protocol was implemented as a debugging tool
> during development, the mode 6 protocol was implemented after that got added
> to the version 3 draft and supported by the fuzzball servers, so you could
> ask fuzzballs about their peers too.
>
> That said, when I stopped work on xntpd there was no "monlist" query since
> there was no monitor list.  If you wanted to know who your clients were it
> used a much heavier duty (but cheaper to implement) method, a knob telling
> it to keep peer state for all peers rather than just the configured ones.
> When I left it, I don't believe there were any queries in either protocol
> which would result in more than one response packet per query packet, and
> I had tried to keep responses under 520 bytes of payload (or whatever
> the number was which guaranteed no fragmentation then) for mode 7 since I
> lived at the end of a very overloaded Internet connection and it worked
> better with single packet request/responses.  I had less control over mode
> 6, though.
>
> If there's something called xntpd which supports monlist it must have been
> added after me, but before the name of the program was changed to ntpd.  I
> don't know when that was.
>
> Dennis Ferguson

The oldest NTP v3 distro I have around is 3.4y, and it has monlist. It 
looks to date from about 1994 or so.

-- 
blu

Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. - Martin Golding
-----------------------------------------------------------------------|
Brian Utterback - Solaris RPE, Oracle Corporation.
Ph:603-262-3916, Em:brian.utterback at oracle.com
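The thread turns on a single property of the monlist query: one request that produces several reply packets, each far larger than the request. As an added illustration (not code from this thread, nor from ntpd or xntpd), the Python below decodes the mode 7 header layout from ntpd's ntp_request.h (response and "more" bits, version, mode, auth bit plus sequence number, implementation, request code) and, over a constructed packet sample, reports reply packets and reply bytes per request for each private-mode request code. That per-request ratio is what a defender looks at to decide whether a query type on a server is an amplifier. The request code value 42, the implementation number 0 and every packet size in the sample are constructed values for the example, not taken from the thread.

```python
"""Classify NTP datagrams and measure mode 7 (private mode) amplification.

Added example for the discussion above; not ntpd/xntpd code. Assumes only the
mode 7 header layout documented in ntpd's ntp_request.h: byte 0 = R bit, M bit,
3-bit version, 3-bit mode; byte 1 = auth bit + 7-bit sequence; byte 2 =
implementation; byte 3 = request code. All sample datagrams are constructed.
"""
from collections import defaultdict

MODE_PRIVATE = 7


def parse_ntp_header(pkt: bytes) -> dict:
    """Decode the shared first byte (version, mode); for mode 7 also bytes 1-3."""
    if len(pkt) < 4:
        raise ValueError("datagram too short for an NTP header")
    b0 = pkt[0]
    hdr = {"version": (b0 >> 3) & 0x7, "mode": b0 & 0x7}
    if hdr["mode"] == MODE_PRIVATE:
        hdr.update(
            response=bool(b0 & 0x80),   # R bit: a reply rather than a request
            more=bool(b0 & 0x40),       # M bit: further reply packets follow
            sequence=pkt[1] & 0x7F,     # position of this packet in the reply series
            implementation=pkt[2],
            request_code=pkt[3],
        )
    return hdr


def mode7_amplification(datagrams) -> dict:
    """Per (implementation, request_code): reply packets and reply bytes per request."""
    stats = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "replies": 0, "reply_bytes": 0})
    for pkt in datagrams:
        h = parse_ntp_header(pkt)
        if h["mode"] != MODE_PRIVATE:
            continue                    # ordinary time packets are not part of the measure
        s = stats[(h["implementation"], h["request_code"])]
        if h["response"]:
            s["replies"] += 1
            s["reply_bytes"] += len(pkt)
        else:
            s["requests"] += 1
            s["req_bytes"] += len(pkt)
    report = {}
    for key, s in stats.items():
        if s["requests"] == 0:
            continue                    # replies with no observed request: cannot rate them
        report[key] = {
            "packets_per_request": s["replies"] / s["requests"],
            "byte_ratio": s["reply_bytes"] / s["req_bytes"],
        }
    return report


def amplifying_requests(report: dict) -> list:
    """Request codes that answer one query with more than one reply packet,
    the exact property the thread above says xntpd's original queries lacked."""
    return sorted(k for k, v in report.items() if v["packets_per_request"] > 1)


def make_mode7(request_code, *, response=False, more=False, seq=0, impl=0,
               payload_len=0, version=2) -> bytes:
    """Build a constructed mode 7 datagram: 4 header bytes, the err/nitems and
    mbz/itemsize shorts zeroed, then payload_len bytes of filler."""
    b0 = (0x80 if response else 0) | (0x40 if more else 0) | (version << 3) | MODE_PRIVATE
    return bytes([b0, seq & 0x7F, impl, request_code]) + b"\x00" * 4 + b"\x00" * payload_len


SAMPLE_REQUEST_CODE = 42   # constructed stand-in for one private-mode request type

# Constructed capture: one client time request, one 48-byte private query, and a
# three-packet reply series of 440 bytes each (sizes are sample values only).
SAMPLE = [
    bytes([0x23]) + b"\x00" * 47,                        # version 4, mode 3: ignored
    make_mode7(SAMPLE_REQUEST_CODE, payload_len=40),
    make_mode7(SAMPLE_REQUEST_CODE, response=True, more=True, seq=0, payload_len=432),
    make_mode7(SAMPLE_REQUEST_CODE, response=True, more=True, seq=1, payload_len=432),
    make_mode7(SAMPLE_REQUEST_CODE, response=True, more=False, seq=2, payload_len=432),
]

if __name__ == "__main__":
    rep = mode7_amplification(SAMPLE)
    for key, v in rep.items():
        print(key, f"{v['packets_per_request']:.1f} packets/request, "
                   f"{v['byte_ratio']:.1f}x bytes")
    print("amplifying:", amplifying_requests(rep))
```

The byte ratio is the number that matters for an amplification assessment, but the packet count is the simpler signal: any request code whose replies carry the M bit is by construction answering one datagram with several, and that is the query shape the thread's authors say xntpd's early mode 7 queries deliberately avoided.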