Bug 1047854 (CVE-2013-5211) - CVE-2013-5211 ntp: DoS in monlist feature in ntpd
Summary: CVE-2013-5211 ntp: DoS in monlist feature in ntpd
Alias: CVE-2013-5211
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1047855 1047856
Blocks: 1047857
TreeView+ depends on / blocked
Reported: 2014-01-02 11:53 UTC by Ratul Gupta
Modified: 2021-02-17 07:02 UTC (History)
19 users (show)

Fixed In Version: ntp 4.2.7p26
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-02-13 11:50:11 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 690293 0 None None None Never

Description Ratul Gupta 2014-01-02 11:53:08 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5211 to the following vulnerability:

Name: CVE-2013-5211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
Assigned: 20130815
Reference: http://openwall.com/lists/oss-security/2013/12/30/6
Reference: http://openwall.com/lists/oss-security/2013/12/30/7
Reference: http://lists.ntp.org/pipermail/pool/2011-December/005616.html
Reference: http://bugs.ntp.org/show_bug.cgi?id=1532
Reference: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

Comment 2 Ratul Gupta 2014-01-02 11:54:44 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1047855]

Comment 3 Miroslav Lichvar 2014-01-02 12:23:04 UTC
The default ntp.conf included in our ntp packages has noquery in the default restrict line, which blocks the monlist command.

Comment 5 Vincent Danen 2014-01-16 00:57:09 UTC
Further to what Miroslav noted in comment #3, this can be verified by checking that the following are set in /etc/ntp.conf, which is the default in Red Hat Enterprise Linux and Fedora:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

External References:


Comment 7 Vincent Danen 2014-01-16 01:19:09 UTC
Note also that this is corrected in the upstream 4.2.7p26 version, by the removal of the monlist command, as noted in the Changelog [1]:

* [Bug 1532] Remove ntpd support for ntpdc's monlist in favor of ntpq's

[1] http://archive.ntp.org/ntp4/ChangeLog-dev

The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and there's quite a few unrelated changes in p26 as well.  I am unsure what upstream plans to do (if anything) about the stable 4.2.6 version.

Comment 8 Tomas Hoger 2014-01-16 09:13:24 UTC
(In reply to Vincent Danen from comment #7)
> The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and
> there's quite a few unrelated changes in p26 as well.

This should be better, as it's link to relevant upstream bk commit:


Upstream security page has a note for this issue now:


Comment 27 Tomas Hoger 2014-02-11 15:15:59 UTC
The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration.  The configuration defines the following default restrictions:

  restrict default kod nomodify notrap nopeer noquery
  restrict -6 default kod nomodify notrap nopeer noquery

These restrictions include 'noquery', which causes NTP daemon control command queries, including 'monlist' specifically pointed out by this CVE, to be rejected.  The query access is only allowed from localhost in the default configuration.

Users are discouraged from allowing query by default, query access can be granted to specific hosts if needed (using 'restrict' access control command).  Alternatively, users can disable monitor functionality using 'disable monitor' command in the /etc/ntp.conf.  Note that use of 'restrict' command with 'limited' flag also enables monitor functionality even when 'disable monitor' command is used.

Upstream fix implemented in version 4.2.7p26 is removal of support for 'monlist' ntpdc command, and introduction of replacement 'mrulist' ntpq command, for which additional verification is done to avoid request packet source address spoofing, and to limit the size of responses.  Note that version 4.2.7 is still the development version upstream.  The latest production release is 4.2.6 that does not include the above fix.

Additionally, the fix in 4.2.7p26 only addresses the 'monlist' command, which has the highest amplification ratio.  Other ntpdc (NTP mode 7) and ntpq (NTP mode 6) commands may be used in the future for amplification attacks with lower amplification ratio.  Users who do not disable these queries are encouraged to review their configuration and enable restrictions to reduce the risk of future attacks using other commands.

Red Hat currently does not plan to modify ntp packages in released versions of Red Hat Enterprise Linux to remove monlist support.  Future updates may change the default configuration to use 'disable monitor' in addition to 'restrict default noquery'.

For additional information on various ntp configuration commands, refer to the following manual pages: ntp_acc(5), ntp_misc(5), ntpdc(8) and ntpq(8).

Comment 29 Tomas Hoger 2014-02-13 11:50:11 UTC

This issue does not affect the default configuration of ntp packages shipped with Red Hat Enterprise Linux, which does not allow remote ntpd control queries. User changing ntpd access control configuration should consider reviewing additional information provided via https://bugzilla.redhat.com/show_bug.cgi?id=1047854#c27 to avoid exposing their systems to this traffic amplification issue.

Note You need to log in before you can comment on or make changes to this bug.