Vulnerability Details : CVE-2013-5211
Public exploit exists!
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Vulnerability category: Input validation, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2013-5211
Probability of exploitation activity in the next 30 days: 96.63%
Percentile, the proportion of vulnerabilities that are scored at or less: ~100%
Metasploit modules for CVE-2013-5211
- SSDP ssdp:all M-SEARCH Amplification Scanner
  First seen: 2020-04-26
  Module: auxiliary/scanner/upnp/ssdp_amp
  Discover SSDP amplification possibilities
  Authors: xistence <xistence@0x90.nl>
- NTP Mode 7 PEER_LIST DoS Scanner
  Disclosure Date: 2014-08-25
  First seen: 2020-04-26
  Module: auxiliary/scanner/ntp/ntp_peer_list_dos
  This module identifies NTP servers which permit "PEER_LIST" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplificat
- NTP Mode 7 PEER_LIST_SUM DoS Scanner
  Disclosure Date: 2014-08-25
  First seen: 2020-04-26
  Module: auxiliary/scanner/ntp/ntp_peer_list_sum_dos
  This module identifies NTP servers which permit "PEER_LIST_SUM" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplif
- UDP Amplification Scanner
  First seen: 2020-04-26
  Module: auxiliary/scanner/udp/udp_amplification
  Detect UDP endpoints with UDP amplification vulnerabilities
  Authors: Jon Hart <jon_hart@rapid7.com>
- NTP Monitor List Scanner
  First seen: 2020-04-26
  Module: auxiliary/scanner/ntp/ntp_monlist
  This module identifies NTP servers which permit "monlist" queries and obtains the recent clients list. The monlist feature allows remote attackers to cause a denial of service (traffic amplification) via spoofed requests. The more clients there are in the list, the
- NTP Mode 6 REQ_NONCE DRDoS Scanner
  Disclosure Date: 2014-08-25
  First seen: 2020-04-26
  Module: auxiliary/scanner/ntp/ntp_req_nonce_dos
  This module identifies NTP servers which permit mode 6 REQ_NONCE requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to REQ_NONCE requests with a response larger than the request, allowing remote attackers to cause a d
- Portmapper Amplification Scanner
  First seen: 2020-04-26
  Module: auxiliary/scanner/portmap/portmap_amp
  This module can be used to discover Portmapper services which can be used in an amplification DDoS attack against a third party.
  Authors: xistence <xistence@0x90.nl>
- NTP Clock Variables Disclosure
  First seen: 2020-04-26
  Module: auxiliary/scanner/ntp/ntp_readvar
  This module reads the system internal NTP variables. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers, and more.
  Authors: Ewerson Guimaraes(Crash) <crash@dclabs.com.br>, Jon Hart <jon_h
- NTP Mode 6 UNSETTRAP DRDoS Scanner
  Disclosure Date: 2014-08-25
  First seen: 2020-04-26
  Module: auxiliary/scanner/ntp/ntp_unsettrap_dos
  This module identifies NTP servers which permit mode 6 UNSETTRAP requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to UNSETTRAP requests with multiple packets, allowing remote attackers to cause a distributed, refle
- NTP Mode 7 GET_RESTRICT DRDoS Scanner
  Disclosure Date: 2014-08-25
  First seen: 2020-04-26
  Module: auxiliary/scanner/ntp/ntp_reslist_dos
  This module identifies NTP servers which permit "reslist" queries and obtains the list of restrictions placed on various network interfaces, networks or hosts. The reslist feature allows remote attackers to cause a distributed, reflected denial of service (aka, "DRDo
CVSS scores for CVE-2013-5211
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
CWE ids for CVE-2013-5211
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-5211
- http://bugs.ntp.org/show_bug.cgi?id=1532
  Tags: Issue Tracking
- http://openwall.com/lists/oss-security/2013/12/30/6
  oss-security - CVE to the ntp monlist DDoS issue?
  Tags: Mailing List
- http://secunia.com/advisories/59288
  Tags: Not Applicable
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095892
  IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by vulnerability (CVE-2013-5211)
  Tags: Broken Link
- http://aix.software.ibm.com/aix/efixes/security/ntp_advisory.asc
  Tags: Third Party Advisory
- https://puppet.com/security/cve/puppetlabs-ntp-nov-2015-advisory
  Advisory: puppetlabs-ntp default configuration does not fully mitigate CVE-2013-5211 | Puppet
  Tags: Broken Link
- http://www.securitytracker.com/id/1030433
  IBM AIX ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks - SecurityTracker
  Tags: Third Party Advisory; VDB Entry
- http://lists.ntp.org/pipermail/pool/2011-December/005616.html
  [Pool] Odd surge in traffic today
  Tags: Broken Link
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00031.html
  openSUSE-SU-2014:1149-1: moderate: Avoid ntp being used as a DDoS amplif
  Tags: Third Party Advisory
- http://www.securityfocus.com/bid/64692
  NTP 'ntp_request.c' Remote Denial of Service Vulnerability
  Tags: Broken Link; Third Party Advisory; VDB Entry
- http://ics-cert.us-cert.gov/advisories/ICSA-14-051-04
  NTP Reflection Attack | CISA
  Tags: Third Party Advisory; US Government Resource
- http://www.kb.cert.org/vuls/id/348126
  VU#348126 - NTP can be abused to amplify denial-of-service attack traffic
  Tags: Third Party Advisory; US Government Resource
- http://marc.info/?l=bugtraq&m=144182594518755&w=2
  '[security bulletin] HPSBOV03505 rev.1 - TCP/IP Services for OpenVMS running NTP, Remote Code Executi' - MARC
  Tags: Mailing List; Third Party Advisory
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04790232
  HPSBOV03505 rev.1 - TCP/IP Services for OpenVMS running NTP, Remote Code Execution, Denial of Service (DoS)
  Tags: Third Party Advisory
- http://www.us-cert.gov/ncas/alerts/TA14-013A
  NTP Amplification Attacks Using CVE-2013-5211 | CISA
  Tags: Third Party Advisory; US Government Resource
- http://secunia.com/advisories/59726
  Tags: Not Applicable
- http://marc.info/?l=bugtraq&m=138971294629419&w=2
  '[security bulletin] HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS)' - MARC
  Tags: Mailing List
- http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz
  Tags: Patch
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095861
  IBM Security Bulletin: The IBM Chassis Management Module (CMM) is affected by a vulnerability in NTP server (CVE-2013-5211)
  Tags: Broken Link
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
  Oracle Linux Bulletin - July 2016
  Tags: Third Party Advisory
- http://openwall.com/lists/oss-security/2013/12/30/7
  oss-security - Re: CVE to the ntp monlist DDoS issue?
  Tags: Mailing List
Products affected by CVE-2013-5211
- cpe:2.3:o:oracle:linux:6:-:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:-:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:*:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p25:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p22:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p23:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p24:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p4:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p5:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p6:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p7:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p8:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p9:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p0:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p1:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p10:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p11:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p12:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p13:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p14:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p15:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p16:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p17:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p18:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p19:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p2:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p20:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p21:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:p3:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.7:-:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*