CVE-2013-5211
High PUBLISHEDThe monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification)...
Not yet in CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
- CVE Published
- Jan 02, 2014
- Exploitation Reported
- Jan 02, 2014
- CVSS
- 5.0 Medium
- EPSS
- —
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| n/a |
n/a
|
n/a |
Affected |
CVE References
- openSUSE-SU-2014:1149 lists.opensuse.org · Vendor Advisory http://lists.opensuse.org/opensuse-updates/2014-09/msg00031.html
- HPSBUX02960 marc.info · Vendor Advisory http://marc.info/?l=bugtraq&m=138971294629419&w=2
- HPSBOV03505 marc.info · Vendor Advisory http://marc.info/?l=bugtraq&m=144182594518755&w=2
- 59288 secunia.com · Third-Party Advisory http://secunia.com/advisories/59288
- TA14-013A us-cert.gov · Third-Party Advisory http://www.us-cert.gov/ncas/alerts/TA14-013A
Show 16 more references
- VU#348126 kb.cert.org · Third-Party Advisory http://www.kb.cert.org/vuls/id/348126
- 59726 secunia.com · Third-Party Advisory http://secunia.com/advisories/59726
- 64692 securityfocus.com · VDB Entry http://www.securityfocus.com/bid/64692
- 1030433 securitytracker.com · VDB Entry http://www.securitytracker.com/id/1030433
- [oss-security] 20131230 CVE to the ntp monlist DDoS issue? openwall.com · Mailing List http://openwall.com/lists/oss-security/2013/12/30/6
- [pool] 20111210 Odd surge in traffic today lists.ntp.org · Mailing List http://lists.ntp.org/pipermail/pool/2011-December/005616.html
- [oss-security] 20131230 Re: CVE to the ntp monlist DDoS issue? openwall.com · Mailing List http://openwall.com/lists/oss-security/2013/12/30/7
- h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay h20564.www2.hpe.com · CVE Record https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?doc...
- oracle.com/technetwork/topics/security/linuxbulletinjul... oracle.com · CVE Record http://www.oracle.com/technetwork/topics/security/linuxbulletinjul201...
- eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26... eecis.udel.edu · CVE Record http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p2...
- ics-cert.us-cert.gov/advisories/ICSA-14-051-04 ics-cert.us-cert.gov · CVE Record http://ics-cert.us-cert.gov/advisories/ICSA-14-051-04
- aix.software.ibm.com/aix/efixes/security/ntp_advisory.asc aix.software.ibm.com · CVE Record http://aix.software.ibm.com/aix/efixes/security/ntp_advisory.asc
- www-947.ibm.com/support/entry/portal/docdisplay www-947.ibm.com · CVE Record http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5...
- www-947.ibm.com/support/entry/portal/docdisplay www-947.ibm.com · CVE Record http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5...
- bugs.ntp.org/show_bug.cgi bugs.ntp.org · CVE Record http://bugs.ntp.org/show_bug.cgi?id=1532
- puppet.com/security/cve/puppetlabs-ntp-nov-2015-advisory puppet.com · CVE Record https://puppet.com/security/cve/puppetlabs-ntp-nov-2015-advisory
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CVE First | 2014-01-02 11:00 UTC |
No detection artifacts or sensor request patterns are available for this CVE yet.
Check back as sensor telemetry and scanner integrations are updated.
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploitation Status
Proof of concept available
Recorded 2023-05-03 17:20:51 UTC · GitHub
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-10-16 09:45:53 UTC · 0 stars
Exploit and check CVE-2013-5211
github · Created 2024-10-16 09:35:15 UTC · 0 stars
check and exploit for NTP vuln CVE-2013-5211
github · Created 2023-05-03 17:20:51 UTC · 3 stars
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
17:20 UTC about 3 years ago17:20 UTC · about 3 years ago
Public PoC available
Public proof-of-concept code published
-
11:00 UTC over 12 years ago11:00 UTC · over 12 years ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
11:00 UTC over 12 years ago11:00 UTC · over 12 years ago
CVE published
Vulnerability disclosed publicly
-
00:00 UTC almost 13 years ago00:00 UTC · almost 13 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2013-5211
{
"cve_id": "CVE-2013-5211",
"title": "The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows re...",
"affected_vendor": "NTP",
"affected_product": "NTP",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "High",
"cvss_score": 5.0,
"epss_score": null,
"exploit_status": {
"exploited_in_the_wild": false,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}