Spectracom - Essential Ingenuity

NTP Vulnerabilities Prior to Version 4.2.8

Question

What is the risk of the NTP vulnerabilities identified on December 18, 2014 on Spectracom products?

Answer

Similar to the Monlist vulnerability discovered in NTP about a year ago, the exploitation of these vulnerabilities requires external querying to the NTP server. By default we do not allow remote NTP queries to NetClock and SecureSync products.

We recommend that you verify NTP queries have not been enabled for your Spectracom product: If your implementation of our product requires remote queries, then you can update that method to only allow queries from trusted sources through NTP access restrictions.

These vulnerabilities have been patched in NTP version 4.2.8. We expect to update to v4.2.8 in a future release of SecureSync and NetClock 9400 software (estimated for the second quarter of 2015). We have no immediate plans to update NTP in NetClock 9200/9300 models.

Was this information helpful?

 Yes  No