Spectracom - Essential Ingenuity

NTP Vulnerabilities Prior to Version 4.2.8p4

Question

What is the risk of the NTP vulnerabilities identified on October 21, 2015?

Answer

Thirteen low- and medium-severity vulnerabilities were identified in NTP versions 4.2.8p3 and earlier. This affects SecureSync and NetClock 9400 products running software versions 5.3.0 and earlier, and all NetClock 9200/9300 product versions.

Exploitation of these vulnerabilities requires network access to these products by an attacker. Since these products are often deployed within secure networks, the network itself may offer sufficient protection. For those concerned that a sophisticated attacker could reach the product and exploit these vulnerabilities, mitigation recommendations are explained in this article. It is recommended to update SecureSync and NetClock 9400 series units to a future release with NTP 4.2.8p4 or later, expected in early 2016. The obsolete NetClock 9200/9300 is not planned to be updated, so replacement is recommended.

These vulnerabilities can be mitigated by configuring NTP access restrictions to limit NTP access to trusted IP subnets and addresses, and by requiring authentication. See this article for more information on NTP access restrictions.

CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK
This vulnerability would allow unauthenticated attackers to cause vulnerable units to synchronize to time sources of the attacker’s choosing regardless of the configured time sources on the unit. 

CVE-2015-7704 / 7705: Clients that receive a KoD should validate the origin timestamp field
This vulnerability in Kiss-of-Death (KoD) packet processing would allow an attacker to spoof KoD messages from a client's time server, causing the client to delay or stop querying the server for time. An attacker could also spoof requests from a client to a server often enough that the server sends the client KoD rate-limiting messages, again causing it to delay or stop querying the server for time. This vulnerability can be mitigated using anti-spoofing techniques such as the border ingress filtering described in IETF RFC 2827. It is also recommended to configure NTP access restrictions to limit NTP access to trusted IP subnets and addresses, to prevent discovery of server or client IP addresses.

CVE-2015-7691 / 7692 / 7702: Incomplete autokey data packet length checks & CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC
These vulnerabilities apply to those using the autokey feature. They allow packets carrying particular autokey operations to exhaust the unit's memory or crash NTP. If your operation of the unit requires autokey, then it is recommended to configure NTP access restrictions to limit NTP access to trusted IP subnets and addresses.

These vulnerabilities pertain to the remote querying and remote configuration functions of NTP. These functions are disabled by default and so pose no threat in normal setup and operation.
These articles describe how to verify that these functions are disabled, or how to disable them if they have been enabled:

If your deployment requires remote NTP querying or configuration, then configure NTP access restrictions to limit NTP access to trusted IP subnets and addresses, and require authentication. See this article for more information on NTP access restrictions.

CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values
CVE-2015-7854: Password Length Memory Corruption Vulnerability
CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability
CVE-2015-7851: saveconfig Directory Traversal Vulnerability
CVE-2015-7850: remote config logfile-keyfile
CVE-2015-7849: trusted key use-after-free
CVE-2015-7848: mode 7 loop counter underrun
CVE-2015-7703: configuration directives "pidfile" and "driftfile" should only be allowed locally
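
The units apply the access-restriction and authentication settings recommended above (and in the general mitigation earlier in this article) through their own management interface, but the daemon underneath is ntpd, so the ntp.conf form below shows what those settings amount to. This is an added example, not the article's or Spectracom's own configuration; the addresses, key id and key file path are placeholders.

```conf
# Weak baseline: an ntp.conf with no "restrict" lines at all. Any host that can
# reach UDP/123 may request time, send mode 6/7 status queries (ntpq/ntpdc),
# attempt remote configuration, and try to form a peer association.

# Hardened equivalent of "limit NTP access to trusted subnets and require
# authentication". Everything not explicitly listed below is dropped outright.
restrict default ignore
restrict -6 default ignore

# Local administration on the unit itself remains unrestricted.
restrict 127.0.0.1
restrict ::1

# Trusted client subnet (placeholder): may ask for time, but may not query
# daemon status (noquery), change configuration (nomodify), set traps (notrap)
# or become a symmetric peer (nopeer).
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Upstream time sources (placeholders): the only hosts this unit takes time
# from, each bound to a symmetric key so unauthenticated replies are rejected.
server 198.51.100.10 key 1
server 198.51.100.11 key 1
restrict 198.51.100.10 nomodify notrap nopeer noquery
restrict 198.51.100.11 nomodify notrap nopeer noquery

# Symmetric-key authentication. The keys file (placeholder path) holds lines of
# the form "<id> <type> <secret>", for example "1 SHA1 <hex-secret>".
keys /etc/ntp/ntp.keys
trustedkey 1

# Remote query and remote configuration stay disabled: no controlkey or
# requestkey is defined, noquery above blocks mode 6/7 from the network, and
# the monitor list (the "monlist" data source) is turned off.
disable monitor
```

Since `restrict default ignore` silently drops packets from unlisted hosts, add a `restrict` line for every subnet that legitimately needs time before deploying the change.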


This vulnerability does not apply to Spectracom products and poses no threat.

CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow.

Related Attachment

NTP CVEs Oct 2015.pdf
