https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3375218#M902855 Thanks John.<BR /><BR />Regards<BR />Kris Mon, 30 Apr 2018 06:48:08 GMT krisvamcee 2018-04-30T06:48:08Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3373288#M902851 <P>Hi all,</P> <P>&nbsp;</P> <P>From the vulnerability scan, we got the below issue for NTP for Cisco 3850 switch. Could somebody please advise how to fix it.</P> <P>&nbsp;</P> <P>An NTP control (mode 6) message with the UNSETTRAP (31) opcode with an unknown association identifier will cause NTP to respond with two packets -- one error response packet indicating that the association identifier was invalid followed by another non-error.</P> <P>Apply a restrict option to all hosts that are not authorized to perform NTP queries. For example, to deny query requests from all clients, put the following in the NTP configuration file, typically /etc/ntp.conf, and restart the NTP service.</P> <P>&nbsp;</P> <P>The only config the switch have for NTP is&nbsp;</P> <P>ntp source loopback</P> <P>ntp server x.x.x.x</P> <P>&nbsp;</P> <P>Regards</P> <P>Kris</P> Fri, 21 Feb 2020 15:40:16 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3373288#M902851 krisvamcee 2020-02-21T15:40:16Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3373314#M902852 <P>Hi,</P> <P>If you switch is just going to be an ntp client than you will need to restrict query and server requests using access lists</P> <P>e.g.</P> <P>access-list 40 permit host 192.168.1.1</P> <P>access-list 50&nbsp; deny any</P> <P>&nbsp;</P> <P>ntp access-group peer 40</P> <P>ntp access-group serve-only 50</P> <P>ntp access-group query-only 50</P> <P>ntp server 192.168.1.1</P> <P>The example above allows switch to get time from ntp server 192.168.1.1 Access-list 49 only allows time from 192.168.1.1 Access-list 50 prevents switch from providing time to anyone and prevents queries from anyone.</P> <P>The following doc provides more details:</P> <P><A href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020508-ntp-vulnerability" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020508-ntp-vulnerability</A></P> <P>&nbsp;</P> <P>Thanks</P> <P>John</P> Thu, 26 Apr 2018 05:35:48 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3373314#M902852 johnd2310 2018-04-26T05:35:48Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3374213#M902853 <P>&nbsp;</P> <P>Hi John,</P> <P>&nbsp;</P> <P>Thanks a lot for the reply. So just to confirm in this case, access list 50 prevents the ntp client to respond to NTP queries and and it doesn't accept control queries.</P> <P>&nbsp;</P> <P>Regards</P> <P>Kris</P> <P>&nbsp;</P> Fri, 27 Apr 2018 03:18:54 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3374213#M902853 krisvamcee 2018-04-27T03:18:54Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3375152#M902854 <P>Hi,</P> <P>Yes, access-list 50 is to prevent the switch from being an ntp server and to prevent the switch responding to control queries.</P> <P>&nbsp;</P> <P>Thanks</P> <P>John</P> Sun, 29 Apr 2018 23:05:41 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3375152#M902854 johnd2310 2018-04-29T23:05:41Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3375218#M902855 Thanks John.<BR /><BR />Regards<BR />Kris Mon, 30 Apr 2018 06:48:08 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3375218#M902855 krisvamcee 2018-04-30T06:48:08Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3770678#M902856 I am also facing the same ntp 6 vulnerability in Cisco 7609 Router IOS Version 15.5(3)S5. Is it same configure in the router as well to close this vulnerability.. Pankaj Jain Mon, 31 Dec 2018 05:35:22 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/3770678#M902856 Pankaj1 2018-12-31T05:35:22Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/4999877#M1108135 <P>I know this is an old message, I was wondering what options can be done for a switch that is NTP Master for all your other switches.&nbsp;&nbsp; I found this:&nbsp; <A href="https://community.cisco.com/t5/network-management/ntp-allow-mode-control/td-p/4596164" target="_blank">https://community.cisco.com/t5/network-management/ntp-allow-mode-control/td-p/4596164</A></P><P>So I went with the ntp allow mode control 3 option and our Nessus scan no longer shows this switch having the NTP Mode 6 vulnerability.</P> Thu, 18 Jan 2024 14:31:53 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/4999877#M1108135 kkana 2024-01-18T14:31:53Z https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/5133203#M1113607 <P>thanks <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/183162">@kkana</a>&nbsp;</P><P>So many articles and posts on various forms to sift through, just to get this answer.</P><P>Much appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 18 Jun 2024 13:43:29 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability-issue/m-p/5133203#M1113607 rodonnell2 2024-06-18T13:43:29Z