Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
718
Views
0
Helpful
1
Replies

Conditions required for exposure under CSCuz92785

wduke
Level 1
Level 1

‎06-16-2016 05:34 AM

In previous NTP bugs some specific aspect of NTP had to be enabled (for example, in some cases ntp peer was required). Are there any particular NTP configuration entries required, or is a device exploitable just because NTP is enabled?

wd

2 people had this problem
Labels:
0 Helpful
1 Reply 1

lewislampkin
Level 1
Level 1

‎07-18-2016 05:53 AM

Now that you mentioned it, I was curious about this one also.

TLDR: The device is exploitable if it has NTP enabled. Note: You don't have to worry about CVE-2016-4956, if you don't have broadcast NTP clients.

If you want more details, read on:
From this referenced bug ID:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz92785

It references these as affecting:
* CVE-2016-4956: Network Time Protocol Broadcast Interleave Vulnerability
* CVE-2016-4953 - Network Time Protocol Bad Authentication Demobilizes Ephemeral Associations Vulnerability
* CVE-2016-4954 - Network Time Protocol Processing Spoofed Server Packets Vulnerability

I traced these back to ntp.org. From reading the bug info I cannot see how these are dependent upon the NTP client config, but are vulnerabilities inherent to NTP itself -- all of which seem to involve the processing of spoofed packets. There is one exception: If you weren't using broadcast clients, then NTP bug 3042 wouldn't apply, since it's specific to broadcast clients. As far as mitigations, if Network Ingress Filtering is implemented, that should cut down on spoofed packets until you can upload the protocol fix to your gear.

See links referenced below:

RFC 2827, BCP 38, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
https://tools.ietf.org/html/rfc2827.html

CVE-2016-4953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953
http://support.ntp.org/bin/view/Main/NtpBug3045
http://bugs.ntp.org/show_bug.cgi?id=3045


CVE-2016-4954:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
http://support.ntp.org/bin/view/Main/NtpBug3044
http://bugs.ntp.org/show_bug.cgi?id=3044

CVE-2016-4956:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956
http://support.ntp.org/bin/view/Main/NtpBug3042
http://bugs.ntp.org/show_bug.cgi?id=3042

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents