03-07-2016 09:16 PM - edited 03-03-2019 08:09 AM
Hi all,
one of my customers came to me with an issue about the NTP Control Mode 7 vulnerability, and I am investigating how to avoid a DoS attack from it.
What I have found is that the NTP Control Mode 7 vulnerability is fixed in IOS releases that support NTPv4, so I tested some IOS versions on the Cisco 7600 Series Router platform (RSP720 with MSFC4).
Here are the fixed IOS versions (the ones that support NTPv4):
15.1(2)S
15.1(3)S6
15.2(1)S2
15.3(3)S
15.3(3)S6
15.4(3)S
15.5(3)S1
So I figured out that 15.1(2)S and later versions are safe, because they support NTPv4, but the earlier versions are not.
The problem is that my customer is using versions earlier than 15.1(2)S...
Can you please provide other options to prevent a DoS attack on the Cisco 7600, other than an IOS upgrade?
The IOS versions that my customer is using are below:
12.2(33)SRD4, 12.2(33)SRE4, 12.2(33)SRD8, 12.2(33)SRE5, 12.2(33)SRE8, 12.2(33)SRE13, 15.0(1)S6
07-30-2018 01:16 AM
Will this get fixed in higher versions?
07-30-2018 10:46 AM
Hello,
I recommend you apply access groups to your NTP configuration; here is an example:
access-list 90 permit X.X.X.X   (IP of NTP server 1)
access-list 90 permit X.X.X.X   (IP of NTP server 2)
ntp access-group query-only 90
---Please do not forget to rate useful post---
Regards,
Also I recommend you read this post:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtd75033/?rfs=iqvred
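To see what the access-group configuration above actually lets through, here is an added example (my own code, not from this thread or from Cisco) that decodes the mode field of an NTP packet and emulates how IOS evaluates `ntp access-group`: the keywords are scanned in the order peer, serve, serve-only, query-only, the first group whose ACL matches the source decides, and once any group is configured, a source that matches no group is denied (this is from the IOS command reference for `ntp access-group`). The sample packets and ACL addresses are constructed here; 203.0.113.10 and .11 stand in for the X.X.X.X server addresses in the post, and mapping NTP modes onto the three access types is my simplification.

```python
"""Decode the NTP mode byte and emulate Cisco IOS 'ntp access-group' matching.

Added example, not code from the forum thread or from Cisco. The packets and
addresses are constructed for illustration. The keyword scan order and
first-match rule follow the IOS command reference; the mapping from NTP mode
to the access types IOS distinguishes is my simplification.
"""
import ipaddress

# Constructed sample packets. First byte = LI(2) | VN(3) | Mode(3).
# 0x17 -> version 2, mode 7 (private); 0x03 = IMPL_XNTPD; 0x2a = REQ_MON_GETLIST_1
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)
CLIENT_REQUEST = bytes([0x1B]) + bytes(47)   # version 3, mode 3 (client asks for time)
SERVER_REPLY = bytes([0x1C]) + bytes(47)     # version 3, mode 4 (reply the router syncs to)
CONTROL_QUERY = bytes([0x16]) + bytes(11)    # version 2, mode 6 (control)

MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}


def parse_ntp_header(pkt: bytes) -> dict:
    """Decode version and mode from the first NTP byte; for mode 7 also impl/request code."""
    if len(pkt) < 4:
        raise ValueError("NTP packet too short")
    first = pkt[0]
    info = {"version": (first >> 3) & 0x7, "mode": first & 0x7}
    info["mode_name"] = MODE_NAMES.get(info["mode"], "reserved")
    if info["mode"] == 7:                    # private (mode 7) request layout
        info["implementation"] = pkt[2]
        info["request_code"] = pkt[3]
    return info


def access_type(mode: int) -> str:
    """Simplified mapping of NTP mode to what IOS decides on (assumption):
    'query'   mode 6/7 control and private packets (monlist lives here)
    'request' mode 3 client time requests that the router would answer
    'sync'    mode 1/2/4/5 packets that could make the router synchronize
    """
    if mode in (6, 7):
        return "query"
    if mode == 3:
        return "request"
    return "sync"


# What each keyword grants, per the IOS command reference.
PERMITS = {
    "peer": {"request", "query", "sync"},
    "serve": {"request", "query"},
    "serve-only": {"request"},
    "query-only": {"query"},
}
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")


def acl_permits(acl: list, src: str) -> bool:
    """Standard ACL modelled as a list of permitted hosts or CIDR prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)


def ntp_access_group(groups: dict, acls: dict, src: str, pkt: bytes) -> str:
    """Return 'permit' or 'deny' for one inbound NTP packet.
    groups: {"query-only": 90, ...}   acls: {90: ["203.0.113.10", ...]}
    """
    if not groups:                       # no access groups configured: all access granted
        return "permit"
    wanted = access_type(parse_ntp_header(pkt)["mode"])
    for keyword in SCAN_ORDER:           # first group whose ACL matches the source decides
        if keyword in groups and acl_permits(acls[groups[keyword]], src):
            return "permit" if wanted in PERMITS[keyword] else "deny"
    return "deny"                        # groups configured but source matched none


def demo() -> dict:
    """Evaluate the thread's 'query-only 90' config and a 'peer 90' variant."""
    acls = {90: ["203.0.113.10", "203.0.113.11"]}   # stand-ins for X.X.X.X
    as_posted = {"query-only": 90}
    peer_only = {"peer": 90}
    internet_host = "198.51.100.77"
    return {
        "monlist_from_internet": ntp_access_group(as_posted, acls, internet_host, MONLIST_REQUEST),
        "monlist_from_server": ntp_access_group(as_posted, acls, "203.0.113.10", MONLIST_REQUEST),
        "server_reply_under_query_only": ntp_access_group(as_posted, acls, "203.0.113.10", SERVER_REPLY),
        "server_reply_under_peer": ntp_access_group(peer_only, acls, "203.0.113.10", SERVER_REPLY),
        "monlist_from_internet_under_peer": ntp_access_group(peer_only, acls, internet_host, MONLIST_REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two things the emulation makes visible: a mode 7 request from an address outside ACL 90 is denied as soon as any access group exists, which is the point of the suggestion; but under this reading of the reference a `query-only` group by itself also leaves no group granting `sync`, so the router's own server replies would be denied, whereas `peer 90` grants sync and queries to the listed servers and still drops mode 7 from everywhere else. After applying either, check `show ntp associations` to confirm the router is still synchronized.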
08-06-2018 08:56 AM
Will this fix the issue? I need to apply it on the backbone main router.