01-18-2014 02:33 AM - edited 03-03-2019 07:16 AM
Hi,
for obvious reasons the protection of NTP servers exposed to the Internet is currently getting some reinvestigation. On a fresh 4500-X running IOS-XE 03.04.03.SG (aka 151-2.SG3) I encountered that
access-list 12 permit x.y.z.123
access-list 12 permit a.b.c.123
access-list 12 deny any
[...]
ntp access-group peer 12
ntp server x.y.z.123
ntp server a.b.c.123
will not prevent certain control queries from getting answered by the switch. For instance, ntpq peer list queries (ntpq -p device-ip) from any source still get a reply, even though the deny any ACE counter (and only that) will increment. Legitimate control queries (from the configured sources) will work as well, but increment the appropriate permissive ACE counters. On other switches (non-XE, like 4900M), the exact same configuration works as expected and denies ntpq control queries. Now those queries (there are more than just peer list queries that bypass the ACL on XE, I haven't checked all of them) aren't as dangerous an amplification tool as monlist is, but there still is amplification - and even without amplification, there's at least an information leak, if not a capability for remote control.
Has anyone else encountered this issue? Is it present in XE generally, or specific to this platform? I don't have much hardware to test against currently.
BTW, the ACL successfully blocks pure time queries, but in the context of NTP amp attacks, they are of least concern.
BTW^2, adding a pure deny-all ACL to the three other NTP ACL classes makes no difference - they increment counters, but answers still come back.
TIA,
Andre.
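To reproduce the check the post describes without depending on ntpq, here is an added example (my own code, not from the thread, Cisco, or the ntp project). It builds the same NTP mode-6 READSTAT request that `ntpq -p` sends, decodes the reply header, and reports whether a device you administer answered a peer-list query, which is exactly what a working `ntp access-group peer` ACL should prevent from an unlisted source. The sample reply bytes are constructed for the offline test; the `probe()` helper and the assumed 2-second timeout are mine.

```python
"""Offline check for NTP mode-6 (control) replies.

Added example, not from the thread or from Cisco: it builds the READSTAT
request that `ntpq -p` sends and parses the reply header, so a defender can
confirm whether a device they manage still answers control queries from a
host that `ntp access-group peer` should reject.
"""
import socket
import struct

NTP_MODE_CONTROL = 6
OPCODE_READSTAT = 1          # opcode `ntpq -p` uses to list associations
HEADER = "!BBHHHHH"          # li/vn/mode, r/e/m/opcode, seq, status, assoc, offset, count
HEADER_LEN = struct.calcsize(HEADER)  # 12 bytes


def build_readstat_request(sequence: int, version: int = 2) -> bytes:
    """Mode-6 READSTAT request with an empty payload (ntpq sends version 2)."""
    li_vn_mode = (version << 3) | NTP_MODE_CONTROL
    return struct.pack(HEADER, li_vn_mode, OPCODE_READSTAT,
                       sequence & 0xFFFF, 0, 0, 0, 0)


def parse_control_response(data: bytes) -> dict:
    """Decode the 12-byte control header and the association list after it."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    li_vn_mode, r_e_m_op, seq, status, assoc, offset, count = struct.unpack(
        HEADER, data[:HEADER_LEN])
    payload = data[HEADER_LEN:HEADER_LEN + count]
    if len(payload) < count:
        raise ValueError("truncated payload")
    peers = []
    if (r_e_m_op & 0x1F) == OPCODE_READSTAT:
        # READSTAT data is a list of (association id, peer status) 16-bit pairs
        for i in range(0, count - count % 4, 4):
            peers.append(struct.unpack("!HH", payload[i:i + 4]))
    return {
        "mode": li_vn_mode & 0x07,
        "version": (li_vn_mode >> 3) & 0x07,
        "response": bool(r_e_m_op & 0x80),
        "error": bool(r_e_m_op & 0x40),
        "more": bool(r_e_m_op & 0x20),
        "opcode": r_e_m_op & 0x1F,
        "sequence": seq,
        "status": status,
        "association": assoc,
        "offset": offset,
        "count": count,
        "peers": peers,
    }


def answered_peer_list(data: bytes, sequence: int) -> bool:
    """True when the packet is a non-error READSTAT response to our request,
    i.e. the device returned its association list despite the access-group."""
    try:
        r = parse_control_response(data)
    except ValueError:
        return False
    return (r["mode"] == NTP_MODE_CONTROL and r["response"] and not r["error"]
            and r["opcode"] == OPCODE_READSTAT and r["sequence"] == sequence)


# Constructed sample reply (not a capture): READSTAT response to sequence 7
# carrying one association, id 0x1234 with peer status 0x961a.
SAMPLE_REPLY = (struct.pack(HEADER, 0x16, 0x80 | OPCODE_READSTAT, 7, 0, 0, 0, 4)
                + struct.pack("!HH", 0x1234, 0x961A))


def probe(host: str, sequence: int = 7, timeout: float = 2.0) -> bool:
    """Send one READSTAT to a device you administer and report whether it answers.
    From an address the `ntp access-group peer` ACL does not permit, a device
    honouring the ACL should leave this returning False."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_readstat_request(sequence), (host, 123))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return False
    return answered_peer_list(data, sequence)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("control query answered" if probe(sys.argv[1])
              else "no control reply (ACL holding)")
    else:
        print(parse_control_response(SAMPLE_REPLY))
```

Run it as `python3 ntp_ctl_check.py <device-ip>` from a host the ACL does not permit; on the affected IOS-XE builds the thread reports, the deny ACE counter will increment yet the script will still print "control query answered", while a non-XE device such as the 4900M mentioned above should time out. Checking the sequence number and the error bit keeps a stray or refused reply from being counted as a leak.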
02-25-2014 09:24 AM
I'm seeing this same issue on ASR1K1 on IOS-XE 3.10.01.S and also 7200 NPE-G2 on 152-4.S, so it doesn't seem limited to the 4500X or IOS-XE either.
02-25-2014 09:37 AM
I have 6 devices where the ntp access-group is not working:
5 x ASR1002 - IOS-XE 03.07.03.S 15.2(4)S3
1 x 4500X-32 - IOS-XE 03.04.02.SG 15.1(2)SG2
I have a few older ASR1000s running 03.04.05.S IOS-XE 15.1(3)S5 that do not have the problem.
Open TAC case. No resolution yet.
02-25-2017 01:35 PM
More about ntp access-groups at:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp5471302810
02-26-2014 09:55 AM
Spoke with TAC after 3 days of very little communication.
They told me to use bug id: CSCUJ66318
That bug id is for vanilla IOS and marked as fixed.
I have escalated the issue to my account manager.
03-03-2014 03:24 PM
Another limited update...
TAC is moving forward with bug id CSCUJ66318.
They added "It will affect IOS-XE too" to the bug id. That is all. No additional info.
Received email today saying a bug fix for the ASR will be available with 15.3(3)S3 on 05/30/2014.
No update on the 4500x. They asked for my "show version", so I hope to get additional info soon.
03-07-2014 08:16 AM
Update from Cisco:
"For 4500 IOS-XE the next release dates are not planned yet .
Will cascade the info once I get a date from Release team."
07-15-2014 02:41 PM
Latest update from Cisco for the 4500X running IOS-XE:
I have been working with the Business Unit and the defect CSCuj66318 has been fixed in the interim releases for 4500X running IOS XE. The next release containing the fix should be 15.1(2)SG5 which is currently expected to post in Oct. on CCO.