NTP ACL on IOS-XE (4500-X) bugged?

abpsoft
Level 1

Hi,

for obvious reasons the protection of NTP servers exposed to the Internet is currently getting some reinvestigation. On a fresh 4500-X running IOS-XE 03.04.03.SG (aka 151-2.SG3) I encountered that

access-list 12 permit x.y.z.123
access-list 12 permit a.b.c.123
access-list 12 deny   any

[...]

ntp access-group peer 12
ntp server x.y.z.123
ntp server a.b.c.123

will not prevent certain control queries from getting answered by the switch. For instance, ntpq peer list queries (ntpq -p device-ip) from any source still get a reply, even though the deny any ACE counter (and only that) will increment. Legitimate control queries (from the configured sources) will work as well, but increment the appropriate permissive ACE counters. On other switches (non-XE, like 4900M), the exact same configuration works as expected and denies ntpq control queries. Now those queries (there are more than just peer list queries that bypass the ACL on XE, I haven't checked all of them) aren't as dangerous an amplification tool as monlist is, but there still is amplification - and even without amplification, there's at least an information leak, if not a capability for remote control.

Has anyone else encountered this issue? Is it present in XE generally, or specific to this platform? I don't have much hardware to test against currently.

BTW, the ACL successfully blocks pure time queries, but in the context of NTP amp attacks, they are of least concern.

BTW^2, adding a pure deny-all ACL to the three other NTP ACL classes makes no difference - they increment counters, but answers still come back.

TIA,

Andre.
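The behaviour Andre describes can be checked against what the ntp access-group feature is documented to do. The following Python is an added illustration, not code from the original post or from Cisco: it decodes the NTP mode field of a datagram (mode 3 for a plain time request, mode 6 for the control messages that ntpq -p sends), applies the documented meaning of the four access-group classes (peer, serve, serve-only, query-only) together with standard-ACL first-match semantics, and reports where a device answered a query that the configuration should have dropped. The packets are constructed, and the documentation addresses 192.0.2.123 and 198.51.100.123 stand in for the post's x.y.z.123 and a.b.c.123; the audit() helper and its observation tuples are assumptions of this example.

```python
"""Model of what Cisco's 'ntp access-group' classes are documented to permit,
applied to sample NTP datagrams classified by their mode field.
Added illustration; not Cisco code and not a capture from the poster's devices."""
import ipaddress

# NTP mode field (low 3 bits of the first header byte).
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "time-client",
              4: "time-server", 5: "broadcast", 6: "control", 7: "private"}
# Mode 6 (ntpq) opcodes live in the low 5 bits of the second byte.
CONTROL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK"}

# Which access-group classes grant each request type, per the IOS command
# reference: peer and serve answer time requests and control queries,
# serve-only answers only time requests, query-only answers only control
# queries, and only peer lets the device synchronise to the source.
CLASSES_FOR = {
    "time": {"peer", "serve", "serve-only"},
    "control": {"peer", "serve", "query-only"},
    "sync": {"peer"},
}


def parse_ntp(packet: bytes) -> dict:
    """Decode version and mode from the first byte, plus the opcode for
    control (mode 6) messages such as the ones 'ntpq -p' sends."""
    if len(packet) < 4:
        raise ValueError("NTP header needs at least 4 bytes")
    mode = packet[0] & 0x07
    info = {"version": (packet[0] >> 3) & 0x07, "mode": mode,
            "kind": MODE_NAMES.get(mode, "reserved")}
    if mode == 6:
        info["opcode"] = CONTROL_OPCODES.get(packet[1] & 0x1F, "other")
    return info


def request_type(mode: int) -> str:
    """Map an NTP mode onto the access-group request category it needs."""
    if mode in (1, 2):
        return "sync"
    if mode in (6, 7):
        return "control"
    return "time"


def acl_permits(acl, src: str) -> bool:
    """Standard ACL semantics: first matching entry wins, implicit deny at end.
    Entries are (action, network) tuples."""
    ip = ipaddress.ip_address(src)
    for action, network in acl:
        if ip in ipaddress.ip_network(network):
            return action == "permit"
    return False


def should_answer(access_groups: dict, src: str, packet: bytes) -> tuple:
    """Return (answer?, parsed header). With no access-group configured IOS
    answers everyone; once any class is configured, only a configured class
    that grants this request type and whose ACL permits the source answers."""
    info = parse_ntp(packet)
    if not access_groups:
        return True, info
    for cls in CLASSES_FOR[request_type(info["mode"])]:
        acl = access_groups.get(cls)
        if acl is not None and acl_permits(acl, src):
            return True, info
    return False, info


# Constructed datagrams (first byte = LI<<6 | VN<<3 | mode).
CLIENT_TIME = bytes([0x23]) + bytes(47)          # VN=4, mode 3: plain time request
NTPQ_READSTAT = bytes([0x16, 0x01]) + bytes(10)  # VN=2, mode 6, opcode 1: first message of ntpq -p

# The poster's configuration, with documentation addresses standing in for
# x.y.z.123 and a.b.c.123 (assumed placeholders, not real servers).
ACL_12 = [("permit", "192.0.2.123/32"),
          ("permit", "198.51.100.123/32"),
          ("deny", "0.0.0.0/0")]
CONFIG = {"peer": ACL_12}


def audit(access_groups: dict, observations) -> list:
    """Compare observed 'answered' flags against the modelled verdict and
    return the (src, kind) pairs where the device answered but should not have."""
    leaks = []
    for src, packet, answered in observations:
        expected, info = should_answer(access_groups, src, packet)
        if answered and not expected:
            leaks.append((src, info["kind"]))
    return leaks


if __name__ == "__main__":
    # Constructed observations mirroring the thread: ntpq from an unknown host
    # was answered on the 4500-X, a plain time request from it was not.
    seen = [("192.0.2.123", NTPQ_READSTAT, True),
            ("203.0.113.9", NTPQ_READSTAT, True),
            ("203.0.113.9", CLIENT_TIME, False)]
    for src, kind in audit(CONFIG, seen):
        print(f"unexpected answer to {kind} query from {src}")
```

With the post's configuration the model drops the mode 6 query from 203.0.113.9 while answering it from a permitted peer, which is the 4900M behaviour Andre reports; feeding it the ACE counters and replies actually observed on the 4500-X makes the discrepancy explicit and gives a TAC case something concrete to reproduce.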

7 Replies

tim
Level 1

I'm seeing this same issue on ASR1K1 on IOS-XE 3.10.01.S and also 7200 NPE-G2 on 152-4.S, so it doesn't seem limited to the 4500X or IOS-XE either.

I have 6 devices where the ntp access-group is not working:

5 x ASR1002 - IOS-XE 03.07.03.S 15.2(4)S3

1 x 4500X-32 - IOS-XE 03.04.02.SG  15.1(2)SG2

I have a few older ASR1000's running 03.04.05.S IOS-XE 15.1(3)S5, that do not have the problem.

Open TAC case. No resolution yet.

More about ntp access-groups at:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp5471302810

Spoke with TAC after 3 days of very little communication.

They told me to use bug id: CSCUJ66318

That bug id is for vanilla IOS and marked as fixed.

I have escalated the issue to my account manager.

Another limited update...

TAC is moving forward with bug id CSCUJ66318

They added "It will affect IOS-XE too" to the bug id. That is all. No additional info.

Received email today saying a bug fix for the ASR will be available with 15.3(3)S3 on 05/30/2014.

No update on the 4500x. They asked for my "show version", so I hope to get additional info soon.

Update from Cisco:

"For 4500 IOS-XE the next release dates are not planned yet.

Will cascade the info once I get a date from Release team."

Latest update from Cisco for the 4500X running IOS-XE:

I have been working with the Business Unit and the defect CSCuj66318 has been fixed in the interim releases for 4500X running IOS XE. The next release containing the fix should be 15.1(2)SG5 which is currently expected to post in Oct. on CCO.