Update Catalyst switch NTP version

Hi,

 

I am currently working on an NTP penetration test resolution task. Many of our Cisco switches got flagged up as having an NTP vulnerability. The pen test results advise upgrading to 4.2.8p9 or "add 'disable monitor' to the 'ntp.conf' configuration file and restart the service.", but the latter sounds like a server resolution, not a switch resolution.

 

Is the only way to update the NTP version of the switches to do a software upgrade? If so, so be it, but it would be great if there is another way that doesn't affect the uptime of the switches.

 

The switches I need to update NTP for are:

 

Model              SW Version           SW Image
-----              ----------           ----------
C9500-40X     16.9.1                   CAT9K_IOSXE

Ntp Software Version : Cisco-ntpv4-1.0

 

 

Model                                  SW Version             SW Image
-----                                  ----------             ----------
WS-C2960X-24PD-L          15.2(4)E6                C2960X-UNIVERSALK9-M

Ntp Software Version : Cisco-ntpv4-1.0

 

 

Model                 SW Version       SW Image
-----                 ----------       ----------
C9300-48T        16.6.4a             CAT9K_IOSXE

Ntp Software Version : Cisco-ntpv4-1.0

 


Seb Rupik (VIP Alumni), accepted solution

Hi there,

You cannot upgrade the ntp process in the same way you would a package on a server.

When faced with a vulnerability, check here: https://tools.cisco.com/security/center/publicationListing.x, for the corresponding advisory using the CVE number and platform you are running. Most advisories will have mitigation steps you can take without needing to upgrade the switch software. In some cases the vulnerability is so severe that Cisco will quickly publish software updates to address it, but in most cases you must wait for a routine software release which will fix the vulnerability.

 

cheers,

Seb.

Hi Seb,

 

Thank you very much for the quick and great answer. I was able to locate the CVE number of the NTP vulnerability and am currently going through Cisco's documentation for the fix.

Hi again Seb,

 

Thanks again for your help last week. I am however stuck again and was wondering if you can help?

 

As far as I can see, Cisco Catalyst switches only have NTP versions 1-4 available. The pen test results advise upgrading NTP to NTP 4.2.8p9 or later. I cannot find out how to upgrade NTP to this version on our Cisco Catalyst switches. I also updated a switch to image 15.2(7)E5, which was only released about 4 months ago, and the NTP version is still 4.1. Is this NTP upgrade to 4.2.8p9 or later perhaps only related to the NTP server and not the switches?

What is the CVE number you are looking at? Also can you share the current NTP configuration from the device in question?

 

cheers,

Seb.

Hi,
I believe the CVE is CVE-2016-4953. It is this NTP vulnerability - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160603-ntpd
Regarding the NTP configuration, all I can see is the 'NTP server' IP and some 'NTP peer' IPs.

Looking a bit further at this, the Cisco bug ID is CSCuz92785, but the website seems to be broken for me tonight, which may have revealed a mitigation in absence of a software upgrade.

As a configuration step I suggest you apply ACLs to your NTP config such that you are only communicating with known devices. Apply interface ACLs as necessary to stop NTP traffic destined for the switch which is originating from unwanted subnets: users, the internet, etc.

It is disappointing to see that ntp-4.2.8p9 was released back in November 2016 and has still not made it onto IOS!

https://www.nwtime.org/ntp428p9_release/

 

As @Leo Laohoo points out, you should upgrade your switch software asap (15.2.7E5 and 17.3.4), as your pen testers currently have a long list of software vulnerabilities to beat you over the head with!

 

cheers,

Seb.

Hi Seb,

 

Many thanks for your quick reply again. OK, I'm glad I didn't just miss something obvious and that Cisco IOS doesn't have ntp-4.2.8p9 available. Just so I understand you correctly, the only way I can resolve this vulnerability is to apply ACLs to the NTP config to only allow NTP traffic from known trusted IPs?

 

Yes, we are upgrading the IOS of all of these switches very soon as they are very out of date. Thanks.

this link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz92785

... is working today! On reading it, there are mitigations for two of the four vulnerabilities. Under this circumstance, if a software upgrade still does not resolve the ntp version, then you need to isolate the device from these ntp queries as best as possible, whilst still allowing it to perform its designated ntp function in your network. If that is considered to be too great a risk then the only other option is to replace the hardware with a platform which hopefully has a fixed ntp process!

 

cheers,

Seb.
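As an added illustration of the two layers Seb describes above (an ACL on the NTP process itself, plus an interface ACL stopping NTP aimed at the switch from untrusted subnets, while the switch keeps serving time where it is meant to), here is how that looks in IOS / IOS-XE syntax. This is not Seb's or Cisco's configuration; the addresses (192.0.2.10/11 for the time sources, 10.0.0.1 for the switch's own SVI address, 10.10.0.0/16 for served clients) and the interface name are constructed placeholders.

```cisco
! --- Layer 1: restrict the NTP process itself (added example, constructed addresses) ---
! Once any "ntp access-group" is configured, NTP packets from hosts that match
! no group are dropped by the NTP process, which is the intended effect here.
access-list 10 remark Trusted time sources (the existing "ntp server"/"ntp peer" addresses)
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
!
access-list 20 remark Downstream clients this switch is expected to serve time to
access-list 20 permit 10.10.0.0 0.0.255.255
!
! peer: the switch may synchronise to these hosts; they may send time requests and control queries
ntp access-group peer 10
! serve-only: time requests only; NTP control queries from these clients are refused
ntp access-group serve-only 20
!
! --- Layer 2: interface ACL on the user-facing SVI, matching only NTP aimed at the switch ---
ip access-list extended NTP-UNTRUSTED-IN
 remark Trusted sources may still reach this switch's NTP service
 permit udp host 192.0.2.10 host 10.0.0.1 eq ntp
 permit udp host 192.0.2.11 host 10.0.0.1 eq ntp
 remark Served clients need UDP/123 to the switch; layer 1 limits them to time requests
 permit udp 10.10.0.0 0.0.255.255 host 10.0.0.1 eq ntp
 remark Anything else aimed at the switch's NTP port is dropped and logged
 deny   udp any host 10.0.0.1 eq ntp log
 remark Transit traffic, including users' NTP to other servers, is untouched
 permit ip any any
!
interface Vlan100
 description User VLAN (constructed placeholder)
 ip access-group NTP-UNTRUSTED-IN in
!
! --- Verification after the change ---
! show ntp associations                  -> a trusted source should still be marked "*" (sys.peer)
! show ntp status                        -> "Clock is synchronized"
! show ip access-lists NTP-UNTRUSTED-IN  -> hit counts on the deny line show blocked probes
```

Apply this from a console session or with a scheduled "reload in" so an ACL mistake on the management path cannot lock you out. The deny line's log entries are also the evidence you can hand back to the pen testers that untrusted NTP no longer reaches the switch.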

Hi Seb,

 

Thanks for your reply again. I am now not able to load that link but thanks anyway.

 

I am applying an NTP ACL on the switches to only allow NTP traffic from our NTP server IPs. Fingers crossed this resolves the vulnerability.

Leo Laohoo (Hall of Fame)

@MichaelBorg91237 wrote:

C9500-40X     16.9.1                   CAT9K_IOSXE


ROFL.

NTP got flagged but no one bothered to look at this?

I ran a Cisco Software Checker against 16.9.1 and the result is very "impressive".