NTP vulnerability issue

Hi all,

 

From the vulnerability scan, we got the issue below for NTP on a Cisco 3850 switch. Could somebody please advise how to fix it?

 

An NTP control (mode 6) message with the UNSETTRAP (31) opcode with an unknown association identifier will cause NTP to respond with two packets -- one error response packet indicating that the association identifier was invalid followed by another non-error.

Apply a restrict option to all hosts that are not authorized to perform NTP queries. For example, to deny query requests from all clients, put the following in the NTP configuration file, typically /etc/ntp.conf, and restart the NTP service.

 

The only config the switch has for NTP is

ntp source loopback

ntp server x.x.x.x

 

Regards

Kris

1 ACCEPTED SOLUTION

Rising star

Re: NTP vulnerability issue

Hi,

If your switch is just going to be an NTP client, then you will need to restrict query and server requests using access lists,

e.g.

access-list 40 permit host 192.168.1.1
access-list 50 deny any

ntp access-group peer 40
ntp access-group serve-only 50
ntp access-group query-only 50
ntp server 192.168.1.1

The example above allows the switch to get time from NTP server 192.168.1.1. Access-list 49 only allows time from 192.168.1.1. Access-list 50 prevents the switch from providing time to anyone and prevents queries from anyone.

The following doc provides more details:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020508-ntp-vulnerability

 

Thanks

John

**Please rate posts you find helpful**
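As an added example (not from John's post or from Cisco's documentation), here is a small Python audit that checks a saved IOS running-config for the access-group pattern John describes: `serve-only` and `query-only` must point at an ACL that denies everyone, and `peer` must point at an ACL that permits each configured `ntp server`. The config text and addresses are constructed, and only standard numbered ACLs are assumed.

```python
import re
from typing import Dict, List

# Constructed config fragment that follows the accepted answer (hypothetical device).
HARDENED_CONFIG = """\
access-list 40 permit host 192.168.1.1
access-list 50  deny any
ntp access-group peer 40
ntp access-group serve-only 50
ntp access-group query-only 50
ntp server 192.168.1.1
"""

# Constructed fragment mirroring the original poster's situation: no access-groups at all.
UNRESTRICTED_CONFIG = """\
ntp source Loopback0
ntp server 192.168.1.1
"""

def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect standard numbered ACL entries keyed by ACL number."""
    acls: Dict[str, List[str]] = {}
    for m in re.finditer(r"^access-list (\d+) (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls

def acl_denies_all(entries: List[str]) -> bool:
    """True only if the ACL exists and every entry is a deny (a missing ACL permits all)."""
    return bool(entries) and all(e.startswith("deny") for e in entries)

def audit_ntp(config: str) -> List[str]:
    """Return findings; an empty list means the NTP restrictions are in place."""
    findings: List[str] = []
    acls = parse_acls(config)
    groups = dict(re.findall(r"^ntp access-group (\S+) (\d+)", config, re.M))
    servers = re.findall(r"^ntp server (\S+)", config, re.M)
    # query-only covers control (mode 6) queries, serve-only covers time requests
    for kind in ("serve-only", "query-only"):
        acl = groups.get(kind)
        if acl is None:
            findings.append(f"no 'ntp access-group {kind}' configured")
        elif not acl_denies_all(acls.get(acl, [])):
            findings.append(f"ACL {acl} used for {kind} does not deny everyone")
    peer_acl = groups.get("peer")
    if peer_acl is None:
        findings.append("no 'ntp access-group peer' configured")
    else:
        permitted = {e.split()[-1] for e in acls.get(peer_acl, []) if e.startswith("permit")}
        findings += [f"ntp server {s} not permitted by peer ACL {peer_acl}" for s in servers if s not in permitted]
    return findings
```

Feed it the output of `show running-config | include access-list|ntp` to check a device before and after the change.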
5 REPLIES
Beginner

Re: NTP vulnerability issue

 

Hi John,

 

Thanks a lot for the reply. So just to confirm, in this case access list 50 prevents the NTP client from responding to NTP queries and it doesn't accept control queries.

 

Regards

Kris

 

Rising star

Re: NTP vulnerability issue

Hi,

Yes, access-list 50 is to prevent the switch from being an ntp server and to prevent the switch responding to control queries.

 

Thanks

John

**Please rate posts you find helpful**
Beginner

Re: NTP vulnerability issue

Thanks John.

Regards
Kris
Beginner

Re: NTP vulnerability issue

I am also facing the same NTP mode 6 vulnerability on a Cisco 7609 Router, IOS Version 15.5(3)S5. Is it the same configuration on the router as well to close this vulnerability? Pankaj Jain