32414 Views | 6 Helpful | 6 Replies

NTP vulnerability issue

krisvamcee (Level 1)

Hi all,

From the vulnerability scan, we got the below issue for NTP for a Cisco 3850 switch. Could somebody please advise how to fix it?

An NTP control (mode 6) message with the UNSETTRAP (31) opcode with an unknown association identifier will cause NTP to respond with two packets -- one error response packet indicating that the association identifier was invalid followed by another non-error.

Apply a restrict option to all hosts that are not authorized to perform NTP queries. For example, to deny query requests from all clients, put the following in the NTP configuration file, typically /etc/ntp.conf, and restart the NTP service.

The only config the switch has for NTP is

ntp source loopback

ntp server x.x.x.x

Regards

Kris

Accepted Solution

johnd2310 (Level 8)

Hi,

If your switch is just going to be an ntp client then you will need to restrict query and server requests using access lists

e.g.

access-list 40 permit host 192.168.1.1

access-list 50 deny any

ntp access-group peer 40

ntp access-group serve-only 50

ntp access-group query-only 50

ntp server 192.168.1.1

The example above allows the switch to get time from ntp server 192.168.1.1. Access-list 49 only allows time from 192.168.1.1. Access-list 50 prevents the switch from providing time to anyone and prevents queries from anyone.

The following doc provides more details:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020508-ntp-vulnerability

Thanks

John

**Please rate posts you find helpful**

6 Replies

Hi John,

Thanks a lot for the reply. So just to confirm, in this case access list 50 prevents the ntp client from responding to NTP queries and it doesn't accept control queries.

Regards

Kris

Hi,

Yes, access-list 50 is to prevent the switch from being an ntp server and to prevent the switch responding to control queries.

Thanks

John

**Please rate posts you find helpful**

Thanks John.

Regards
Kris

I am also facing the same ntp mode 6 vulnerability in a Cisco 7609 Router, IOS Version 15.5(3)S5. Is it the same configuration in the router as well to close this vulnerability?

Pankaj Jain

I know this is an old message, but I was wondering what options can be done for a switch that is NTP Master for all your other switches. I found this: https://community.cisco.com/t5/network-management/ntp-allow-mode-control/td-p/4596164

So I went with the ntp allow mode control 3 option and our Nessus scan no longer shows this switch having the NTP Mode 6 vulnerability.
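As an added example that is not from any post in this thread or from Cisco, here is a Python audit that reads an IOS config, resolves the ACLs behind each `ntp access-group` from the accepted answer, and flags what the scanner would still report; it also accepts the `ntp allow mode control` line from the last reply as the alternative for an NTP master. The sample configs are constructed from the thread, and the check only understands numbered standard ACLs (an assumption, not an IOS limitation).

```python
import re

# Constructed sample: the poster's config with the accepted answer's ACLs applied.
HARDENED = """\
access-list 40 permit host 192.168.1.1
access-list 50 deny any
ntp source Loopback0
ntp access-group peer 40
ntp access-group serve-only 50
ntp access-group query-only 50
ntp server 192.168.1.1
"""
ORIGINAL = "ntp source Loopback0\nntp server 192.168.1.1\n"  # constructed: poster's unrestricted config

def parse_acls(config):
    """Map numbered standard ACL -> [(action, target), ...] (named ACLs are not handled)."""
    acls = {}
    for num, action, target in re.findall(r"^access-list (\d+) (permit|deny) (.+)$", config, re.M):
        acls.setdefault(num, []).append((action, target.strip()))
    return acls

def audit_ntp(config):
    """Return findings as strings; an empty list means NTP is restricted as the thread advises."""
    acls = parse_acls(config)
    groups = dict(re.findall(r"^ntp access-group (peer|serve-only|serve|query-only) (\S+)$", config, re.M))
    servers = re.findall(r"^ntp server (\S+)", config, re.M)
    # 'ntp allow mode control N' is the option the last reply used on an NTP master.
    rate_limited = re.search(r"^ntp allow mode control \d+$", config, re.M) is not None
    findings = []
    if "query-only" not in groups and not rate_limited:
        findings.append("mode 6 control queries unrestricted: no 'ntp access-group query-only'")
    if "serve-only" not in groups:
        findings.append("no 'ntp access-group serve-only': acceptable only if this device is meant to serve time")
    # The answer's 'deny any' ACL works because it holds no permit entry; any permit reopens the hole.
    for kind in ("serve-only", "query-only"):
        acl = groups.get(kind)
        if acl is None:
            continue
        if acl not in acls:
            findings.append(f"{kind} references ACL {acl}, which is not defined")
        elif any(action == "permit" for action, _ in acls[acl]):
            findings.append(f"{kind} ACL {acl} still permits some hosts")
    # The peer ACL must permit every configured server or the switch stops syncing.
    if "peer" in groups:
        peer_entries = acls.get(groups["peer"], [])
        for srv in servers:
            if ("permit", f"host {srv}") not in peer_entries:
                findings.append(f"peer ACL {groups['peer']} does not permit ntp server {srv}")
    return findings
```

Run `audit_ntp` over the output of `show running-config | include access-list|ntp` from each device; an empty list matches the accepted answer's intent.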
