Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
14353
Views
0
Helpful
5
Replies
pankaj29in
Beginner
Beginner
‎03-27-2017 05:36 AM
‎03-27-2017 05:36 AM

Network Time Protocol (NTP) Mode 6 Scanner Vulnerability on Cisco Devices

Hi All,

Recently I came across this vulnerability on Cisco network switches of "Network Time Protocol (NTP) Mode 6 Scanner" which in description had "The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification
attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected
denial of service condition" this statement.

After checking this error online I realized IOS of the switches needs to be upgraded to 15.2 or greater. below that all will have this Vulnerability.

So is there any workaround which can be configured to get rid of this Vulnerability to be Compliant.

Regards

Mohit

Labels:
6 people had this problem
0 Helpful
5 REPLIES 5
Mark Malone
Mentor
Mentor
‎03-27-2017 05:58 AM
‎03-27-2017 05:58 AM

Hi does the bug ID give a workaround ? if not you probably need to upgrade or else it would have stated in there that there was another option , its always a good idea to keep your code up to date even though some v12 versions were very stable compared to v15

0 Helpful
lpassmore
Beginner
Beginner
‎03-27-2017 06:33 PM
‎03-27-2017 06:33 PM

Or implement NTP authentication

0 Helpful
csawest.dc
Participant
Participant
In response to lpassmore
‎11-21-2017 09:43 AM
‎11-21-2017 09:43 AM

hi lpassmore

i have same issue.

please help us...

 

 

XYZ#show running-config | include ntp

ntp authentication-key 1 md5 06031722444F071E00 7

ntp authenticate

ntp trusted-key 1

ntp source GigabitEthernet0/11

ntp server XX.XX.XX.XX key 1

ntp server vrf Mgmtvrf XX.XX.XX.XX

 

0 Helpful
Georg Pauwen
VIP Master VIP Master
VIP Master
In response to csawest.dc
‎11-21-2017 10:28 AM
‎11-21-2017 10:28 AM

Hello,

 

the vulnerability exists only for unauthenticated, remote attackers. Since you have authentication configured, you are already protected...

 

Network Time Protocol Rate Limiting Denial of Service Vulnerability

 

https://tools.cisco.com/security/center/viewAlert.x?alertId=49828

0 Helpful
csawest.dc
Participant
Participant
In response to Georg Pauwen
‎11-21-2017 08:55 PM
‎11-21-2017 08:55 PM

Hello Georg,

thanks for the reply !!

 

The remote NTP server responds to mode 6 queries. Devices that respond
to these queries have the potential to be used in NTP amplification
attacks. An unauthenticated, remote attacker could potentially exploit
this, via a specially crafted mode 6 query.

 

this happens for  all Cisco  devices !!

 

0 Helpful
Latest Contents
AppDynamics
Created by mclymer on 06-30-2022 09:46 AM
0
0
0
0
Cisco Champion Radio: S9|E25 SD-WAN and Ubiquitous Cloud Sec...
Created by Amilee San Juan on 06-29-2022 02:35 PM
1
5
1
5
Listen: https://smarturl.it/CCRS9E25 Follow us: twitter.com/ciscochampions With applications and users everywhere, the networks are now, more than ever, being tasked with delivering consistent protection while providing an exceptional user exper... view more
Cisco Champion Radio: S9|E24 Cisco Radio Aware Routing
Created by Amilee San Juan on 06-28-2022 01:30 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E24 Follow us: https://twitter.com/CiscoChampion  Cisco Radio Aware Routing addresses several of the challenges faced when merging IP routing and radio communications in mobile networks, especially those exhibiti... view more
Cisco Champion Radio: S9|E23 The Cisco Catalyst 9136 Wi-Fi 6...
Created by Amilee San Juan on 06-28-2022 01:21 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E23 Follow us: https://twitter.com/CiscoChampion The Wi-Fi 6E Catalyst 9136 access point takes advantage of the 6-GHz band to produce a network that is more reliable and secure, with higher throughput, more ... view more
DR and the Type-2 LSA in OSPFv3 versus OSPFv2
Created by Meddane on 06-24-2022 04:35 PM
0
0
0
0
When moving from OSPFv2 to OSPFv3, there are many changes in the format of the LSAs Type, but the most known changes are: IP prefix informations are no longer carried in Type-1 LSA and Type-2 LSA, new LSAs Type 8 and 9 are added to carry these prefixes. L... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad