Script to apply 'Workaround' for LEAP Second Security Vulnerability(VN-2015-002)

Objective
This script applies the workaround for the Leap Second security vulnerability (VN-2015-002).
Environment
EXOS 16.1 and older
Procedure
How the script works:
  • This CLI script creates two UPM profiles that disable and re-enable NTP, which is the workaround for the ‘leap second’ security vulnerability.
  • The UPM profiles created by the script disable the NTP service globally at 23:59:30 06/28/2015 UTC and re-enable it at 00:00:30 07/01/2015 UTC.
  • Because the leap second occurs in UTC, the script reads the switch's timezone setting and sets the UPM timers to the equivalent local times.
Prerequisites to run the script:
  • This script works fine with 15.2.x and 15.3.x. (15.1.x and 15.4.x are not tested.)
  • For a switch running 15.5.x or higher only: ensure the switch meets the conditions below, because there are CRs that prevent the script from executing properly. (See the additional notes below for details.)
    1. EXOS versions supported: 15.5.3.4p1-5 and later, 15.6.2.12 and later and 15.7.1.4 and later.
    2. Either configure the timezone, or configure it and then revert to the default timezone setting, which is UTC.
How to run the script:
  • Copy the script to the switch via TFTP or a USB drive, or copy and paste the contents of the script into a newly created file on the switch.
  • # load script <script_name>
Example steps:

* BD-8810.12 # show switch | i "^Cur|^Time"
Current Time:     Fri Jun 26 02:52:31 2015
Timezone:         [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.
* BD-8810.12 # load script leap
* BD-8810.13 # show upm profile 
================================================================================
UPM Profile          Events                 Flags Ports
================================================================================
ntpdown              UPM-Timer(ntpdown)        e 
ntpup                UPM-Timer(ntpup)          e 
================================================================================
Number of UPM Profiles: 2
Number of UPM Events in Queue for execution: 0
Flags: d - disabled, e - enabled
Event name: log-message(Log filter name) - Truncated to 20 chars
* BD-8810.14 # show upm timers 
Current Time: 2015-06-26 02:53:02
--------------------------------------------------------------------------------
UPM               Profile       Flags              Next Execution
Timer             Name                             time              
--------------------------------------------------------------------------------
ntpdown          ntpdown        eo            2015-06-28 23:59:30
ntpup            ntpup          eo            2015-07-01 00:00:30
--------------------------------------------------------------------------------
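
To confirm that the timers landed on the right local time for a switch's timezone, the offset arithmetic the script performs can be reproduced offline. This is an added example, not part of the original article or the script; the function names are hypothetical and the non-UTC sample is constructed.

```python
import re
from datetime import datetime, timedelta

# UTC instants hard-coded in the script's downt / upt variables.
TIMERS_UTC = {"ntpdown": datetime(2015, 6, 28, 23, 59, 30),
              "ntpup": datetime(2015, 7, 1, 0, 0, 30)}

# Taken from the article's example output (switch left at UTC).
PAGE_SWITCH = "Timezone:         [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC."
PAGE_TIMERS = """\
ntpdown          ntpdown        eo            2015-06-28 23:59:30
ntpup            ntpup          eo            2015-07-01 00:00:30
"""
# Constructed sample: GMT offset of -300 minutes with 60 minutes of DST active.
EST_SWITCH = ("Timezone:         [Auto DST Enabled] GMT Offset: -300 minutes, name is EST.\n"
              "                  DST of 60 minutes is currently in effect, name is EDT.")

def local_offset(show_switch: str) -> timedelta:
    """GMT offset plus any active DST, read the way the script reads 'show switch'."""
    gmt = re.search(r"GMT Offset:\s*(-?\d+)\s+minutes", show_switch)
    if gmt is None:
        raise ValueError("no 'GMT Offset' found in show switch output")
    dst = re.search(r"DST of (\d+) minutes is currently in effect", show_switch)
    return timedelta(minutes=int(gmt.group(1)) + (int(dst.group(1)) if dst else 0))

def expected_timers(show_switch: str) -> dict:
    """Local 'Next Execution' time each UPM timer should show on this switch."""
    off = local_offset(show_switch)
    return {n: (t + off).strftime("%Y-%m-%d %H:%M:%S") for n, t in TIMERS_UTC.items()}

def check_timers(show_switch: str, show_upm_timers: str) -> dict:
    """Return {timer: (expected, found)} for every timer that is missing or wrong."""
    found = {}
    for line in show_upm_timers.splitlines():
        # Columns: timer name, profile name, flags, next execution time.
        m = re.match(r"\s*(\S+)\s+\S+\s+\S+\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return {n: (exp, found.get(n))
            for n, exp in expected_timers(show_switch).items() if found.get(n) != exp}

if __name__ == "__main__":
    print(check_timers(PAGE_SWITCH, PAGE_TIMERS))   # article's UTC switch
    print(expected_timers(EST_SWITCH))              # constructed non-UTC switch
```

An empty result from `check_timers` means both timers are present and scheduled for the expected local time; any entry it returns names a timer to re-check with `show upm timers`.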

Script: 
 
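# Created by Matt Helm
# This turns off NTP to avoid the leap second crash in EXOS
# leap.xsf
# usage: load script leap
 
# Disable CLI paging so the output of "show switch" is captured in full
disable clip
# UTC times at which NTP is disabled (downt) and re-enabled (upt)
set var downt "23:59:30 06/28/2015"
set var upt   "00:00:30 07/01/2015"
# Convert both times to epoch seconds
set var cdownt $TCL(clock scan $downt)
set var cupt $TCL(clock scan $upt)
# Capture the output of "show switch" in cli.out and split it into lines
set var cli.out 0
show switch
set var s $TCL(split ${cli.out} "\n")
# Locate the Timezone line (tzl) and the line after it (dstl), which reports DST
set var i $TCL(lsearch $s *Timezone*)
set var tzl $TCL(lindex $s $i)
set var i ($i + 1)
set var dstl $TCL(lindex $s $i)
set var t $TCL(regexp {DST of \d+ minutes is currently in effect} $dstl)
set var dstm 0
# The GMT offset is the word before "minutes" on the Timezone line; convert it to seconds
set var i $TCL(lsearch $tzl *minutes*)
set var i ($i - 1)
set var o $TCL(lindex $tzl $i)
set var o ($o * 60)
# Add the DST adjustment (in seconds) when DST is currently in effect
if ($t == 1) then
   set var dstm $TCL(lindex $dstl 2)
   set var dstm ($dstm * 60)
endif
set var o ($o + $dstm)
# Shift the UTC times by the total offset and format them for the UPM timers
set var cadownt ($cdownt + $o)
set var caupt ($cupt + $o)
set var hadownt $TCL(clock format $cadownt -format {%m %d %Y %H %M %S})
set var haupt $TCL(clock format $caupt -format {%m %d %Y %H %M %S})
# Profile ntpdown: disable NTP and save; a line containing only "." ends the profile
create upm pro ntpdown
disable cli prompting
disable ntp
save
.
# Profile ntpup: re-enable NTP and save
create upm pro ntpup
disable cli prompting
enable ntp
save
.
# Create one timer per profile and schedule each at its computed local time
create upm timer ntpdown
create upm timer ntpup
config upm timer ntpdown pro ntpdown
config upm timer ntpup pro ntpup
config upm timer ntpdown at $hadownt
config upm timer ntpup at $haupt
# Re-enable CLI paging
enable clip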
Additional notes
While this script was specifically created for the 30 June 2015 leap second, it can be used for other leap seconds by modifying the downt and upt variables before loading the script. upt should be 24 hours before the leap second, and downt should be 24 hours after the leap second.

The TCL library was upgraded as part of 15.5.1GA, and the upgrade introduced some problems related to the TCL "clock" function.

Below are the CRs fixed in 15.5.3.4p1-5 and later, 15.6.2.12 and later and 15.7.1.4 and later.
xos0055958: In CLI scripting getting error while executing command "set var seconds $TCL(clock seconds)".
xos0058393: "clock format" TCL command is not available in CLIscripting.

Below is the CR that is scheduled to be fixed in upcoming patch versions.
xos0061565: "clock scan" TCL function generates error with default switch configuration.

Additional Information: Official Notice: VN 2015 002 Leap Second
Are Extreme Networks products vulnerable to VN-2015-002 Leap Second?
