
VN 2014 005 NTP Threats


Vulnerability Notice

 
Vulnerability Summary
SUMMARY (From CERT)
The Network Time Protocol (NTP) provides network systems with a way to synchronize time for various services and applications. ntpd version 4.2.7 and previous versions allow attackers to overflow several buffers in a way that may allow malicious code to be executed. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys.

BACKGROUND
The ntpd implementation has multiple security weaknesses that affect various components. They stem from several bugs: insecure random data collected from the OS for key generation, a missing return statement needed for proper error handling, and two separate stack buffer overflows (in the ctl_putdata() and configure() functions). For practical exploitation, the worst of these bugs are the buffer overflows, which would allow an attacker to achieve remote code execution (RCE) in the ntpd process by sending carefully crafted malicious packets over the network. Additional background information may be found in the security notice from the NTP project:
 http://support.ntp.org/bin/view/Main/SecurityNotice
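
For triage, the version ranges stated in this notice can be checked against the version banner an NTP package reports. The following is an added example, not code from Extreme Networks or the NTP project; the banner strings are constructed samples, and the function names are hypothetical. A result of True only means the version falls in the range the notice names: as the ExtremeXOS entry below shows, a product can ship an in-range version and still not be exposed.

```python
import re

# Thresholds taken from the text of this notice.
NTPD_LAST_AFFECTED = (4, 2, 7)        # "ntpd version 4.2.7 and previous versions"
KEYGEN_FIRST_FIXED = (4, 2, 7, 230)   # "ntp-keygen prior to version 4.2.7p230"

# NTP versions look like 4.2.6p2 or 4.2.7p230; the pN patch level is optional.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, point, patch) from a banner; patch defaults to 0."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no NTP version found in %r" % text)
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


def triage(banner):
    """Classify a version banner against the two ranges named in the notice."""
    version = parse_ntp_version(banner)
    return {
        "version": version,
        # Buffer overflows: every 4.2.7 build and anything older is in range.
        "ntpd_overflow_range": version[:3] <= NTPD_LAST_AFFECTED,
        # Weak key generation: patch level matters, fixed at 4.2.7p230.
        "keygen_weak_rng_range": version < KEYGEN_FIRST_FIXED,
    }


# Constructed sample banners (not captured from any real device).
SAMPLE_BANNERS = [
    "ntp-4.2.6p2",
    "ntpd 4.2.7p229@1.2483-o",
    "ntpd 4.2.7p230",
    "ntpd 4.2.8p1",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", triage(banner))
```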
 
Published: 2014-12-19
CVSS Severity: 7.5 (from CERT), 6.8 (from NVD/NIST)
 
The following software and software-supported products from Extreme Networks will be analyzed for this vulnerability:
 
  1. ExtremeXOS
  2. X-Series Secure Core Router
  3. N, K, SSA, and S Modular Switches
  4. A, B, C, D, G, I & 800 Series Fixed Switches
  5. NetSight / NAC (IA) / Purview
  6. Ridgeline
  7. IDS/IPS
  8. Security Information & Event Manager
  9. IdentiFi Wireless
  10. Wireless Mobility
  11. XSR (X-Pedition Security Router)
  12. EWare
 
IMPACT (from CERT)
The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes.
NOTE: Information in RED, denotes new updated information since the last revision of this notice. 
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:
 
ExtremeXOS: No
X-Series Secure Core Router: Investigating
N, K, SSA, and S Modular Switches: No
A, B, C, D, G, I & 800 Series Fixed Switches: No
NetSight/NAC(IA)/Purview: Yes
Ridgeline: No
IDS/IPS: Yes
Security Information & Event Manager: Investigating No
IdentiFi Wireless: No
Wireless Mobility versions WM 5.5X: Yes
XSR (X-Pedition Security Router): No
ExtremeWare: No
Note: To our knowledge, no other Extreme products (including the Enterasys-branded products) have been determined to be vulnerable at this time.


 
 
 
Impact Details
ExtremeXOS (all products): 
  • No - EXOS NTP implementation is not vulnerable to the recent threats even though EXOS uses the vulnerable NTP version ntp-4.2.6p2.
  • EXOS NTP already blocks external (known/unknown) NTP servers/clients from querying or modifying the EXOS NTP client/server.
  • EXOS NTP supports authentication with MD5 key only. The “crypto” libraries are not part of the EXOS NTP executable hence we are not vulnerable to crypto [Sec 2670 / CVE-2014-9296 / VU#852879] threat.
X-Series Secure Core Router
  • Investigating

N, K, SSA, and S Modular Switches
  • No – does not use NTP software
A, B, C, D, G, I & 800 Series Fixed Switches
  • No  for A, B, C, D, G, & I Series Fixed Switches, including 800 Series
 
NetSight /NAC (IA)/ Purview:
  • Yes
  • NTP Daemon on NetSight Appliances
  • If NTP is configured on an appliance, that NTP process is vulnerable.
  • All product versions
  • Workaround is to disable NTP until a patch is released
  • Target Fix Release: 6.2
  • Target Month for Fix Release: June 2015
 
Ridgeline:
  • No – does not use NTP software
 
IDS / IPS:
  • Yes
  • NTP Daemon
  • When NTP is configured
  • All appliances
  • Workaround: disable NTP
  • Target Fix Release: No fix is planned for any version
     
Security Information & Event Manager:
  • No
CVE-2014-9293 - NA - NTPD is not enabled on QRadar installs.
CVE-2014-9294 - NA - We do not generate NTP keys using ntp-keygen.
CVE-2014-9295 - NA - NTPD is not enabled on QRadar installs.
CVE-2014-9296 - NA - We do not use NTP auth or NTP in General.
 
IdentiFi Wireless:
Controller & Access Points:
  • No
 
Wireless Mobility:
Controller & Access Points:
  • Yes
  • NTP Daemon
  • When NTP is configured
  • All devices
  • Workaround: Investigating
  • Target Fix Release: TBD
  • Target Month for Fix Release: TBD
 
XSR (X-Pedition Security Router):
  • No – Does not use NTP software
 
EWare (all products):
  • No – NTP is not supported
Threat Details
 
CVE: CVE-2014-9293-9296
Name: NTP
Impact: Medium to High
Vulnerable Versions: NTP version 4.2.7 and earlier
Client: Medium to High
Server: Medium to High
 
 
 
Vulnerability Mitigation
TBD

 
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the set-up of the computer network and how the local IT team wants to address the situation.  Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network.
Update the software, identified in this Notice, in your Extreme Networks’ products by replacing it with the latest releases from Extreme Networks including the following version (or above):  
 
  1. EXOS: TBD
  2. X-Series Secure Core Router: Investigating
  4. N, K, SSA, and S Modular Switches: N/A
  4. A, B, C, D, G, I & 800 Series Fixed Switches: N/A
  5. NetSight/NAC(IA)/ Purview: 6.2
  6. Ridgeline: N/A
  7. IDS/IPS: Workaround is to disable NTP 
  8. Security Information & Event Manager: N/A
  9. IdentiFi Wireless: N/A
  10. Wireless Mobility:  Investigating
  11. XSR: N/A
  12. EWare: N/A
 
Firmware & Software can be downloaded from - http://www.extremenetworks.com/support/
 
 
Further Information
 
NIST release:  http://web.nvd.nist.gov/
 
US-CERT Release:  https://www.us-cert.gov/ncas/alerts/
 
CERT:  http://www.kb.cert.org/vuls/id/852879
 
ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
 
 
Legal Notice
THIS ADVISORY NOTICE IS PROVIDED ON AN "AS IS" BASIS AND EXTREME NETWORKS MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESSLY DISCLAIMING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. USE OF THE INFORMATION PROVIDED HEREIN OR MATERIALS LINKED FROM THIS ADVISORY NOTICE IS AT YOUR OWN RISK. EXTREME NETWORKS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME, AND EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.  THE INFORMATION PROVIDED HEREIN IS APPLICABLE TO CURRENT EXTREME NETWORKS’ PRODUCTS IDENTIFIED HEREIN AND IS NOT INTENDED TO BE ANY REPRESENTATION OF FUTURE FUNCTIONALITY OR COMPATIBILITY WITH ANY 3RD PARTY TECHNOLOGIES REFERENCED HEREIN.  THIS NOTICE SHALL NOT CHANGE ANY CONTRACT OR AGREEMENT THAT YOU HAVE ENTERED INTO WITH EXTREME NETWORKS.
This notice was imported into GTAC Knowledge on 18-Jan-2016. 
