VN 2015 002 Leap Second


Vulnerability Notice

 
Vulnerability Summary
Linux kernel versions from 2.6.26 to 3.3 (inclusive) are vulnerable to a deadlock condition in the handling of leap second adjustments provided through NTP. The next leap second adjustment will occur on June 30th, 2015, and it could cause Linux-based Extreme Networks products to crash/hang.
Once applied, the leap second fix is also effective for future leap second events.


Background (From NIST)
What is a leap second?
http://www.nist.gov/pml/div688/leapseconds.cfm
Published: March 20, 2015
CVSS Severity: N/A

 
Impact
Potential for Linux-based Extreme Networks products to crash/hang. 
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:
 
Product | Vulnerable
ExtremeXOS (all products) | Fixed
A, B, C, D, G, I and 800 Series Fixed Switches | No
ExtremeWare | No
IDS/IPS | No
IdentiFi Wireless | No
NAC | No
NetSight | No
Purview | No
Ridgeline | No
Router N, K, SSA, and S Modular Switches | No
Security Information & Event Manager | Investigating
Summit WM3000 Series | Investigating
X-Series Secure Core Router | Yes (See Impact Details)
XSR (X-Pedition Security Router) | No


 
 
 
Impact Details
ExtremeXOS (all products)
  • Vulnerable: Fixed
  • Vulnerable Component: Kernel
  • Conditions when component vulnerability occurs:  While logging the next leap second event via printk, kernel deadlock can occur due to bad locking. The fix will address future leap second events.
  • Product version(s) affected: All EXOS products
  • Workaround: Disable ntpd for at least 24 hours before leap second period.
  • Fixed In: EXOS 21.1.1 (released)  and 16.2.2 patch (target release March 2017)
A, B, C, D, G, I and 800 Series Fixed Switches
  • Vulnerable: No (Not a Linux based platform.)
ExtremeWare
  • Vulnerable: No (Runs on VxWorks)
IDS/IPS
  • Vulnerable: No
IdentiFi Wireless
  • Vulnerable: No
NAC
  • Vulnerable: No
NetSight
  • Vulnerable: No
Purview
  • Vulnerable: No
Ridgeline
  • Vulnerable: No – The OS is not provided with Ridgeline as it is a software-only application. Therefore, it is important to verify with the OS vendor whether the leap second vulnerability has been patched.
Router N, K, SSA, and S Modular Switches
  • Vulnerable: No (Product does not use Linux Kernel)
Security Information & Event Manager
  • Vulnerable: TBD
Summit WM3000 Series
  • Vulnerable: TBD
X-Series Secure Core Router
  • Vulnerable: Yes
  • Vulnerable Component: TBD
  • Describe conditions when component vulnerability occurs (why/when/how): When the Linux kernel processes an NTP add second or delete second event, it may suffer a deadlock while trying to log an informational message. The chances of this may be greater when a system is busy.
  • Product version(s) affected: All active X-Series releases use a vulnerable Linux kernel version.
  • Workaround: Disable NTP at least 24 hours before the date of each upcoming leap second (e.g. June 30, 2015). Wait a day after the leap second and then re-enable NTP.
  • Target Fix Release: TBD
  • Target Month for Fix Release: TBD
XSR (X-Pedition Security Router)
  • Vulnerable: No
Repair Recommendations
This kernel bug can occur at any time during the 24-hour period before a leap second occurs. Since the next leap second will occur on June 30, 2015, the easiest workaround is to disable ntpd at least 24 hours before the leap second occurs. The ntpd process/service may be re-enabled on July 1.

Switches running SNTP aren't subject to this issue because leap seconds don't receive special handling under the SNTP protocol.
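
For Linux hosts that run alongside these products (for example the server under Ridgeline), the kernel range and the workaround window from this notice can be checked as below. This is an added example, not Extreme Networks code; the function names are hypothetical, every 3.3.y release is assumed to count as "3.3", and the window uses the more cautious "wait a day after" wording.

```python
import re
from datetime import datetime, timedelta, timezone

# Upstream range stated in the notice: 2.6.26 through 3.3, inclusive.
AFFECTED_MIN = (2, 6, 26)
AFFECTED_MAX = (3, 3)  # assumption: every 3.3.y release counts as "3.3"

# First instant after the leap second at the end of June 30, 2015 (UTC).
# datetime cannot represent 23:59:60, so the following midnight is used.
AFTER_LEAP = datetime(2015, 7, 1, tzinfo=timezone.utc)


def parse_release(release):
    """Turn a `uname -r` string such as '3.2.0-4-amd64' into (3, 2, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if m is None:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(part or 0) for part in m.groups())


def in_affected_range(release):
    """True if the upstream version number falls inside the notice's range.

    Distribution kernels may carry a backported fix under an in-range
    number, so a True result means "confirm with the OS vendor".
    """
    version = parse_release(release)
    return version >= AFFECTED_MIN and version[:2] <= AFFECTED_MAX


def ntp_hold_window(after_leap=AFTER_LEAP):
    """Window in which the workaround keeps ntpd off: from 24 hours before
    the leap second until one day after it."""
    return after_leap - timedelta(hours=24), after_leap + timedelta(days=1)


def advise(release, now):
    """Combine both checks for one host at time `now` (timezone-aware)."""
    if not in_affected_range(release):
        return "kernel outside affected range"
    start, end = ntp_hold_window()
    if now < start:
        return "in range: disable ntpd before " + start.isoformat()
    if now < end:
        return "in range: keep ntpd disabled"
    return "in range: ntpd may be re-enabled"
```

Pass the output of `uname -r` as `release`; for a later leap second, pass the first UTC instant after it to `ntp_hold_window`.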

The resolution to any threat or issue is dependent upon a number of things, including the setup of the computer network and how the local IT team wants to address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network.

Update the software, identified in this Notice, in your Extreme Networks products by replacing it with the latest releases from Extreme Networks including those listed above.

Firmware and software can be downloaded from www.extremenetworks.com/support


Additional Information 
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.

Revision History

Rev. No. | Date Modified | Description / Milestone
1.0 | 20-Mar-15 | First release.
2.0 | 22-Apr-15 | Update X-Series Secure Core Router; Update Target date for EXOS
3.0 | 29-Apr-15 | Updated the target date for EXOS fix

This notice was imported into GTAC Knowledge on 18-Jan-2016.  
