VN 2015 006 Symmetric Key NTP


Vulnerability Notice

 
Vulnerability Summary
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.
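A simplified model of the CVE-2015-1798 condition described above, added here as an illustration; it is not ntpd source or Extreme Networks code. The 48-byte header, 4-byte key ID and 16-byte keyed MD5 digest follow the NTP symmetric-key packet layout; the key table, key ID 7 and all function names are constructed assumptions.

```python
import hashlib, hmac, struct

HEADER_LEN = 48   # fixed NTP header
KEYID_LEN = 4     # key identifier that precedes the digest
DIGEST_LEN = 16   # MD5 digest used by NTP symmetric keys

# Constructed sample key table (key ID -> secret); not real keys.
KEYS = {7: b"constructed-sample-secret"}

def make_packet(key_id=None):
    """Build a constructed version-4, mode-1 packet, optionally followed by a MAC."""
    header = struct.pack("!B", (4 << 3) | 1) + bytes(HEADER_LEN - 1)
    if key_id is None:
        return header
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest

def mac_valid(packet):
    """Recompute the keyed digest over the header and compare in constant time."""
    mac = packet[HEADER_LEN:]
    if len(mac) != KEYID_LEN + DIGEST_LEN:
        return False
    (key_id,) = struct.unpack("!I", mac[:KEYID_LEN])
    key = KEYS.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    return hmac.compare_digest(expected, mac[KEYID_LEN:])

def accept_flawed(packet, peer_key_id):
    """Behaviour the notice describes: the MAC is checked only if one is present.
    peer_key_id is ignored, which is the defect."""
    if len(packet) < HEADER_LEN:
        return False
    if len(packet) > HEADER_LEN:
        return mac_valid(packet)
    return True

def accept_fixed(packet, peer_key_id):
    """Corrected rule: a peer configured with a key must send a valid MAC made with that key."""
    if len(packet) < HEADER_LEN:
        return False
    if peer_key_id is None:
        return len(packet) == HEADER_LEN or mac_valid(packet)
    if not mac_valid(packet):
        return False
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])
    return key_id == peer_key_id
```
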

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.

Background (From CVE Project)
CVE-2015-1798
Published: 4/8/2015
CVSS Severity: 1.8

CVE-2015-1799
Published: 4/8/2015
CVSS Severity: 4.3

Impact
Potential man-in-the-middle packet spoofing attack


 
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:
 
ExtremeXOS (all products)                       Fixed
A, B, C, D, G, I and 800 Series Fixed Switches  No
ExtremeWare                                     No
IDS/IPS                                         Fixed
IdentiFi Wireless                               Fixed
N, K, SSA, and S Modular Switches               No
NetSight                                        Fixed
NAC (IA)                                        Fixed
Purview                                         Fixed
Ridgeline                                       No
Security Information & Event Manager            Investigating
Summit WM3000 Series                            Yes (See Impact Details)
X-Series Secure Core Router                     Investigating
XSR (X-Pedition Security Router)                No


 
 
 
Impact Details
ExtremeXOS (all products)
  • Vulnerable: Yes  - Fixed
  • Vulnerable Component: NTP
  • Conditions when component vulnerability occurs: CVE-2015-1798 - Authentication bypass vulnerability due to incorrect validation of the MAC field. CVE-2015-1799 - Possible DoS attack due to incorrect state-variable updates upon receiving certain invalid packets.
  • Product version(s) affected: All EXOS versions
  • Workaround: No workaround is available, but systems not running ntpd are safe from this vulnerability. Risk of exploitation can be minimized by restricting NTP host access to trusted sources only.
  • Fixed In: EXOS 21.1.1, 16.2.1, 16.1.2, 15.7.2, 15.6.4
A, B, C, D, G, I and 800 Series Fixed Switches
  • Vulnerable: No (unsupported protocol)
ExtremeWare
  • Vulnerable: No (ExtremeWare does not have the NTPD feature)
IDS/IPS
  • Vulnerable: Yes  - Fixed
  • Vulnerable Component: NTP service on Dragon Appliance
  • Conditions when component Vulnerability occurs (Why/When/How):
  • CVE-2015-1798 - A vulnerability in the message authentication code (MAC) validation routine of ntpd could allow an unauthenticated, remote attacker to bypass the NTP authentication feature. This could cause the time on the host to not be synchronized correctly.
  • CVE-2015-1799 - NTP Authentication doesn't protect symmetric associations against DoS attacks. This could cause the time on the host to not be synchronized correctly.
  • Workaround:  Limiting access to NTP host to only trusted sources will reduce risk of exposure.
  • Fixed In:  8.3.0.350
IdentiFi Wireless
Wireless Controller
  • Vulnerable: Yes  - Fixed
  • Vulnerable Component: NTPD
  • Describe conditions when component Vulnerability occurs: As described in the two CVEs.
  • Product version(s) affected: all supported versions
  • Workaround: All management protocols including NTP should be run over a secure VLAN used exclusively for network management.
  • Target Fix Release: 10.11.01
Wireless 26xx series APs and 36xx, 37xx, and 38xx series APs
  • Vulnerable: No
N, K, SSA, and S Modular Switches
  • Vulnerable: No
NetSight / NAC (IA) / Purview
NetSight
  • Vulnerable: Yes  - Fixed
  • Vulnerable Component: NTP service on NetSight Appliance
  • Describe conditions when component Vulnerability occurs:
  • CVE-2015-1798 - A vulnerability in the message authentication code (MAC) validation routine of ntpd could allow an unauthenticated, remote attacker to bypass the NTP authentication feature. This could cause the time on the host to not be synchronized correctly.
  • CVE-2015-1799 - NTP Authentication doesn't protect symmetric associations against DoS attacks. This could cause the time on the host to not be synchronized correctly.
  • Workaround: Limiting access to NTP host to only trusted sources will reduce risk of exposure.
  • Fixed In: 6.3.0.182
NAC
  • Vulnerable: Yes  - Fixed
  • Vulnerable Component: NTP service on NAC Appliance
  • Describe conditions when component Vulnerability occurs:
  • CVE-2015-1798 - A vulnerability in the message authentication code (MAC) validation routine of ntpd could allow an unauthenticated, remote attacker to bypass the NTP authentication feature. This could cause the time on the host to not be synchronized correctly.
  • CVE-2015-1799 - NTP Authentication doesn't protect symmetric associations against DoS attacks. This could cause the time on the host to not be synchronized correctly.
  • Workaround: Limiting access to NTP host to only trusted sources will reduce risk of exposure.
  • Fixed In: 6.3.0.182
Purview
  • Vulnerable: Yes  - Fixed
  • Vulnerable Component: NTP service on Purview Appliance
  • Describe conditions when component Vulnerability occurs:
  • CVE-2015-1798 - A vulnerability in the message authentication code (MAC) validation routine of ntpd could allow an unauthenticated, remote attacker to bypass the NTP authentication feature. This could cause the time on the host to not be synchronized correctly.
  • CVE-2015-1799 - NTP Authentication doesn't protect symmetric associations against DoS attacks. This could cause the time on the host to not be synchronized correctly.
  • Workaround: Limiting access to NTP host to only trusted sources will reduce risk of exposure.
  • Fixed In: 6.3.0.182
Ridgeline
  • Vulnerable: No
Security Information & Event Manager
  • Vulnerable: TBD
Summit WM3000 Series
  • Vulnerable: Yes 
  • Vulnerable Component: NTP
  • Describe conditions when component Vulnerability occurs: See CVE-2015-1798, CVE-2015-1799
  • Workaround: N/A
  • Target Fix Release: TBD
  • Target Month for Fix Release: TBD
X-Series Secure Core Router
  • Vulnerable: TBD
XSR (X-Pedition Security Router)
  • Vulnerable: No
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the setup of the computer network and how the local IT team wants to address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network.
Update the software, identified in this Notice, in your Extreme Networks products by replacing it with the latest releases from Extreme Networks including those listed above.
Firmware and software can be downloaded from www.extremenetworks.com/support
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks. 
 

Revision History

Rev. No.  Date Modified  Description / Milestone
1.0       12 May 2015    First release.
2.0       28 May 2015    Update NetSight, NAC and IDS.
3.0       08 Jun 2015    Update Ridgeline
4.0       30 Jun 2015    Update Summit WM3000 Series, Correct Revision History Rev. No. 3.0
5.0       12 Aug 2015    Update Purview Target Release and Target Month, XSR (X-Pedition Security Router) to not vulnerable
This notice was imported into GTAC Knowledge on 11-Jan-2016.  
 
