Cisco Found To Contain a NTP Related Vulnerability
9 May 2002
Summary
Network Time Protocol (NTP) is used to synchronize time on multiple devices. A vulnerability has been discovered in the NTP daemon query processing functionality. This vulnerability has been publicly announced.
The following products are identified as affected by this vulnerability:
* All releases of Cisco IOS software
* Media Gateway Controller (MGC) and related products
* BTS 10200
* Cisco IP Manager
Other Cisco software applications may run on Solaris platforms and where those products have not specifically been identified, customers should install security patches regularly in accordance with their normal maintenance procedures.
Cisco is continuing to research this issue in other products that may be affected. Unless explicitly stated otherwise, all other products are considered to be not affected.
The workarounds for this vulnerability are described in the Workarounds section.
Affected Products:
The following products are affected:
* All releases of Cisco IOS software
* Media Gateway Controller (MGC) and related products, which encompass the following:
  * SC2200
  * Cisco Virtual Switch Controller (VSC3000)
  * Cisco PGW2200 Public Switched Telephone Network (PSTN) Gateway
  * Cisco Billing and Management Server (BAMS)
  * Cisco Voice Services Provisioning Tool (VSPT)
* BTS 10200
* Cisco IP Manager
Other Cisco software applications may run on Solaris platforms and where those products have not specifically been identified, customers should install security patches regularly in accordance with their normal maintenance procedures.
Cisco is continuing to research this issue in other products that may be affected. Unless explicitly stated otherwise, all other products are considered to be not affected.
Details:
By sending a crafted NTP query packet it is possible to trigger a buffer overflow in the NTP daemon. This vulnerability can be exploited remotely. Successful exploitation may cause arbitrary code to be executed on the target machine. Such exploitation, if it is possible at all, would require significant engineering skill and a thorough knowledge of the internal operation of Cisco IOS software or the Sun Solaris operating system.
To the best of our knowledge, this vulnerability cannot cause arbitrary code to be executed on Cisco IOS or Sun Solaris.
The vulnerability is present regardless of the role played by the device. The device may be an NTP server or client and it will still be vulnerable.
For IOS, this vulnerability is documented as Cisco Bug ID CSCdt93866.
The main repository of NTP software, and all other information regarding NTP, can be found at http://www.eecis.udel.edu/~ntp/.
Impact:
Successful exploitation may cause arbitrary code to be executed on the target machine. More often, an attempt to exploit this vulnerability will result in a daemon or device crash.
Obtaining Fixed Software:
Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers may only install and expect support for the feature sets they have purchased.
Customers with service contracts should obtain upgraded software through their regular update channels to any software release containing the feature sets they have purchased. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.
Customers who purchased directly from Cisco but who do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale, should obtain fixed software by contacting the Cisco Technical Assistance Center (TAC). In those cases, customers may only upgrade to a later version of the same release as indicated by the applicable row in the Software Versions and Fixes table.
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds: Cisco IOS
There are a few methods available to lower the exposure. You can combine these methods or use them individually.
* Prevent IOS from processing NTP queries at all. No other NTP function is affected by this. This can be accomplished by adding the following statement to the configuration:
    ntp access-group serve-only
* Use NTP with authentication. You must enable this feature on all participating peers and servers. You can enable it in IOS as follows:
    ntp authentication-key 20 md5 your_NTP_key
    ntp authenticate
    ntp trusted-key 20
  Note: The key must be the same on all participating peers and servers.
* It is possible to mitigate the exposure by using ACLs and dropping all NTP packets that are not from the legitimate servers. This can be accomplished as follows:
    access-list 10 permit 1.2.3.4
    access-list 10 permit 5.6.7.8
    access-list 10 deny any
    !
    ntp access-group peer 10
  In the above example, 1.2.3.4 and 5.6.7.8 are addresses of peers or servers from which NTP packets will be accepted. (A standard access list takes only a source address, so the final entry is "deny any"; it is also the implicit default at the end of every ACL.)
* Additionally, if you are not using NTP servers external to your network, you can drop all NTP packets on the network boundary. This can be done by the ACL as follows:
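As an added example (not part of the advisory), the following Python snippet audits an IOS configuration text for the three IOS workarounds listed above: the serve-only access group, NTP authentication with a defined trusted key, and a peer ACL that permits only specific sources. The sample configuration, regexes and function names are constructed for this example.

```python
import re

# Constructed sample IOS running-config fragment written for this example (not
# taken from the advisory); it applies the authentication and peer-ACL workarounds.
SAMPLE_CONFIG = """\
access-list 10 permit 1.2.3.4
access-list 10 permit 5.6.7.8
access-list 10 deny any
!
ntp authentication-key 20 md5 your_NTP_key
ntp authenticate
ntp trusted-key 20
ntp access-group peer 10
ntp server 1.2.3.4
"""

KEY_RE = re.compile(r"ntp authentication-key (\d+) md5 \S+$")
TRUSTED_RE = re.compile(r"ntp trusted-key (\d+)$")
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+)$")
PEER_RE = re.compile(r"ntp access-group peer (\d+)$")

def audit_ntp_config(config):
    """Return {'serve_only': bool, 'auth': bool, 'peer_acl': bool} for an IOS config text."""
    lines = [ln.strip() for ln in config.splitlines()]
    keys, trusted, acls, peer_acl, serve_only = set(), set(), {}, None, False
    for ln in lines:
        m = KEY_RE.match(ln)
        if m:
            keys.add(m.group(1))          # key numbers that have a defined secret
        m = TRUSTED_RE.match(ln)
        if m:
            trusted.add(m.group(1))       # key numbers marked as trusted
        m = ACL_RE.match(ln)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        m = PEER_RE.match(ln)
        if m:
            peer_acl = m.group(1)         # ACL number bound to the peer access group
        if ln.startswith("ntp access-group serve-only"):
            serve_only = True
    # Authentication only helps when it is switched on and a trusted key has a defined secret.
    auth = "ntp authenticate" in lines and bool(keys & trusted)
    # The peer ACL counts only if it exists and its permit entries name specific sources.
    entries = acls.get(peer_acl, [])
    peer_ok = bool(entries) and all(src != "any" for act, src in entries if act == "permit")
    return {"serve_only": serve_only, "auth": auth, "peer_acl": peer_ok}

def missing_workarounds(config):
    """Names of the advisory workarounds the config does not apply."""
    return [name for name, ok in audit_ntp_config(config).items() if not ok]
```

Run it against the output of "show running-config" to see which of the three workarounds a device still lacks; the sample above reports only the serve-only access group as missing.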