A vulnerability in the Network Time Protocol (NTP) package of Cisco NX-OS Software and Cisco Multilayer Director Switch (MDS) software could allow an unauthenticated, remote attacker to cause a Denial of Service (DoS) condition on an affected device. The vulnerability is due to the processing of MODE_PRIVATE (Mode 7) NTP control messages, which have a large amplification vector. An attacker could exploit this vulnerability by sending Mode 7 control requests to an affected NTP server; the responses can be amplified up to 5500 times in size. A successful exploit could cause a Denial of Service (DoS) condition in which the affected NTP server is forced to process the requests and respond with large amounts of response data.
This is a day 1 issue: all versions of NX-OS and MDS with support for NTP are vulnerable.

Fixed Software: This bug applies to the Cisco Nexus 7000 (N7K), Cisco Nexus 6000 (N6K), Cisco Nexus 5000 (N5K) and Cisco Multilayer Director Switch (MDS); the fix is currently targeted for a release towards the end of CY2015.

Cisco NX-OS Software and Cisco MDS switches are vulnerable to attacks utilizing Mode 7 NTP requests. Mode 7 requests can have an amplification factor of up to 5500.

To see if a device is configured with NTP, log into the device and issue the CLI command ''show running-config | include ntp''. If the output returns any of the following commands, the device is vulnerable:
  ntp master
  ntp peer
  ntp server
  ntp broadcast client
  ntp multicast client

On a Cisco MDS switch, confirm that the NTP feature is disabled:
  # show running-config | include ''no feature ntp''
  no feature ntp

Information about Cisco NX-OS and MDS Software release naming conventions is available in ''White Paper: Cisco IOS and NX-OS Software Reference Guide'' at the following link: http://www.cisco.com/web/about/security/intelligence/ios-ref.html
There are no solid workarounds other than disabling NTP on the device via the ''no feature ntp'' command. The following mitigations have been identified for this vulnerability. Only packets destined for a configured IP address on the device can exploit this vulnerability; transit traffic will not exploit it.

Note: NTP peer authentication is not a workaround; an authenticated NTP configuration is still vulnerable.

* NTP Access Group

Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender's IP address, which may defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses. Unicast Reverse Path Forwarding (Unicast RPF) should be considered for use in conjunction with the ACL to offer a better mitigation. Additionally, the ''serve-only'' keyword added to the NTP access-group limits the exposure of the server so that it responds only to valid queries. Note: NTP access groups are not supported by the Cisco MDS switch. For additional information on NTP access control groups, consult the document titled ''Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 4.x'' at the following link: http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/system_management/configuration/guide/sm_3ntp.html

* Infrastructure Access Control Lists

Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered for use in conjunction with the ACL to offer a better mitigation. Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks.
Infrastructure ACLs (iACLs) are a network security best practice and should be considered a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled ''Protecting Your Core: Infrastructure Protection Access Control Lists'' presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Cisco MDS Workaround for Management Interface

Step 0: The following configuration assumes a valid NTP configuration exists on the switch for two NTP servers, x.x.x.x and y.y.y.y.

Step 1: Remove any existing IP access list from the mgmt 0 interface:
  configure terminal
  interface mgmt 0
  no ip access-group [existing ACL name] in

Step 2: Configure a new IP access list. (Note: If the existing ACL is still needed, merge the new commands into the existing ACL.)
  ip access-list restrictNTP permit udp x.x.x.x 0.0.0.0 eq port ntp any eq port dst_ntp
  ip access-list restrictNTP permit udp y.y.y.y 0.0.0.0 eq port ntp any eq port dst_ntp
  ip access-list restrictNTP permit udp any eq port ntp x.x.x.x 0.0.0.0 eq port dst_ntp
  ip access-list restrictNTP permit udp any eq port ntp y.y.y.y 0.0.0.0 eq port dst_ntp
  ip access-list restrictNTP deny udp any any eq port dst_ntp
  ip access-list restrictNTP permit ip any any

Step 4: Apply the ACL to the interface:
  interface mgmt 0
  ip access-group restrictNTP in

Step 5: Verify connectivity to the existing NTP servers:
  show ntp statistics peer ipaddr y.y.y.y
  show ntp statistics peer ipaddr x.x.x.x
  show ip access-list
The vulnerability comes from a shortcoming in RFC 5905 that allows NTP servers to process optional Mode 7 command requests. In summary, the attack relies on the server processing Mode 7 (MODE_PRIVATE) requests from clients: while the requests are small (a Mode 7 request is only 8 bytes long), the response can be up to 5500 times larger, giving an amplification factor of up to 5500.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2013-5211 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
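As an added example (not part of this advisory or of Cisco's software), the following Python detector reads the NTP mode from the first byte of each UDP/123 payload, isolates Mode 7 (MODE_PRIVATE) traffic to and from a server, and computes the bytes-out/bytes-in ratio per remote peer, so that the amplification described above becomes visible in captured traffic. The sample datagrams, IP addresses and the flagging threshold are constructed assumptions.

```python
"""Flag NTP Mode 7 (MODE_PRIVATE) traffic and estimate per-peer amplification.
Sample datagrams, addresses and the threshold below are constructed assumptions."""
from collections import defaultdict

MODE_PRIVATE = 7     # NTP mode 7 (MODE_PRIVATE), the control messages this bug concerns
RESPONSE_BIT = 0x80  # in a Mode 7 header the top bit of byte 0 marks a response

def ntp_mode(payload):
    """The NTP mode is the low 3 bits of the first byte of every NTP packet."""
    return (payload[0] & 0x07) if payload else None

def is_mode7_response(payload):
    """True for a Mode 7 packet whose response bit is set."""
    return ntp_mode(payload) == MODE_PRIVATE and bool(payload[0] & RESPONSE_BIT)

def summarize_mode7(datagrams, server_ip):
    """Per remote peer, count Mode 7 requests sent to server_ip and responses it sends.
    datagrams: iterable of (src_ip, dst_ip, payload); non-Mode-7 traffic is ignored."""
    stats = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "responses": 0, "resp_bytes": 0})
    for src, dst, payload in datagrams:
        if ntp_mode(payload) != MODE_PRIVATE:
            continue  # ordinary client/server time exchange
        if dst == server_ip and not is_mode7_response(payload):
            s = stats[src]
            s["requests"] += 1
            s["req_bytes"] += len(payload)
        elif src == server_ip and is_mode7_response(payload):
            s = stats[dst]
            s["responses"] += 1
            s["resp_bytes"] += len(payload)
    for s in stats.values():
        # bytes the server sent back per byte it received; inf when only responses were seen
        s["amplification"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
    return dict(stats)

def flag_amplified_peers(stats, threshold=10.0):
    """Peers receiving at least `threshold` times the bytes they sent (assumed cutoff)."""
    return sorted(p for p, s in stats.items() if s["amplification"] >= threshold)

# Constructed sample traffic. Byte 0 = 0x17 is VN=2, mode 7 (request) and 0x97 adds the
# response bit; 0x1b / 0x1c are ordinary VN=3 client (mode 3) / server (mode 4) packets.
SERVER = "192.0.2.1"
MODE7_REQUEST = b"\x17" + b"\x00" * 7      # 8-byte Mode 7 request, the size the advisory cites
MODE7_RESPONSE = b"\x97" + b"\x00" * 439   # one 440-byte Mode 7 response datagram
CLIENT_POLL = b"\x1b" + b"\x00" * 47       # 48-byte normal client time request
SERVER_REPLY = b"\x1c" + b"\x00" * 47      # 48-byte normal server reply
SAMPLE_DATAGRAMS = (
    [("198.51.100.7", SERVER, MODE7_REQUEST)]
    + [(SERVER, "198.51.100.7", MODE7_RESPONSE)] * 5
    + [("203.0.113.5", SERVER, CLIENT_POLL), (SERVER, "203.0.113.5", SERVER_REPLY)]
)
```

Run against the constructed sample, the single 8-byte request answered by five 440-byte responses yields an amplification of 275 for 198.51.100.7, while the normal client at 203.0.113.5 never appears in the Mode 7 summary.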