...
Cisco IOS and Cisco IOS XE Software include a version of ntpd that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs: CVE-2015-7691; CVE-2015-7692; CVE-2015-7701; CVE-2015-7702; CVE-2015-7703; CVE-2015-7704; CVE-2015-7705; CVE-2015-7848; CVE-2015-7849; CVE-2015-7850; CVE-2015-7851; CVE-2015-7852; CVE-2015-7853; CVE-2015-7854; CVE-2015-7855; CVE-2015-7871. This product is affected by one or more of the listed CVE IDs.
Cisco IOS and Cisco IOS XE devices are not affected by the vulnerabilities described in the October 2015 NTP security notice, other than the two Kiss-o'-Death (KoD) vulnerabilities. The Cisco IOS Software Checker is available for this issue. Currently only releases 15.2(4)M and later, or 3.5.0S/15.2(1)S and later, could be affected; prior to these releases KoD handling was not implemented.

Affected configurations: client poll-based associations are affected (i.e. the device is configured with "ntp server x.x.x.x"). When exploited, the poll interval the client uses to request time updates is pushed out to 36 hours, which prevents the client from synchronizing with any of its preconfigured NTP servers.

Not affected: symmetric active mode poll-based associations ("ntp peer x.x.x.x"); devices configured to serve time as an authoritative NTP server ("ntp master x"), which do not poll; devices configured to use SNTP; and devices configured as "ntp broadcast client" or "ntp multicast client", which do not poll.
There is no complete workaround for this vulnerability. Having uRPF and infrastructure ACLs in place will help reduce the attack surface. The NTP access groups below help by preventing an attacker who does not already know the configured NTP server from learning its address through Mode 3 (client) requests to the device. NTP authentication ensures that an attacker sending spoofed packets with the NTP server's source address would also have to pass NTP authentication; an access group alone filters only on source address, so it does not stop a spoofed KoD from the trusted server's address. On devices configured with "ntp server x.x.x.x", applying ntp access-groups that only allow updates from trusted time sources and/or applying NTP authentication will help mitigate CVE-2015-7704.

Access groups. Example: trusted NTP server 192.168.0.1, client configuration:

    ntp server 192.168.0.1
    ntp access-group peer 10
    ntp access-group serve 1
    access-list 1 deny any
    access-list 10 permit 192.168.0.1

NTP authentication. Example: trusted NTP server 192.168.0.1, client configuration:

    ntp authentication-key 3 md5 example
    ntp authenticate
    ntp trusted-key 3
    ntp server 192.168.0.1 key 3
    ntp access-group peer 10
    ntp access-group serve 1
    access-list 1 deny any
    access-list 10 permit 192.168.0.1
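The following is an added example (not Cisco's code, nor part of this advisory) that turns the affected-configuration rules and the mitigation above into a quick audit: it parses IOS running-config text to decide whether a device has a client poll-based association, whether each "ntp server" line is covered by authentication or an "ntp access-group peer", and it scans "show ntp associations" output for associations whose poll interval has been driven to maxpoll. The config fragments and the "show ntp associations" line are constructed samples; the assumption that the advisory's "36 hours" corresponds to NTP's maxpoll exponent 17 (2**17 = 131072 s) is mine, not the advisory's.

```python
import re

# Constructed sample running-config fragments (illustrative, not from the advisory).
VULNERABLE_CFG = """\
ntp server 192.168.0.1
ntp server 192.168.0.2
"""

HARDENED_CFG = """\
ntp authentication-key 3 md5 example
ntp authenticate
ntp trusted-key 3
ntp server 192.168.0.1 key 3
ntp access-group peer 10
ntp access-group serve 1
access-list 1 deny any
access-list 10 permit 192.168.0.1
"""

# Constructed "show ntp associations" output after a successful KoD attack:
# the poll column has been pushed to 2**17 = 131072 seconds (about 36 hours).
KOD_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~192.168.0.1     .GPS.            1    512 131072   377  1.234  -0.123  0.456
"""

# Assumption: the advisory's "36 hours" is NTP's maxpoll exponent 17.
MAXPOLL_SECONDS = 2 ** 17


def audit_ntp_config(config):
    """Classify an IOS running-config against the advisory's affected-configuration rules.

    Returns a dict with:
      affected        - True if a client poll-based association ("ntp server") exists
      unauthenticated - servers not protected by "ntp authenticate" plus a trusted key
      peer_acl        - True if an "ntp access-group peer" restricts who we sync with
      mitigated       - True if every server is authenticated or a peer access-group exists
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    servers = []            # (address, key-id or None)
    trusted_keys = set()
    access_groups = {}
    for ln in lines:
        m = re.match(r"ntp server (?:vrf \S+ )?(\S+)(?:.*\bkey (\d+))?", ln)
        if m:
            servers.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"ntp trusted-key (\d+)", ln)
        if m:
            trusted_keys.add(m.group(1))
            continue
        m = re.match(r"ntp access-group (peer|serve|serve-only|query-only) (\S+)", ln)
        if m:
            access_groups[m.group(1)] = m.group(2)
    authenticate = "ntp authenticate" in lines
    unauthenticated = [addr for addr, key in servers
                       if not (authenticate and key in trusted_keys)]
    affected = bool(servers)
    peer_acl = "peer" in access_groups
    return {
        "affected": affected,
        "unauthenticated": unauthenticated,
        "peer_acl": peer_acl,
        "mitigated": affected and (not unauthenticated or peer_acl),
    }


def kod_escalated_associations(show_output):
    """Return server addresses from "show ntp associations" whose poll hit maxpoll.

    Columns are taken from the right (disp, offset, delay, reach, poll ...) so the
    parser works whether or not the status flag is glued to the address.
    """
    hits = []
    for ln in show_output.splitlines():
        fields = ln.split()
        if len(fields) < 9:
            continue
        try:
            poll = int(fields[-5])
        except ValueError:
            continue  # header line
        if poll >= MAXPOLL_SECONDS:
            hits.append(fields[-9].lstrip("*+#~x"))  # strip association status flags
    return hits


if __name__ == "__main__":
    print("vulnerable:", audit_ntp_config(VULNERABLE_CFG))
    print("hardened:  ", audit_ntp_config(HARDENED_CFG))
    print("KoD-escalated associations:", kod_escalated_associations(KOD_ASSOCIATIONS))
```

Feed audit_ntp_config() the output of "show running-config | include ntp|access-list" from each device; a device that reports affected but not mitigated has a plain "ntp server" association and is the case the advisory describes. kod_escalated_associations() is the post-incident check: a client whose every association sits at 131072 seconds is no longer polling in any useful sense.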
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 6.4/5.3 http://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:P/E:F/RL:OF/RC:C/CDP:N/TD:N/CR:L/IR:L/AR:L The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html