...
A vulnerability in the processing of NTP packets in Cisco IOS Software could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. The vulnerability is due to insufficient checks when clearing invalid NTP packets from the interface input queue. An attacker could exploit this vulnerability by sending a number of crafted NTP packets to be processed by an affected device. A successful exploit could allow the attacker to wedge the interface, which in turn leads to a denial of service (DoS) condition on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160804-wedge
Customers should use the Cisco IOS Software Checker to determine whether their release of Cisco IOS or IOS XE Software is affected by this vulnerability: https://tools.cisco.com/security/center/selectIOSVersion.x

Cisco devices running an affected release of Cisco IOS Software are vulnerable only if they are configured for NTP operations. NTP is not enabled in Cisco IOS Software by default. To see whether a device is configured with NTP, log in to the device and issue the CLI command:

    show running-config | include ntp

If the output contains any of the following commands, the device is vulnerable:

    ntp master
    ntp peer
    ntp server
    ntp broadcast client
    ntp multicast client

Note that ntp broadcast client and ntp multicast client are interface-level commands and appear indented under the interface in the running configuration; the "| include ntp" filter still shows them.
1. Apply the following ACL to block the packets causing the issue. Only NTP traffic from the known NTP server is permitted; all other UDP traffic to port 123 is dropped and everything else is allowed through:

    ip access-list extended BLOCK_NTP
     permit udp host ADDRESS_OF_NTP_SERVER any eq ntp
     deny udp any any eq 123
     permit ip any any

   The ACL takes effect only once it is applied inbound on the affected interface(s) with ip access-group BLOCK_NTP in; add one permit line per trusted NTP server or peer before the deny.

2. Increase the input queue size to restore service immediately. This is a relief measure only: the device still needs to be reloaded to clear out the wedged queue.

    config t
     interface giX/X/X
      hold-queue 4096 in

As a mitigation measure, customers can use an interface access control list (ACL), limiting NTP traffic to that coming from known NTP peers. Intimate knowledge of the NTP topology and careful configuration are required by the network administrators in order to avoid dropping valid NTP traffic when implementing such mitigation measures. Because NTP uses UDP as its transport, it is possible to spoof the sender's IP address, which may defeat ACLs that permit communication to this port from trusted IP addresses only.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2016-1478 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
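The exposure check and the ACL mitigation above are easy to get wrong by hand across many devices. The following Python script, added here as an example and not part of the Cisco advisory, takes the output of "show running-config | include ntp", reports which of the listed NTP commands are present, extracts the IPv4 addresses of configured servers and peers, and generates the BLOCK_NTP ACL with one permit line per known peer. The sample configuration is constructed for illustration (RFC 5737/TEST-NET addresses), the function names are the author's own, and the ACL is emitted exactly in the shape the mitigation note uses; applying it to an interface is left to the operator.

```python
import re
from typing import List

# Constructed sample output of "show running-config | include ntp" on a
# hypothetical router. Addresses are documentation ranges, not real peers.
SAMPLE_SHOW_RUN_NTP = """\
ntp authentication-key 1 md5 0123456789ABCDEF 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11
ntp peer 198.51.100.5
 ntp broadcast client
"""

# Commands the advisory lists as making an affected release vulnerable.
VULNERABLE_NTP_COMMANDS = (
    "ntp master",
    "ntp peer",
    "ntp server",
    "ntp broadcast client",
    "ntp multicast client",
)

# Matches "ntp server <ipv4>" / "ntp peer <ipv4>", with or without options.
_PEER_RE = re.compile(r"^ntp (?:server|peer) (\d{1,3}(?:\.\d{1,3}){3})\b")


def vulnerable_ntp_lines(show_run_output: str) -> List[str]:
    """Return the configuration lines that match the advisory's list.

    Leading whitespace is stripped so interface-level commands such as
    'ntp broadcast client' are recognised as well as global ones.
    """
    found = []
    for raw in show_run_output.splitlines():
        line = raw.strip()
        if any(line == cmd or line.startswith(cmd + " ")
               for cmd in VULNERABLE_NTP_COMMANDS):
            found.append(line)
    return found


def is_vulnerable(show_run_output: str) -> bool:
    """True if the device is configured for NTP in one of the listed ways."""
    return bool(vulnerable_ntp_lines(show_run_output))


def known_ntp_peers(show_run_output: str) -> List[str]:
    """IPv4 addresses of configured 'ntp server' / 'ntp peer' entries.

    Hostname-based or VRF-qualified entries are not parsed here; review
    those by hand before relying on the generated ACL.
    """
    peers: List[str] = []
    for line in vulnerable_ntp_lines(show_run_output):
        m = _PEER_RE.match(line)
        if m and m.group(1) not in peers:
            peers.append(m.group(1))
    return peers


def build_block_ntp_acl(peers: List[str], acl_name: str = "BLOCK_NTP") -> List[str]:
    """Generate the extended ACL from the mitigation note.

    One permit per trusted peer, then drop all other UDP/123, then permit
    everything else. Source-IP filtering can be defeated by spoofing,
    so this reduces exposure; it does not replace the fixed software.
    """
    acl = [f"ip access-list extended {acl_name}"]
    for p in peers:
        acl.append(f" permit udp host {p} any eq ntp")
    acl.append(" deny udp any any eq 123")
    acl.append(" permit ip any any")
    return acl


def build_hold_queue_config(interface: str, size: int = 4096) -> List[str]:
    """Interim relief from the note: enlarge the input hold queue."""
    return ["config t", f" interface {interface}", f"  hold-queue {size} in"]


if __name__ == "__main__":
    if is_vulnerable(SAMPLE_SHOW_RUN_NTP):
        print("NTP configured; matching lines:")
        for line in vulnerable_ntp_lines(SAMPLE_SHOW_RUN_NTP):
            print("  " + line)
        print("\n".join(build_block_ntp_acl(known_ntp_peers(SAMPLE_SHOW_RUN_NTP))))
        print("\n".join(build_hold_queue_config("GigabitEthernet0/0/1")))
    else:
        print("No vulnerable NTP configuration found")
```

Run it against the real "show running-config | include ntp" output from each device; a device with only "ntp authenticate" or "ntp source" lines is reported as not configured for NTP, while any server, peer, master, broadcast client or multicast client line flags it. Because the ACL is built only from IPv4 literals, check the output against the device's actual NTP peers before applying it inbound on an interface.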