Network Time Protocol (NTP) is used to synchronize time on multiple devices. A vulnerability has been discovered in the NTP daemon query processing functionality. This vulnerability has been publicly announced. The following products are identified as affected by this vulnerability: All releases of Cisco IOS software Media Gateway Controller (MGC) and related products BTS 10200 Cisco IP Manager Other Cisco software applications may run on Solaris platforms and where those products have not specifically been identified, customers should install security patches regularly in accordance with their normal maintenance procedures. Cisco is continuing to research this issue in other products that may be affected. Unless explicitly stated otherwise, all other products are considered to be unaffected. There are workarounds available to mitigate the effects. This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020508-ntp-vulnerability.
Network Time Protocol (NTP) is used to synchronize time on multiple devices. A vulnerability has been discovered in the NTP daemon query processing functionality. This vulnerability has been publicly announced.
The following products are identified as affected by this vulnerability:
Other Cisco software applications may run on Solaris platforms and where those products have not specifically been identified, customers should install security patches regularly in accordance with their normal maintenance procedures.
Cisco is continuing to research this issue in other products that may be affected. Unless explicitly stated otherwise, all other products are considered to be unaffected.
There are workarounds available to mitigate the effects.
This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020508-ntp-vulnerability.
This section provides details on affected products.
The following products are affected:
Other Cisco software applications may run on Solaris platforms and where those products have not specifically been identified, customers should install security patches regularly in accordance with their normal maintenance procedures.
The following products are not affected:
Cisco is continuing to research this issue in other products that may be affected. Unless explicitly stated otherwise, all other products are considered to be not affected.
By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon. This vulnerability can be exploited remotely. The successful exploitation may cause arbitrary code to be executed on the target machine. Such exploitation, if it is possible at all, would require significant engineering skill and a thorough knowledge of the internal operation of Cisco IOS software or SUN Solaris operating system.
The vulnerability is present regardless of the role played by the device. The device may be an NTP server or client and it will still be vulnerable.
For IOS, this vulnerability is documented as Cisco Bug ID CSCdt93866 and CSCdw35704.
The main repository of NTP software and all other information regarding NTP, can be found at http://www.ntp.org/ .
Workarounds are described in this section.
There are methods available to mitigate the exposure. You can combine these methods or use them individually.
The configuration above allows any peer to send an NTP request. If required, it is possible to limit allowed clients. In that case, ACL 20 can be modified to include only legitimate clients as in the following examplentp access-group serve-only 20 access-list 20 permit any
If you are acting as a client only, then you can use the following configuration:ntp access-group serve-only 20 access-list 20 permitaccess-list 20 permit
The configuration above allows this device to be synchronized by either of the servers. Note that this will not prevent control packets from being executed, therefore you will only limit your exposure. However, only control packets sent by the servers will be processed.ntp serverntp server ntp access-group peer 10 access-list 10 permit host access-list 10 permit host
The configuration above allows the router to respond to any NTP request and it will allow it to be synchronized by the given servers. Note that this will not prevent control packets from being executed, therefore you will only limit your exposure. However, only control packets sent by the servers will be processed.ntp serverntp server ntp access-group peer 10 ntp access-group serve-only 20 access-list 10 permit host access-list 10 permit host access-list 20 permit access-list 20 permit
In the above example,access-list 10 permitaccess-list 10 permit access-list 10 deny any ! ntp access-group peer 10
If you do not have an existing ACL, the following ACL can be used on the network boundry to deny only ntp and permit the rest of the IP trafficaccess-list 101 deny udp any any eq ntp
access-list 101 deny udp any any eq ntp access-list 101 permit ip any any
For more detailed information regarding individual commands and additional examples, please refer to the following documentation:
MGC and Related Products
Cisco IP Manager
BTS 10200
Although the workaround was posted on the Bugtraq list we recommend installing the patch provided.
The users must follow the installation instructions that are part of the patch.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
MGC and related products are running on three different Solaris versions.
Cisco IP Manager
BTS 10200
The customers should install the latest Recommended Solaris Patch Cluster available from http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access.
Each row of the following table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).
When selecting a release, keep the following definitions in mind:
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown in the Obtaining Fixed Software section.
More information on IOS release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html.
Train |
Image or Platform Description |
Availability of Fixed Releases* |
||
---|---|---|---|---|
11.0-based Releases and Earlier |
Rebuild |
Interim** |
Maintenance |
|
10.3 |
Multiple releases and platforms |
End of Engineering |
||
Upgrade recommended |
||||
11.0 |
Multiple releases and platforms |
End of Engineering |
||
Upgrade recommended to 12.0(23) |
||||
11.1 |
Major release for all platforms |
End of Engineering |
||
Upgrade recommended to 12.0(23) |
||||
11.1AA |
End of Engineering |
|||
Upgrade recommended to 12.1(16) |
||||
11.1CA |
End of Engineering |
|||
Upgrade recommended |
||||
11.1CC |
End of Engineering |
|||
Upgrade recommended |
||||
11.1CT |
End of Engineering |
|||
Upgrade recommended to 12.0ST |
||||
11.1IA |
End of Engineering |
|||
Upgrade recommended to 12.2(10) |
||||
11.2 |
Major release for all platforms |
End of Engineering |
||
Upgrade recommended to 12.0(23) |
||||
11.2BC |
End of Engineering |
|||
Upgrade recommended to 12.1(16) |
||||
11.2F |
End of Engineering |
|||
Upgrade recommended to 12.0(23) |
||||
11.2GS |
End of Engineering |
|||
Upgrade recommended to 12.0(23) |
||||
11.2P |
End of Engineering |
|||
Upgrade recommended to 12.0(23) |
||||
11.2SA |
End of Engineering |
|||
Upgrade recommended to 12.0W |
||||
11.2WA4 |
End of Engineering |
|||
Upgrade recommended to 12.0W |
||||
11.2XA |
End of Engineering |
|||
Upgrade recommended to 12.0(23) |
||||
11.3-based Releases |
Rebuild |
Interim** |
Maintenance |
|
11.3 |
Major release for all platforms |
End of Engineering |
||
Upgrade recommended to 12.0(23) |
||||
11.3AA |
ED for dial platforms and access servers: 5800, 5200, 5300, 7200 |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
11.3DA |
Early deployment train for ISP DSLAM 6200 platform |
End of Engineering |
||
Upgrade recommended to 12.3 |
||||
11.3DB |
Early deployment train for ISP/Telco/PTT xDSL broadband concentrator platform, (NRP) for 6400 |
End of Engineering |
||
Upgrade recommended to 12.2B |
||||
11.3HA |
Short-lived ED release for ISR 3300 (SONET/SDH router) |
End of Engineering |
||
Upgrade recommended to 12.0(23) |
||||
11.3MA |
MC3810 functionality only |
End of Engineering |
||
Upgrade recommended to 12.1(16) |
||||
11.3NA |
Voice over IP, media convergence, various platforms |
End of Engineering (16) |
||
Upgrade recommended to 12.1 |
||||
11.3T |
Early deployment major release, feature-rich for early adopters |
End of Engineering |
||
Upgrade recommended to 12.0(23) |
||||
11.3XA |
Introduction of uBR7246 and 2600 |
End of Engineering |
||
Upgrade recommended to 12.0(23) |
||||
11.3WA4 |
LightStream 1010 |
End of Engineering |
||
Upgrade recommended to 12.0WA |
||||
12.0-based Releases |
Rebuild |
Interim** |
Maintenance |
|
12.0 |
General Deployment release for all platforms |
12.0(22.4) |
12.0(23) |
|
12.0DA |
xDSL support: 6100, 6200 |
Not Scheduled |
||
Upgrade recommended to 12.2T |
||||
12.0DB |
Early Deployment (ED) release, which delivers support for the Cisco 6400 Universal Access Concentrator (UAC) for Node Switch Processor (NSP). |
Not Scheduled |
||
Upgrade recommended to 12.2B |
||||
12.0DC |
Early Deployment (ED) release, which delivers support for the Cisco 6400 Universal Access Concentrator (UAC) for Node Switch Processor (NSP). |
Not Scheduled |
||
Upgrade recommended to 12.2B |
||||
12.0S |
Core/ISP support: GSR, RSP, c7200 |
12.0(16)S9, 12.0(21)S3 |
12.0(21.4)S, 12.0(22.3)S1 |
12.0(22)S |
12.0SC |
Cable/broadband ISP: uBR7200 |
Not Scheduled |
||
Upgrade recommended to 12.1(13)EC1 |
||||
12.0SL |
10000 ESR: c10k |
Not Scheduled |
||
Upgrade recommended to 12.0(23)S3 |
||||
12.0SP |
Early deployment release |
12.0(21)SP1 |
||
12.0ST |
Cisco IOS software Release 12.OST is an early deployment (ED) release for the Cisco 7200, 7500/7000RSP and 12000 (GSR) series routers for Service Providers (ISPs). |
12.0(21)ST3 |
||
12.0SY |
Early deployment release |
12.0(21.4)SY |
12.0(22)SY |
|
12.0T |
Early Deployment(ED): VPN, Distributed Director, various platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0W |
Catalyst switches: cat8510c, cat8540c, c6msm, ls1010, cat8510m, cat8540m |
12.0(24)W5(26) |
||
12.0W |
Catalyst switches: cat2948g, cat4232 |
12.0(25)W5(27) |
||
12.0W |
Catalyst switches: cat5000ATM |
12.0(24)W5(26a) |
||
12.0WC |
12.0(5)WC5a |
|||
12.0WT |
cat4840g |
Not Scheduled |
||
Upgrade to be determined |
||||
12.0XA |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XB |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XC |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XD |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XE |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(8b)E14 |
||||
12.0XF |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XG |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XH |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XI |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XJ |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0(5)XK |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0(7)XK |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.0XL |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XM |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.0XN |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XP |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.0(5)WC5a |
||||
12.0XQ |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.1(16) |
||||
12.0XR |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.0XS |
Early Deployment (ED): limited platforms |
End of Engineering |
||
Upgrade recommended to 12.1(8b)E14 |
||||
12.0XU |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.0(05)WC05a |
||||
12.0XV |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1-based Releases |
Rebuild |
Interim** |
Maintenance |
|
12.1 |
General deployment release for all platforms |
12.1(15.3) |
12.1(16) |
|
12.1AA |
Dial support |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1DA |
xDSL support: 6100, 6200 |
Not Scheduled |
||
Upgrade recommended to 12.2T |
||||
12.1DB |
Cisco IOS Software Release 12.1(1)DB supports the Cisco 6400 Universal Access Concentrator |
12.2(15)B |
||
12.1DC |
Cisco IOS Software Release 12.1(1)DC supports the Cisco 6400 Universal Access Concentrator |
12.2(15)B |
||
12.1E |
Enterprise |
12.1(8b)E14, 12.1(12c)E1 |
12.1(12.5)E, 12.1(18.1)E |
12.1(19)E |
12.1EA |
Catalyst 3550 |
12.1(11)EA1 |
||
12.1EC |
12.1EC is being offered to allow early support of new features on the uBR7200 platform, as well as future support for new Universal Broadband Router headend platforms. |
12.1(12.5)EC |
12.1(13)EC1 |
|
12.1EV |
Early Deployment Release |
12.1(10)EV1b |
12.1(10)EV4 |
|
12.1EW |
Early deployment for the Cisco 4000 series |
12.1(12c)EW |
||
12.1(1)EX |
Catalyst 6000 support |
12.1(8b)E14 |
||
12.1(10)EX |
Early deployment for the Cisco 7300 series |
12.1(13)EX |
||
12.1EY |
Cat8510c, Cat8510m, Cat8540c, Cat8540m, LS1010 |
Not Scheduled |
||
Upgrade recommended to 12.1(19)E |
||||
12.1EZ |
Early Deployment (ED): special image |
12.1(6)EZ8 |
||
12.1T |
Early Deployment(ED): VPN, Distributed Director, various platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XA |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XB |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XC |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XD |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XF |
Early Deployment (ED): 811 and 813 (c800 images) |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XG |
Early Deployment (ED): 800, 805, 820, and 1600 |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.1XH |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XI |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XJ |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended |
||||
12.1XK |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended |
||||
12.1XL |
Early Deployment (ED): limited platforms |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XM |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.1XP |
Early Deployment (ED): 1700 and SOHO |
Not Scheduled |
||
Upgrade recommended |
||||
12.1XQ |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(10) |
||||
12.1XR |
Short-lived early deployment release |
End of Engineering |
||
Migrate recommended to 12.2(8)T |
||||
12.1XS |
Short-lived early deployment release |
Not Scheduled |
||
Update recommended |
||||
12.1XT |
Early Deployment (ED): 1700 series |
Not Scheduled |
||
Upgrade recommended |
||||
12.1XU |
Early Deployment (ED): limited platforms |
End of Engineering |
||
Upgrade recommended |
||||
12.1XV |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.1XW |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.3 |
||||
12.1XX |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended |
||||
12.1XY |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended |
||||
12.1XZ |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended |
||||
12.1YA |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended |
||||
12.1YB |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended |
||||
12.1YC |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.1YD |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.1YF |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.3 |
||||
12.2-based Releases |
Rebuild |
Interim** |
Maintenance |
|
12.2 |
General deployment release for all platforms |
12.2(6g) |
12.2(7.4) |
12.2(10) |
12.2B |
Special train for 6400, 7200, 7400, ubr10k, ubr7200 series |
12.2(7.6)B |
12.2(15)B |
|
12.2BX |
Broadband Leased Line |
12.2(15)BX |
||
12.2BW |
Early deployment release for 7200, 7400 and 7511 platforms |
12.2(15)BW |
||
12.2DA |
xDSL support for 6100 and 6200 platforms |
12.2(9.4)DA |
12.2(10)DA |
|
12.2S |
Core ISP Support |
12.2(7.4)S |
12.2(14)S |
|
12.2T |
Technology Train |
12.2(7.4)T |
12.2(8)T |
|
12.2XA |
SPLOB |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.2XB |
Short-lived early deployment release |
12.2(2)XB7 |
||
12.2XD |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.2XE |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.2XH |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(8)T |
||||
12.2XQ |
Short-lived early deployment release |
Not Scheduled |
||
Upgrade recommended to 12.2(11)T |
||||
12.2XZ |
Short-lived early deployment release |
12.2(4)XZ5 |
||
12.2YA |
Short Lived Release |
12.2(4)YA3 |
||
12.2YC |
Short Lived Release |
12.2(2)YC4 |
||
12.2ZN |
Short Lived Release |
12.2(15)ZN |
||
12.3 and 12.3T images are not affected |
||||
Notes |
||||
* All dates are estimates and subject to change. ** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs. |
This vulnerability was discovered by Przemyslaw Frasunek and it has been posted on the Bugtraq list on 2001-April-04. The full text of the mail can be seen at: http://www.securityfocus.com/archive/1/174011. This vulnerability is also described in CERT/CC vulnerability note VU#970472 available at http://www.kb.cert.org/vuls/id/970472 .
Our initial response has been sent to Bugtraq on 2001-April-12 and can be seen at http://www.securityfocus.com/archive/1/176137.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 2.1 |
2003-Oct-02 |
Updated and added IOS release information in "Software Versions and Fixes" section. |
Revision 2.0 |
2003-Sept-22 |
New bug has been added. Fixed IOS releases are updated. Patch for Solaris 8 is added. |
Revision 1.5 |
2002-May-16 |
The syntax of an access-list in the Workarounds section was corrected. |
Revision 1.4 |
2002-May-15 |
Removed "Use NTP with authentication" workaround. |
Revision 1.3 |
2002-May-13 |
Updated Details section and added a URL to CERT/CC vulnerability note VU#970472 in Exploitation and Public Announcements. |
Revision 1.2 |
2002-May-10 |
Updated products not affected to include Cisco Secure PIX Firewall. Also, updated the first workaround technique for Cisco IOS, which is preventing IOS from processing NTP queries. |
Revision 1.1 |
2002-May-09 |
Added Products Not Affected. |
Revision 1.0 |
2002-May-08 |
Initial public release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.