Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products

Summary

• Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to bypass authentication controls or to create a denial of service (DoS) condition.
  
  On April 7, 2015, NTP.org and US-CERT released a security advisory dealing with two issues regarding bypass of authentication controls. These vulnerabilities are referenced in this document as follows:
  

  • CVE-2015-1798: NTP Authentication bypass vulnerability
  • CVE-2015-1799: NTP Authentication doesn't protect symmetric associations against DoS attacks

  Cisco has released software updates that address these vulnerabilities.
  
  Workarounds that mitigate these vulnerabilities are available.
  
  This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd

Affected Products

• Vulnerable Products

  Products and services listed in the following table are affected by one or both of the vulnerabilities described in CVE-2015-1798 or CVE-2015-1799.
  
  

  Product	Defect	Fixed releases availability
  Network Application, Service, and Acceleration
  Cisco Application Control Engine (ACE30/ ACE 4710)	CSCut83796
  Cisco Wide Area Application Services (WAAS)	CSCut77531	5.3.5d (31-May-2015)
  Network and Content Security Devices
  Cisco ASA CX and Cisco Prime Security Manager	CSCut77532	A patch file will be available for affected releases (Aug 2015)
  Cisco Clean Access Manager	CSCut77524	Pending CentOS fix
  Cisco Identity Services Engine (ISE)	CSCut77541	Pending RHEL fix
  Cisco Intrusion Prevention System Solutions (IPS)	CSCut77568	7.3.4 (Available July 2015) 7.1.11 (31-Oct-2015)
  Cisco NAC Appliance (Clean Access Server)	CSCut77525	Pending CentOS fix
  Cisco NAC Guest Server	CSCut77528	Pending CentOS fix
  Cisco Physical Access Control Gateway	CSCut77535	1.5.3 (15-May-2015)
  Cisco Secure Access Control Server (ACS)	CSCut77567	5.7 (30-May-2015)
  Cisco Virtual Security Gateway for Microsoft Hyper-V	CSCut77418	5.2(1)VSG2(1.3) (30-Apr-2015)
  Network Management and Provisioning
  Cisco Application Networking Manager	CSCut77402	Pending CentOS fix
  Cisco Prime Collaboration Assurance	CSCut77459	11.0 (6-Jul-2015)
  Cisco Prime Collaboration Provisioning	CSCut77458	11.0 (6-Jul-2015)
  Cisco UCS Central	CSCut77422	1.4.1 (30-Oct-2015)
  Cisco Virtual Topology System (formally Virtual Systems Operations Center)	CSCut77466	1.5 (April 2015) 2.0 (July 2015)
  Routing and Switching - Enterprise and Service Provider
  Cisco Application Policy Infrastructure Controller (APIC)	CSCut77409	1.1(1) (Available)
  Cisco IOS XR Software	CSCut77468	Pending
  Cisco IOS and Cisco IOS XE Software	CSCut77619	15.5(3)M (31-Jul-2015) XE3.16.0S-15.5(3)S (July 2015)
  Cisco MDS 9000 Series Multilayer Switches	CSCut77412	5.2(8g) (30-Jun-2015) 6.2(11c) (15-Jun-2015) 6.2(13) (15-Jul-2015)
  Cisco Nexus 1000V Series Switches	CSCut77414	5.2(1)SV3(2.1) (August 2015)
  Cisco Nexus 3000 Series Switches	CSCut77415	6.0(2)U7(1) 6.0(2)A7(1)
  Cisco Nexus 5000 Series Switches	CSCut77416	7.2 (31-May-2015)
  Cisco Nexus 6000 Series Switches	CSCut77417	7.2 (30-June-2015)
  Cisco Nexus 7000 Series Switches	CSCut77411	7.2 (31-May-2015)
  Cisco Nexus 9000 Series Switches	CSCut77413	7.0(3)I1(2) (30-Apr-2015)
  IOS-XR for Cisco Network Convergence System (NCS) 6000	CSCut77471	5.2.5
  Voice and Unified Communications Devices
  Cisco Management Heartbeat Server	CSCut77579	Upgrade instructions are available.
  Video, Streaming, TelePresence, and Transcoding Devices
  Cisco 910 Industrial Router	CSCut78846	1.2.1 (30-Apr-2014)
  Cisco Enterprise Content Delivery System (ECDS)	CSCut77479	2.6.4 (15-May-2015)
  Cisco Expressway Series	CSCut77506	X8.5.2 (8-May-2015)
  Cisco Show and Share	CSCut77493	5.6.1 (15-Aug-2015)
  Cisco TelePresence Conductor	CSCut77474	3.1 (June 2014)
  Cisco TelePresence Video Communication Server (VCS)	CSCut77506	X8.5.2 (8-May-2015)
  Cisco Video Surveillance Media Server	CSCut77540	7.7 (September 2015)
  Cisco Hosted Services
  Cisco Common Services Platform Collector	CSCut77370	1.6 (30-Jun-2015)

  
  

  Products Confirmed Not Vulnerable

  Products and services listed in the following table have been evaluated and are not affected by either of the vulnerabilities described in CVE-2015-1798 or CVE-2015-1799.
  
  Collaboration and Social Media
  

  • Cisco MeetingPlace
  • Cisco SocialMiner
  • Cisco WebEx Meetings Server versions 1.x
  • Cisco WebEx Meetings Server versions 2.x
  • Cisco WebEx Node for MCS

  
  Endpoint Clients and Client Software
  

  • Cisco Agent for OpenFlow
  • Cisco IP Communicator
  • Cisco Jabber Guest 10.0(2)
  • Cisco Jabber for Windows
  • Cisco NAC Agent for Mac
  • Cisco NAC Agent for Web
  • Cisco UC Integration for Microsoft Lync
  • Cisco Unified Personal Communicator
  • Cisco Virtualization Experience Media Engine
  • Cisco WebEx Meetings for Android
  • Cisco WebEx Meetings for Blackberry
  • Cisco WebEx Meetings for WP8
  • Cisco WebEx Productivity Tools
  • WebEx Recording Playback Client

  
  Network Application, Service, and Acceleration
  

  • Cisco Application Control Engine (ACE10 and ACE20)
  • Cisco Application and Content Networking System (ACNS)
  • Cisco Extensible Network Controller (XNC)
  • Cisco GSS 4492R Global Site Selector
  • Cisco Nexus Data Broker (NDB)
  • Cisco Smart Call Home Transport Gateway
  • Cisco Visual Quality Experience Server
  • Cisco Visual Quality Experience Tools Server
  • Content Services Switch

  
  Network and Content Security Devices
  

  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Adaptive Security Device Manager
  • Cisco Email Security Appliance (ESA)
  • Cisco FireSIGHT System Software
  • Cisco IronPort Encryption Appliance (IEA)
  • Cisco IronPort WSA
  • Cisco Physical Access Manager
  • Cisco Security Management Appliance (SMA)

  
  Network Management and Provisioning
  

  • Cisco Access Registrar Appliance
  • Cisco Connected Grid Device Manager
  • Cisco Connected Grid Network Management System
  • Cisco Insight Reporter
  • Cisco Linear Stream Manager
  • Cisco MATE Collector
  • Cisco MATE Design
  • Cisco MATE Live
  • Cisco Mobile Wireless Transport Manager
  • Cisco Multicast Manager
  • Cisco Netflow Collection Agent
  • Cisco Network Analysis Module
  • Cisco Network Collector
  • Cisco Network Configuration and Change Management Service
  • Cisco Prime Access Registrar Appliance
  • Cisco Prime Access Registrar
  • Cisco Prime Analytics
  • Cisco Prime Cable Provisioning
  • Cisco Prime Central for SPs
  • Cisco Prime Data Center Network Manager (.ova and .iso installers)
  • Cisco Prime Home
  • Cisco Prime IP Express
  • Cisco Prime Infrastructure Standalone Plug and Play Gateway
  • Cisco Prime Infrastructure
  • Cisco Prime LAN Management Solution (LMS - Solaris)
  • Cisco Prime License Manager
  • Cisco Prime Network Registrar (CPNR) IPAM
  • Cisco Prime Network Registrar (CPNR) virtual appliance
  • Cisco Prime Network Services Controller
  • Cisco Prime Optical for SPs
  • Cisco Prime Performance Manager for SPs
  • Cisco Prime Provisioning for SPs
  • Cisco Prime Service Catalog Virtual Appliance
  • Cisco Quantum Policy Suite (QPS)
  • Cisco SON Suite
  • Cisco Security Manager
  • Cisco TelePresence MPS Series
  • Cisco Unified Provisioning Manager (CUPM)
  • CiscoWorks Network Compliance Manager
  • Security Module for Cisco Network Registrar
  • Unified Communications Deployment Tools

  
  Routing and Switching - Enterprise and Service Provider
  

  • CRS-CGSE-PLIM
  • CRS-CGSE-PLUS
  • Cisco ASR 9000 Series Integrated Service Module
  • Cisco Broadband Access Center Telco Wireless
  • Cisco Connected Grid Router
  • Cisco Metro Ethernet 1200 Series Access Devices
  • Cisco Nexus 4000 Series
  • Cisco ONS 15454 Series Multiservice Provisioning Platforms
  • Cisco OnePK All-in-One VM
  • Cisco Service Control Application for Broadband
  • Cisco Service Control Collection Manager
  • Cisco Service Control Operating System
  • Cisco Service Control Subscriber Manager
  • Cisco VPN Acceleration Engine

  
  Routing and Switching - Small Business
  

  • Cisco RV180W Wireless-N Multifunction VPN Router
  • Cisco Small Business RV 120W Wireless-N VPN Firewall
  • Cisco Small Business RV Series Routers 0xxv3
  • Cisco Small Business RV Series Routers RV110W
  • Cisco Small Business RV Series Routers RV130x
  • Cisco Small Business RV Series Routers RV215W
  • Cisco Small Business RV Series Routers RV220W
  • Cisco Small Business RV Series Routers RV315W
  • Cisco Small Business RV Series Routers RV320
  • Cisco Sx220 switches
  • Cisco Sx300 switches
  • Cisco Sx500 switches

  
  Unified Computing
  

  • Cisco Standalone rack server CIMC
  • Cisco UCS Director
  • Cisco UCS Invicta Series
  • Cisco UCS Manager
  • Cisco Unified Computing System B-Series (Blade) Servers
  • Cisco Unified Computing System E-Series Blade Server
  • UCS IO Modules

  
  Voice and Unified Communications Devices
  

  • Cisco 190 ATA Series Analog Terminal Adaptor
  • Cisco 7937 IP Phone
  • Cisco 8800 Series IP Phones - VPN Feature
  • Cisco ATA 187 Analog Telephone Adaptor
  • Cisco Agent Desktop
  • Cisco Broadband Access Center for Cable Tools Suite 4.1
  • Cisco Broadband Access Center for Cable Tools Suite 4.2
  • Cisco Computer Telephony Integration Object Server (CTIOS)
  • Cisco DX Series IP Phones
  • Cisco Desktop Collaboration Experience DX70 and DX80
  • Cisco Emergency Responder
  • Cisco Finesse
  • Cisco Hosted Collaboration Mediation Fulfillment
  • Cisco IM and Presence Service (CUPS)
  • Cisco IP Interoperability and Collaboration System (IPICS)
  • Cisco MS200X Ethernet Access Switch
  • Cisco MediaSense
  • Cisco Packaged Contact Center Enterprise
  • Cisco Paging Server (Informacast)
  • Cisco Paging Server
  • Cisco Prime Cable Provisioning Tools Suite 5.0
  • Cisco Prime Cable Provisioning Tools Suite 5.1
  • Cisco Remote Silent Monitoring
  • Cisco SPA112 2-Port Phone Adapter
  • Cisco SPA122 ATA with Router
  • Cisco SPA232D Multi-Line DECT ATA
  • Cisco SPA30X Series IP Phones
  • Cisco SPA50X Series IP Phones
  • Cisco SPA51X Series IP Phones
  • Cisco SPA525G
  • Cisco SPA8000 8-port IP Telephony Gateway
  • Cisco SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
  • Cisco StarOS Software
  • Cisco TAPI Service Provider (TSP)
  • Cisco Unified 3900 series IP Phones
  • Cisco Unified 6900 series IP Phones
  • Cisco Unified 6911 IP Phones
  • Cisco Unified 6945 IP Phones
  • Cisco Unified 7800 Series IP Phones
  • Cisco Unified 8831 series IP Conference Phone
  • Cisco Unified 8961 IP Phone
  • Cisco Unified 9951 IP Phone
  • Cisco Unified 9971 IP Phone
  • Cisco Unified Attendant Console Advanced
  • Cisco Unified Attendant Console Business Edition
  • Cisco Unified Attendant Console Department Edition
  • Cisco Unified Attendant Console Enterprise Edition
  • Cisco Unified Attendant Console Premium Edition
  • Cisco Unified Attendant Console Standard
  • Cisco Unified Client Services Framework
  • Cisco Unified Communications Domain Manager
  • Cisco Unified Communications Manager (UCM)
  • Cisco Unified Communications Manager Session Management Edition (SME)
  • Cisco Unified Communications Sizing Tool
  • Cisco Unified Contact Center Enterprise
  • Cisco Unified Contact Center Express
  • Cisco Unified E-Mail Interaction Manager
  • Cisco Unified IP Conference Phone 8831 for Third-Party Call Control
  • Cisco Unified IP Phone 7900 Series
  • Cisco Unified IP Phone 8941 and 8945 (SIP)
  • Cisco Unified Integration for IBM Sametime
  • Cisco Unified Intelligence Center (CUIC)
  • Cisco Unified Intelligent Contact Management Enterprise
  • Cisco Unified Operations Manager (CUOM)
  • Cisco Unified Service Monitor
  • Cisco Unified Service Statistics Manager
  • Cisco Unified Sip Proxy
  • Cisco Unified Web Interaction Manager
  • Cisco Unified Wireless IP Phone
  • Cisco Unified Workforce Optimization
  • Cisco Unity Connection (UC)
  • Cisco Unity Express
  • xony VIM/CCDM/CCMP

  
  Video, Streaming, TelePresence, and Transcoding Devices
  

  • Cisco AnyRes Live (CAL)
  • Cisco AnyRes VOD (CAL)
  • Cisco AutoBackup Server
  • Cisco CDS Internet Streaming
  • Cisco Command 2000 Server (cmd2k) (RH Based)
  • Cisco Common Download Server (CDLS)
  • Cisco D9034-S Encoder
  • Cisco D9036 Modular Encoding Platform
  • Cisco D9054 HDTV Encoder
  • Cisco D9804 Multiple Transport Receiver
  • Cisco D9824 Advanced Multi Decryption Receiver
  • Cisco D9854/D9854-I Advanced Program Receiver
  • Cisco D9858 Advanced Receiver Transcoder
  • Cisco D9859 Advanced Receiver Transcoder
  • Cisco D9865 Satellite Receiver
  • Cisco DCM Series 9900-Digital Content Manager
  • Cisco DNCS Application Server (AppServer)
  • Cisco Digital Media Manager
  • Cisco Digital Media Players
  • Cisco Digital Network Control System (DNCS)
  • Cisco Digital Transport Adapter Control System (DTACS)
  • Cisco Download Server (DLS) (RH Based)
  • Cisco Download Server (DLS) (Solaris)
  • Cisco Edge 300 Digital Media Player
  • Cisco Edge 340 Digital Media Player
  • Cisco IPTV Service Delivery System (ISDS)
  • Cisco International Digital Network Control System (iDNCS)
  • Cisco Media Experience Engines (MXE)
  • Cisco Media Services Interface
  • Cisco Model D9485 DAVIC QPSK
  • Cisco PowerVu Network Center
  • Cisco PowerKEY CAS Gateway (PCG)
  • Cisco PowerKEY Encryption Server (PKES)
  • Cisco Remote Conditional Access System (RCAS)
  • Cisco Remote Network Control System (RNCS)
  • Cisco TelePresence 1310
  • Cisco TelePresence Advanced Media Gateway Series
  • Cisco TelePresence Content Server (TCS)
  • Cisco TelePresence EX Series
  • Cisco TelePresence Exchange System (CTX)
  • Cisco TelePresence IP Gateway Series
  • Cisco TelePresence IP VCR Series
  • Cisco TelePresence ISDN GW 3241
  • Cisco TelePresence ISDN GW MSE 8321
  • Cisco TelePresence ISDN Link
  • Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300)
  • Cisco TelePresence MX Series
  • Cisco TelePresence MXP Software
  • Cisco TelePresence Management Suite (TMS)
  • Cisco TelePresence Management Suite Analytics Extension (TMSAE)
  • Cisco TelePresence Management Suite Extension (TMSXE)
  • Cisco TelePresence Management Suite Extension for IBM
  • Cisco TelePresence Management Suite Provisioning Extension
  • Cisco TelePresence Multipoint Switch (CTMS)
  • Cisco TelePresence Profile Series
  • Cisco TelePresence SX Series
  • Cisco TelePresence Serial Gateway Series
  • Cisco TelePresence Server 8710, 7010
  • Cisco TelePresence Server on Multiparty Media 310, 320
  • Cisco TelePresence Server on Virtual Machine
  • Cisco TelePresence Supervisor MSE 8050
  • Cisco TelePresence System 1000
  • Cisco TelePresence System 1100
  • Cisco TelePresence System 1300
  • Cisco TelePresence System 3000 Series
  • Cisco TelePresence System 500-32
  • Cisco TelePresence System 500-37
  • Cisco TelePresence TE Software (for E20 - EoL)
  • Cisco TelePresence TX 9000 Series
  • Cisco Telepresence Integrator C Series
  • Cisco Transaction Encryption Device (TED)
  • Cisco VDS Service Broker
  • Cisco VEN401 Wireless Access Point Product
  • Cisco VEN501 Wireless Access Point
  • Cisco Video Delivery System Recorder
  • Cisco Video Surveillance 3000 Series IP Cameras
  • Cisco Video Surveillance 4000 Series High-Definition IP Cameras
  • Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras
  • Cisco Video Surveillance 6000 Series IP Cameras
  • Cisco Video Surveillance 7000 Series IP Cameras
  • Cisco Video Surveillance PTZ IP Cameras
  • Cisco Videoscape Back Office (VBO)
  • Cisco Videoscape Conductor
  • Cisco Videoscape Control Suite
  • Cisco Videoscape Distribution Suite Transparent Caching
  • Cisco Virtual PGW 2200 Softswitch
  • Cloud Object Store (COS)
  • Digital Media Player(DMP) 4310
  • Digital Media Player(DMP) 4400
  • Explorer Controller (EC) system
  • Tandberg Codian ISDN GW 3210/3220/3240
  • Tandberg Codian MSE 8320 model

  
  Wireless
  

  • Cisco 3G Femtocell Wireless
  • Cisco IOS Access Points
  • Cisco Mobility Services Engine (MSE)
  • Cisco RF Gateway 1 (RFGW-1)
  • Cisco Small Business 121 Series Wireless Access Points
  • Cisco Small Business 321 Series Wireless Access Points
  • Cisco Small Business 500 Series Wireless Access Points
  • Cisco WAP371 wireless access point
  • Cisco Wireless LAN Controller (WLC)

  
  Cisco Hosted Services
  

  • Cisco Cloud Email Security
  • Cisco Cloud Web Security
  • Cisco Intelligent Automation for Cloud
  • Cisco Registered Envelope Service (CRES)
  • Cisco Unified Services Delivery Platform (CUSDP)
  • Cisco Universal Small Cell (USC) CloudBase
  • Cisco Universal Small Cell 5000 Series running V3.4.2.x software
  • Cisco Universal Small Cell 7000 Series running V3.4.2.x software
  • Cisco Universal Small Cell CloudBase
  • Cisco WebEx WebOffice & Workspace
  • Cisco WebEx11 Application Server
  • Cisco Webex Meeting Center

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• On April 7, 2015, NTP.org and US-CERT released a security advisory dealing with two issues regarding bypass of authentication controls.
  
  The impact of these vulnerabilities on Cisco products may vary depending on the affected product.
  
  For Cisco products, refer to the information provided in the Cisco bug IDs listed in the "Affected Products" section of this document.
  
  Additional information and detailed instructions are available in the Cisco installation, configuration, and maintenance guides for each product. If additional clarification or advice is needed, please contact your support organization.
  
  The vulnerability names and associated Common Vulnerabilities and Exposures (CVE) IDs are as follows:
  
  CVE-2015-1798: NTP Authentication bypass vulnerability
  
  A vulnerability in the message authentication code (MAC) validation routine of ntpd could allow an unauthenticated, remote attacker to bypass the NTP authentication feature.
  
  The vulnerability is due to incorrect validation of the MAC field. An attacker could exploit this vulnerability by sending unauthenticated NTP packets to an NTP host that is configured with symmetric key authentication. An exploit could allow the attacker to inject NTP packets to the NTP host without knowledge of the NTP symmetric key.
  
  CVE-2015-1799: NTP Authentication doesn't protect symmetric associations against DoS attacks
  
  A vulnerability in the authentication code of ntpd could allow an unauthenticated, remote attacker to inject NTP state variables without knowledge of the NTP keys.
  
  The vulnerability is due to invalid processing of the NTP packets when authentication fails. An attacker could exploit this vulnerability by periodically sending NTP packets with set NTP state variables. A successful exploit could allow the attacker to disrupt communication between NTP hosts, preventing synchronization.
  

Workarounds

• Limiting access to NTP hosts to only trusted sources will reduce the risk of exploitation. An attacker could exploit these vulnerabilities using spoofed packets.
  
  Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:
  http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=36857

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  For Cisco products software versions and fixes, refer to the information provided in the Cisco bug IDs listed in the "Affected Products" section of this document.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
  
  These vulnerabilities were reported to Cisco by US-CERT/CC.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd

Revision History

• Version	Description	Section	Status	Date
  1.11	Corrected bug IDs for Cisco Nexus 7000 and Cisco MDS.	Affected Products	Final	2015-December-07
  1.10	Removed SMU for N6K and updated IOS XR availability.			2015-September-09
  1.9	Updated Fixed releases availability column.			2015-May-28
  1.8	Updated Fixed releases availability column.			2015-May-14
  1.7	Finalized Affected Products section.			2015-May-06
  1.6	Moved Cisco WebEx Meetings Server versions 1.x and 2.x from vulnerable to not affected. Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-30
  1.5	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-24
  1.4	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-23
  1.3	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-15
  1.2	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-13
  1.1	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-09
  1.0	Initial public release.			2015-April-08

  Show Complete History...