Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to bypass authentication controls or to create a denial of service (DoS) condition.

On April 7, 2015, NTP.org and US-CERT released a security advisory dealing with two issues regarding bypass of authentication controls. These vulnerabilities are referenced in this document as follows:

- CVE-2015-1798: NTP Authentication bypass vulnerability
- CVE-2015-1799: NTP Authentication doesn't protect symmetric associations against DoS attacks

Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd
Product | Defect | Fixed releases availability |
---|---|---|
Network Application, Service, and Acceleration | ||
Cisco Application Control Engine (ACE30/ ACE 4710) | CSCut83796 | |
Cisco Wide Area Application Services (WAAS) | CSCut77531 | 5.3.5d (31-May-2015) |
Network and Content Security Devices | ||
Cisco ASA CX and Cisco Prime Security Manager | CSCut77532 | A patch file will be available for affected releases (Aug 2015) |
Cisco Clean Access Manager | CSCut77524 | Pending CentOS fix |
Cisco Identity Services Engine (ISE) | CSCut77541 | Pending RHEL fix |
Cisco Intrusion Prevention System Solutions (IPS) | CSCut77568 | 7.3.4 (Available July 2015); 7.1.11 (31-Oct-2015) |
Cisco NAC Appliance (Clean Access Server) | CSCut77525 | Pending CentOS fix |
Cisco NAC Guest Server | CSCut77528 | Pending CentOS fix |
Cisco Physical Access Control Gateway | CSCut77535 | 1.5.3 (15-May-2015) |
Cisco Secure Access Control Server (ACS) | CSCut77567 | 5.7 (30-May-2015) |
Cisco Virtual Security Gateway for Microsoft Hyper-V | CSCut77418 | 5.2(1)VSG2(1.3) (30-Apr-2015) |
Network Management and Provisioning | ||
Cisco Application Networking Manager | CSCut77402 | Pending CentOS fix |
Cisco Prime Collaboration Assurance | CSCut77459 | 11.0 (6-Jul-2015) |
Cisco Prime Collaboration Provisioning | CSCut77458 | 11.0 (6-Jul-2015) |
Cisco UCS Central | CSCut77422 | 1.4.1 (30-Oct-2015) |
Cisco Virtual Topology System (formerly Virtual Systems Operations Center) | CSCut77466 | 1.5 (April 2015); 2.0 (July 2015) |
Routing and Switching - Enterprise and Service Provider | ||
Cisco Application Policy Infrastructure Controller (APIC) | CSCut77409 | 1.1(1) (Available) |
Cisco IOS XR Software | CSCut77468 | Pending |
Cisco IOS and Cisco IOS XE Software | CSCut77619 | 15.5(3)M (31-Jul-2015); XE3.16.0S-15.5(3)S (July 2015) |
Cisco MDS 9000 Series Multilayer Switches | CSCut77412 | 5.2(8g) (30-Jun-2015); 6.2(11c) (15-Jun-2015); 6.2(13) (15-Jul-2015) |
Cisco Nexus 1000V Series Switches | CSCut77414 | 5.2(1)SV3(2.1) (August 2015) |
Cisco Nexus 3000 Series Switches | CSCut77415 | 6.0(2)U7(1); 6.0(2)A7(1) |
Cisco Nexus 5000 Series Switches | CSCut77416 | 7.2 (31-May-2015) |
Cisco Nexus 6000 Series Switches | CSCut77417 | 7.2 (30-June-2015) |
Cisco Nexus 7000 Series Switches | CSCut77411 | 7.2 (31-May-2015) |
Cisco Nexus 9000 Series Switches | CSCut77413 | 7.0(3)I1(2) (30-Apr-2015) |
IOS-XR for Cisco Network Convergence System (NCS) 6000 | CSCut77471 | 5.2.5 |
Voice and Unified Communications Devices | ||
Cisco Management Heartbeat Server | CSCut77579 | Upgrade instructions are available. |
Video, Streaming, TelePresence, and Transcoding Devices | ||
Cisco 910 Industrial Router | CSCut78846 | 1.2.1 (30-Apr-2014) |
Cisco Enterprise Content Delivery System (ECDS) | CSCut77479 | 2.6.4 (15-May-2015) |
Cisco Expressway Series | CSCut77506 | X8.5.2 (8-May-2015) |
Cisco Show and Share | CSCut77493 | 5.6.1 (15-Aug-2015) |
Cisco TelePresence Conductor | CSCut77474 | 3.1 (June 2014) |
Cisco TelePresence Video Communication Server (VCS) | CSCut77506 | X8.5.2 (8-May-2015) |
Cisco Video Surveillance Media Server | CSCut77540 | 7.7 (September 2015) |
Cisco Hosted Services | ||
Cisco Common Services Platform Collector | CSCut77370 | 1.6 (30-Jun-2015) |
Limiting access to NTP hosts to only trusted sources will reduce the risk of exploitation. An attacker could exploit these vulnerabilities using spoofed packets.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=36857
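As an added example (not part of this advisory and not the Cisco Applied Mitigation Bulletin it links to), the script below audits an IOS-style running-config for the workaround described above: whether NTP associations are restricted to trusted sources with `ntp access-group`. It also checks, as additional hardening that is an assumption beyond the advisory's text, that each `ntp server`/`ntp peer` association uses an authentication key that is both defined and trusted. The two sample configs, the ACL name `NTP-TRUSTED` and the key placeholder are constructed; the `ntp access-group`, `ntp authenticate`, `ntp authentication-key` and `ntp trusted-key` commands are standard IOS NTP commands.

```python
"""Audit an IOS-style running-config for NTP source restrictions.

Added example, not code from the Cisco advisory. The sample configs below are
constructed (RFC 5737 documentation addresses, placeholder key material).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed: NTP associations with no source restriction and no keys.
OPEN_CONFIG = """\
hostname edge-rtr1
!
ntp server 192.0.2.10
ntp server 192.0.2.11 prefer
ntp peer 198.51.100.5
"""

# Constructed: same associations, limited to an ACL of trusted sources and keyed.
# Using the 'peer' access-group type for the upstream sources is an assumption
# about the deployment; the ACL name and key value are placeholders.
HARDENED_CONFIG = """\
hostname edge-rtr1
!
ip access-list standard NTP-TRUSTED
 permit 192.0.2.10
 permit 192.0.2.11
 permit 198.51.100.5
!
ntp authentication-key 1 md5 EXAMPLE-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp access-group peer NTP-TRUSTED
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 1 prefer
ntp peer 198.51.100.5 key 1
"""


@dataclass
class NtpConfig:
    ntp_lines: int = 0
    associations: List[Tuple[str, str, Optional[int]]] = field(default_factory=list)
    authenticate: bool = False
    defined_keys: Set[int] = field(default_factory=set)
    trusted_keys: Set[int] = field(default_factory=set)
    access_groups: Dict[str, str] = field(default_factory=dict)  # type -> ACL name


def parse_ntp_config(text: str) -> NtpConfig:
    """Collect the global 'ntp ...' commands from a running-config."""
    cfg = NtpConfig()
    for raw in text.splitlines():
        tok = raw.strip().split()
        if len(tok) < 2 or tok[0] != "ntp":
            continue
        cfg.ntp_lines += 1
        kind = tok[1]
        if kind in ("server", "peer") and len(tok) >= 3:
            key = None  # 'key N' may appear after other options, e.g. 'prefer'
            if "key" in tok[3:]:
                i = tok.index("key", 3)
                if i + 1 < len(tok) and tok[i + 1].isdigit():
                    key = int(tok[i + 1])
            cfg.associations.append((kind, tok[2], key))
        elif kind == "authenticate":
            cfg.authenticate = True
        elif kind == "authentication-key" and len(tok) >= 3 and tok[2].isdigit():
            cfg.defined_keys.add(int(tok[2]))
        elif kind == "trusted-key" and len(tok) >= 3 and tok[2].isdigit():
            cfg.trusted_keys.add(int(tok[2]))
        elif kind == "access-group" and len(tok) >= 4:
            cfg.access_groups[tok[2]] = tok[3]
    return cfg


def audit_ntp_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_ntp_config(text)
    findings: List[str] = []
    if cfg.ntp_lines == 0:
        return findings  # NTP is not configured on this device
    # Primary check: the advisory's workaround, restrict NTP to trusted sources.
    if not cfg.access_groups:
        findings.append("no 'ntp access-group' configured: NTP accepts any source address")
    # Additional hardening (assumption, not from the advisory): keyed associations.
    if not cfg.authenticate:
        findings.append("'ntp authenticate' is not enabled")
    for kind, addr, key in cfg.associations:
        if key is None:
            findings.append(f"ntp {kind} {addr}: no authentication key")
        elif key not in cfg.defined_keys:
            findings.append(f"ntp {kind} {addr}: key {key} is not defined")
        elif key not in cfg.trusted_keys:
            findings.append(f"ntp {kind} {addr}: key {key} is not trusted")
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for line in audit_ntp_config(text) or ["OK"]:
            print("  " + line)
```

Run against the two constructed configs, the open one yields five findings (no access-group, authentication off, three unkeyed associations) and the hardened one yields none. An address-based access list reduces exposure rather than removing it, which is why the advisory presents source restriction as a workaround alongside the fixed releases listed above.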
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
For Cisco product software versions and fixes, refer to the information provided in the Cisco bug IDs listed in the "Affected Products" section of this document.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.11 | Corrected bug IDs for Cisco Nexus 7000 and Cisco MDS. | Affected Products | Final | 2015-December-07 |
1.10 | Removed SMU for N6K and updated IOS XR availability. | | | 2015-September-09 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.