A vulnerability in the processing of Network Time Protocol (NTP) packets by Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. The vulnerability is due to insufficient checks on clearing the invalid NTP packets from the interface queue. An attacker could exploit this vulnerability by sending a number of crafted NTP packets to be processed by an affected device. An exploit could allow the attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability; however, there is a mitigation for this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160804-wedge
A device is configured with NTP if its running configuration contains any of the following commands:
ntp master
ntp peer
ntp server
ntp broadcast client
ntp multicast client
The following example identifies a Cisco device that is configured with NTP:
router#show running-config | include ntp
ntp peer 192.168.0.12
The following example identifies a Cisco device that is not configured with NTP:
router#show running-config | include ntp
router#
This vulnerability can be exploited using both IPv4 and IPv6 packets. The vulnerability can be triggered by crafted NTP packets destined to UDP listening port 123 and using an IPv4 or IPv6 unicast address of any interface configured on a device or a network address.
To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the command-line interface (CLI), and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.5(2)T1 with an installed image name of C2951-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
. . .
For information about the naming and numbering conventions for Cisco IOS Software releases, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
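As an added example that is not part of the advisory or of any Cisco tool, the Python helper below applies the two checks described above to saved CLI output: it parses the show version banner for the installed image name and release number, and it scans a running configuration for the five NTP commands the advisory lists (including the interface-level broadcast and multicast client forms, which appear indented under an interface). The sample outputs embedded in it are constructed for illustration; the matching of the release against the advisory's fixed-release table is left to the reader, since that table is not reproduced on this page.

```python
import re

# Commands from the advisory that indicate a device is configured with NTP.
NTP_CONFIG_COMMANDS = (
    "ntp master",
    "ntp peer",
    "ntp server",
    "ntp broadcast client",
    "ntp multicast client",
)

# Matches the image name and release number in the show version banner,
# e.g. "... (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)".
VERSION_RE = re.compile(r"Cisco IOS Software.*?\(([^)]+)\), Version ([^,]+)")


def ntp_config_lines(running_config):
    """Return the configuration lines that start with one of the advisory's
    NTP commands.  Interface subcommands are indented, so each line is
    stripped first; arguments after the command (e.g. 'ntp master 3') are
    allowed, but 'ntp broadcast' alone (a sender, not a client) is not."""
    found = []
    for line in running_config.splitlines():
        stripped = line.strip()
        for cmd in NTP_CONFIG_COMMANDS:
            if stripped == cmd or stripped.startswith(cmd + " "):
                found.append(stripped)
                break
    return found


def is_ntp_configured(running_config):
    """True when the advisory's configuration check would flag the device."""
    return bool(ntp_config_lines(running_config))


def parse_show_version(output):
    """Extract {'image': ..., 'version': ...} from show version output,
    or None when no Cisco IOS banner line is present."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return {"image": match.group(1), "version": match.group(2)}


def assess(show_version_output, running_config):
    """Combine both checks into one record for an inventory or audit run."""
    info = parse_show_version(show_version_output) or {"image": None, "version": None}
    info["ntp_configured"] = is_ntp_configured(running_config)
    info["ntp_lines"] = ntp_config_lines(running_config)
    return info


# Constructed sample output, modelled on the banner format quoted above.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
"""

# Constructed running configuration: NTP master, a peer, and an interface
# configured as an NTP broadcast client (plus a broadcast sender that must
# not be counted).
SAMPLE_CONFIG_WITH_NTP = """\
hostname edge-router
ntp master 3
ntp peer 192.168.0.12
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ntp broadcast client
interface GigabitEthernet0/1
 ntp broadcast
"""

# Constructed output of 'show running-config | include ntp' on a device
# without NTP: the command echo is followed only by the prompt.
SAMPLE_CONFIG_WITHOUT_NTP = "router#show running-config | include ntp\nrouter#\n"


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG_WITH_NTP))
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG_WITHOUT_NTP))
```

In practice the two strings would be read from files captured by a configuration-management system rather than embedded; the functions take plain text so they work on either.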
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.3 | Updated the Workarounds section to indicate the use of Control Plane Policing to cover all interface types. | Workarounds | Final | 2018-February-27 |
1.2 | Updated advisory metadata. | - | Final | 2016-October-06 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.