Preview Tool

Cisco Bug: CSCuj66318 - Vulnerability in NTP implmntn: allows query with access-group configured

Last Modified

Jul 20, 2020

Products (98)

  • Cisco IOS
  • Cisco 812 CiFi Integrated Services Router
  • Cisco 1905 Serial Integrated Services Router
  • Cisco 888W Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway
  • Cisco 886VAG 3G Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 861W Integrated Services Router
  • Cisco 881SRSTW Integrated Services Router
  • Cisco C892FSP Integrated Services Router
View all products in Bug Search Tool Login Required

Known Affected Releases

15.2(4)M2 15.4(1)T1

Description (partial)

A vulnerability in NTP access-group implementation of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to 
bypass configured NTP access-group and query the affected NTP configured server for time.

The vulnerability is due to improper implementation of NTP access-group command on certain IOS and IOS XE Software versions. An attacker could exploit this vulnerability by sending NTP query packets to an affected NTP server configured to deny all inbound requests. An exploit could allow the attacker to bypass configured NTP access-group and query the affected NTP configured server for time.

An NTP access-group must be configured to deny inbound NTP queries
access-list 99 deny any
ntp access-group query-only 99

After applying an NTP access-group to deny inbound NTP queries, a device still responds to NTP queries as if the ACL was not configured.

In the example shown, even though all inbound NTP queries should be denied, we will still process them as if the access-group was not configured.

The issue is a result of changes introduced with CSCtl20300 that affect multiple IOS releases.

Related Community Discussions

NTP ACL on IOS-XE (4500-X) bugged?
Hi, for obvious reasons the protection of NTP servers exposed to the Internet is currently getting some reinvestigation. On a fresh 4500-X running IOS-XE 03.04.03.SG (aka 151-2.SG3) I encountered that access-list 12 permit x.y.z.123access-list 12 permit a.b.c.123 access-list 12 deny   any [...] ntp access-group peer 12ntp server x.y.z.123 ntp server a.b.c.123 will not prevent certain control queries from getting answered by the switch. For instance, ntpq peer list queries (ntpq -p device-ip) from ...
Latest activity: Feb 25, 2017
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.