Guest

Preview Tool

Cisco Bug: CSCum44673 - Limited Mode 6 denial-of-service vulnerability on NTP server and client

Last Modified

Nov 26, 2020

Products (2)

  • Cisco 2600 Series Multiservice Platforms
  • Cisco 2600 Series Multiservice Platforms

Known Affected Releases

15.0 15.2(1.2)

Description (partial)

Symptom:
A vulnerability in Network Time Protocol (NTP) package of Cisco IOS and Cisco IOS-XE Software could allow an unauthenticated, remote attacker to 
cause a limited Denial of Service (DoS) condition  on an affected device.

The vulnerability is due to processing of MODE_CONTROL (Mode 6) NTP control messages which have a certain  amplification vector. An attacker could exploit  this vulnerability by sending Mode 6 control 
requests to NTP servers and clients and observing responses amplified up to 40 times in size. An exploit could allow the attacker to  cause a Denial of Service (DoS) condition where the affected NTP server is 
forced to process and respond with larger response data.

In order to elicit significantly big response and exploit this vulnerability, an attacker would have to send a huge number of mode 6 messages to a large number of servers or clients

Processing of Mode 7 messages is already disabled through the fix for CSCtd75033.

Conditions:
Cisco IOS, and Cisco IOS-XE Software devices configured as NTP servers or clients are only affected by a very limited amplification attack coming from processing Mode 6 requests.

Cisco IOS, and Cisco IOS-XE Software are not processing Mode 7 command requests from clients starting with the fix that got into CSCtd75033.

Prior to the fixed software in CSCum44673 Cisco IOS Software doesn’t perform rate limiting on Mode 6 packets.  All versions prior to the fix of CSCum44673 are subject to contributing to amplification attacks via mode 6 packets.

Once CSCum44673 is integrated (you can see that via the fixed field in Bug Search Toolkit), your device has access to the configuration command:

“
Device(config)#ntp allow mode control ?
  <3-15>  Rate limiting delay (s)
  <cr>
“

With the default setting being 3 seconds.

Any versions after the first fix also keep this NTP rate-limiting change.

To see if a device is configured with NTP, log into the device and issue the
 CLI command <cmd>show running-config | include ntp</cmd>. If the output returns
 either of the following commands listed then the device is vulnerable:
    
        ntp master <any following commands>
        ntp peer <any following commands>
        ntp server <any following commands>
        ntp broadcast client
        ntp multicast client
    
  The following example identifies a Cisco device that is configured with NTP:
    
        router#show running-config | include ntp
        ntp peer 192.168.0.12
    
  The following example identifies a Cisco device that is not configured with NTP:
    
        router#show running-config | include ntp
        router#
    

Information about Cisco IOS Software release naming conventions is available in ''White Paper: Cisco IOS and NX-OS Software Reference Guide'' at 
the following link:  
http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Related Community Discussions

Catlyst 2960 - NTP Vulnerability <key>CSCum44673</key>
Hello,   I have the Vulnerability as per link: https://bst.cloudapps.cisco.com/bugsearch/bug/<key>CSCum44673</key>/?referring_site=bugquickviewredir   From the software advisory IOS version  15.0.2-SE11 is the latest version I can go up to.   Is there an omission here or is there some reason that this bug isn't fixed on our infrastructure.   Regards, David
Latest activity: Sep 27, 2017
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.