Message Image  

Switching

Expand all | Collapse all

Network Time Protocol (NTP) Mode 6 Scanner vulnerability

  • 1.  Network Time Protocol (NTP) Mode 6 Scanner vulnerability

    Posted 05-10-2019 10:15

    We just had an internal security scan run and the Nessus software found this vulnerability on our Juniper EX4200 switches running Junos 15.1R7.9. We do point all of our Juniper switches to our internal ntp server via this command.

    ntp {
        server 10.121.125.101 prefer;

    }

     

    Can I somehow fix this so these switches do not respond to this NTP query? We do sit behind a firewall that should mitigate that ability for someone to run an attack but I still thing it is important to rectify this issue.

     

    Description
    The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.
     
    Solution
    Restrict NTP mode 6 queries.
     
    See Also
     
    Output
    •   Nessus elicited the following response from the remote
        host by sending an NTP mode 6 query :
      
      'version="ntpd 4.2.0-a Tue Sep 11 05:30:54  2018 (1)",
      processor="powerpc", system="JUNOS15.1R7.9", leap=0, stratum=5,
      precision=-18, rootdelay=158.158, rootdispersion=201.049, peer=15396,
      refid=10.121.125.101, reftime=0xe07f4739.426e96ba, poll=10,
      clock=0xe07f4ad5.c89721cd, state=4, offset=-2.686, frequency=-37.253,
      jitter=13.382, stability=0.321'


  • 2.  RE: Network Time Protocol (NTP) Mode 6 Scanner vulnerability

     
    Posted 05-10-2019 10:39

    For this situation you do need to open a TAC case, and get them to work the SIRT change into the 15.1 code stream for EX4200.  You should also ask them to include in next 12.3 SR.



  • 3.  RE: Network Time Protocol (NTP) Mode 6 Scanner vulnerability

    Posted 05-10-2019 10:51

    We had the same internal security audit run last year and the same vulnerability was identified. I did not pursue it at that point since the Nessus software identified quite a few other problems we did work on. So what you are saying is this issue has existed for awhile and Juniper has just not addressed it in Junos to date?



  • 4.  RE: Network Time Protocol (NTP) Mode 6 Scanner vulnerability

     
    Posted 05-10-2019 11:19

    Do you know what the SIRT vulernability (CVE) for this situation is?  I believe it might be CVE-2016-9310.  A quick search brings up this link:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10796&actp=METADATA

     

    From looking at this, it appears EX4200 not affected?  I would still think this type of situation should be work (at least in parallel) with TAC.

     



  • 5.  RE: Network Time Protocol (NTP) Mode 6 Scanner vulnerability

    Posted 05-10-2019 12:27

    I opened a ticket with JTAC about this same vulnerability on our EX4600 core. They pointed me to this

    This vulnerability has been described on security bulletin JSA10613: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&actp=METADATA and PR 1234119 https://prsearch.juniper.net/PR1234119

     

    They said the best way to mitigate this is a firewall rule, here is what they wrote

     

    If a possible attack has been identified, or if the NTP process is occupying a large amount of CPU or memory resources, the most effective mitigation is to apply a firewall filter to allow only trusted addresses and networks, plus the router's loopback address, access to the NTP service on the device, rejecting all other requests.  For example:
     

    term allow-ntp {

        from {

            source-address {

                <trusted-addresses>;

                <router-loopback-address>;

            }

            protocol udp;

            port ntp;

        }

        then accept;

    }

     

    term block-ntp {

        from {

            protocol udp;

            port ntp;

        }

        then {

            discard;

        }

    }


    This term may be added to the existing loopback interface filter as part of an overall control plane protection strategy.  In general, security best practices recommend having such a filter term, even during normal operation.



  • 6.  RE: Network Time Protocol (NTP) Mode 6 Scanner vulnerability

    Posted 05-13-2019 05:38

    I have been doing a lot of reading about how to protect against an NTP deflection attack. Nearly all of it talks about protecting the routing engine and applying some type of firewall filter to the loopback port. I do have a stack of EX4600s at the core of our network that provides layer 2/3. All of my edge switches are EX4200 that are strictly layer 2. All of the routing happens at the core. What I am not sure of is how to setup a firewall filter for ntp traffic for these edge switches.



  • 7.  RE: Network Time Protocol (NTP) Mode 6 Scanner vulnerability

     
    Posted 05-13-2019 17:32

    The firewall filters are applied to the layer 3 interface where you have the mgmt address for the switch configured.  This is the address where traffic for the routing engine is processed.  Once the filter is in place only the authorized ntp traffic is accepted on the mgmt address for the switch itself.