SA139 : November 2016 NTP Security Vulnerabilities
SUMMARY
Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can modify the target’s system time, prevent the target from synchronizing its time, cause denial of service through NTP daemon crashes, perform DDoS attack amplification, and evade security monitoring in the NTP daemon.
AFFECTED PRODUCTS
The following products are vulnerable:
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 2.2 and later | Not vulnerable, fixed in 2.2.1.1 |
| CVE-2016-7429, CVE-2016-7433 | 2.1 | Upgrade to later release with fixes. |
| 1.3 | Upgrade to later release with fixes. | |
| CVE-2016-7431 | 2.1 | Upgrade to later release with fixes. |
| 1.3.7.3, 1.3.7.4 | Upgrade to later release with fixes. | |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs except CVE-2016-7429 | 6.1 | Upgrade to 6.1.23.1. |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2016-7429, CVE-2016-7433 | 1.1 | Not available at this time |
| Management Center (MC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2016-7431, CVE-2016-7433 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1. |
| 1.10 | Upgrade to later release with fixes. | |
| 1.9 | Upgrade to later release with fixes. | |
| 1.8 | Upgrade to later release with fixes. | |
| Reporter | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2016-7429, CVE-2016-7431, CVE-2016-7433 |
10.2 and later | Not vulnerable, fixed in 10.2.1.1. |
| 10.1 | Upgrade to 10.1.5.5. | |
| All CVEs | 9.5 | Not vulnerable |
| All CVEs | 9.4 | Not vulnerable |
| Security Analytics | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 7.3 and later | Not vulnerable, fixed in 7.3.1. |
| CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 |
7.2 | Upgrade to 7.2.3. |
| 7.1 | Upgrade to later release with fixes. | |
| 6.6 | Upgrade to later release with fixes. | |
| CVE-2016-7427, CVE-2016-7428, CVE-2016-7431, CVE-2016-7434 | 7.2.2 | Not available at this time |
| 7.1 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. | |
| 6.6 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. | |
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2016-7431, CVE-2016-7433 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1. |
| 4.0 | Upgrade to later release with fixes. | |
| 3.8, 3.8.4FC, 3.9, 3.10, 3.12 | Not vulnerable to known vectors of attack. | |
| X-Series XOS | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 |
11.0 | Not available at this time |
| 10.0 | Not available at this time | |
| 9.7 | Upgrade to later release with fixes. | |
The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 7.1 | Not vulnerable, fixed in 7.1.1.1 |
| 6.7 | Upgrade to 6.7.3.1. | |
| 6.6 | Upgrade to later release with fixes. | |
ADDITIONAL PRODUCT INFORMATION
Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.
- ASG: all CVEs
- CA: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
- Director: CVE-2016-7429
- MTD: CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
- MC: CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
- Reporter 10.1: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
- Security Analytics: CVE-2016-9312
- SSLV 3.x and 4.x: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429 (4.0 only), CVE-2016-7434, CVE-2016-9310, CVE-2016-9311
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent
Web Isolation
Symantec no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
| CVE-2016-7426 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94451 / NVD: CVE-2016-7426 |
| Impact | Denial of service |
| Description | A flaw in rate limiting allows a remote attacker to send NTP packets with spoofed source IP addresses and cause the target to reject legitimate packets from configured NTP servers. The attacker can thus prevent the target from synchronizing its system time. |
| CVE-2016-7427 | |
|---|---|
| Severity / CVSSv2 | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94447 / NVD: CVE-2016-7427 |
| Impact | Denial of service |
| Description | A flaw in NTP broadcast packet replay prevention allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time. |
| CVE-2016-7428 | |
|---|---|
| Severity / CVSSv2 | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94446 / NVD: CVE-2016-7428 |
| Impact | Denial of service |
| Description | A flaw in NTP broadcast packet poll interval enforcement allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time. |
| CVE-2016-7429 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94453 / NVD: CVE-2016-7429 |
| Impact | Denial of service |
| Description | There is a flaw in the NTP daemon when it listens on multiple network interfaces and the operating system does not validate the source address of received packets. A remote attacker can send an NTP packet with a spoofed source IP address on an unexpected network interface to corrupt the NTP daemon's internal state and prevent it from synchronizing the system time. |
| CVE-2016-7431 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 94454 / NVD: CVE-2016-7431 |
| Impact | Denial of service, unauthorized modification of time |
| Description | A flaw in NTP packet origin timestamp validation allows a remote attacker to send crafted NTP packets and and either modify the target's system time or prevent it from synchronizing its time. |
| CVE-2016-7433 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94455 / NVD: CVE-2016-7433 |
| Impact | Unauthorized modification of time |
| Description | A flaw in initial time synchronization allows a remote attacker to send a spoofed NTP response and modify the target's system time. |
| CVE-2016-7434 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94448 / NVD: CVE-2016-7434 |
| Impact | Denial of service |
| Description | A flaw in mrulist query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service. |
| CVE-2016-9310 | |
|---|---|
| Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) |
| References | SecurityFocus: BID 94452 / NVD: CVE-2016-9310 |
| Impact | Information disclosure, DDoS amplification, security control bypass |
| Description | A missing authorization flaw allows a remote attacker to send query requests and obtain sensitive information, perform DDoS attack amplification, and evade security monitoring in the target's NTP daemon. |
| CVE-2016-9311 | |
|---|---|
| Severity / CVSSv2 | High / 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) |
| References | SecurityFocus: BID 94444 / NVD: CVE-2016-9311 |
| Impact | Denial of service |
| Description | A flaw in remote query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service. |
| CVE-2016-9312 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94450 / NVD: CVE-2016-9312 |
| Impact | Denial of service |
| Description | A flaw in oversized packet handling on Windows platforms allows a remote attacker to send crafted NTP packets to the NTP daemon and cause it to crash, resulting in denial of service. |
MITIGATION
These vulnerabilities can be exploited only through the management network port for CA, Director, MTD, MC, Security Analytics, SSLV, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access to the management network port reduces the threat of exploiting the vulnerabilities.
By default, Director does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.
By default, Security Analytics does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. The Security Analytics NTP daemon also does not listen by default on multiple network interfaces. Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.
By default, XOS does not enable unrestricted rate limiting and remote querying in the NTP daemon. Customers who leave this behavior unchanged prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311.
REFERENCES
NTP.org Security Notice - https://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
Vulnerability Note VU#633847 - http://www.kb.cert.org/vuls/id/633847
REVISION
2020-04-26 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-08-10 SSLV 3.x has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is not vulnerable because a fix is available in SA 8.0.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is not vulnerable. Reporter 10.1 prior to 10.1.5.5 is vulnerable to CVE-2016-7429, CVE-2016-7431, and CVE-2016-7433. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-03-30 MC 1.10 is vulnerable to CVE-2016-7431 and CVE-2016-7433. It also has a vulnerable version of the NTP reference implementation for CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312 but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2016-06-10 Corrected advisory to say that SSLV 3.9, 3.10, and 3.11 are not vulnerable to CVE-2016-7431. Also, CA, MC, and SSLV are not vulnerable to known vectors of attack for CVE-2016-9312. SSLV 3.8.4FC is vulnerable to CVE-2016-7433. SSLV 3.8.4FC also has a vulnerable version of the ntp.org NTP reference implementation for CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312, but is not vulnerable to known vectors of attack.
2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-03-30 MC 1.9 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-03-09 A fix for Security Analytics 7.2 is available in 7.2.3.
2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-01-12 initial public release
2016-01-23 Added CVSS v2 base scores from National Vulnerability Database (NVD)