SA139 : November 2016 NTP Security Vulnerabilities

Management Center - VA

1393

04 May 2021

12 January 2017

CLOSED

High

CVSS v2: 7.1

SUMMARY

Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities.  A remote attacker can modify the target’s system time, prevent the target from synchronizing its time, cause denial of service through NTP daemon crashes, perform DDoS attack amplification, and evade security monitoring in the NTP daemon.

AFFECTED PRODUCTS 

The following products are vulnerable:

Content Analysis (CA)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 2.2 and later | Not vulnerable, fixed in 2.2.1.1 |
| CVE-2016-7429, CVE-2016-7433 | 2.1 | Upgrade to later release with fixes. |
| | 1.3 | Upgrade to later release with fixes. |
| CVE-2016-7431 | 2.1 | Upgrade to later release with fixes. |
| | 1.3.7.3, 1.3.7.4 | Upgrade to later release with fixes. |

Director

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs except CVE-2016-7429 | 6.1 | Upgrade to 6.1.23.1. |

Mail Threat Defense (MTD)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7429, CVE-2016-7433 | 1.1 | Not available at this time |

Management Center (MC)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7431, CVE-2016-7433 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1. |
| | 1.10 | Upgrade to later release with fixes. |
| | 1.9 | Upgrade to later release with fixes. |
| | 1.8 | Upgrade to later release with fixes. |

Reporter

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7429, CVE-2016-7431, CVE-2016-7433 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1. |
| | 10.1 | Upgrade to 10.1.5.5. |
| All CVEs | 9.5 | Not vulnerable |
| All CVEs | 9.4 | Not vulnerable |

Security Analytics

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 7.3 and later | Not vulnerable, fixed in 7.3.1. |
| CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 7.2 | Upgrade to 7.2.3. |
| | 7.1 | Upgrade to later release with fixes. |
| | 6.6 | Upgrade to later release with fixes. |
| CVE-2016-7427, CVE-2016-7428, CVE-2016-7431, CVE-2016-7434 | 7.2.2 | Not available at this time |
| | 7.1 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. |
| | 6.6 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. |

SSL Visibility (SSLV)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7431, CVE-2016-7433 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1. |
| | 4.0 | Upgrade to later release with fixes. |
| | 3.8, 3.8.4FC, 3.9, 3.10, 3.12 | Not vulnerable to known vectors of attack. |

X-Series XOS

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 11.0 | Not available at this time |
| | 10.0 | Not available at this time |
| | 9.7 | Upgrade to later release with fixes. |

The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 7.1 | Not vulnerable, fixed in 7.1.1.1 |
| | 6.7 | Upgrade to 6.7.3.1. |
| | 6.6 | Upgrade to later release with fixes. |

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation.  The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: all CVEs
  • CA: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • Director: CVE-2016-7429
  • MTD: CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • MC: CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • Reporter 10.1: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • Security Analytics: CVE-2016-9312
  • SSLV 3.x and 4.x: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429 (4.0 only), CVE-2016-7434, CVE-2016-9310, CVE-2016-9311

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent
Web Isolation

Symantec no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES 

CVE-2016-7426
Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References: SecurityFocus: BID 94451 / NVD: CVE-2016-7426
Impact: Denial of service
Description: A flaw in rate limiting allows a remote attacker to send NTP packets with spoofed source IP addresses and cause the target to reject legitimate packets from configured NTP servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7427
Severity / CVSSv2: Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
References: SecurityFocus: BID 94447 / NVD: CVE-2016-7427
Impact: Denial of service
Description: A flaw in NTP broadcast packet replay prevention allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7428
Severity / CVSSv2: Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
References: SecurityFocus: BID 94446 / NVD: CVE-2016-7428
Impact: Denial of service
Description: A flaw in NTP broadcast packet poll interval enforcement allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7429
Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References: SecurityFocus: BID 94453 / NVD: CVE-2016-7429
Impact: Denial of service
Description: There is a flaw in the NTP daemon when it listens on multiple network interfaces and the operating system does not validate the source address of received packets. A remote attacker can send an NTP packet with a spoofed source IP address on an unexpected network interface to corrupt the NTP daemon's internal state and prevent it from synchronizing the system time.

CVE-2016-7431
Severity / CVSSv2: Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References: SecurityFocus: BID 94454 / NVD: CVE-2016-7431
Impact: Denial of service, unauthorized modification of time
Description: A flaw in NTP packet origin timestamp validation allows a remote attacker to send crafted NTP packets and either modify the target's system time or prevent it from synchronizing its time.

CVE-2016-7433
Severity / CVSSv2: Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References: SecurityFocus: BID 94455 / NVD: CVE-2016-7433
Impact: Unauthorized modification of time
Description: A flaw in initial time synchronization allows a remote attacker to send a spoofed NTP response and modify the target's system time.

CVE-2016-7434
Severity / CVSSv2: Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References: SecurityFocus: BID 94448 / NVD: CVE-2016-7434
Impact: Denial of service
Description: A flaw in mrulist query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.

CVE-2016-9310
Severity / CVSSv2: Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
References: SecurityFocus: BID 94452 / NVD: CVE-2016-9310
Impact: Information disclosure, DDoS amplification, security control bypass
Description: A missing authorization flaw allows a remote attacker to send query requests and obtain sensitive information, perform DDoS attack amplification, and evade security monitoring in the target's NTP daemon.

CVE-2016-9311
Severity / CVSSv2: High / 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
References: SecurityFocus: BID 94444 / NVD: CVE-2016-9311
Impact: Denial of service
Description: A flaw in remote query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.

CVE-2016-9312
Severity / CVSSv2: Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References: SecurityFocus: BID 94450 / NVD: CVE-2016-9312
Impact: Denial of service
Description: A flaw in oversized packet handling on Windows platforms allows a remote attacker to send crafted NTP packets to the NTP daemon and cause it to crash, resulting in denial of service.

MITIGATION

These vulnerabilities can be exploited only through the management network port for CA, Director, MTD, MC, Security Analytics, SSLV, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.

By default, Director does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon.  Customers who leave these NTP features disabled prevent attacks against Director using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, Security Analytics does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon.  The Security Analytics NTP daemon also does not listen by default on multiple network interfaces.  Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, XOS does not enable unrestricted rate limiting and remote querying in the NTP daemon.  Customers who leave this behavior unchanged prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311.
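
An added example (not Symantec's or ntp.org's code): a small audit that reads an ntp.conf and reports which of the NTP features named above are enabled, together with the CVEs the ISSUES section ties to each. It assumes a host running the ntp.org daemon with a readable ntp.conf, and that rate limiting appears as the limited flag on a default restrict line, broadcast mode as broadcastclient, and remote querying as a default restrict line without noquery. The multiple-interface condition of CVE-2016-7429 is not checked.

```python
# Feature-to-CVE grouping follows the advisory's ISSUES descriptions.
FEATURE_CVES = {
    "rate limiting": ["CVE-2016-7426"],
    "broadcast mode": ["CVE-2016-7427", "CVE-2016-7428"],
    "remote querying": ["CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311"],
}

def directives(conf_text):
    """Yield each non-empty ntp.conf line as a token list, comments removed."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens

def audit(conf_text):
    """Return {feature: CVEs} for each advisory-named feature the config enables."""
    defaults, broadcast = [], False
    for tokens in directives(conf_text):
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if tokens[0] == "restrict" and args[:1] == ["default"]:
            defaults.append(set(args[1:]))  # flags on one default restrict line
        elif tokens[0] == "broadcastclient":
            broadcast = True
    enabled = []
    if any("limited" in flags for flags in defaults):
        enabled.append("rate limiting")
    if broadcast:
        enabled.append("broadcast mode")
    # Queries are answered unless every default restrict line denies them.
    if not defaults or any(not flags & {"noquery", "ignore"} for flags in defaults):
        enabled.append("remote querying")
    return {name: FEATURE_CVES[name] for name in enabled}

# Constructed sample configurations (not taken from any product).
WEAK_CONF = """\
server 192.0.2.10 iburst
restrict default kod limited nomodify   # rate limited, queries allowed
broadcastclient
"""
HARDENED_CONF = """\
server 192.0.2.10 iburst
restrict -4 default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

A configuration with no default restrict line at all is reported as allowing remote querying, since nothing in it denies queries.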

REFERENCES

NTP.org Security Notice - https://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
Vulnerability Note VU#633847 - http://www.kb.cert.org/vuls/id/633847

REVISION 

2020-04-26 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-08-10 SSLV 3.x has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is not vulnerable because a fix is available in SA 8.0.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-08-07 A fix for CA 1.3 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-06-25 A fix for SSLV 3.11 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is not vulnerable.  Reporter 10.1 prior to 10.1.5.5 is vulnerable to CVE-2016-7429, CVE-2016-7431, and CVE-2016-7433.  Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.
2018-01-31 A fix for ASG 6.7 is available in 6.7.3.1.
2017-11-16 A fix for SSLV 3.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1.  A fix for MC 1.10 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-03-30 MC 1.10 is vulnerable to CVE-2016-7431 and CVE-2016-7433.  It also has a vulnerable version of the NTP reference implementation for CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312 but is not vulnerable to known vectors of attack.  A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2016-06-10 Corrected advisory to say that SSLV 3.9, 3.10, and 3.11 are not vulnerable to CVE-2016-7431.  Also, CA, MC, and SSLV are not vulnerable to known vectors of attack for CVE-2016-9312.  SSLV 3.8.4FC is vulnerable to CVE-2016-7433.  SSLV 3.8.4FC also has a vulnerable version of the ntp.org NTP reference implementation for CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312, but is not vulnerable to known vectors of attack.
2017-05-29 A fix for Security Analytics 6.6 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-03-30 MC 1.9 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-03-09 A fix for Security Analytics 7.2 is available in 7.2.3.
2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-01-12 initial public release
2016-01-23 Added CVSS v2 base scores from National Vulnerability Database (NVD)