SA147 : March 2017 NTP Security Vulnerabilities
SUMMARY
Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service through application crashes. A local attacker can exploit these vulnerabilities to execute arbitrary code.
AFFECTED PRODUCTS
The following products are vulnerable:
Content Analysis (CA) | | |
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1. |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 2.1 | Upgrade to later release with fixes. |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.3 | Upgrade to later release with fixes. |
Director | | |
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs except CVE-2017-6452 and CVE-2016-6459 | 6.1 | Upgrade to a version of MC with the fixes. |
Mail Threat Defense (MTD) | | |
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. |
Management Center (MC) | | |
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1. |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.10 | Upgrade to later release with fixes. |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.9 | Upgrade to later release with fixes. |
Reporter | | |
---|---|---|
CVE | Supported Version(s) | Remediation |
CVE-2016-9042 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 |
CVE-2016-9042 | 10.1 | Upgrade to later release with fixes. |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.5 | Not vulnerable, fixed in 10.5.1.1 |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.3, 10.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.2 | Not vulnerable, fixed in 10.2.1.1 |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
All CVEs | 9.4, 9.5 | Not vulnerable |
Security Analytics | | |
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6455, CVE-2017-6458 | 7.3 and later | Not vulnerable, fixed in 7.3.1 |
CVE-2016-9042, CVE-2017-6460 | 7.2 | Upgrade to 7.2.4. |
CVE-2017-6455, CVE-2017-6458 | 7.2 | Upgrade to 7.2.4. |
CVE-2017-6455, CVE-2017-6458 | 7.1 | Upgrade to later release with fixes. |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 8.1 | Not vulnerable, fixed in 8.1.1 |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 7.3, 8.0 | Upgrade to later release with fixes. |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 7.2 | Upgrade to 7.2.4. |
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 7.1 | Upgrade to later release with fixes. |
SSL Visibility (SSLV) | | |
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 4.1 and later | Not vulnerable, fixed in 4.1.1.1 |
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 4.0 | Upgrade to later release with fixes. |
CVE-2017-6463, CVE-2017-6464 | 3.12 | Upgrade to later release with fixes. |
CVE-2017-6463, CVE-2017-6464 | 3.11 | Upgrade to later release with fixes. |
CVE-2017-6463, CVE-2017-6464 | 3.10 | Upgrade to later release with fixes. |
CVE-2017-6463, CVE-2017-6464 | 3.8.4FC, 3.9 | Upgrade to later release with fixes. |
The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:
Advanced Secure Gateway (ASG) | | |
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459 | 7.1 and later | Not vulnerable, fixed in 7.1.1.1 |
All CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459 | 6.7 | Upgrade to 6.7.3.1. |
All CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459 | 6.6 | Upgrade to later release with fixes. |
ADDITIONAL PRODUCT INFORMATION
Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.
- ASG: all CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459
- CA: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
- MTD: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
- MC: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
- Reporter 10.1, 10.3, 10.4: CVE-2017-6451 (10.1 only), CVE-2017-6458 (10.1 only), CVE-2017-6460 (10.1 only), CVE-2017-6462, CVE-2017-6463, CVE-2017-6464
- SSLV: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent
Web Isolation
The following products are under investigation:
X-Series XOS
ISSUES
CVE-2016-9042 | |
---|---|
Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) |
References | SecurityFocus: BID 97046 / Red Hat: CVE-2016-9042 |
Impact | Denial of service |
Description | A flaw in ntpd origin timestamp validation allows a remote attacker who can spoof packets from a configured time server to cause ntpd to discard responses from that server. A remote attacker who can spoof packets from all configured time servers can prevent ntpd from adjusting the system time, resulting in denial of service. |
CVE-2017-6451 | |
---|---|
Severity / CVSSv2 | Medium / 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 97058 / NVD: CVE-2017-6451 |
Impact | Code execution |
Description | An out-of-bounds write flaw in the legacy MX4200 refclock allows a local attacker to execute arbitrary code via unspecified vectors. |
CVE-2017-6452 | |
---|---|
Severity / CVSSv2 | Medium / 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 97078 / NVD: CVE-2017-6452 |
Impact | Unspecified |
Description | An out-of-bounds write flaw in the NTP library Windows installer allows a local attacker to pass in a crafted application path and have unspecified impact. |
CVE-2017-6455 | |
---|---|
Severity / CVSSv2 | Medium / 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 97074 / NVD: CVE-2017-6455 |
Impact | Code execution |
Description | A flaw in ntpd under Windows NT allows a local attacker to specify a malicious DLL in the PPSAPI_DLLS environment variable and execute arbitrary code within ntpd. |
CVE-2017-6458 | |
---|---|
Severity / CVSSv2 | Medium / 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) |
References | SecurityFocus: BID 97051 / NVD: CVE-2017-6458 |
Impact | Unspecified |
Description | A flaw in ntpd allows a remote attacker to send query requests and have unspecified impact. Successful exploitation requires the query responses to include custom variables with long names, which have been pre-configured in the ntpd configuration file. |
CVE-2017-6459 | |
---|---|
Severity / CVSSv2 | Low / 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P) |
References | SecurityFocus: BID 97076 / NVD: CVE-2017-6459 |
Impact | Unspecified |
Description | A flaw in the NTP library Windows installer allows local attackers to have unspecified impact via vectors related to an argument with multiple NULL bytes. |
CVE-2017-6460 | |
---|---|
Severity / CVSSv2 | Medium / 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) |
References | SecurityFocus: BID 97052 / NVD: CVE-2017-6460 |
Impact | Denial of service, code execution |
Description | A flaw in ntpq allows a malicious remote NTP server to send a crafted list response and cause a stack-based buffer overflow. The malicious server can execute arbitrary code on the host running ntpq or cause ntpq to crash. |
CVE-2017-6462 | |
---|---|
Severity / CVSSv2 | Medium / 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 97045 / NVD: CVE-2017-6462 |
Impact | Unspecified |
Description | A flaw in the legacy Datum Programmable Time Server (DPTS) refclock driver allows local attackers to cause a buffer overflow in ntpd via a crafted /dev/datum device file, and have unspecified impact. |
CVE-2017-6463 | |
---|---|
Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P) |
References | SecurityFocus: BID 97049 / NVD: CVE-2017-6463 |
Impact | Denial of service |
Description | A flaw in ntpd allows a remote authenticated attacker to send a crafted unpeer configuration request and cause ntpd to crash, resulting in denial of service. |
CVE-2017-6464 | |
---|---|
Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P) |
References | SecurityFocus: BID 97050 / NVD: CVE-2017-6464 |
Impact | Denial of service |
Description | A flaw in ntpd allows a remote authenticated attacker to send a crafted mode configuration request and cause ntpd to crash, resulting in denial of service. |
MITIGATION
These vulnerabilities can be exploited only through the management network port for Director, MTD, MC, and SSLV. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.
By default, Director does not use the PPSAPI_DLLS environment variable, custom variables with long names, and the DPTS refclock. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462.
By default, Security Analytics does not use the PPSAPI_DLLS environment variable, custom variables with long names, ntpq, and the DPTS refclock. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2017-6455, CVE-2017-6458, CVE-2017-6460, and CVE-2017-6462.
REFERENCES
NTP Security Notice - https://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
REVISION
2021-05-21 A fix for Security Analytics 7.2 is available in 7.2.4. Moving Advisory Status to Closed.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-28 Reporter 10.3 and 10.4 are not vulnerable to CVE-2016-9042.
2020-04-23 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Fixes for Reporter 10.3 and 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-08-29 Reporter 10.1 is vulnerable to CVE-2016-9042. Reporter 10.2 is not vulnerable because a fix for all CVEs is available in 10.2.1.1. Reporter 10.3 and 10.4 have vulnerable versions of the NTP reference implementation, but are not vulnerable to known vectors of attack.
2019-08-08 SSLV 3.x is not vulnerable to CVE-2017-6460.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. Added remaining CVSS v2 scores from NVD.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is not vulnerable.
2018-01-31 A fix for ASG 6.7 is available in 6.7.3.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-07-23 MC 1.10 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464. It also has a vulnerable version of the NTP reference implementation for CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable because a fix is available in 7.3.1.
2017-05-19 CA 2.1 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.
2017-05-05 Security Analytics 7.1 and 7.2 are vulnerable to CVE-2017-6458, CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464. Security Analytics 7.2 is also vulnerable to CVE-2016-9042 and CVE-2017-6460.
2017-04-13 initial public release