VN-2014-005 – NTP Threats – CVE-2014-9293-9296

Extreme Networks Software
PRODUCTS POTENTIALLY AFFECTED
SUMMARY (From CERT)
The Network Time Protocol (NTP) provides network
systems with a way to synchronize time for various
services and applications. ntpd version 4.2.7 and
previous versions allow attackers to overflow several
buffers in a way that may allow malicious code to be
executed. ntp-keygen prior to version 4.2.7p230 also
uses a non-cryptographic random number generator
when generating symmetric keys.
BACKGROUND
The ntpd implementation has multiple security
weaknesses that affect various components. These
weaknesses stem from several bugs: insecure random
data collected from the OS for key generation, a missing
return statement for proper error handling, and two
separate stack buffer overflows (in the ctl_putdata() and
configure() functions). For practical exploitation, the
worst of these bugs are the buffer overflows, which would
allow an attacker to achieve remote code execution (RCE)
in the ntpd process by sending carefully crafted malicious
packets over the network. Additional background
information may be found in the security notice from the
NTP project:
http://support.ntp.org/bin/view/Main/SecurityNotice
Published: 2014-12-19
CVSS Severity:
7.5 (from CERT)
6.8 (from NVD/NIST)
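As an added example (not part of the Extreme Networks notice or the NTP project's code), the Python code below triages reported NTP version banners against the two thresholds stated in the summary: ntpd 4.2.7 and earlier for the buffer overflows, and ntp-keygen before 4.2.7p230 for the weak key generation. The host names and banner strings are constructed, and treating every 4.2.7pN build as "4.2.7" for the ntpd threshold is an assumption.

```python
import re

# Thresholds quoted from the advisory summary.
NTPD_LAST_AFFECTED = (4, 2, 7)        # "ntpd version 4.2.7 and previous versions"
KEYGEN_FIRST_FIXED = (4, 2, 7, 230)   # "ntp-keygen prior to version 4.2.7p230"

# NTP versions look like 4.2.6p2: major.minor.patch plus an optional point level.
# The lookarounds keep dotted quads such as 10.0.0.1 from being read as a version.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?![\d.])")


def parse_ntp_version(banner):
    """Return (major, minor, patch, point) from a banner such as 'ntp-4.2.6p2'."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no NTP version found in %r" % banner)
    major, minor, patch, point = m.groups()
    return (int(major), int(minor), int(patch), int(point or 0))


def triage(banner):
    """Flag which of the advisory's two version conditions a banner meets."""
    v = parse_ntp_version(banner)
    return {
        "ntpd_overflows": v[:3] <= NTPD_LAST_AFFECTED,   # assumption: all 4.2.7pN count
        "keygen_weak_rng": v < KEYGEN_FIRST_FIXED,
    }


def review_list(inventory):
    """Map host -> matched conditions. A match is a trigger for review, not a
    verdict: the notice rates EXOS (ntp-4.2.6p2) as not vulnerable despite its version."""
    out = {}
    for host, banner in inventory.items():
        flags = [name for name, hit in triage(banner).items() if hit]
        if flags:
            out[host] = flags
    return out


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "exos-core": "ntp-4.2.6p2",
    "appliance-a": "ntpd 4.2.7p229",
    "appliance-b": "ntpd 4.2.7p230",
    "appliance-c": "ntpd 4.2.8p1",
}

if __name__ == "__main__":
    for host, flags in review_list(SAMPLE_INVENTORY).items():
        print(host, ", ".join(flags))
```
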
The following software, and software products supported
by Extreme Networks, will be analyzed for this
vulnerability:
1. ExtremeXOS
2. X-Series Secure Core Router
3. N, K, SSA, and S Modular Switches
4. A, B, C, D, G, I & 800 Series Fixed Switches
5. NetSight / NAC (IA) / Purview
6. Ridgeline
7. IDS/IPS
8. Security Information & Event Manager
9. IdentiFi Wireless
10. Wireless Mobility
11. XSR (X-Pedition Security Router)
12. EWare
IMPACT (from CERT)
The buffer overflow vulnerabilities in ntpd may allow a
remote unauthenticated attacker to execute arbitrary
malicious code with the privilege level of the ntpd
process. The weak default key and non-cryptographic
random number generator in ntp-keygen may allow an
attacker to gain information regarding the integrity
checking and authentication encryption schemes.
Here is the vulnerability status of the software products supported by Extreme
Networks for this issue:
- ExtremeXOS - No
- X-Series Secure Core Router - Investigating
- N, K, SSA, and S Modular Switches - No
- A, B, C, D, G, I & 800 Series Fixed Switches - No
- NetSight / NAC (IA) / Purview - Yes
- Ridgeline - No
- IDS/IPS - Yes
- Security Information & Event Manager - No
- IdentiFi Wireless - No
- Wireless Mobility versions WM 5.5.X - Yes
- XSR (X-Pedition Security Router) - No
- EWare - No
Note: To our knowledge, no other Extreme products (including the
Enterasys-branded products) have been determined to be vulnerable at this
time.
IMPACT DETAILS
The Impact Details will be listed using the following format:
a. Vulnerable – Yes / No / Investigating
b. Vulnerable Component
c. Conditions when component vulnerability occurs
d. Product version affected
e. Workaround
f. Target Fix Release
g. Target Fix Timeframe
ExtremeXOS (all products):
a. No - The EXOS NTP implementation is not vulnerable to the recent threats,
even though EXOS uses the vulnerable NTP version ntp-4.2.6p2.
EXOS NTP already blocks external (known/unknown) NTP servers/clients
from querying or modifying the EXOS NTP client/server.
EXOS NTP supports authentication with MD5 keys only. The “crypto”
libraries are not part of the EXOS NTP executable, hence we are not
vulnerable to the crypto [Sec 2670 / CVE-2014-9296 / VU#852879] threat.
X-Series Secure Core Router
a. Investigating
N, K, SSA, and S Modular Switches
a. No – does not use NTP software
NOTE: Information in RED denotes new, updated
information since the last revision of this notice.
©2014 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks logo, and other trademarks listed in this document, marked with an asterisk (*), are trademarks or
registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme
Networks Trademarks please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice
Document No. / Revision: VN-2014-005 / Rev 04
Effective Date: 7/8/2015 / Owner: Serviceability
A, B, C, D, G, I & 800 Series Fixed Switches
a. No for A, B, C, D, G, & I Series Fixed Switches, including 800 Series
NetSight / NAC (IA) / Purview:
a. Yes
b. NTP Daemon on NetSight Appliances
c. If NTP is configured on an appliance, that NTP process is vulnerable.
d. All product versions
e. Workaround is to disable NTP until a patch is released
f. Target Fix Release: 6.2
g. Target Month for Fix Release: June 2015
Ridgeline:
a. No – does not use NTP software
IDS / IPS:
a. Yes
b. NTP Daemon
c. When NTP is configured
d. All appliances
e. Workaround is to disable NTP
f. Target Fix Release: No fix is planned for any version
Security Information & Event Manager:
a. No
CVE-2014-9293 - NA - NTPD is not enabled on QRadar installs.
CVE-2014-9294 - NA - We do not generate NTP keys using ntp-keygen.
CVE-2014-9295 - NA - NTPD is not enabled on QRadar installs.
CVE-2014-9296 - NA - We do not use NTP auth or NTP in general.
IdentiFi Wireless:
Controller & Access Points:
a. No
Wireless Mobility:
Controller & Access Points:
a. Yes
b. NTP Daemon
c. When NTP is configured
d. All devices
e. Workaround: Investigating
f. Target Fix Release: TBD
g. Target Month for Fix Release: TBD
XSR (X-Pedition Security Router):
a. No – does not use NTP software
EWare (all products):
a. No – NTP is not supported
Threat Details
CVE: CVE-2014-9293-9296
Name: NTP
Impact: Medium to High
Vulnerable Versions: NTP version 4.2.7 and earlier
Client: Medium to High
Server: Medium to High
Vulnerability Mitigation
TBD
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the set-up of the computer network and how the local IT team wants to
address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the
situation in a manner that it determines will best address the set-up of its computer network.
Update the software, identified in this Notice, in your Extreme Networks’ products by replacing it with the latest releases from Extreme Networks including the
following version (or above):
1. EXOS: TBD
2. X-Series Secure Core Router: Investigating
3. N, K, SSA, and S Modular Switches: N/A
4. A, B, C, D, G, I & 800 Series Fixed Switches: N/A
5. NetSight / NAC (IA) / Purview: 6.2
6. Ridgeline: N/A
7. IDS/IPS: Workaround is to disable NTP
8. Security Information & Event Manager: N/A
9. IdentiFi Wireless: N/A
10. Wireless Mobility: Investigating
11. XSR: N/A
12. EWare: N/A
Firmware & Software can be downloaded from - http://www.extremenetworks.com/support/
Further Information
NIST release: http://web.nvd.nist.gov/
US-CERT Release: https://www.us-cert.gov/ncas/alerts/
CERT: http://www.kb.cert.org/vuls/id/852879
ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
Legal Notice
THIS ADVISORY NOTICE IS PROVIDED ON AN "AS IS" BASIS AND EXTREME NETWORKS MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESSLY DISCLAIMING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. USE OF THE INFORMATION PROVIDED HEREIN OR
MATERIALS LINKED FROM THIS ADVISORY NOTICE IS AT YOUR OWN RISK. EXTREME NETWORKS RESERVES THE
RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME, AND EXPECTS TO UPDATE THIS DOCUMENT AS
NEW INFORMATION BECOMES AVAILABLE. THE INFORMATION PROVIDED HEREIN IS APPLICABLE TO CURRENT
EXTREME NETWORKS’ PRODUCTS IDENTIFIED HEREIN AND IS NOT INTENDED TO BE ANY REPRESENTATION OF
FUTURE FUNCTIONALITY OR COMPATIBILITY WITH ANY 3RD PARTY TECHNOLOGIES REFERENCED HEREIN. THIS
NOTICE SHALL NOT CHANGE ANY CONTRACT OR AGREEMENT THAT YOU HAVE ENTERED INTO WITH EXTREME
NETWORKS.