RE: [nsp] Cisco Security Advisory: NTP vulnerability

From: Zhang, Anchi (AZhang@reliant.com)
Date: Fri May 10 2002 - 10:16:53 EDT


On bad thing about the IOS NTP implementation, at least the version I tested, is that whether you have "ntp server" or "ntp peer" in your config, the IOS always replies upon receiving an NTP client request:

10.51.2.35 runs IOS with "ntp peer 10.1.1.1"

solaris# snoop -r port 123
Using device /dev/hme (promiscuous mode)
 10.51.5.248 -> 10.51.2.35 NTP client (Fri May 10 09:07:04 2002)
  10.51.2.35 -> 10.51.5.248 NTP server (Fri May 10 09:07:03 2002)

10.51.2.34 runs IOS with "ntp server 10.1.1.1"

solaris# snoop -r port 123
Using device /dev/hme (promiscuous mode)
 10.51.5.248 -> 10.51.2.34 NTP client (Fri May 10 09:08:39 2002)
  10.51.2.34 -> 10.51.5.248 NTP server (Fri May 10 09:08:39 2002)

Anchi

-----Original Message-----
From: Ray Davis [mailto:ray@carpe.net]
Sent: Friday, May 10, 2002 8:30 AM
To: kf@reign.sk
Cc: 'Damir Rajnovic'; psirt@cisco.com; cisco-nsp@puck.nether.net
Subject: Re: [nsp] Cisco Security Advisory: NTP vulnerability

Here is what we did and it seems to work:

    ! Allow ntp queries from our nets and our customers nets
    access-list 90 permit 212.96.128.0 0.0.31.255
    access-list 90 permit 192.107.123.0 0.0.0.255
    access-list 90 permit 193.102.208.0 0.0.0.255
        .
        .

    ! Allow us the use these NTP servers
    access-list 91 permit 129.132.2.21
    access-list 91 permit 130.149.17.21
    access-list 91 permit 129.69.1.153
    access-list 91 permit 192.53.103.103

    ! Apply the access lists and define the servers
    ntp access-group peer 91
    ntp access-group serve-only 90
    ntp server 192.53.103.103
    ntp server 130.149.17.21
    ntp server 129.132.2.21
    ntp server 129.69.1.153

If anybody sees any problems here - please speak up!

Cheers,
Ray

PS: It would sure be nice if IOS would allow the "ntp server" command to
keep a hostname in its config instead of converting it to an IP address
and storing it as an IP address in the config. Because it stores an IP
address we have to periodically check to make sure the IP address of,
for example, swisstime.ee.ethz.ch didn't change.

> Nono...
>
> I was thinking of using access list for NTP daemon e.g. ntp access-group server 99.....
>
> or?
>
> cheers
>
> alex
>
>
> >
> > Hi,
> >
> > At 20:10 08/05/2002 +0200, KF wrote:
> > >Anyone aware, if ACL specified for NTP service in IOS are
> > overlooked or ?
> >
> > Do you mean to put an ACL on an interface? It is a valid workaround.
> > It is mentioned here:
> >
> > ======
> > Additionally, if you are not using NTP servers external from
> > your network,
> > you can drop all NTP packets on the network boundary. This
> > can be done by
> > the ACL as follows:
> > ==
> >
> > If it is not clear then I will have to update the advisory to make it
> > more clear.
> >
> > Gaus
> > ==============
> > Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager,
> > Cisco Systems
> > <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
> > 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
> > ==============
> > There is no insolvable problems.
> > The question is can you accept the solution?
> >
> >
> >
>



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:56 EDT