NTP vulnerability CVE-2014-9295

2014-12-24T07:27:00
ID F5:K15936
Type f5
Reporter f5
Modified 2018-02-06T01:03:00

Description

F5 Product Development has assigned ID 497719 (BIG-IP), ID 499068 (Enterprise Manager), and ID 499071 (BIG-IQ) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth may list Heuristic H498315-2 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature
---|---|---|---
BIG-IP LTM| 11.6.0
11.0.0 - 11.5.2
10.1.0 - 10.2.4| 12.0.0
11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10
11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP AAM| 11.6.0
11.4.0 - 11.5.2| 12.0.0
11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10| NTP daemon of Linux subsystem
BIG-IP AFM| 11.6.0
11.3.0 - 11.5.2| 12.0.0
11.6.0 HF4
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10| NTP daemon of Linux subsystem
BIG-IP Analytics| 11.6.0
11.0.0 - 11.5.2| 12.0.0
11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10
11.2.1 HF14| NTP daemon of Linux subsystem
BIG-IP APM| 11.6.0
11.0.0 - 11.5.2
10.1.0 - 10.2.4| 12.0.0
11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10
11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP ASM| 11.6.0
11.0.0 - 11.5.2
10.1.0 - 10.2.4| 12.0.0
11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10
11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP DNS| None| 12.0.0| None
BIG-IP Edge Gateway| 11.0.0 - 11.3.0
10.1.0 - 10.2.4| 11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP GTM| 11.6.0
11.0.0 - 11.5.2
10.1.0 - 10.2.4| 11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10
11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP Link Controller| 11.6.0
11.0.0 - 11.5.2
10.1.0 - 10.2.4| 12.0.0
11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10
11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP PEM| 11.6.0
11.3.0 - 11.5.2| 12.0.0
11.6.0 HF4
11.5.3
11.5.0 HF7
11.4.1 HF9
11.4.0 HF10| NTP daemon of Linux subsystem
BIG-IP PSM| 11.0.0 - 11.4.1
10.1.0 - 10.2.4| 11.4.1 HF9
11.4.0 HF10
11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP WebAccelerator| 11.0.0 - 11.3.0
10.1.0 - 10.2.4| 11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
BIG-IP WOM| 11.0.0 - 11.3.0
10.1.0 - 10.2.4| 11.2.1 HF14
10.2.4 HF11| NTP daemon of Linux subsystem
ARX| None| 6.0.0 - 6.4.0| None
Enterprise Manager| 3.0.0 - 3.1.1 HF5
2.1.0 - 2.3.0| 3.1.1 HF6| NTP daemon of Linux subsystem
FirePass| None| 7.0.0
6.0.0 - 6.1.0| None
BIG-IQ ADC| 4.5.0| 4.5.0 HF3| NTP daemon of Linux subsystem
BIG-IQ Cloud| 4.0.0 - 4.5.0| 4.5.0 HF3| NTP daemon of Linux subsystem
BIG-IQ Device| 4.2.0 - 4.5.0| 4.5.0HF3| NTP daemon of Linux subsystem
BIG-IQ Security| 4.0.0 - 4.5.0| 4.5.0 HF3| NTP daemon of Linux subsystem
LineRate| None| 2.2.0 - 2.6.1
1.6.0 - 1.6.4| None

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

To mitigate this vulnerability, you should only use the Configuration utility or the Traffic Management Shell (tmsh) to configure NTP. Additionally, you should permit management access to F5 products only over a secure network and limit shell access to trusted users.

Additionally, if a system has already been configured with a vulnerable custom NTP configuration, you should remove the customizations.