SOL00329831 - Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severityvalues published in the previous table. The Severityvalues and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability, you can perform one of the following recommended modifications to the NTP service:

• Configure the NTP service to use multiple time sources
• Configure the NTP service to restrict the use of ntpq queries with the restrictnoquery directive
• Configure restrict network access to the NTP service

Configure the NTP service to use multiple time sources

To add multiple time sources for the NTP service using the Configuration Utility, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System >Configuration>Device>NTP. 3. In the**Address **box, type the IP address of the NTP server you want.
3. In the Time Server List box, clickAdd to include the desired NTP server.
4. Repeat step 3 and step 4 for each NTP server you want.
5. To save the changes, click Update.

Configure the NTP service to restrict the use of ntpq queries with the restrict noquery directive

To configure the NTP service to restrict the use of ntpq withnoquery directive, perform the following procedure.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the tmsh utility.
2. Depending on your existing configuration, choose one of the following:
   * If you already have an access restriction configured, but the noquery directive is disabled, use the following command syntax:

modify sys ntp restrict modify { <Name> { no-query enabled } }

For example, to modify an existing access restriction name called ntp_restriction to enablenoquery, type the following command:

modify sys ntp restrict modify { ntp_restriction { no-query enabled } }
* If you do not have an existing access restriction configured, use the following command syntax:

modify sys ntp restrict add { <Name> { address <Network> mask <Mask> no-trap enabled no-modify enabled no-query enabled }

For example, to configure an access restriction named ntp_restriction, for the 192.168.1.0/24 subnet, withnotrap,nomodify,andnoquery enabled, type the following command:

modify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask 255.255.255.0 no-trap enabled no-modify enabled no-query enabled }
3. Save the configuration by typing the following command:
save /sys config

Configure restrict network access to the NTP service

For information about restricting network access to the NTP service, refer to SOL13092: Overview of securing access to the BIG-IP system.

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5
• SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
• SOL10025: Managing BIG-IP product hotfixes (10.x)
• SOL9502: BIG-IP hotfix matrix
• SOL15106: Managing BIG-IQ product hotfixes
• SOL15113: BIG-IQ hotfix matrix