
SOL17566 - NTP vulnerability CVE-2015-7704

2015-11-05 00:00:00
support.f5.com

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.899 High (Percentile: 98.5%)

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

To mitigate this vulnerability for the BIG-IP system, you should allow only trusted NTP traffic to the management interface and/or self IP in a secure network. To mitigate this vulnerability for Traffix SDC, you should restrict access to the Mobile operator internal NTP servers and the hosts on the Traffix SDC private internal local network. While there is no data plane exposure, the management port and non-default self IP configurations that expose the NTP service (UDP port 123) are vulnerable.

In addition, consider the following mitigations:

  • Implement time source diversity and a sufficient number of upstream time servers, using multiple, trusted NTP servers. From ntp.org: “Conventional wisdom is that using at least five upstream time servers would probably be a good idea, and you may want more. Note that ntpd won’t use more than ten upstream time servers, although it will continue to monitor as many as you configure.”
  • If the NTP server did not legitimately send a KoD, simply restarting the ntpd service (bigstart restart ntpd) should allow legitimate queries to work, provided the NTP server has not placed you on a blacklist.
  • Use the ntpq utility to determine which servers ntpd will not query due to receiving the KoD, by typing ntpq at the BIG-IP or BIG-IQ command line and entering associations at the interactive prompt. If you see the word rate_exceeded in the last_event column, then ntpd has recently received a KoD packet with a source address that matches the server. For more information about using ntpq, refer to SOL10240: Verifying NTP peer server communications.
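
As an added check that is not part of the F5 article, the following Python script parses the table that ntpq -c associations prints and lists the associations whose last_event column reads rate_exceeded, which is the condition the bullet above describes; the sample output embedded in it is constructed, and the live check assumes the ntpq utility is on PATH.

```python
"""Flag NTP associations that ntpd has stopped querying after a KoD.

Parses the table printed by `ntpq -c associations` and returns the
associations whose last_event column reads rate_exceeded.
"""
import re
import subprocess

# Constructed sample of `ntpq -c associations` output (not captured from a
# real BIG-IP); the second association has been hit by a Kiss-o'-Death.
SAMPLE_ASSOCIATIONS = """\
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 12345  963a   yes   yes  none  sys.peer    sys_peer  3
  2 12346  9064   yes    no  none   reject rate_exceeded  6
  3 12347  9424   yes   yes  none  candidate   reachable  2
"""

# One data row: ind assid status conf reach auth condition last_event cnt
DATA_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_associations(text):
    """Return one dict per association row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = DATA_LINE.match(line)
        if not m:
            continue
        ind, assid, status, conf, reach, auth, cond, event, cnt = m.groups()
        rows.append({"ind": int(ind), "assid": int(assid), "status": status,
                     "conf": conf, "reach": reach, "auth": auth,
                     "condition": cond, "last_event": event, "cnt": int(cnt)})
    return rows


def rate_exceeded(text):
    """Association ids whose last_event is rate_exceeded (ntpd received a KoD)."""
    return [r["assid"] for r in parse_associations(text)
            if r["last_event"] == "rate_exceeded"]


def check_live_ntpd():
    """Run ntpq on this host and return the KoD-affected association ids."""
    out = subprocess.run(["ntpq", "-c", "associations"], capture_output=True,
                         text=True, check=True).stdout
    return rate_exceeded(out)


if __name__ == "__main__":
    print("rate_exceeded associations:", rate_exceeded(SAMPLE_ASSOCIATIONS))
```

To map a flagged association id back to its server address, query that association's variables with ntpq's readvar command (for example ntpq -c "rv <assid>").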

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
