SOL17566 - NTP vulnerability CVE-2015-7704

ID SOL17566
Type f5
Reporter f5
Modified 2016-09-01T00:00:00


Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

To mitigate this vulnerability for the BIG-IP system, you should allow only trusted NTP traffic to the management interface and/or self IP in a secure network. To mitigate this vulnerability for Traffix SDC, you should restrict access to the Mobile operator internal NTP servers and the hosts on the Traffix SDC private internal local network. While there is no data plane exposure, the management port and non-default self IP configurations that expose the NTP service (UDP port 123) are vulnerable.Â

In addition, consider the following mitigations:

  • Implement Time Source Diversity & Upstream Time Server Quantity that utilizes multiple, trusted NTP servers. From, "Conventional wisdom is that using at least five upstream time servers would probably be a good idea, and you may want more. Note that ntpd won't use more than ten upstream time servers, although it will continue to monitor as many as you configure."
  • If the NTP server did not legitimately send a KoD, simply restarting the NTPD service bigstart restart ntpd should allow legitimate queries to work, provided the NTP server has not placed you on a blacklist.
  • Use the ntpq utility to determine which servers ntpd will not query due to receiving the KoD, by typing ntpq at the BIG-IP or BIG-IQ command line, and entering associations at the interactive prompt. If you see the word rate_exceeded in the last_event column, then ntpd has recently received the KoD packet with a source address that matches the server. For more information about using ntpq, refer to SOL10240: Verifying NTP peer server communications.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy