Network Time Protocol Vulnerabilities (Supplement Update A)

OVERVIEW

--------- Begin Update A Part 1 of 2 --------

This advisory supplement is to accompany the NCCIC/ICS-CERT advisory titled ICSA-14-353-01C Network Time Protocol Vulnerabilities that was published February 5, 2015, on the ICS‑CERT web site.

--------- End Update A Part 1 of 2 ----------

Please refer to this advisory for all the details of the vulnerabilities. The purpose of this advisory supplement is to document which products are affected by these vulnerabilities and suggest how users of these products may mitigate the effects of these vulnerabilities. This document will be updated as needed.

ICS-CERT thanks the following companies for responding to our inquiry on the affected products (listed vendors may have answered yes or no):

Arbiter, Catapult Software, Codesys, Ecava IntegraXor, Festo, Innominate, KEP (Kessler-Ellis Products), Meinberg, Microsys, spol. s r.o., Nordex Energy GmbH, Pepperl+Fuchs GmbH, Progea, Red Lion, Roche Diagnostics GmbH, SELINC, Sielcosistemi, Siemens, Sierra Wireless, SUBNET, Trihedral Engineering Limited, and Wind River Systems.

ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.

AFFECTED PRODUCTS

Arbiter Systems products:

• Clock products using the network card. Arbiter has deployed a new firmware based on NTP Version 4.2.8

Innomoninate products:

--------- Begin Update A Part 2 of 2 --------

Innominate Security Technologies AG, Security Advisory 2015/01/20-001 addresses
CVE-2014-9295.

• mGuard Firmware Version 7.0 should be upgraded to Version 7.6.7
• mGuard Firmware Version 8.0 should be upgraded to Version 8.1.5

Meinberg products:

Please see Meinberg’s public notification and mitigation strategies at:

• Meinberg Security Advisory: [MBGSA-1405] Multiple NTP Vuln (2014-12-22) - <https://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1405-multiple-ntp-vulnerabilities.htm&gt;
• Meinberg NTP Download information - <https://www.meinbergglobal.com/english/sw/ntp.htm&gt;
• LANTIME M3000, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SYNCFIRE 1000

Siemens products:

• Please see Siemens’s public notification and mitigation strategies at SSA-671683 NTP Vulnerabilities in Ruggedcom ROX-based Devices (Update March 05, 2015), located at www.siemens.com/cert/advisories. This Security notification update announces new updates for the affected products and recommends specific countermeasures for users to use until the fixes can be applied. CVE-2014-9293, CVE-2014-9294, and CVE-2014-9295.
• Please see Siemens’s public notification and mitigation strategies at SSA-749212 NTP Vulnerabilities in SINUMERIK Controllers-based Devices (Published March 05, 2015), located at www.siemens.com/cert/advisories. Siemens has released an update for the SINUMERIK controllers and recommends updating the system. CVE-2014-9294 and CVE‑2014-9295.

--------- End Update A Part 2 of 2 ----------

Wind River System products:

• Please see Wind River Support Network (<http://www.windriver.com/feeds/vxworks_networking_security_notice.xml&gt;) Wind River VxWorks 20150108 Security Advisory for NTP, for public notification and mitigation strategies.
• News updates for Wind River Linux:
• <https://knowledge.windriver.com/Content_Lookup?id=044944&gt;
• News updates for Wind River VxWorks:
• <http://www.windriver.com/feeds/wrsn.xml&gt;.

There are patches for WR Linux for the other (related) CVEs (2014-9293 - 9286) available at https://knowledge.windriver.com/?title=Content_Lookup&id=044772:

• VxWorks 7
• VxWorks 6.9
• WR Linux 4.3.0.X
• WR Linux 5.0.1.x
• WR Linux 6.0.0.x
• WR Linux 7.0.0.x