Symantec Security Response | SMNTC-1393
Jan 12, 2017 - 8:00 a.m.

SA139 : November 2016 NTP Security Vulnerabilities

CVSS3: 7.5 High
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.1 High
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C

SUMMARY

Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can modify the target's system time, prevent the target from synchronizing its time, cause denial of service through NTP daemon crashes, perform DDoS attack amplification, and evade security monitoring in the NTP daemon.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis (CA)

CVE | Affected Version(s) | Remediation
All CVEs | 2.2 and later | Not vulnerable, fixed in 2.2.1.1
CVE-2016-7429, CVE-2016-7433 | 2.1 | Upgrade to later release with fixes.
CVE-2016-7429, CVE-2016-7433 | 1.3 | Upgrade to later release with fixes.
CVE-2016-7431 | 2.1 | Upgrade to later release with fixes.
CVE-2016-7431 | 1.3.7.3, 1.3.7.4 | Upgrade to later release with fixes.

Director

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2016-7429 | 6.1 | Upgrade to 6.1.23.1.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2016-7429, CVE-2016-7433 | 1.1 | Not available at this time

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2016-7431, CVE-2016-7433 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1.
CVE-2016-7431, CVE-2016-7433 | 1.10 | Upgrade to later release with fixes.
CVE-2016-7431, CVE-2016-7433 | 1.9 | Upgrade to later release with fixes.
CVE-2016-7431, CVE-2016-7433 | 1.8 | Upgrade to later release with fixes.

Reporter

CVE | Affected Version(s) | Remediation
CVE-2016-7429, CVE-2016-7431, CVE-2016-7433 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1.
CVE-2016-7429, CVE-2016-7431, CVE-2016-7433 | 10.1 | Upgrade to 10.1.5.5.
All CVEs | 9.5 | Not vulnerable
All CVEs | 9.4 | Not vulnerable

Security Analytics

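CVE | Affected Version(s) | Remediation
All CVEs | 7.3 and later | Not vulnerable, fixed in 7.3.1.
CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 7.2 | Upgrade to 7.2.3.
CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 7.1 | Upgrade to later release with fixes.
CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 6.6 | Upgrade to later release with fixes.
CVE-2016-7427, CVE-2016-7428, CVE-2016-7431, CVE-2016-7434 | 7.2.2 | Not available at this time
CVE-2016-7427, CVE-2016-7428, CVE-2016-7431, CVE-2016-7434 | 7.1 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes.
CVE-2016-7427, CVE-2016-7428, CVE-2016-7431, CVE-2016-7434 | 6.6 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes.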

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
CVE-2016-7431, CVE-2016-7433 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1.
CVE-2016-7431, CVE-2016-7433 | 4.0 | Upgrade to later release with fixes.
CVE-2016-7431, CVE-2016-7433 | 3.8, 3.8.4FC, 3.9, 3.10, 3.12 | Not vulnerable to known vectors of attack.

X-Series XOS

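CVE | Affected Version(s) | Remediation
CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 11.0 | Not available at this time
CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 10.0 | Not available at this time
CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | 9.7 | Upgrade to later release with fixes.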

The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
All CVEs | 7.1 | Not vulnerable, fixed in 7.1.1.1
All CVEs | 6.7 | Upgrade to 6.7.3.1.
All CVEs | 6.6 | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: all CVEs
  • CA: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • Director: CVE-2016-7429
  • MTD: CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • MC: CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • Reporter 10.1: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312
  • Security Analytics: CVE-2016-9312
  • SSLV 3.x and 4.x: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429 (4.0 only), CVE-2016-7434, CVE-2016-9310, CVE-2016-9311

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent
Web Isolation

Symantec no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-7426

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 94451 / NVD: CVE-2016-7426
Impact | Denial of service
Description | A flaw in rate limiting allows a remote attacker to send NTP packets with spoofed source IP addresses and cause the target to reject legitimate packets from configured NTP servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7427

Severity / CVSSv2 | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 94447 / NVD: CVE-2016-7427
Impact | Denial of service
Description | A flaw in NTP broadcast packet replay prevention allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7428

Severity / CVSSv2 | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 94446 / NVD: CVE-2016-7428
Impact | Denial of service
Description | A flaw in NTP broadcast packet poll interval enforcement allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7429

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 94453 / NVD: CVE-2016-7429
Impact | Denial of service
Description | There is a flaw in the NTP daemon when it listens on multiple network interfaces and the operating system does not validate the source address of received packets. A remote attacker can send an NTP packet with a spoofed source IP address on an unexpected network interface to corrupt the NTP daemon’s internal state and prevent it from synchronizing the system time.

CVE-2016-7431

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 94454 / NVD: CVE-2016-7431
Impact | Denial of service, unauthorized modification of time
Description | A flaw in NTP packet origin timestamp validation allows a remote attacker to send crafted NTP packets and either modify the target’s system time or prevent it from synchronizing its time.

CVE-2016-7433

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 94455 / NVD: CVE-2016-7433
Impact | Unauthorized modification of time
Description | A flaw in initial time synchronization allows a remote attacker to send a spoofed NTP response and modify the target’s system time.

CVE-2016-7434

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 94448 / NVD: CVE-2016-7434
Impact | Denial of service
Description | A flaw in mrulist query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.

CVE-2016-9310

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
References | SecurityFocus: BID 94452 / NVD: CVE-2016-9310
Impact | Information disclosure, DDoS amplification, security control bypass
Description | A missing authorization flaw allows a remote attacker to send query requests and obtain sensitive information, perform DDoS attack amplification, and evade security monitoring in the target’s NTP daemon.

CVE-2016-9311

Severity / CVSSv2 | High / 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 94444 / NVD: CVE-2016-9311
Impact | Denial of service
Description | A flaw in remote query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.

CVE-2016-9312

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 94450 / NVD: CVE-2016-9312
Impact | Denial of service
Description | A flaw in oversized packet handling on Windows platforms allows a remote attacker to send crafted NTP packets to the NTP daemon and cause it to crash, resulting in denial of service.

MITIGATION

These vulnerabilities can be exploited only through the management network port for CA, Director, MTD, MC, Security Analytics, SSLV, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.

By default, Director does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, Security Analytics does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. The Security Analytics NTP daemon also does not listen by default on multiple network interfaces. Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, XOS does not enable unrestricted rate limiting and remote querying in the NTP daemon. Customers who leave this behavior unchanged prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311.
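On a stock ntp.org ntpd host, the features these paragraphs say to leave disabled correspond to ntp.conf directives. This added example (not from the advisory, and not a description of how the Symantec appliances are configured) audits a config for them and lists the CVEs whose prerequisite feature is enabled; the directive heuristics, the feature-to-CVE mapping and the sample configs are assumptions made here.

```python
# Feature -> CVEs, as read from this advisory's ISSUES and MITIGATION text.
FEATURE_CVES = {
    "rate_limiting": ["CVE-2016-7426"],
    "broadcast_mode": ["CVE-2016-7427", "CVE-2016-7428"],
    "remote_query": ["CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311"],
    "multi_interface": ["CVE-2016-7429"],
}

def enabled_features(conf_text):
    """Heuristically list the features above that an ntp.conf leaves enabled."""
    default_rules, listen, ignore_all, broadcast = [], set(), False, False
    for raw in conf_text.splitlines():
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if not tok:
            continue
        cmd, args = tok[0].lower(), tok[1:]
        if cmd == "restrict" and args[:1] == ["default"]:
            default_rules.append(args[1:])
        elif cmd == "broadcastclient":
            broadcast = True
        elif cmd in ("interface", "nic") and len(args) >= 2:
            if args[:2] == ["ignore", "all"]:
                ignore_all = True
            elif args[0] == "listen":
                listen.add(args[1])
    found = set()
    if any("limited" in r for r in default_rules):
        found.add("rate_limiting")
    if broadcast:
        found.add("broadcast_mode")
    # No default rule, or one lacking noquery/ignore: remote queries are answered.
    if not default_rules or any(not {"noquery", "ignore"} & set(r) for r in default_rules):
        found.add("remote_query")
    # ntpd binds every interface unless restricted to a single listen address.
    if not ignore_all or len(listen) != 1 or listen & {"all", "ipv4", "ipv6", "wildcard"}:
        found.add("multi_interface")
    return found

def exposed_cves(conf_text):
    return sorted(c for f in enabled_features(conf_text) for c in FEATURE_CVES[f])

# Constructed sample configurations (not taken from any Symantec product).
WEAK = """restrict default kod limited nomodify notrap
broadcastclient
server 192.0.2.10 iburst"""
HARDENED = """restrict default nomodify notrap nopeer noquery
interface ignore all
interface listen 192.0.2.5
server 192.0.2.10 iburst"""
print(exposed_cves(WEAK), exposed_cves(HARDENED))
```

The check reads only ntp.conf: interface restrictions passed on the ntpd command line and the operating system's source-address validation, which CVE-2016-7429 also depends on, are outside its view.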

REFERENCES

NTP.org Security Notice - https://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
Vulnerability Note VU#633847 - http://www.kb.cert.org/vuls/id/633847

REVISION

2020-04-26 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-08-10 SSLV 3.x has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is not vulnerable because a fix is available in SA 8.0.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is not vulnerable. Reporter 10.1 prior to 10.1.5.5 is vulnerable to CVE-2016-7429, CVE-2016-7431, and CVE-2016-7433. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.
2018-01-31 A fix for ASG 6.7 is available in 6.7.3.1.
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-03-30 MC 1.10 is vulnerable to CVE-2016-7431 and CVE-2016-7433. It also has a vulnerable version of the NTP reference implementation for CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312 but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2016-06-10 Corrected advisory to say that SSLV 3.9, 3.10, and 3.11 are not vulnerable to CVE-2016-7431. Also, CA, MC, and SSLV are not vulnerable to known vectors of attack for CVE-2016-9312. SSLV 3.8.4FC is vulnerable to CVE-2016-7433. SSLV 3.8.4FC also has a vulnerable version of the ntp.org NTP reference implementation for CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312, but is not vulnerable to known vectors of attack.
2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-03-30 MC 1.9 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-03-09 A fix for Security Analytics 7.2 is available in 7.2.3.
2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-01-12 initial public release
2016-01-23 Added CVSS v2 base scores from National Vulnerability Database (NVD)
