Symantec Security Response, SMNTC-1403
Apr 13, 2017 - 8:00 a.m.

SA147 : March 2017 NTP Security Vulnerabilities


CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

SUMMARY

Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service through application crashes. A local attacker can exploit these vulnerabilities to execute arbitrary code.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis (CA)

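CVE | Affected Version(s) | Remediation
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1.
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 2.1 | Upgrade to later release with fixes.
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.3 | Upgrade to later release with fixes.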

Director

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2017-6452 and CVE-2016-6459 | 6.1 | Upgrade to a version of MC with the fixes.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.1 | Upgrade to a version of CAS and SMG with the fixes.

Management Center (MC)

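CVE | Affected Version(s) | Remediation
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1.
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.10 | Upgrade to later release with fixes.
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 1.9 | Upgrade to later release with fixes.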

Reporter

CVE | Supported Version(s) | Remediation
CVE-2016-9042 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2016-9042 | 10.1 | Upgrade to later release with fixes.
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.5 | Not vulnerable, fixed in 10.5.1.1
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.3, 10.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.2 | Not vulnerable, fixed in 10.2.1.1
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
All CVEs | 9.4, 9.5 | Not vulnerable

Security Analytics

CVE | Affected Version(s) | Remediation
CVE-2016-9042, CVE-2017-6460, CVE-2017-6455, CVE-2017-6458 | 7.3 and later | Not vulnerable, fixed in 7.3.1
CVE-2016-9042, CVE-2017-6460 | 7.2 | Upgrade to 7.2.4.
CVE-2017-6455, CVE-2017-6458 | 7.2 | Upgrade to 7.2.4.
CVE-2017-6455, CVE-2017-6458 | 7.1 | Upgrade to later release with fixes.
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 8.1 | Not vulnerable, fixed in 8.1.1
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 7.3, 8.0 | Upgrade to later release with fixes.
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 7.2 | Upgrade to 7.2.4.
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | 7.1 | Upgrade to later release with fixes.

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
All CVEs | 4.1 and later | Not vulnerable, fixed in 4.1.1.1
CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, CVE-2017-6464 | 4.0 | Upgrade to later release with fixes.
CVE-2017-6463, CVE-2017-6464 | 3.12 | Upgrade to later release with fixes.
CVE-2017-6463, CVE-2017-6464 | 3.11 | Upgrade to later release with fixes.
CVE-2017-6463, CVE-2017-6464 | 3.10 | Upgrade to later release with fixes.
CVE-2017-6463, CVE-2017-6464 | 3.8.4FC, 3.9 | Upgrade to later release with fixes.

The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

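CVE | Affected Version(s) | Remediation
All CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459 | 7.1 and later | Not vulnerable, fixed in 7.1.1.1
All CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459 | 6.7 | Upgrade to 6.7.3.1.
All CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459 | 6.6 | Upgrade to later release with fixes.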

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: all CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459
  • CA: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
  • MTD: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
  • MC: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
  • Reporter 10.1, 10.3, 10.4: CVE-2017-6451 (10.1 only), CVE-2017-6458 (10.1 only), CVE-2017-6460 (10.1 only), CVE-2017-6462, CVE-2017-6463, CVE-2017-6464
  • SSLV: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent
Web Isolation

The following products are under investigation:
X-Series XOS

ISSUES

CVE-2016-9042

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 97046 / Red Hat: CVE-2016-9042
Impact | Denial of service
Description | A flaw in ntpd origin timestamp validation allows a remote attacker who can spoof packets from a configured time server to cause ntpd to discard responses from that server. A remote attacker who can spoof packets from all configured time servers can prevent ntpd from adjusting the system time, resulting in denial of service.

CVE-2017-6451

Severity / CVSSv2 | Medium / 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 97058 / NVD: CVE-2017-6451
Impact | Code execution
Description | An out-of-bounds write flaw in the legacy MX4200 refclock allows a local attacker to execute arbitrary code via unspecified vectors.

CVE-2017-6452

Severity / CVSSv2 | Medium / 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 97078 / NVD: CVE-2017-6452
Impact | Unspecified
Description | An out-of-bounds write flaw in the NTP library Windows installer allows a local attacker to pass in a crafted application path and have unspecified impact.

CVE-2017-6455

Severity / CVSSv2 | Medium / 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 97074 / NVD: CVE-2017-6455
Impact | Code execution
Description | A flaw in ntpd under Windows NT allows a local attacker to specify a malicious DLL in the PPSAPI_DLLS environment variable and execute arbitrary code within ntpd.

CVE-2017-6458

Severity / CVSSv2 | Medium / 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
References | SecurityFocus: BID 97051 / NVD: CVE-2017-6458
Impact | Unspecified
Description | A flaw in ntpd allows a remote attacker to send query requests and have unspecified impact. Successful exploitation requires the query responses to include custom variables with long names, which have been pre-configured in the ntpd configuration file.

CVE-2017-6459

Severity / CVSSv2 | Low / 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 97076 / NVD: CVE-2017-6459
Impact | Unspecified
Description | A flaw in the NTP library Windows installer allows local attackers to have unspecified impact via vectors related to an argument with multiple NULL bytes.

CVE-2017-6460

Severity / CVSSv2 | Medium / 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
References | SecurityFocus: BID 97052 / NVD: CVE-2017-6460
Impact | Denial of service, code execution
Description | A flaw in ntpq allows a malicious remote NTP server to send a crafted list response and cause a stack-based buffer overflow. The malicious server can execute arbitrary code on the host running ntpq or cause ntpq to crash.

CVE-2017-6462

Severity / CVSSv2 | Medium / 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 97045 / NVD: CVE-2017-6462
Impact | Unspecified
Description | A flaw in the legacy Datum Programmable Time Server (DPTS) refclock driver allows local attackers to cause a buffer overflow in ntpd via a crafted /dev/datum device file, and have unspecified impact.

CVE-2017-6463

Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
References | SecurityFocus: BID 97049 / NVD: CVE-2017-6463
Impact | Denial of service
Description | A flaw in ntpd allows a remote authenticated attacker to send a crafted unpeer configuration request and cause ntpd to crash, resulting in denial of service.

CVE-2017-6464

Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
References | SecurityFocus: BID 97050 / NVD: CVE-2017-6464
Impact | Denial of service
Description | A flaw in ntpd allows a remote authenticated attacker to send a crafted mode configuration request and cause ntpd to crash, resulting in denial of service.

MITIGATION

These vulnerabilities can be exploited only through the management network port for Director, MTD, MC, and SSLV. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.

By default, Director does not use the PPSAPI_DLLS environment variable, custom variables with long names, and the DPTS refclock. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462.

By default, Security Analytics does not use the PPSAPI_DLLS environment variable, custom variables with long names, ntpq, and the DPTS refclock. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2017-6455, CVE-2017-6458, CVE-2017-6460, and CVE-2017-6462.
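One way to check an ntpd configuration file for the refclock and custom-variable features named in the CVE descriptions and mitigation notes above. This is an added example, not Symantec or ntp.org code: the sample ntp.conf is constructed, driver types 9 and 17 are the MX4200 and Datum refclock types in ntpd's 127.127.t.u addressing, and the 64-character threshold for a "long" name is an assumption because the advisory gives no length.

```python
import re

# Refclock driver types in ntpd's 127.127.<type>.<unit> pseudo-addresses.
LEGACY_REFCLOCKS = {
    9: ("MX4200", "CVE-2017-6451"),
    17: ("Datum/DPTS", "CVE-2017-6462"),
}
# Assumption: the advisory only says "long names"; this cut-off is illustrative.
LONG_NAME = 64

REFCLOCK_RE = re.compile(r"^(?:server|fudge)\s+127\.127\.(\d+)\.\d+\b")
SETVAR_RE = re.compile(r"^setvar\s+([^\s=]+)")


def audit_ntp_conf(text):
    """Return (line_no, cve, reason) for each feature the advisory names."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        m = REFCLOCK_RE.match(line)
        if m and int(m.group(1)) in LEGACY_REFCLOCKS:
            name, cve = LEGACY_REFCLOCKS[int(m.group(1))]
            findings.append((no, cve, f"{name} refclock configured"))
        m = SETVAR_RE.match(line)
        if m and len(m.group(1)) >= LONG_NAME:
            findings.append(
                (no, "CVE-2017-6458", f"setvar name is {len(m.group(1))} chars")
            )
    return findings


# Constructed sample configuration, not taken from any product.
SAMPLE_CONF = """\
server 0.pool.example.org iburst
server 127.127.17.0            # Datum refclock
# server 127.127.9.0   (commented out, must not be reported)
setvar {long}="x" default
setvar site="lab" default
""".format(long="v" * 80)

if __name__ == "__main__":
    for no, cve, reason in audit_ntp_conf(SAMPLE_CONF):
        print(f"line {no}: {cve}: {reason}")
```

The PPSAPI_DLLS environment variable and ntpq usage do not appear in ntp.conf, so they have to be checked in the service environment and in operator tooling instead.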

REFERENCES

NTP Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu>

REVISION

2021-05-21 A fix for Security Analytics 7.2 is available in 7.2.4. Moving Advisory Status to Closed.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-28 Reporter 10.3 and 10.4 are not vulnerable to CVE-2016-9042.
2020-04-23 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Fixes for Reporter 10.3 and 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-08-29 Reporter 10.1 is vulnerable to CVE-2016-9042. Reporter 10.2 is not vulnerable because a fix for all CVEs is available in 10.2.1.1. Reporter 10.3 and 10.4 have vulnerable versions of the NTP reference implementation, but are not vulnerable to known vectors of attack.
2019-08-08 SSLV 3.x is not vulnerable to CVE-2017-6460.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. Added remaining CVSS v2 scores from NVD.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is not vulnerable.
2018-01-31 A fix for ASG 6.7 is available in 6.7.3.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-07-23 MC 1.10 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464. It also has a vulnerable version of the NTP reference implementation for CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable because a fix is available in 7.3.1.
2017-05-19 CA 2.1 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.
2017-05-05 Security Analytics 7.1 and 7.2 are vulnerable to CVE-2017-6458, CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464. Security Analytics 7.2 is also vulnerable to CVE-2016-9042 and CVE-2017-6460.
2017-04-13 initial public release
