Symantec Security Response, SMNTC-1451
Apr 26, 2018 - 8:00 a.m.

SA165: NTP Vulnerabilities February 2018


CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.891 High (Percentile: 98.4%)

SUMMARY

Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code, modify the target’s system time, prevent the target from updating its system time, and cause denial of service through application crashes.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-7182, CVE-2018-7183, CVE-2018-7184 | 2.4 and later | Not vulnerable, fixed in 2.4.1.1 |
| | 2.3 | Upgrade to 2.3.5.1. |
| | 2.1, 2.2 | Upgrade to a later version with fixes. |

Director

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 6.1 | Upgrade to a version of MC with the fixes. |

Mail Threat Defense

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-7182, CVE-2018-7183, CVE-2018-7184 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. |

Management Center

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-7182, CVE-2018-7183, CVE-2018-7184 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1. |
| | 1.11, 2.0 | Upgrade to a later version with fixes. |

Reporter

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-7170, CVE-2018-7185 | 10.5 | Not vulnerable, fixed in 10.5.1.1 |
| | 10.3, 10.4 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to a later version with fixes. |
| CVE-2018-7182, CVE-2018-7183, CVE-2018-7184 | 10.1, 10.2 | Upgrade to a later version with fixes. |
| All CVEs | 9.5 | Not vulnerable |

Security Analytics

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-7170 and CVE-2018-7185 | 8.1, 8.2 | Not available at this time |
| | 7.1, 7.2, 7.3, 8.0 | Upgrade to later version with fixes. |
| CVE-2018-7182, CVE-2018-7183, CVE-2018-7184 | 7.2 | Upgrade to later version with fixes. |

SSL Visibility

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-7182 | 5.0 | Not vulnerable, fixed in 5.0.2.1. |
| | 4.5 | Not vulnerable, fixed in 4.5.1.1. |
| | 4.1, 4.2, 4.3, 4.4 | Upgrade to a later version with fixes. |
| | 3.10, 3.11, 3.12 | Upgrade to a later version with fixes. |
| | 3.8.4FC | Upgrade to a later version with fixes. |

Web Isolation (WI)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2018-7170 | 1.13, 1.14 | Not available at this time |
| | 1.12 | Upgrade to a later version with fixes. |

X-Series XOS

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-7185 | 10.0, 11.0 | A fix will not be provided. |

The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 7.1 and later | Not vulnerable, fixed in 7.1.1.1 |
| | 6.7 | Upgrade to 6.7.4.2. |
| | 6.6 | Upgrade to later release with fixes. |

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: all CVEs
  • CA: CVE-2018-7170 and CVE-2018-7185
  • MTD: CVE-2018-7170 and CVE-2018-7185
  • MC: CVE-2018-7170 and CVE-2018-7185
  • Reporter: CVE-2018-7170 and CVE-2018-7185
  • SSLV: all CVEs except CVE-2018-7182

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent
WSS Agent

ISSUES

CVE-2018-7170

| Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) |
|---|---|
| References | SecurityFocus: BID 103194 / NVD: CVE-2018-7170 |
| Impact | Unauthorized modification of system time |
| Description | A Sybil vulnerability in ntpd allows remote authenticated NTP servers to establish a large number of ephemeral associations in order to influence the ntpd clock selection algorithm and modify the target’s system time. |

CVE-2018-7182

| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
|---|---|
| References | SecurityFocus: BID 103191 / NVD: CVE-2018-7182 |
| Impact | Denial of service |
| Description | A buffer overread flaw in ntpd allows a remote attacker to send crafted mode 6 packets and cause denial of service through application crashes. |

CVE-2018-7183

| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
|---|---|
| References | SecurityFocus: BID 103351 / NVD: CVE-2018-7183 |
| Impact | Denial of service |
| Description | A buffer overflow flaw in ntpq allows a remote attacker to send a response with a crafted array and execute arbitrary code or cause denial of service. |

CVE-2018-7184

| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
|---|---|
| References | SecurityFocus: BID 103192 / NVD: CVE-2018-7184 |
| Impact | Denial of service |
| Description | A packet handling flaw in ntpd allows a remote attacker to send a packet with a zero-origin timestamp and reset the NTP association. This prevents ntpd from updating the system time until the NTP association resets, resulting in denial of service. |

CVE-2018-7185

| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
|---|---|
| References | SecurityFocus: BID 103339 / NVD: CVE-2018-7185 |
| Impact | Denial of service |
| Description | A packet handling flaw in ntpd allows a remote attacker to send a packet with a zero-origin timestamp and reset the NTP association. |

MITIGATION

All CVEs except CVE-2018-7183 can be exploited only through the management network port for Director, MTD, MC, and SSLV. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.

By default, Director does not configure ntpd in symmetric or interleave mode. Customers who leave this behavior unchanged prevent attacks against Director using CVE-2018-7170, CVE-2018-7174, and CVE-2018-7185.

By default, all versions of Security Analytics do not configure ntpd in symmetric or interleave mode. Customers who leave this behavior unchanged prevent attacks against Security Analytics using CVE-2018-7170 and CVE-2018-7185. Also, Security Analytics 7.2 does not query remote NTP servers using ntpq. Customers who leave this behavior unchanged prevent attacks against Security Analytics 7.2 using CVE-2018-7183.
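The check below is an added example, not code from Symantec or ntp.org: it audits an ntp.conf for the settings the mitigation depends on, symmetric associations (`peer`) and interleave mode (`xleave`), and also reports whether a default `restrict` line leaves mode 6 queries (the packet type named in CVE-2018-7182) unrestricted. The sample configuration, host names and addresses are constructed, and the file layout on any given appliance is an assumption.

```python
# Added example: audit an ntp.conf for the ntpd modes named in the mitigation.
# SAMPLE_CONF is constructed for illustration; it is not from any Symantec product.
SAMPLE_CONF = """\
# constructed sample
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
server ntp1.example.net iburst
peer 192.0.2.10 key 5 xleave
broadcast 198.51.100.255 xleave
"""

SYMMETRIC = "symmetric association configured (peer)"
INTERLEAVE = "interleave mode enabled (xleave)"
MODE6_OPEN = "default restrict line does not set noquery or ignore"
NO_DEFAULT = "no 'restrict default' line found"


def audit_ntp_conf(text):
    """Return [(line_number, finding), ...]; line 0 means a file-level finding."""
    findings = []
    saw_default = False
    for number, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments, then tokenize case-insensitively.
        tokens = raw.split("#", 1)[0].lower().split()
        if not tokens:
            continue
        command, args = tokens[0], tokens[1:]
        if command == "peer":
            findings.append((number, SYMMETRIC))
        if command in ("peer", "broadcast") and "xleave" in args:
            findings.append((number, INTERLEAVE))
        if command == "restrict":
            # Skip the optional address-family qualifier before the address.
            args = [a for a in args if a not in ("-4", "-6")]
            if args and args[0] == "default":
                saw_default = True
                if not {"noquery", "ignore"} & set(args[1:]):
                    findings.append((number, MODE6_OPEN))
    if not saw_default:
        findings.append((0, NO_DEFAULT))
    return findings


if __name__ == "__main__":
    for number, finding in audit_ntp_conf(SAMPLE_CONF):
        print(f"line {number}: {finding}")
```

An empty result means the file configures neither symmetric nor interleave mode and its default restriction denies queries; it says nothing about the installed ntpd version, which still needs the vendor fix.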

REFERENCES

NTP Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S>

REVISION

2021-08-27 WSS Agent is not vulnerable.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-01-15 WI 1.14 is vulnerable to CVE-2018-7170. A fix is not available at this time. Fixes will not be provided for WI 1.12. Please upgrade to a later release with the vulnerability fixes.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-17 Content Analysis (CA) 2.4 and later versions are not vulnerable because a fix is available in 2.4.1.1. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes for Reporter 10.3 and SSLV 4.4 will not be provided. Please upgrade to later versions with the vulnerability fixes. Security Analytics 8.1 is vulnerable to CVE-2018-7170 and CVE-2018-7185. Advanced Secure Gateway (ASG) 7.1 and later are not vulnerable because a fix is available in 7.1.1.1.
2019-10-07 WI 1.12 and 1.13 are vulnerable to CVE-2018-7170. A fix is not available at this time.
2019-08-30 Reporter 10.4 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2019-08-12 A fix for MC 2.0 will not be provided. Please update to a later version with the vulnerability fixes.
2019-08-09 SSLV 4.5 is not vulnerable because a fix is available in 4.5.1.1.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-27 A fix for CA 2.3 is available in 2.3.5.1. A fix for ASG 6.7 is available in 6.7.4.2.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-7170 and CVE-2018-7185.
2019-01-18 SSLV 4.3 and 4.4 are vulnerable to CVE-2018-7182. SSLV 5.0 is not vulnerable because a fix is available in 5.0.2.1. A fix for SSLV 4.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-14 MC 2.1 is not vulnerable because a fix is available in 2.1.1.1. A fix for MC 1.11 will not be provided. Please update to a later version with the vulnerability fixes. Reporter 10.3 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please update to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please update to a later version with the vulnerability fixes.
2018-07-23 Director 6.1 is vulnerable to all CVEs.
2018-04-26 initial public release
