Tuesday, February 2, 2016

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products - January 2016

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products - January 2016

Medium

Advisory ID: cisco-sa-20160127-ntpd
Last Updated: 2016 January 27 23:47 GMT
Published: 2016 January 27 20:00 GMT
Version 1.1: Interim
CVSS Score:
Base - 5.0
Workarounds:
Yes
CVE-2015-7973
CVE-2015-7974
CVE-2015-7975
More...
CWE-119
CWE-20
CWE-200
More...
Download PDF
Email

Summary
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.

On January 19th, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may result in an attacker gaining the ability to shift a clients time. The vulnerabilities covered in this document are as follows:
CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability
CVE-2015-7974: Network Time Protocol Missing Trusted Key Check
CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check
CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames
CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of Service Vulnerability
CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service
CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service
CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass
CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp
CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack
CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop
Additional details on each of the vulnerabilities can be found in the official security advisory from NTP Consortium at Network Time Foundation at the following link: Security Notice

Cisco has released software updates that address these vulnerabilities.

Workarounds that mitigate some of these vulnerabilities may be available. The workarounds will be made present where available in the corresponding Cisco Bug ID for each affected product.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd
Affected Products
Cisco is currently investigating its product line to determine which products may be affected by these vulnerabilities and the impact on each affected product. As the investigation progresses, this document will be updated to include the Cisco bug IDs for each affected product. The bugs will be accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including workarounds (if available) and fixed software versions.

Products Under Investigation

Collaboration and Social Media
Cisco WebEx Node for MCS

Network Application, Service, and Acceleration
Cisco Application Control Engine (ACE30/ ACE 4710)
Cisco Visual Quality Experience Server
Cisco Visual Quality Experience Tools Server
Cisco Wide Area Application Services (WAAS)

Network and Content Security Devices
Cisco Identity Services Engine (ISE)
Cisco Physical Access Control Gateway
Cisco Physical Access Manager
Cisco Secure Access Control Server (ACS)
Cisco Virtual Security Gateway for Microsoft Hyper-V

Network Management and Provisioning
Cisco Application Networking Manager
Cisco Prime Collaboration Assurance
Cisco Prime Data Center Network Manager (.ova and .iso installers)
Cisco Prime IP Express
Cisco Prime Infrastructure Standalone Plug and Play Gateway
Cisco Prime Infrastructure
Cisco Prime LAN Management Solution (LMS - Solaris)
Cisco Prime License Manager
Cisco Prime Network Registrar (CPNR) virtual appliance
Cisco Prime Network Registrar IP Address Manager (IPAM)
Cisco Prime Service Catalog Virtual Appliance

Routing and Switching - Enterprise and Service Provider
Cisco Connected Grid Router
Cisco IOS XR Software
Cisco IOS and Cisco IOS XE Software
Cisco MDS 9000 Series Multilayer Switches
Cisco Metro Ethernet 1200 Series Access Devices
Cisco Nexus 1000V Series Switches
Cisco Nexus 3000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches

Unified Computing
Cisco Common Services Platform Collector
Cisco UCS Director
Cisco UCS Invicta Series
Cisco UCS Manager
Cisco Unified Computing System E-Series Blade Server

Voice and Unified Communications Devices
Cisco Desktop Collaboration Experience DX70 and DX80
Cisco Emergency Responder
Cisco IM and Presence Service (CUPS)
Cisco MediaSense
Cisco Paging Server (Informacast)
Cisco Paging Server
Cisco Unified Sip Proxy
Cisco Unity Connection (UC)
Cisco Unity Express

Video, Streaming, TelePresence, and Transcoding Devices
Cisco Edge 340 Digital Media Player
Cisco International Digital Network Control System (iDNCS)
Cisco Show and Share
Cisco TelePresence 1310
Cisco TelePresence Exchange System (CTX)
Cisco TelePresence ISDN Link
Cisco TelePresence Server 8710, 7010
Cisco TelePresence Server on Multiparty Media 310, 320
Cisco TelePresence Server on Virtual Machine
Cisco TelePresence System 1000
Cisco TelePresence System 1100
Cisco TelePresence System 1300
Cisco TelePresence System 3000 Series
Cisco TelePresence System 500-32
Cisco TelePresence System 500-37
Cisco TelePresence TX 9000 Series
Cisco Transaction Encryption Device (TED)
Cisco Videoscape Control Suite
Cisco Videoscape Distribution Suite Transparent Caching

Wireless
Cisco Small Business 121 Series Wireless Access Points
Cisco Small Business 321 Series Wireless Access Points
Cisco Small Business 500 Series Wireless Access Points
Cisco WAP371 wireless access point

Cisco Hosted Services
Cisco Cloud Services
Cisco Cloud Web Security
Cisco Universal Small Cell usc-iuh
MACD Process Controller (MPC)
Network Change and Configuration Management

Vulnerable Products

The following list of products is under active investigation to determine the impact of the vulnerabilities covered by this document. This section will be updated as more information becomes available.

...
Product Defect Fixed releases availability
Collaboration and Social Media
Cisco Jabber Guest 10.0(2) CSCux95226
Network Application, Service, and Acceleration
Cisco Application and Content Networking System (ACNS) CSCux95159 5.5.41 (29-Feb-2016)
Network and Content Security Devices
Cisco ASA CX and Cisco Prime Security Manager CSCux95174 9.3.4.5 (30-May-2016)
Cisco Clean Access Manager CSCux95160 4.9.5 (19-Feb-2016)
Cisco FireSIGHT System Software CSCux95085 6.1 (June 2016)
Cisco Intrusion Prevention System Solutions (IPS) CSCux95190 7.1(11) Patch 1 (31-Mar-2016)
7.3(05) Patch 1 (30-Apr-2016)
Cisco NAC Guest Server CSCux95162 2.1.0 (19-Feb-2016)
Cisco NAC Server CSCux95161 4.9.5 (19-Feb-2016)
Network Management and Provisioning
Cisco UCS Central CSCux95108
Cisco Virtual Topology System (formally Virtual Systems Operations Center) CSCux95125
Unified Communications Deployment Tools CSCux95082
Routing and Switching - Enterprise and Service Provider
Cisco 910 Industrial Router CSCux95192
Cisco Application Policy Infrastructure Controller (APIC) CSCux95097
Cisco Service Control Operating System CSCux95215
IOS-XR for Cisco Network Convergence System (NCS) 6000 CSCux95128
Unified Computing
Cisco Standalone rack server CIMC CSCux95110
Voice and Unified Communications Devices
Cisco 3G Femtocell Wireless CSCux95197 SR10MR (29-Jul-2016)
Cisco Finesse CSCux95221
Cisco Hosted Collaboration Mediation Fulfillment CSCux95224
Cisco IP Interoperability and Collaboration System (IPICS) CSCux95148
Cisco Management Heartbeat Server CSCux95200 RMS5.x MR (29-Jul-2016)
Cisco Quantum Virtualized Packet Core CSCux95076
Cisco Unified Communications Manager (UCM) CSCux95217
Cisco Unified Communications Manager Session Management Edition (SME) CSCux95217
Video, Streaming, TelePresence, and Transcoding Devices
Cisco DCM Series 9900-Digital Content Manager CSCux95111 18.0 (31-Mar-2016)
Cisco Digital Media Manager (DMM) CSCux95141
Cisco Digital Media Manager CSCux95133
Cisco Edge 300 Digital Media Player CSCux95193 1.6RB4_4 (25-Feb-2016)
Cisco Enterprise Content Delivery System (ECDS) CSCux95135 2.6.7 (30-Apr-2016)
Cisco Expressway Series CSCux95145 8.7.1(22-Feb-2016)
Cisco Media Experience Engines (MXE) CSCux95139
Cisco TelePresence Conductor CSCux95130 XC4.2 (30-Mar-2016)
Cisco TelePresence EX Series CSCux95143
Cisco TelePresence MX Series CSCux95143
Cisco TelePresence Profile Series CSCux95143
Cisco TelePresence SX Series CSCux95143
Cisco TelePresence Video Communication Server (VCS) CSCux95145 8.7.1(22-Feb-2016)
Cisco Telepresence Integrator C Series CSCux95143
Cisco Video Delivery System Recorder CSCux95153 A patch file will be available for affected releases on 30-Apr-2016.
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) CSCux95154
Cisco Video Surveillance Media Server CSCux95180
Cisco Videoscape Policy and Resource Management CSCux95205
Cloud Object Store (COS) CSCux95152 3.8 (9-Apr-2016)
Cisco Hosted Services
Cisco Intelligent Automation for Cloud CSCux95147
Cisco Universal Small Cell 5000 Series running V3.4.2.x software CSCux95198
Cisco Universal Small Cell 7000 Series running V3.4.2.x software
More...
Workarounds
Any workarounds will be posted in the Cisco bug IDs, which are accessible through the Cisco Bug Search Tool.
Fixed Software
Information about fixed software will be in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
These vulnerabilities were discovered by researchers from Cisco Systems Inc.
URL
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products - January 2016
Medium
Advisory ID: cisco-sa-20160127-ntpd
Last Updated: 2016 January 27 23:47 GMT
Published: 2016 January 27 20:00 GMT
Version 1.1: Interim
CVSS Score:
Base - 5.0
Workarounds:
Yes
CVE-2015-7973
CVE-2015-7974
CVE-2015-7975
More...
CWE-119
CWE-20
CWE-200
More...
Download PDF
Email
Summary
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.

On January 19th, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may result in an attacker gaining the ability to shift a clients time. The vulnerabilities covered in this document are as follows:
CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability
CVE-2015-7974: Network Time Protocol Missing Trusted Key Check
CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check
CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames
CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of Service Vulnerability
CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service
CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service
CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass
CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp
CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack
CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop
Additional details on each of the vulnerabilities can be found in the official security advisory from NTP Consortium at Network Time Foundation at the following link: Security Notice

Cisco has released software updates that address these vulnerabilities.

Workarounds that mitigate some of these vulnerabilities may be available. The workarounds will be made present where available in the corresponding Cisco Bug ID for each affected product.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd
Affected Products
Cisco is currently investigating its product line to determine which products may be affected by these vulnerabilities and the impact on each affected product. As the investigation progresses, this document will be updated to include the Cisco bug IDs for each affected product. The bugs will be accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including workarounds (if available) and fixed software versions.

Products Under Investigation

Collaboration and Social Media
Cisco WebEx Node for MCS

Network Application, Service, and Acceleration
Cisco Application Control Engine (ACE30/ ACE 4710)
Cisco Visual Quality Experience Server
Cisco Visual Quality Experience Tools Server
Cisco Wide Area Application Services (WAAS)

Network and Content Security Devices
Cisco Identity Services Engine (ISE)
Cisco Physical Access Control Gateway
Cisco Physical Access Manager
Cisco Secure Access Control Server (ACS)
Cisco Virtual Security Gateway for Microsoft Hyper-V

Network Management and Provisioning
Cisco Application Networking Manager
Cisco Prime Collaboration Assurance
Cisco Prime Data Center Network Manager (.ova and .iso installers)
Cisco Prime IP Express
Cisco Prime Infrastructure Standalone Plug and Play Gateway
Cisco Prime Infrastructure
Cisco Prime LAN Management Solution (LMS - Solaris)
Cisco Prime License Manager
Cisco Prime Network Registrar (CPNR) virtual appliance
Cisco Prime Network Registrar IP Address Manager (IPAM)
Cisco Prime Service Catalog Virtual Appliance

Routing and Switching - Enterprise and Service Provider
Cisco Connected Grid Router
Cisco IOS XR Software
Cisco IOS and Cisco IOS XE Software
Cisco MDS 9000 Series Multilayer Switches
Cisco Metro Ethernet 1200 Series Access Devices
Cisco Nexus 1000V Series Switches
Cisco Nexus 3000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches

Unified Computing
Cisco Common Services Platform Collector
Cisco UCS Director
Cisco UCS Invicta Series
Cisco UCS Manager
Cisco Unified Computing System E-Series Blade Server

Voice and Unified Communications Devices
Cisco Desktop Collaboration Experience DX70 and DX80
Cisco Emergency Responder
Cisco IM and Presence Service (CUPS)
Cisco MediaSense
Cisco Paging Server (Informacast)
Cisco Paging Server
Cisco Unified Sip Proxy
Cisco Unity Connection (UC)
Cisco Unity Express

Video, Streaming, TelePresence, and Transcoding Devices
Cisco Edge 340 Digital Media Player
Cisco International Digital Network Control System (iDNCS)
Cisco Show and Share
Cisco TelePresence 1310
Cisco TelePresence Exchange System (CTX)
Cisco TelePresence ISDN Link
Cisco TelePresence Server 8710, 7010
Cisco TelePresence Server on Multiparty Media 310, 320
Cisco TelePresence Server on Virtual Machine
Cisco TelePresence System 1000
Cisco TelePresence System 1100
Cisco TelePresence System 1300
Cisco TelePresence System 3000 Series
Cisco TelePresence System 500-32
Cisco TelePresence System 500-37
Cisco TelePresence TX 9000 Series
Cisco Transaction Encryption Device (TED)
Cisco Videoscape Control Suite
Cisco Videoscape Distribution Suite Transparent Caching

Wireless
Cisco Small Business 121 Series Wireless Access Points
Cisco Small Business 321 Series Wireless Access Points
Cisco Small Business 500 Series Wireless Access Points
Cisco WAP371 wireless access point

Cisco Hosted Services
Cisco Cloud Services
Cisco Cloud Web Security
Cisco Universal Small Cell usc-iuh
MACD Process Controller (MPC)
Network Change and Configuration Management

Vulnerable Products

The following list of products is under active investigation to determine the impact of the vulnerabilities covered by this document. This section will be updated as more information becomes available.

...
Product Defect Fixed releases availability
Collaboration and Social Media
Cisco Jabber Guest 10.0(2) CSCux95226
Network Application, Service, and Acceleration
Cisco Application and Content Networking System (ACNS) CSCux95159 5.5.41 (29-Feb-2016)
Network and Content Security Devices
Cisco ASA CX and Cisco Prime Security Manager CSCux95174 9.3.4.5 (30-May-2016)
Cisco Clean Access Manager CSCux95160 4.9.5 (19-Feb-2016)
Cisco FireSIGHT System Software CSCux95085 6.1 (June 2016)
Cisco Intrusion Prevention System Solutions (IPS) CSCux95190 7.1(11) Patch 1 (31-Mar-2016)
7.3(05) Patch 1 (30-Apr-2016)
Cisco NAC Guest Server CSCux95162 2.1.0 (19-Feb-2016)
Cisco NAC Server CSCux95161 4.9.5 (19-Feb-2016)
Network Management and Provisioning
Cisco UCS Central CSCux95108
Cisco Virtual Topology System (formally Virtual Systems Operations Center) CSCux95125
Unified Communications Deployment Tools CSCux95082
Routing and Switching - Enterprise and Service Provider
Cisco 910 Industrial Router CSCux95192
Cisco Application Policy Infrastructure Controller (APIC) CSCux95097
Cisco Service Control Operating System CSCux95215
IOS-XR for Cisco Network Convergence System (NCS) 6000 CSCux95128
Unified Computing
Cisco Standalone rack server CIMC CSCux95110
Voice and Unified Communications Devices
Cisco 3G Femtocell Wireless CSCux95197 SR10MR (29-Jul-2016)
Cisco Finesse CSCux95221
Cisco Hosted Collaboration Mediation Fulfillment CSCux95224
Cisco IP Interoperability and Collaboration System (IPICS) CSCux95148
Cisco Management Heartbeat Server CSCux95200 RMS5.x MR (29-Jul-2016)
Cisco Quantum Virtualized Packet Core CSCux95076
Cisco Unified Communications Manager (UCM) CSCux95217
Cisco Unified Communications Manager Session Management Edition (SME) CSCux95217
Video, Streaming, TelePresence, and Transcoding Devices
Cisco DCM Series 9900-Digital Content Manager CSCux95111 18.0 (31-Mar-2016)
Cisco Digital Media Manager (DMM) CSCux95141
Cisco Digital Media Manager CSCux95133
Cisco Edge 300 Digital Media Player CSCux95193 1.6RB4_4 (25-Feb-2016)
Cisco Enterprise Content Delivery System (ECDS) CSCux95135 2.6.7 (30-Apr-2016)
Cisco Expressway Series CSCux95145 8.7.1(22-Feb-2016)
Cisco Media Experience Engines (MXE) CSCux95139
Cisco TelePresence Conductor CSCux95130 XC4.2 (30-Mar-2016)
Cisco TelePresence EX Series CSCux95143
Cisco TelePresence MX Series CSCux95143
Cisco TelePresence Profile Series CSCux95143
Cisco TelePresence SX Series CSCux95143
Cisco TelePresence Video Communication Server (VCS) CSCux95145 8.7.1(22-Feb-2016)
Cisco Telepresence Integrator C Series CSCux95143
Cisco Video Delivery System Recorder CSCux95153 A patch file will be available for affected releases on 30-Apr-2016.
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) CSCux95154
Cisco Video Surveillance Media Server CSCux95180
Cisco Videoscape Policy and Resource Management CSCux95205
Cloud Object Store (COS) CSCux95152 3.8 (9-Apr-2016)
Cisco Hosted Services
Cisco Intelligent Automation for Cloud CSCux95147
Cisco Universal Small Cell 5000 Series running V3.4.2.x software CSCux95198
Cisco Universal Small Cell 7000 Series running V3.4.2.x software
More...
Workarounds
Any workarounds will be posted in the Cisco bug IDs, which are accessible through the Cisco Bug Search Tool.
Fixed Software
Information about fixed software will be in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
These vulnerabilities were discovered by researchers from Cisco Systems Inc.
URL
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd

- wong chee tat :)

No comments: