SA139 : November 2016 NTP Security Vulnerabilities

Security Advisory ID: 
SA139
Published Date: 
Jan 12, 2017
Advisory Status: 
Interim
Advisory Severity: 
High
CVSS v2 base score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVE Number: 
CVE-2016-7426 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2016-7427 - 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-7428 - 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-7429 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2016-7431 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-2016-7433 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-7434 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-9310 - 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVE-2016-9311 - 7.1 (HIGH) (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVE-2016-9312 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities.  A remote attacker can modify the target’s system time, prevent the target from synchronizing its time, cause denial of service through NTP daemon crashes, perform DDoS attack amplification, and evade security monitoring in the NTP daemon.

Affected Products:

The following products are vulnerable:

Content Analysis
CAS 1.3 and 2.1 are vulnerable to CVE-2016-7429 and CVE-2016-7433.  CAS 1.3.7.3, 1.3.7.4, and 2.1 are also vulnerable to CVE-2016-7431 and CVE-2016-9312.

Director
Director 6.1 prior to 6.1.23.1 is vulnerable to all CVEs except CVE-2016-7429.

Management Center
MC 1.8 and 1.9 are vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-7429 and CVE-2016-7433.

Security Analytics
Security Analytics 6.6, 7.1, and 7.2 prior to 7.2.3 are vulnerable to CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311.  Security Analytics 6.6 with the ntp-4.2.8p8 RPM patch, 7.1 with the ntp-4.2.8p8 RPM, and 7.2.2 are also vulnerable to CVE-2016-7427, CVE-2016-7428, CVE-2016-7431, and CVE-2016-7434.

SSL Visibility
SSLV 3.9, 3.10, 3.11, and 4.0 are vulnerable to CVE-2016-7431 and CVE-2016-7433.  SSLV 4.0 is also vulnerable to CVE-2016-9312.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311.

The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of the ntp.org NTP reference implementation.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

The following products are under investigation:
Reporter

Symantec no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities in the ntp.org NTP reference implementation announced in November 2016.  Symantec Network Protection products that include a vulnerable version of the NTP reference implementation and make use of the affected functionality are vulnerable.

  • CVE-2016-7426 is a flaw in rate limiting that allows a remote attacker to send NTP packets with spoofed source IP addresses and cause the target to reject legitimate packets from configured NTP servers.  The attacker can thus prevent the target from synchronizing its system time.
  • CVE-2016-7427 is a flaw in NTP broadcast packet replay prevention that allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers.  The attacker can thus prevent the target from synchronizing its system time.
  • CVE-2016-7428 is a flaw in NTP broadcast packet poll interval enforcement that allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers.  The attacker can thus prevent the target from synchronizing its system time.
  • CVE-2016-7429 is a flaw in the NTP daemon when it listens on multiple network interfaces and the operating system does not validate the source address of received packets.  A remote attacker can send an NTP packet with a spoofed source IP address on an unexpected network interface to corrupt the NTP daemon's internal state and prevent it from synchronizing the system time.
  • CVE-2016-7431 is a flaw in NTP packet origin timestamp validation that allows a remote attacker to send crafted NTP packets and either modify the target's system time or prevent it from synchronizing its time.
  • CVE-2016-7433 is a flaw in initial time synchronization that allows a remote attacker to send a spoofed NTP response and modify the target's system time.
  • CVE-2016-7434 is a flaw in mrulist query handling that allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.
  • CVE-2016-9310 is a missing authorization flaw that allows a remote attacker to send query requests and obtain sensitive information, perform DDoS attack amplification, and evade security monitoring in the target's NTP daemon.
  • CVE-2016-9311 is a flaw in remote query handling that allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.
  • CVE-2016-9312 is a flaw in oversized packet handling on Windows platforms that allows a remote attacker to send crafted NTP packets to the NTP daemon and cause it to crash, resulting in denial of service.

Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation.  The products listed below do not use the functionality covered by the CVEs listed beside them and are thus not known to be vulnerable to those CVEs.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: all CVEs
  • CA: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311
  • Director: CVE-2016-7429
  • MTD: CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311
  • MC: CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, and CVE-2016-9311
  • Security Analytics: CVE-2016-9312
  • SSLV: all CVEs except CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312
Workarounds: 

These vulnerabilities can be exploited only through the management network port for CA, Director, MTD, MC, Security Analytics, SSLV, and XOS.  Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.

By default, Director does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon.  Customers who leave these NTP features disabled prevent attacks against Director using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, Security Analytics does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon.  The Security Analytics NTP daemon also does not listen by default on multiple network interfaces.  Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, XOS does not enable unrestricted rate limiting and remote querying in the NTP daemon.  Customers who leave this behavior unchanged prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311.
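The three workaround conditions above (rate limiting, NTP broadcast mode and remote querying left disabled) can be checked directly in an ntp.conf.  The audit script below is an added example, not part of this advisory or of any Symantec product; the CVE-to-feature mapping follows the CVE descriptions in the Advisory Details, while the choice of ntp.conf keywords to detect each feature (restrict flags limited/kod, broadcastclient/multicastclient, and a restrict default line lacking noquery) is this example's own assumption, and the two sample configs are constructed.

```python
"""Audit an ntp.conf for the NTP features the advisory's workarounds leave
disabled (rate limiting, broadcast client mode, remote querying) and map each
enabled feature to the CVEs this advisory ties to it."""

# Mapping taken from the advisory's CVE descriptions; the keyword detection
# below is this example's assumption about how those features appear in ntp.conf.
FEATURE_CVES = {
    "rate_limiting": ["CVE-2016-7426"],
    "broadcast_client": ["CVE-2016-7427", "CVE-2016-7428"],
    "remote_query": ["CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311"],
}

# Constructed sample: an exposed daemon with all three features enabled.
SAMPLE_WEAK = """\
server 0.pool.ntp.org iburst
restrict default kod limited nomodify notrap
broadcastclient
"""

# Constructed sample matching the default posture the advisory describes.
SAMPLE_HARDENED = """\
server 0.pool.ntp.org iburst
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def audit_ntp_conf(text):
    """Return {feature: enabled} for the three features, parsed from ntp.conf text."""
    rate_limiting = broadcast = False
    default_flags = []  # flag sets of every 'restrict default' line seen
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        if words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if not args:
                continue
            flags = set(args[1:])
            if flags & {"limited", "kod"}:  # 'limited'/'kod' turn on rate limiting
                rate_limiting = True
            if args[0] == "default":
                default_flags.append(flags)
        elif words[0] in ("broadcastclient", "multicastclient"):
            broadcast = True
    # No 'restrict default' line at all, or one without 'noquery', leaves
    # mode 6/7 queries answerable from any remote host.
    remote_query = not default_flags or any("noquery" not in f for f in default_flags)
    return {"rate_limiting": rate_limiting, "broadcast_client": broadcast,
            "remote_query": remote_query}

def exposed_cves(text):
    """CVEs from the advisory that the config's enabled features expose."""
    findings = audit_ntp_conf(text)
    return sorted(c for feat, on in findings.items() if on for c in FEATURE_CVES[feat])
```

Per-host restrict lines without noquery (the trusted-subnet allowance from the first workaround) are deliberately not flagged; only the default policy is judged.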

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis
CA 2.1 - a fix is not available at this time.
CA 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is available in 6.1.23.1.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is not available at this time.
MC 1.8 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Security Analytics
Security Analytics 7.2 - a fix is available in 7.2.3.
Security Analytics 7.1 - a fix is not available at this time.
Security Analytics 6.6 - a fix is not available at this time.

SSL Visibility
SSLV 4.0 - a fix is not available at this time.
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-03-30 MC 1.9 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-03-09 A fix for Security Analytics 7.2 is available in 7.2.3.
2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.
2017-01-12 initial public release
2016-01-23 Added CVSS v2 base scores from National Vulnerability Database (NVD)