SA147 : March 2017 NTP Security Vulnerabilities

Security Advisory ID: 
SA147
Published Date: 
Apr 13, 2017
Advisory Status: 
Interim
Advisory Severity: 
High
CVSS v2 base score: TBD
CVE Number: 
CVE-2016-9042 - TBD
CVE-2017-6451 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6452 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6455 - 4.4 (MEDIUM) (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE-2017-6458 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2017-6459 - 2.1 (LOW) (AV:L/AC:L/Au:N/C:N/I:N/A:P)
CVE-2017-6460 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2017-6462 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6463 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVE-2017-6464 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Symantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service through application crashes, and a malicious NTP server can execute arbitrary code on a host that queries it with ntpq. A local attacker can exploit these vulnerabilities to execute arbitrary code.

CVSS v2 base scores will be provided when the National Vulnerability Database (NVD) scoring is complete.  The advisory severity may be adjusted once the CVSS v2 base scores become available.

Affected Products:

The following products are vulnerable:

Content Analysis
CA 1.3 and 2.1 are vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.

Director
Director 6.1 is vulnerable to all CVEs except CVE-2017-6452 and CVE-2017-6459.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.

Management Center
MC 1.9 and 1.10 are vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.

Security Analytics
Security Analytics 7.1 and 7.2 are vulnerable to CVE-2017-6455, CVE-2017-6458, CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464.  Security Analytics 7.2 is also vulnerable to CVE-2016-9042 and CVE-2017-6460.  Security Analytics 7.3 is not vulnerable.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10, 3.11, and 4.0 are vulnerable to CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.  SSLV 4.0 is also vulnerable to CVE-2016-9042.  SSLV 4.1 is not vulnerable.

The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of the ntp.org NTP reference implementation.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
ProxySG
The following products are under investigation:
Reporter
X-Series XOS

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities in the ntp.org NTP reference implementation announced in March 2017. Symantec Network Protection products that include a vulnerable version of the NTP reference implementation and make use of the affected functionality are vulnerable.

  • CVE-2016-9042 is a flaw in ntpd origin timestamp validation.  A remote attacker who can spoof packets from a configured time server can cause ntpd to discard responses from that server.  A remote attacker who can spoof packets from all configured time servers can prevent ntpd from adjusting the system time, resulting in denial of service.
  • CVE-2017-6451 is an out-of-bounds write flaw in the legacy MX4200 refclock that allows a local attacker to execute arbitrary code via unspecified vectors.
  • CVE-2017-6452 is an out-of-bounds write flaw in the NTP library Windows installer that allows a local attacker to pass in a crafted application path and have unspecified impact.
  • CVE-2017-6455 is a flaw in ntpd under Windows NT that allows a local attacker to specify a malicious DLL in the PPSAPI_DLLS environment variable and execute arbitrary code within ntpd.
  • CVE-2017-6458 is a flaw in ntpd that allows a remote attacker to send query requests and have unspecified impact.  Successful exploitation requires the query responses to include custom variables with long names, which have been pre-configured in the ntpd configuration file.
  • CVE-2017-6459 is a flaw in the NTP library Windows installer that allows local attackers to have unspecified impact via vectors related to an argument with multiple NULL bytes.
  • CVE-2017-6460 is a flaw in ntpq that allows a malicious remote NTP server to send a crafted list response and cause a stack-based buffer overflow. The malicious server can execute arbitrary code on the host running ntpq or cause ntpq to crash.
  • CVE-2017-6462 is a flaw in the legacy Datum Programmable Time Server (DPTS) refclock driver that allows local attackers to cause a buffer overflow in ntpd via a crafted /dev/datum device file, and have unspecified impact.
  • CVE-2017-6463 is a flaw in ntpd that allows a remote authenticated attacker to send a crafted unpeer configuration request and cause ntpd to crash, resulting in denial of service.
  • CVE-2017-6464 is a flaw in ntpd that allows a remote authenticated attacker to send a crafted mode configuration request and cause ntpd to crash, resulting in denial of service.

Symantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation.  The products listed below do not use the functionality exercised by the CVEs listed next to them and are therefore not known to be vulnerable to those CVEs.  Fixes for these CVEs will nonetheless be included in the patches that are provided.

  • ASG: all CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459
  • CA: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
  • MTD: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
  • MC: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
  • SSLV: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462

Workarounds: 

These vulnerabilities can be exploited only through the management network port for Director, MTD, MC, and SSLV.  Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.

By default, Director does not use the PPSAPI_DLLS environment variable, custom variables with long names, and the DPTS refclock.  Customers who leave these NTP features disabled prevent attacks against Director using CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462.

By default, Security Analytics does not use the PPSAPI_DLLS environment variable, custom variables with long names, ntpq, and the DPTS refclock.  Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2017-6455, CVE-2017-6458, CVE-2017-6460, and CVE-2017-6462.
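The workaround above amounts to confirming that ntpd is not configured with the features these CVEs need (the MX4200 and DPTS refclocks, long custom variable names, and unrestricted configuration/query access). The script below is an added example of such a check for a generic ntpd host, written for this advisory; it is not Symantec product code or ntp.org code, and it generalizes the appliance-specific workaround to any ntp.conf. Everything beyond the advisory's own CVE descriptions is an assumption: the refclock pseudo-addresses 127.127.9.u (MX4200) and 127.127.17.u (Datum PTS), the syntax of the setvar, restrict and controlkey directives as documented by ntp.org, the LONG_NAME review threshold, and the two sample configurations, which are constructed for the example.

```python
"""Audit an ntp.conf for the configuration features that the SA147 CVEs need.

Added example for this advisory; it is not Symantec product code or ntp.org
code.  Assumptions not stated on the page: the refclock pseudo-addresses
127.127.9.u (Magnavox MX4200) and 127.127.17.u (Datum PTS) and the syntax of
the setvar/restrict/controlkey directives follow the ntp.org documentation,
and LONG_NAME is a chosen review threshold, not the exact trigger length for
CVE-2017-6458.
"""
import re
from typing import List, Optional, Set

# Refclock driver numbers assumed from the ntp.org driver documentation.
RISKY_REFCLOCKS = {
    "9": "CVE-2017-6451: Magnavox MX4200 refclock is configured",
    "17": "CVE-2017-6462: Datum PTS refclock is configured (reads /dev/datum)",
}
REFCLOCK_RE = re.compile(r"^127\.127\.(\d+)\.(\d+)$")
LONG_NAME = 64  # review threshold for 'long' setvar names (assumption)


def parse_ntp_conf(text: str) -> List[List[str]]:
    """Drop comments and blank lines; return each directive as a word list."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def audit_ntp_conf(text: str) -> List[str]:
    """Return one finding per SA147-relevant feature the config enables."""
    findings: List[str] = []
    default_flags: Optional[Set[str]] = None  # flags on 'restrict default'
    has_controlkey = False
    for words in parse_ntp_conf(text):
        kw, args = words[0], words[1:]
        if kw in ("server", "peer") and args:
            m = REFCLOCK_RE.match(args[0])
            if m and m.group(1) in RISKY_REFCLOCKS:
                findings.append(RISKY_REFCLOCKS[m.group(1)])
        elif kw == "setvar" and args:
            name = args[0].split("=", 1)[0]
            if len(name) >= LONG_NAME:
                findings.append(
                    f"CVE-2017-6458: setvar defines a {len(name)}-character "
                    f"variable name that ntpq queries will return")
        elif kw == "restrict" and args:
            if args[0] in ("-4", "-6"):
                args = args[1:]
            if args and args[0] == "default":
                default_flags = (default_flags or set()) | set(args[1:])
        elif kw == "controlkey":
            has_controlkey = True
    flags = default_flags or set()
    if has_controlkey and "nomodify" not in flags:
        findings.append(
            "CVE-2017-6463/6464: controlkey is set and 'restrict default' lacks "
            "nomodify, so any address holding the key may send unpeer/mode "
            "configuration requests")
    if "noquery" not in flags:
        findings.append(
            "'restrict default' lacks noquery: mode 6 queries are accepted from "
            "any address instead of only the trusted management subnet")
    return findings


# Constructed sample configs (not taken from any Symantec product).
WEAK_CONF = (
    "driftfile /var/lib/ntp/drift\n"
    "server 0.pool.ntp.org iburst\n"
    "server 127.127.9.0        # MX4200 GPS refclock\n"
    "server 127.127.17.0       # Datum PTS refclock on /dev/datum\n"
    "setvar " + "x" * 80 + "=1 default\n"
    "keys /etc/ntp.keys\n"
    "controlkey 1\n"
    "restrict default kod\n"
)
HARDENED_CONF = (
    "driftfile /var/lib/ntp/drift\n"
    "server 0.pool.ntp.org iburst\n"
    "keys /etc/ntp.keys\n"
    "controlkey 1\n"
    "restrict default kod nomodify notrap nopeer noquery\n"
    "restrict 127.0.0.1\n"
    "restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap  # management subnet\n"
)

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ntp_conf(conf)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample the audit reports five findings (both refclocks, the long setvar name, modifiable configuration for key holders, and unrestricted queries); the hardened sample, which drops the refclocks and the setvar and limits queries to a management subnet, reports none. The script only inspects ntp.conf: the PPSAPI_DLLS exposure (CVE-2017-6455) lives in the process environment of a Windows ntpd and has to be checked there, and the ntpq exposure (CVE-2017-6460) is a matter of which servers an operator queries, not of ntpd's own configuration.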

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis
CA 2.1 - a fix is not available at this time.
CA 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.10 - a fix is not available at this time.
MC 1.9 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Security Analytics
Security Analytics 7.3 - a fix is available in 7.3.1.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.

SSL Visibility
SSLV 4.1 - a fix is available in 4.1.1.1.
SSLV 4.0 - a fix is not available at this time.
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
SSLV 3.8.4FC - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Advisory History: 

2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-07-23 MC 1.10 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.  It also has a vulnerable version of the NTP reference implementation for CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462.  A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable because a fix is available in 7.3.1.
2017-05-19 CA 2.1 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and CVE-2017-6464.
2017-05-05 Security Analytics 7.1 and 7.2 are vulnerable to CVE-2017-6458, CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464.  Security Analytics 7.2 is also vulnerable to CVE-2016-9042 and CVE-2017-6460.
2017-04-13 initial public release