DX Unified Infrastructure Management


ntp probe security flaw

  • 1.  ntp probe security flaw

    Posted 16 days ago
    Hi Team

    We are trying to monitor the NTP response of all the servers in our environment, but when we used the NTP protocol on the ntp_response probe it got blocked by Cisco
    time devices, and when the client contacted Cisco they came up with the findings below:
    1. It is incorrect to use NTP packets with mode 6 (as this is classified as insecure and possible to use in an amplification attack).
    2. Major distributions and NTP server software do not support mode 6, or disable it by default.
    References:
    1. RHEL chrony does not support mode 6: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/assembly_achieving-some-settings-previously-supported-by-ntp-in-chrony_configuring-basic-system-settings
    2. Cisco rate-limits mode 6 packets: https://quickview.cloudapps.cisco.com/quickview/bug/CSCum44673
    3. ntpd: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s1-understanding_the_ntpd_configuration_file

    Can anybody suggest if there is a workaround for this?

    regards
    Nijin
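
    One way to measure NTP response without sending mode 6 control queries, as an added example that is not part of this thread and not the ntp_response probe's own code: a standard mode 3 client request (the same packet any NTP client sends), the RFC 5905 offset/delay arithmetic on the reply, a jitter calculation over repeated offsets, and a mode-field decoder a defender can run over captured packets to confirm that monitoring traffic contains no mode 6 queries. The timestamps, the constructed mode 4 reply and the script name are all assumptions made for the example.

```python
"""Added example: NTP mode 3 client query, RFC 5905 offset/delay/jitter and
mode-field decoding. Not from the thread or the ntp_response probe; the
sample timestamps and the server reply builder are constructed for offline use."""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
NTP_PACKET_LEN = 48             # header only; no extension fields or MAC
NTP_HEADER_FMT = "!BBBb11I"     # LI/VN/Mode, stratum, poll, precision, 11 x uint32

# Association mode values from RFC 5905, section 7.3.
MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive", 3: "client",
    4: "server", 5: "broadcast", 6: "NTP control message", 7: "reserved for private use",
}

def ntp_mode(packet: bytes) -> int:
    """The low three bits of the first byte carry the association mode."""
    return packet[0] & 0x07

def ntp_version(packet: bytes) -> int:
    return (packet[0] >> 3) & 0x07

def is_control_query(packet: bytes) -> bool:
    """True for mode 6 traffic, the kind the thread's Cisco reference says is rate-limited."""
    return len(packet) >= 1 and ntp_mode(packet) == 6

def to_ntp_timestamp(unix_seconds: float) -> tuple:
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF

def from_ntp_timestamp(seconds: int, fraction: int) -> float:
    return seconds - NTP_EPOCH_OFFSET + fraction / (1 << 32)

def build_client_request(transmit_unix: float, version: int = 4) -> bytes:
    """Mode 3 request: LI=0, VN=version, mode=3, only the transmit timestamp set."""
    first = (0 << 6) | (version << 3) | 3
    xmt_s, xmt_f = to_ntp_timestamp(transmit_unix)
    words = [0] * 9 + [xmt_s, xmt_f]   # root delay/disp, refid, ref/orig/recv stamps are zero
    return struct.pack(NTP_HEADER_FMT, first, 0, 0, 0, *words)

def build_server_reply(origin_unix: float, receive_unix: float, transmit_unix: float,
                       stratum: int = 2) -> bytes:
    """Constructed mode 4 reply (assumption), used only so the example runs offline."""
    first = (0 << 6) | (4 << 3) | 4
    words = [0, 0, 0, 0, 0] + list(to_ntp_timestamp(origin_unix)) \
        + list(to_ntp_timestamp(receive_unix)) + list(to_ntp_timestamp(transmit_unix))
    return struct.pack(NTP_HEADER_FMT, first, stratum, 6, -20, *words)

def parse_packet(packet: bytes) -> dict:
    """Decode the 48-byte header; works for requests and replies alike."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet (%d bytes)" % len(packet))
    f = struct.unpack(NTP_HEADER_FMT, packet[:NTP_PACKET_LEN])
    w = f[4:]   # w[5:7] origin, w[7:9] receive, w[9:11] transmit
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "mode_name": MODE_NAMES[f[0] & 7], "stratum": f[1],
        "origin": from_ntp_timestamp(w[5], w[6]),
        "receive": from_ntp_timestamp(w[7], w[8]),
        "transmit": from_ntp_timestamp(w[9], w[10]),
    }

def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """RFC 5905 on-wire arithmetic: t1/t4 client send/receive, t2/t3 server receive/send."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay

def jitter(offsets: list) -> float:
    """RMS distance of each offset sample from the first, as in the RFC 5905 clock filter."""
    if len(offsets) < 2:
        return 0.0
    base = offsets[0]
    return (sum((o - base) ** 2 for o in offsets[1:]) / (len(offsets) - 1)) ** 0.5

def query_server(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """One live mode 3 exchange; rejects replies that are not mode 4 or echo the wrong origin."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_client_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    reply = parse_packet(data)
    if reply["mode"] != 4:
        raise ValueError("expected mode 4 reply, got %s" % reply["mode_name"])
    if abs(reply["origin"] - t1) > 1e-3:   # bogus-packet check: origin must echo our t1
        raise ValueError("origin timestamp does not match our request")
    offset, delay = offset_and_delay(t1, reply["receive"], reply["transmit"], t4)
    return {"offset": offset, "delay": delay, "stratum": reply["stratum"]}

if __name__ == "__main__":
    # Usage: python ntp_mode3_check.py <ntp-server>   (script name and target are the user's choice)
    print(query_server(sys.argv[1]))
```

    Repeated calls to query_server at the probe interval give a series of offsets that jitter() turns into the same kind of figure the poster wants to graph; because every packet sent is mode 3, nothing on the path has a reason to treat it as a control query. The origin-timestamp comparison is the standard RFC 5905 check that a reply actually answers the request that was sent.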


  • 2.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 16 days ago
    The ntp_response probe has not been updated since Jan. 2017.

    You would have to request an enhancement.

    How to raise an enhancement request for UIM

    Steve

    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 3.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 16 days ago
    Since this can be considered a Security flaw, please also open a case and we will enter a defect.

    Steve

    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 4.  RE: ntp probe security flaw

    Posted 16 days ago
    Already did, Stephen.

    Please use the link below to access the same.

    https://community.broadcom.com/idea/ntp-response-probe-using-reserved-mode

    regards
    Nijin


  • 5.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 16 days ago
    Great, ask others to vote it up! And please open a case as well.

    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 6.  RE: ntp probe security flaw

    Posted 16 days ago
    Stephen 

    Case opened and closed with the same statement that this requires an enhancement, but no update on the enhancement made me search for a workaround or other ways to monitor NTP jitter between server and network device.

    So is there any way to speed up this process?

    regards
    Nijin


  • 7.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 16 days ago
    The case should not be closed as this does represent a security flaw. What is the case number? I will reach out to our security SME as well.

    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 8.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 16 days ago
    Never mind, I found it. Case 33273686 DE550309

    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 9.  RE: ntp probe security flaw

    Posted 16 days ago
    Stephen 

    Will raising this as a defect speed up a new release for this issue with NTP?

    Regards
    Nijin


  • 10.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 16 days ago
    I'm working on it; I will let you know after my discussion with our Security team.

    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 11.  RE: ntp probe security flaw

    Posted 12 days ago
    Hi Stephen

    Have you got any update on this from security Team?

    Regards
    Nijin




  • 12.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 12 days ago
    I've sent a reminder to the Security team, and I'll let you know as soon as I hear back.

    Steve

    ------------------------------
    Support Engineer
    Broadcom
    US
    ------------------------------



  • 13.  RE: ntp probe security flaw

    Broadcom Employee
    Posted 10 days ago
    This request has been added to our backlog and shall be reviewed for prioritization in our next meeting. 


    ------------------------------
    Principal Product Manager
    Broadcom Software
    ------------------------------



  • 14.  RE: ntp probe security flaw

    Posted 6 days ago
    Hi Ravishu

    Thanks for the update.

    When can I expect an update on this, and when will the next meeting take place?

    Regards
    Nijin