
NTP Mode 7 Denial-of-Service Vulnerability


Article ID: JSA10416 SECURITY_ADVISORIES Last Updated: 05 Mar 2017 Version: 5.0
Legacy Advisory Id:
PSN-2009-12-609
Product Affected:
All routers and switches running Junos with NTP server configured.
All DX Series Application Acceleration products with NTP server configured.
Problem:

On December 8, 2009, US-CERT published Vulnerability Note VU#568372 entitled, "NTP mode 7 denial-of-service vulnerability". Internal testing has determined that Junos routers and the DX Series are vulnerable to this spoofed NTP control message, causing error messages to be "ping ponged" back and forth between NTP servers. While the effect on the Junos RE is minimal and not service-affecting, Juniper Networks SIRT has logged PR 493591 to have this issue resolved in all non-EOL releases of Junos.
Solution:

The defect described above will be resolved in all supported releases of Junos, and in the next release of DX-OS. A fix for PR/493591 for Junos has already been coded and is being tested by JTAC. Once testing has been confirmed as successful, the fix will be merged through all non-EOE branches, and be made available in follow-on maintenance and services releases of Junos software.

Workaround:
  • Deny any NTP packet from outside the network to reach the infrastructure
    The only NTP packets coming into your network should be those which are time synchronization sources and NTP queries from customers of your network. Customers can be set up where they get NTP broadcast from the upstream router, which also reduces any need to allow for any NTP packets into the network. This "no NTP into the infrastructure unless explicitly configured" policy can be configured with infrastructure ACLs on the edge of your network or by using well known IP anti-spoofing techniques (IETF BCP 38).
  • Disable NTP server
    If NTP server functionality is not required, disabling the service is a viable and effective mitigation technique. This workaround is applicable to both Junos and DX-OS.
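As an added example (not part of this advisory or Juniper's own configuration), the first workaround expressed as a Junos firewall filter on the loopback interface, so that only a configured upstream time source can reach ntpd on the RE. The filter name, counter name and the source address 192.0.2.10 are constructed placeholders; substitute your actual time sources.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Accept NTP only from the explicitly configured time source(s) */
            term allow-ntp-sources {
                from {
                    source-address {
                        192.0.2.10/32;      /* constructed placeholder */
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            /* Drop and count all other NTP traffic aimed at the RE */
            term deny-other-ntp {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-discards;
                    discard;
                }
            }
            /* Leave remaining RE traffic to existing policy */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;   /* lo0 input filters cover RE-bound traffic on all interfaces */
                }
            }
        }
    }
}
```

The `ntp-discards` counter (viewed with `show firewall filter protect-re`) shows whether NTP packets from outside the configured sources are actually reaching the RE.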
Status:
FINAL.

Please see PSN-2010-04-711 for the latest information regarding this vulnerability, including fix details.
Modification History:

2017-03-05: Category restructure.

Severity Level:
Medium
Severity Assessment:
The effect on the Junos RE is minimal and not service-affecting, although the added load on ntpd and logging may have a minor adverse effect on NTP service. The effect on DX Series Application Acceleration products is unknown at this time.

Implementing typical security BCPs to limit access to NTP services on the RE is strongly recommended.
