PSN-2010-04-711

All JUNOS devices with NTP server enabled.

This is an update to previously published PSN-2009-12-609.

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address which is not listed in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will reply with a mode 7 error response (and log a message). Given this intended functionality:

• If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.
  
• If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, A will respond to itself endlessly, consuming CPU and logging excessively.

This issue is being tracked as PR 493591. While this PR is not viewable by customers, it can be used as a reference when discussing the issue with JTAC.

All JUNOS software releases built on or after January 9, 2010, have been updated to resolve this issue. Releases containing the enhancement specifically include: 8.5S6, 9.0S3, 9.1S8, 9.3S8, 9.6S4, 10.0S3, 10.1R1, and all subsequent releases.

• Deny any NTP packet from outside the network to reach the infrastructure
  The only NTP packets coming into your network should be those which are time synchronization sources and NTP queries from customers of your network. Customers can be set up where they get NTP broadcast from the upstream router, which also reduces any need to allow for any NTP packets into the network. This "no NTP into the infrastructure unless explicitly configured" policy can be configured with infrastructure ACLs on the edge of your network or by using well known IP anti-spoofing techniques (IETF BCP 38).
  
  
• Disable NTP server
  If NTP server functionality is not required, disabling the service is a viable and effective mitigation technique. This workaround is applicable to both Junos and DX-OS.

How to obtain Service Releases:

Security vulnerabilities are fixed in the next available Maintenance Release of each supported JUNOS version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory notices will indicate which Maintenance and/or Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2017-03-05: Category restructure.

5 (AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:W/RC:C)

.

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories" available in the Related Links section above.