===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0533
 SOL00329831: Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140
                               1 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2015-8140 CVE-2015-8139 

Original Bulletin: 
   https://support.f5.com/kb/en-us/solutions/public/k/00/sol00329831.html

--------------------------BEGIN INCLUDED TEXT--------------------

SOL00329831: Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140

Security Advisory

Original Publication Date: 02/29/2016

Vulnerability Description

CVE-2015-8139 - reserved

ntpq and ntpdc Disclose Origin Timestamp to Unauthenticated Clients

CVE-2015-8140 - reserved

ntpq protocol vulnerable to replay attacks

Impact

CVE-2015-8139

An attacker may exploit this vulnerability using specially crafted NTP packets
to impersonate a legitimate NTP peer.

CVE-2015-8140

An attacker may be able to intercept and replay authenticated reconfiguration
commands to re-establish an association to a malicious NTP server.

Security Issue Status

F5 Product Development has assigned ID 575629 (BIG-IP), ID 575702 (BIG-IQ), ID
575704 (Enterprise Manager), and INSTALLER-2226 (Traffix SDC) to this 
vulnerability, and has evaluated the currently supported releases for 
potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                         Versions known      Versions known to   Severity        Vulnerable component
                                to be vulnerable    be not vulnerable                   or feature

BIG-IP LTM                      12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0
                                11.2.1
                                10.1.0 - 10.2.4

BIG-IP AAM                      12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0
                                11.2.1

BIG-IP AFM                      12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0

BIG-IP Analytics                12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0
                                11.2.1

BIG-IP APM                      12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0
                                11.2.1
                                10.1.0 - 10.2.4

BIG-IP ASM                      12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0
                                11.2.1
                                10.1.0 - 10.2.4

BIG-IP DNS                      12.0.0              None                Low             NTP package

BIG-IP Edge Gateway             11.2.1              None                Low             NTP package
                                10.1.0 - 10.2.4

BIG-IP GTM                      11.4.0 - 11.6.0     None                Low             NTP package
                                11.2.1
                                10.1.0 - 10.2.4

BIG-IP Link Controller          12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0
                                11.2.1
                                10.1.0 - 10.2.4

BIG-IP PEM                      12.0.0              None                Low             NTP package
                                11.4.0 - 11.6.0
                                11.2.1

BIG-IP PSM                      11.4.0 - 11.4.1     None                Low             NTP package
                                11.2.1
                                10.1.0 - 10.2.4

BIG-IP WebAccelerator           11.2.1              None                Low             NTP package
                                10.1.0 - 10.2.4

BIG-IP WOM                      11.2.1              None                Low             NTP package
                                10.1.0 - 10.2.4

ARX                             None                6.0.0 - 6.4.0       Not vulnerable  None

Enterprise Manager              3.0.0 - 3.1.1       None                Low             NTP package

FirePass                        None                7.0.0               Not vulnerable  None
                                                    6.0.0 - 6.1.0

BIG-IQ Cloud                    4.0.0 - 4.5.0       None                Low             NTP package

BIG-IQ Device                   4.2.0 - 4.5.0       None                Low             NTP package

BIG-IQ Security                 4.0.0 - 4.5.0       None                Low             NTP package

BIG-IQ ADC                      4.5.0               None                Low             NTP package

BIG-IQ Centralized Management   4.6.0               None                Low             NTP package

BIG-IQ Cloud and Orchestration  1.0.0               None                Low             NTP package

LineRate                        None                2.5.0 - 2.6.1       Not vulnerable  None

F5 WebSafe                      None                1.0.0               Not vulnerable  None

Traffix SDC                     4.0.0 - 4.4.0       None                Low             NTP package
                                3.3.2 - 3.5.1

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values 
published in the previous table. The Severity values and other security 
vulnerability parameters are defined in SOL4602: Overview of the F5 security 
vulnerability response policy.

To mitigate this vulnerability, you can perform one of the following 
recommended modifications to the NTP service:

Configure the NTP service to use multiple time sources

Configure the NTP service to restrict the use of ntpq queries with the 
restrict noquery directive

Restrict network access to the NTP service

Configure the NTP service to use multiple time sources

To add multiple time sources for the NTP service using the Configuration 
Utility, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a 
negative impact on your system.

1. Log in to the Configuration utility.

2. Navigate to System > Configuration > Device > NTP.

3. In the Address box, type the IP address of the NTP server you want.

4. In the Time Server List box, click Add to include the desired NTP server.

5. Repeat step 3 and step 4 for each NTP server you want.

6. To save the changes, click Update.

Configure the NTP service to restrict the use of ntpq queries with the 
restrict noquery directive

To configure the NTP service to restrict the use of ntpq with the noquery 
directive, perform the following procedure.

Impact of procedure: Performing the following procedure should not have a 
negative impact on your system.

1. Log in to the tmsh utility.

2. Depending on your existing configuration, choose one of the following:

If you already have an access restriction configured, but the noquery 
directive is disabled, use the following command syntax:

modify sys ntp restrict modify { <Name> { no-query enabled } }

For example, to modify an existing access restriction named 
ntp_restriction to enable noquery, type the following command:

modify sys ntp restrict modify { ntp_restriction { no-query enabled } }

If you do not have an existing access restriction configured, use the 
following command syntax:

modify sys ntp restrict add { <Name> { address <Network> mask <Mask> no-trap enabled no-modify enabled no-query enabled } }

For example, to configure an access restriction named ntp_restriction, for the
192.168.1.0/24 subnet, with notrap, nomodify, and noquery enabled, type the 
following command:

modify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask 255.255.255.0 no-trap enabled no-modify enabled no-query enabled } }

3. Save the configuration by typing the following command:

save /sys config
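
Added example (not part of the F5 advisory and not F5 tooling): a small audit of a generic ntpd ntp.conf for the two configuration mitigations above, multiple time sources and noquery on restrict entries. The function name audit_ntp_conf, the two-source threshold, the loopback exemption and the sample configuration are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ntp.conf for illustration (not from a real device).
SAMPLE_CONF = """\
server 192.0.2.10 iburst
restrict default kod nomodify notrap nopeer   # no noquery: ntpq answers anyone
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 notrap nomodify noquery
"""

SOURCE_KEYWORDS = {"server", "peer", "pool"}
QUERY_BLOCKING = {"noquery", "ignore"}  # ignore drops all packets, queries included


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1, where local ntpq access is usually wanted."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "default", "source" or a hostname
        return False


def audit_ntp_conf(text, min_sources=2):
    """Return a list of findings; an empty list means both checks passed.

    min_sources=2 is an assumed reading of "multiple time sources".
    """
    sources, findings, has_default = set(), [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) >= 2 and tokens[1] in ("-4", "-6"):
            del tokens[1]  # optional address-family selector
        if len(tokens) < 2:
            continue
        keyword, target = tokens[0].lower(), tokens[1]
        flags = {t.lower() for t in tokens[2:]}
        if keyword in SOURCE_KEYWORDS:
            sources.add(target)
        elif keyword == "restrict":
            has_default |= target == "default"
            if not is_loopback(target) and not flags & QUERY_BLOCKING:
                findings.append(f"line {lineno}: restrict {target} lacks noquery")
    if not has_default:
        findings.append("no 'restrict default' line: unmatched hosts get no restrictions")
    if len(sources) < min_sources:
        findings.append(f"only {len(sources)} time source(s) configured")
    return findings
```

An entry with no restrict default line is reported because ntpd applies no restrictions to hosts that match no restrict entry.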

Restrict network access to the NTP service

For information about restricting network access to the NTP service, refer to
SOL13092: Overview of securing access to the BIG-IP system.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)

SOL10025: Managing BIG-IP product hotfixes (10.x)

SOL9502: BIG-IP hotfix matrix

SOL15106: Managing BIG-IQ product hotfixes

SOL15113: BIG-IQ hotfix matrix

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================