Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3092.3
NTP vulnerabilities CVE-2020-13187
25 January 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 Products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13187
Original Bulletin:
https://support.f5.com/csp/article/K55376430
Revision History: January 25 2021: Vendor updated fixes introduced
September 14 2020: Vendor updated advisory
September 9 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K55376430: NTP vulnerabilities CVE-2020-13817
Original Publication Date: 09 Sep, 2020
Latest Publication Date: 22 Jan, 2021
Security Advisory Description
The ntpd in the network time protocol (NTP) before 4.2.8p14, and in 4.3.x
before 4.3.100, allows remote attackers to cause a denial-of-service (DoS),
either daemon exit or system time change, by predicting transmit timestamps for
use in spoofed packets. The victim must be relying on unauthenticated IPv4 time
sources. There must be an off-path attacker who can query time from the
victim's ntpd instance. (CVE-2020-13817)
Impact
An attacker who can send a large number of packets with the spoofed IPv4
address of the upstream server can use this flaw to modify the victim's clock
by a limited amount or cause ntpd to exit.
BIG-IP
Your BIG-IP system is affected only when you configure it as an NTP server, and
sources for the BIG-IP system's time are unreliable, unauthenticated, upstream
NTP servers.
BIG-IQ
The BIG-IQ system is not directly affected by this vulnerability, but it
inherits the vulnerability from the BIG-IP system.
Security Advisory Status
F5 Product Development has assigned ID 931837 (BIG-IP), ID 934609 (BIG-IQ), and
CPF-25203 and CPF-25204 (Traffix) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+---------------------+------+----------+----------+--------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity|score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+---------------------+------+----------+----------+--------+------+----------+
| |16.x |16.0.0 |None | | | |
| +------+----------+----------+ | | |
| |15.x |15.1.0 |15.1.2.1 | | | |
| +------+----------+----------+ | | |
|BIG-IP (LTM, AAM, |14.x |14.1.0 - |None | | | |
|Advanced WAF, AFM, | |14.1.2 | | | | |
|Analytics, APM, ASM, +------+----------+----------+ | | |
|DDHD, DNS, FPS, GTM, |13.x |13.1.0 - |None |Medium |6.5 |ntpd |
|Link Controller, PEM,| |13.1.3 | | | | |
|SSLO) +------+----------+----------+ | | |
| |12.x |12.1.0 - |None | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |None | | | |
| | |11.6.5 | | | | |
+---------------------+------+----------+----------+--------+------+----------+
| |7.x |7.0.0 - |None | | | |
| | |7.1.0 | | | | |
|BIG-IQ Centralized +------+----------+----------+ | | |
|Management |6.x |6.0.0 - |None |Medium |6.5 |ntpd |
| | |6.1.0 | | | | |
| +------+----------+----------+ | | |
| |5.x |5.4.0 |None | | | |
+---------------------+------+----------+----------+--------+------+----------+
|Traffix SDC |5.x |5.1.0 |None |High |7.4 |ntpd |
+---------------------+------+----------+----------+--------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you should perform the following recommended
modifications to the NTP service on your BIG-IP system:
1. Configure the BIG-IP system to use only authenticated time sources.
2. Configure NTP packet authentication with symmetric keys.
3. Configure the NTP service to use multiple time sources to reduce the risk
of the vulnerability.
4. If your NTP client must get unauthenticated time over IPv4 on a hostile
network, configure the BIG-IP system as an NTP server to use restrict
no-serve-packets to block time service to the specified network to prevent
this attack (note that this is a heavy-handed protection).
5. Monitor log messages in /var/log/ltm and /var/log/daemon from the ntpd
daemon.
Procedures
o Configuring the BIG-IP system to use only authenticated time sources
o Configuring NTP packet authentication with symmetric keys
o Configuring the NTP service to use multiple time sources
o Configuring the BIG-IP system as an NTP server to use restrict
no-serve-packets
Configuring the BIG-IP system to use only authenticated time sources
To configure the BIG-IP system to use only authenticated time sources, refer to
the Configuring the BIG-IP system to synchronize with an NTP server only if
authentication is successful section in K14120: Defining advanced NTP
configurations on the BIG-IP system (11.x - 15.x).
Configuring NTP packet authentication with symmetric keys
To configure NTP packet authentication on the BIG-IP system, refer to the
Symmetric key authentication section in K14120: Defining advanced NTP
configurations on the BIG-IP system (11.x - 15.x).
Configuring the NTP service to use multiple time sources
To mitigate the risk of the vulnerability, you can add multiple time sources
for the NTP service.
To add multiple time sources on the BIG-IP system, do the following:
Impact of action: Performing the following procedure should not have a negative
impact on your system.
1. Log in to the Configuration utility.
2. Navigate to System > Configuration > Device > NTP.
3. In Address, enter the IP address of the NTP server you want, and then click
Add.
The IP address displays in the Time Server List.
4. Repeat step 3 for each NTP server you want.
5. Select Update.
Configuring the BIG-IP system as an NTP server to use restrict no-serve-packets
To configure the BIG-IP system as an NTP server that does not serve time to a
subnet/host, use the restrict no-serve-packets option.
To use the restrict no-serve-packets option, do the following:
Impact of procedure: Performing the following procedure should not have a
negative impact on your system.
1. Ensure that the self IP on which you want to listen for NTP requests is
configured to accept User Datagram Protocol (UDP) traffic on port 123.
If you need to adjust the Port Lockdown setting of the self IP, do the
following:
1. Go to Network > Self IPs
2. Select the IP you want.
3. In the Port Lockdown list, select the setting you want.
4. Select Update.
Note: For more information, refer to K13250: Overview of port lockdown
behavior (10.x - 11.x) or K17333: Overview of port lockdown behavior (12.x
- 16.x).
2. Log in to tmsh by entering the following command:
tmsh
3. To configure an access restriction to not serve time to a subnet/host, use
the following command syntax:
modify sys ntp restrict add { <name> { address <network> mask <mask>
no-serve-packets enabled } }
For example, to configure an access restriction named ntp_restriction for
the 192.168.1.0/24 subnet with no-trap, no-serve-packets, and no-modify
enabled, enter the following command:
modify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask
255.255.255.0 no-trap enabled no-serve-packets enabled no-modify enabled }
}
4. Save the configuration to memory by entering the following command:
save sys config
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYA4fNONLKJtyKPYoAQgIbBAAicx5sU8PtkmfCz1LAd59phc8ZdVqFB2b
y0gsAOKzGGxOoIpAvfNE57/ryQ3HZrX0gktO6GCUGylBgpl6j32MUuwXEejfpiAh
YXB/GUhlZS2fHKqjoH34DU9w3Qf6uL8t6RaUvs/R1sCHPHXqlukLoH3pTyMH9aKI
+uWolLwVHPvA9qlWl4kfUVV9O+e+FrAPid9SjsJ3SU+awNr2xORaQa/uP+bAJkKs
GYOGB5jiJ4LSLLzd0EA5rq8Mc5nm4N5TeiE7RWUu5uOrXdkdT9W/SkuAEjI+hnm4
QI6TC3vAGscuaCSVjrnnuV8rmau+EKSx0qFlK3lBS8wS4EdbkBpSZhvT7KgCzEHS
ezmbCKuPW/GrHDmyXNH8g16cwJSY00vU/doRDY4VaG7Ykwf2YAOYSMRVUKf6RvP7
2EN1xwQCoFJym1TerFX3ycgVAMvXpuL8fy6ZKn9NconRe3uS81xjN3aigPDudScs
ElhbiN/vXocrp3R7I1nhf9D3tNcKIq+Po8dVlzo9WTwZbrH+qrLU0ItIs3IjCGp0
+5+ED9D8LAClimt8UjJknhBJiEkkPwdxXc4/3Q5NwA9RkIwloYka9sG3f27W9jUu
3nWZ7s3hlid+wO0jKWMSEB9Mfsu0y92J9eK2loQprc/JdCUiHx8OiucX/LT0zwI9
Q01fdIc/tAY=
=cfsC
-----END PGP SIGNATURE-----