-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3092.2
                    NTP vulnerabilities CVE-2020-13187
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13187  

Original Bulletin: 
   https://support.f5.com/csp/article/K55376430

Revision History:  September 14 2020: Vendor updated advisory
                   September  9 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K55376430:NTP vulnerabilities CVE-2020-13817

Security Advisory

Original Publication Date: 09 Sep, 2020

Latest   Publication Date: 13 Sep, 2020

Security Advisory Description

The ntpd in the network time protocol (NTP) before 4.2.8p14, and in 4.3.x
before 4.3.100, allows remote attackers to cause a denial-of-service (DoS),
either daemon exit or system time change, by predicting transmit timestamps for
use in spoofed packets. The victim must be relying on unauthenticated IPv4 time
sources. There must be an off-path attacker who can query time from the
victim's ntpd instance. (CVE-2020-13817)

Impact

An attacker who can send a large number of packets with the spoofed IPv4
address of the upstream server can use this flaw to modify the victim's clock
by a limited amount or cause ntpd to exit.

BIG-IP

Your BIG-IP system is affected only when you configure it as an NTP server, and
sources for the BIG-IP system's time are unreliable, unauthenticated, upstream
NTP servers.

BIG-IQ

The BIG-IQ system is not directly affected by this vulnerability, but it
inherits the vulnerability from the BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 931837 (BIG-IP), ID 934609 (BIG-IQ), and
CPF-25203 and CPF-25204 (Traffix) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+---------------------+------+----------+----------+--------+------+----------+
|                     |      |Versions  |Fixes     |        |CVSSv3|Vulnerable|
|Product              |Branch|known to  |introduced|Severity|score^|component |
|                     |      |be        |in        |        |1     |or feature|
|                     |      |vulnerable|          |        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|                     |16.x  |16.0.0    |Not       |        |      |          |
|                     |      |          |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |15.x  |15.1.0    |Not       |        |      |          |
|                     |      |          |applicable|        |      |          |
|BIG-IP (LTM, AAM,    +------+----------+----------+        |      |          |
|Advanced WAF, AFM,   |14.x  |14.1.0 -  |Not       |        |      |          |
|Analytics, APM, ASM, |      |14.1.2    |applicable|        |      |          |
|DDHD, DNS, FPS, GTM, +------+----------+----------+Medium  |6.5   |ntpd      |
|Link Controller, PEM,|13.x  |13.1.0 -  |Not       |        |      |          |
|SSLO)                |      |13.1.3    |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |12.x  |12.1.0 -  |Not       |        |      |          |
|                     |      |12.1.5    |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |11.x  |11.6.1 -  |Not       |        |      |          |
|                     |      |11.6.5    |applicable|        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|                     |7.x   |7.0.0 -   |Not       |        |      |          |
|                     |      |7.1.0     |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|BIG-IQ Centralized   |6.x   |6.0.0 -   |Not       |Medium  |6.5   |ntpd      |
|Management           |      |6.1.0     |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |5.x   |5.4.0     |Not       |        |      |          |
|                     |      |          |applicable|        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|Traffix SDC          |5.x   |5.1.0     |Not       |High    |7.4   |ntpd      |
|                     |      |          |applicable|        |      |          |
+---------------------+------+----------+----------+--------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you should perform the following recommended
modifications to the NTP service on your BIG-IP system:

 1. Configure the BIG-IP system to use only authenticated time sources.
 2. Configure NTP packet authentication with symmetric keys.
 3. Configure the NTP service to use multiple time sources to reduce the risk
    of the vulnerability.
 4. If your NTP client must get unauthenticated time over IPv4 on a hostile
    network, configure the BIG-IP system as an NTP server to use restrict
    no-serve-packets to block time service to the specified network to prevent
    this attack (note that this is a heavy-handed protection).
 5. Monitor log messages in /var/log/ltm and /var/log/daemon from the ntpd 
    daemon.

Procedures

  o Configuring the BIG-IP system to use only authenticated time sources
  o Configuring NTP packet authentication with symmetric keys
  o Configuring the NTP service to use multiple time sources
  o Configuring the BIG-IP system as an NTP server to use restrict
    no-serve-packets

Configuring the BIG-IP system to use only authenticated time sources

To configure the BIG-IP system to use only authenticated time sources, refer to
the Configuring the BIG-IP system to synchronize with an NTP server only if
authentication is successful section in K14120: Defining advanced NTP
configurations on the BIG-IP system (11.x - 15.x).

Configuring NTP packet authentication with symmetric keys

To configure NTP packet authentication on the BIG-IP system, refer to the 
Symmetric key authentication section in K14120: Defining advanced NTP
configurations on the BIG-IP system (11.x - 15.x).

Configuring the NTP service to use multiple time sources

To mitigate the risk of the vulnerability, you can add multiple time sources
for the NTP service.

To add multiple time sources on the BIG-IP system, do the following:

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to the Configuration utility.
 2. Navigate to System > Configuration > Device > NTP.
 3. In Address, enter the IP address of the NTP server you want, and then click
    Add.

    The IP address displays in the Time Server List.

 4. Repeat step 3 for each NTP server you want.
 5. Select Update.

Configuring the BIG-IP system as an NTP server to use restrict no-serve-packets

To configure the BIG-IP system as an NTP server that does not serve time to a
subnet/host, use the restrict no-serve-packets option.

To use the restrict no-serve-packets option, do the following:

Impact of procedure: Performing the following procedure should not have a
negative impact on your system.

 1. Ensure that the self IP on which you want to listen for NTP requests is
    configured to accept User Datagram Protocol (UDP) traffic on port 123.

    If you need to adjust the Port Lockdown setting of the self IP, do the
    following:

     1. Go to Network > Self IPs
     2. Select the IP you want.
     3. In the Port Lockdown list, select the setting you want.
     4. Select Update.

    Note: For more information, refer to K13250: Overview of port lockdown
    behavior (10.x - 11.x) or K17333: Overview of port lockdown behavior (12.x
    - 16.x).

 2. Log in to tmsh by entering the following command:

    tmsh

 3. To configure an access restriction to not serve time to a subnet/host, use
    the following command syntax:

    modify sys ntp restrict add { <name> { address <network> mask <mask>
    no-serve-packets enabled } }

    For example, to configure an access restriction named ntp_restriction for
    the 192.168.1.0/24 subnet with no-trap, no-serve-packets, and no-modify
    enabled, enter the following command:

    modify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask
    255.255.255.0 no-trap enabled no-serve-packets enabled no-modify enabled }
    }

 4. Save the configuration to memory by entering the following command:

    save sys config

Supplemental Information

o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX17HXeNLKJtyKPYoAQgw9Q/+PVAGa4OUicOWkrp/3R7I9HroUzO152Ae
f0K+s4IbVoOeO7802GdOTxeZjXv6G9nLfmRykyf4qzvULR8bCIwiV1u5Frz4t1aD
VA/CtmapGHkOBiJbC2HDLS96b5m0I1NwYD36hRRfp7CRUtN22AV+xkTV9ZHIY9qK
VbYU580hKM53v0oCwYh/VeyZuMo2x/9Kk+tGo2FEjF0mQ7jqhr8DE9SRjV0gr4NF
eQ7Snl3uxsKCmkTqiLyuqAGN1H6PwDD8f2eS7LX7wXn+GBUtiu+dWtdWVfZ7+FcB
EdUv5b1FkhVC/4T2f+IJZ158DmC6lo//qmNyw2NTbuPG69FZZ1IwrlyGWc9HBg2G
HJi/DKJgW6H6l6hVIsz1q1IFfsVJO1fMt/ufisoUXVfjdpEATHKqLxNccBznT85+
+TrmzAlKZ7ifq3JWaiCyzBVHZmTaTg9Bv1S2DU1ST1sC+zAQTtrwjkf9FluWIi7J
0bqjjof0dRfQRY09n+fzq8QQFK0O/JYtpPIQ+JSgOeOuUQ+aIqSbK/ut4/38YkoZ
kFElmol2aP7o62L264Vn/G5DE8b5hvOt9XsZU7VvcrAok+iyK6r3HbtfCXffyHi3
Toi6u+hsEqo+vtyXfn2gZv9hROLNqzT740CDz8n3vyC1FnrytVla8b+kf4zM1c7w
32NONyDq7pk=
=n6r8
-----END PGP SIGNATURE-----