Posted on November 6, 2015 4:37 pm
 |  Asked by Trey Dismukes
 |  1979 views
RESOLVED
0
0
Print Friendly, PDF & Email

In Security Advisory 0016 CVE-2015-7704 and CVE-2015-7705 are shown as affecting Arista switches in EOS release trains 4.15, 4.14, 4.13, and 4.12. Until a patch comes out, the mitigation for this vulnerability is to, “restrict who can query ntpd to learn who its servers are, and what IPs are allowed to ask your system for the time.”

I was unaware that my Arista switches even ran ntpd, nor that they had the capacity to listen to time requests. In searching through the documentation I can only find the ability to configure the ntp client; nothing about ntpd server.

Does anyone know how to determine if I have an ntpd server listening on my switches? If so, what commands are used to limit who it listens to?

Marked as spam
1
Posted by Vikram
Answered on November 7, 2015 1:27 am

Hi Trey,

CVE-2015-7704 & CVE-2015-7705 affect NTP clients as it corresponds to an attacker spoofing a KoD (Kiss-o’-Death) packet which is used to rate-limit NTP requests from the client to the server under normal circumstances.

On Arista switches the ”ntp server <hostname>|<ip address>” command is used to make the switch behave as a NTP client and query the server specified in the ntp server command.

Once configured as a NTP client, Arista switches will initiate outbound messages towards the NTP server requesting for time sync. The switch will only query the server specified in the ”ntp server” command for time sync. 

If an attacker can spoof the packet such that it seems to appear from the server specified in the config then they could send a KoD message which would essentially stop the client from querying the server for time updates which means that the client would not be able to sync time.

You could enable NTP authentication in order to make it more difficult for someone to use the exploit.

With regards to the NTP server functionality, Arista switches can be configured to act as a NTP server and serve time to clients. This is disabled by default and can be enabled using the ”ntp serve” interface command or the ”ntp serve all” global command.

HTH

Thank you for such a complete reply Vikram. That may be the most thorough answer to a question I’ve ever seen. Very helpful.

(Trey Dismukes at November 9, 2015 6:08 pm)

Is the NTP server on the Arista switch itself vulnerable to these CVEs?

(Trey Dismukes at November 9, 2015 6:10 pm)

I’ve done some checking, and I can’t find any documentation on how to configure my switches for NTP authentication. Are you aware of anything that would tell me how to configure it?

(Trey Dismukes at November 9, 2015 6:19 pm)

Hi Trey,

Thank you for the feedback. Much appreciated.

With regards to your last query could you please advise what EOS version are you running. IIRC NTP authentication was released in the 4.12 EOS code Train.

Please look at the ntp authenticate, ntp authentication-key & ntp trusted-key commands in the config manual.

Here’s an example:

ntp authentication-key 123 md5 NTP123TEST
ntp trusted-key 123
ntp authenticate
ntp server 10.10.10.10 iburst key 123

HTH

(Vikram at November 10, 2015 7:22 pm)
0
Posted by Piotr
Answered on November 8, 2015 8:55 pm

Hey,

You can also use control-plane ACL to limit access to UDP port 123.

Using an ACL on the switch itself would not thwart someone who has spoofed a reply packet. The source, destination, and port will look the same on the UDP reply whether it came from the actual source or the attacker.

(Trey Dismukes at November 9, 2015 6:10 pm)

Post your Answer

You must be logged in to post an answer.