Resolving a vulnerability scanner finding against the Network Time Protocol (NTP) implementation in Cisco IOS: Network Time Protocol (NTP) Mode 6 Scanner.
Vulnerability: Network Time Protocol (NTP) Mode 6 Scanner (denial-of-service vulnerability)
Description: The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An attacker would have to send a massive number of mode 6 messages to a huge number of recipient servers or clients in your organization.
Impact: An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.
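As an added example (not from the original page or from Cisco), a small Python decoder for the mode 6 control-message header that a defender can run over captured UDP/123 payloads to label control queries and responses and to measure how much larger a reply is than the query that triggered it, which is what makes a responder useful as a reflector. The sample query and reply bytes are constructed for illustration, not captured from a real device.

```python
import struct

# NTP packet modes (RFC 5905 section 7.3). Mode 6 is the control protocol the finding refers to.
MODE_CONTROL, MODE_PRIVATE = 6, 7

# Control-message opcodes (RFC 1305 Appendix B); opcode 2 ("read variables") is the usual probe.
OPCODES = {1: "read status", 2: "read variables", 3: "write variables",
           4: "read clock", 5: "write clock", 6: "set trap", 7: "trap response"}

def ntp_mode(pkt: bytes) -> int:
    """The low three bits of the first byte carry the mode for every NTP packet type."""
    if not pkt:
        raise ValueError("empty packet")
    return pkt[0] & 0x07

def parse_control(pkt: bytes) -> dict:
    """Decode the 12-byte mode 6 control header; raises ValueError for anything else."""
    if len(pkt) < 12:
        raise ValueError("NTP control header is 12 bytes")
    if ntp_mode(pkt) != MODE_CONTROL:
        raise ValueError(f"not a mode 6 packet (mode={ntp_mode(pkt)})")
    li_vn_mode, rem_op, seq, _status, assoc, _offset, count = struct.unpack("!BBHHHHH", pkt[:12])
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "response": bool(rem_op & 0x80),   # R bit: set on replies, clear on queries
        "error": bool(rem_op & 0x40),      # E bit: error response
        "more": bool(rem_op & 0x20),       # M bit: more fragments follow
        "opcode": OPCODES.get(rem_op & 0x1F, "unknown"),
        "sequence": seq,
        "association": assoc,
        "payload": pkt[12:12 + count].decode("ascii", errors="replace"),
    }

def classify(pkt: bytes) -> str:
    """Label a captured UDP/123 payload for a monitoring rule."""
    mode = ntp_mode(pkt)
    if mode == MODE_CONTROL:
        return "control response" if parse_control(pkt)["response"] else "control query"
    if mode == MODE_PRIVATE:
        return "private (mode 7)"
    return "time sync"

def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes returned per byte sent: the ratio that makes a mode 6 responder attractive as a reflector."""
    return sum(len(r) for r in responses) / len(request)

# Constructed samples (not captured from a real device): a readvar query and one fragment of its reply.
SAMPLE_QUERY = bytes([0x16, 0x02, 0x00, 0x01]) + bytes(8)        # VN=2, mode 6, opcode 2, seq 1
_REPLY_DATA = b'version="ntpd 4.2.8p15", processor="x86_64", system="Linux"'
SAMPLE_REPLY = struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0, 0, 0, len(_REPLY_DATA)) + _REPLY_DATA

if __name__ == "__main__":
    print(classify(SAMPLE_QUERY), parse_control(SAMPLE_REPLY))
    print("amplification:", amplification_factor(SAMPLE_QUERY, [SAMPLE_REPLY]))
```

A real readvar reply is usually split over several fragments (the M bit set on all but the last), so feed every fragment of one exchange to amplification_factor rather than only the first.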
Solution:
Notes for Cisco IOS Catalyst Switch devices:
Authenticated NTP time updates can be configured on Cisco Catalyst Switch devices with the following commands:
#ntp authenticate
#ntp authentication-key key-num md5 key-string
#ntp server ip-address key key-num [prefer]
If NTP access restrictions are in place, you will also need to make sure that time synchronization with the configured server is still allowed, using the following command:
#ntp access-group peer acl