In November 2016, the NTP project released an advisory that announced ten security issues (CVEs) of which one was rated high severity, and two were rated medium severity. This post addresses the impact of these CVEs against NetScaler.
NetScaler uses a secure default setting for the underlying NTP server, which avoids all of these issues in this advisory. NTP may be further configured from the NetScaler root shell at /nsconfig/ntp.conf to achieve any required settings. In doing so, be sure that the setting does not unsafely expose your appliance to these, or other existing vulnerabilities.
A breakdown of the CVEs from the November advisory follows:
CVE-2016-9312 – the only high severity CVE – does not impact NetScaler since it pertains to Windows systems only. NetScaler does not employ Windows.
CVE-2016-9311 – does not impact NetScaler as NTP on NetScaler does not enable traps, using the notrap qualifier.
CVE-2016-9310 – does not impact NetScaler since default settings ensure that incoming commands are restricted. Customers adding a new timeserver are recommended to add it as –
“restrict new.time.server.ip mask 255.255.255.255 nomodify notrap nopeer noquery”
CVE-2016-7426 – does not impact NetScaler as the default settings do not use the limited flag.
CVE-2016-7427, CVE-2016-7428 – do not impact NTP on NetScaler as there is no support for NTP broadcast messages.
CVE-2016-7429, CVE-2016-7431, CVE-2016-7433 – do not impact NTP on NetScaler as NetScaler does not support the peering use-case. The default settings use the nopeer qualifier.
CVE-2016-7434 – does not impact NTP on NetScaler since mode 6 is blocked by default. Customers adding a new timeserver are recommended to add it as –
“restrict new.time.server.ip mask 255.255.255.255 nomodify notrap nopeer noquery”
This is to avoid mode 6 queries using the noquery modifier.
As always, please continue to engage with your regular support representative for assistance on securely configuring NTP on your appliance.
