ewxrjk
Message 1 of 34

NTP mode 6 vulnerability letters

I've received one of the letters described here: https://help.virginmedia.com/system/templates/selfservice/vm/help/customer/locale/en-GB/portal/20030...

As far as I can tell from my own testing this is a false positive, because:

  1. The NTP implementation I have is recent enough to not be vulnerable.
  2. Querying it from outside my network gets no response.

So I don't currently plan to do anything about it. However it raises the question of why Virgin Media are sending me a letter about an issue that apparently doesn't exist.

I asked @virginmedia on Twitter about it but apparently they are unwilling or unable to anyone else within Virgin Media, which is rather weird but whatever.

As such my questions are:

  1. What test, if any, are Virgin Media doing, in order to detect these vulnerabilities?
  2. Alternatively, are they simply relying blindly on shadowserver.org's data - in which case, what test are they doing?

Moderator (Retired) Ralph_R
Message 2 of 34

Re: NTP mode 6 vulnerability letters

Virgin Media act on the information provided by shadowserver.org; we then check the information provided and contact the account holder affected. We don't run any further vulnerability checks ourselves.

If you've followed up on the advice provided and are confident that your network is secure then a false positive is a possibility.

 

 

Dominatez
Message 3 of 34

Re: NTP mode 6 vulnerability letters

Have you looked at how Shadowserver gets the information and what ports they are checking?

 

You do know that NTP = Network Time Protocol and is what many script kiddies were using on botnets to attack and DDoS others. These amplification attacks are a real pain in the ass, as a few IPs can do massive damage when amplified.

 

https://www.us-cert.gov/ncas/alerts/TA14-017A <---- For your perusal

Davewhit
Message 4 of 34

Re: NTP mode 6 vulnerability letters

I have two of these letters and no one can explain. All Virgin said was change my password. Useless.

  • 3.54K
  • 384
  • 1.24K
Very Insightful Person
Very Insightful Person
1,737 Views
Message 5 of 34
Flag for a moderator

Re: NTP mode 6 vulnerability letters


@Davewhit wrote:

I have two of these letters and no one can explain. All Virgin said was change my password. Useless.


Open NTP Version (Mode 6) Scanning Project may be of help.

Sololobo
Message 6 of 34

Re: NTP mode 6 vulnerability letters

Open NTP Version (Mode 6) Scanning Project may be of help.

Not really.

I am fairly IT literate and have no idea how to mitigate this vulnerability from the information provided in the posted link, nor from the VM provided information:

https://help.virginmedia.com/system/templates/selfservice/vm/help/customer/locale/en-GB/portal/20030...

Please note that the link to team.cymru provided by VM has been sunsetted! That's how much VM care about keeping their own information up to date.

As far as I'm aware a home PC would have to be specifically configured to provide NTP/SNTP services, something which the average user would never do.

http://www.hellpc.net/how-to-make-your-computer-a-time-server-ntp-server-without-any-software/

Most broadband customers will expect to connect to their ISP provided internet connection and do their thing, they will not expect to be IT security professionals and have to deal with issues such as these.

 




Very Insightful Person
Message 7 of 34

Re: NTP mode 6 vulnerability letters

@Sololobo wrote:

Most broadband customers will expect to connect to their ISP provided internet connection and do their thing, they will not expect to be IT security professionals and have to deal with issues such as these.

But that does not absolve users / customers of their responsibility to keep their devices up to date and their LAN secure however this task is not helped by the lack of information contained in the notice sent by Virgin Media. For example, the Shadowserver report contains the following fields of which timestamp, version, and system could help in locating the vulnerable device:

Field: Description
timestamp: Time that the IP was probed in UTC+0
ip: The IP address of the device in question
protocol: Protocol that the NTP response came on (UDP)
port: Port that the NTP response came from
hostname: Reverse DNS name of the device in question
asn: ASN of where the device in question resides
geo: Country where the device in question resides
region: State / Province / Administrative region where the device in question resides
city: City in which the device in question resides
version: NTP software version and build time
clk_wander: clock frequency wander (PPM)
clock: date and time of day
error: frequency error
frequency: frequency offset (PPM) relative to hardware clock
jitter: clock jitter
leap: leap warning indicator (0-3)
mintc: minimum time constant (log2 s) (3-10)
noise: "white phase" noise, aka jitter
offset: combined offset of server relative to this host
peer: An identification number of the peer in use
phase: combined offset of server relative to this host
poll: poll messages sent (for association with a reference clock)
precision: precision (log2 s)
processor: hardware platform and version
refid: reference ID or kiss code
reftime: reference time
rootdelay: total roundtrip delay to the primary reference clock
rootdispersion: total dispersion to the primary reference clock
stability: PPM mean frequency deviation
state: The current mode of NTP operation, where 1 is symmetric active, 2 is symmetric passive, 3 is client, 4 is server, and 5 is broadcast
stratum: The stratum of the peer server (1-15). Anything greater than 1 is a secondary reference
system: operating system and version
tai: TAI-UTC offset (s)
tc: time constant and poll exponent (log2 s) (3-17)


Concerning mitigation of vulnerability on device(s) try either:

  • upgrade ntpd to 4.2.8 or later
  • configure device to act as ntp client and to ignore ntp queries except from localhost address
  • configure firewall to deny/drop incoming traffic to port 123/udp

FYI Team Cymru templates are located here: http://www.team-cymru.org/secure-ntp-template.html
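As an added example (not code from any poster or from Shadowserver), a small Python script that reads a report in the field layout listed above, pulls out the timestamp, ip, version and system fields the post says help to locate the device, and maps each row's ntpd version onto the three mitigations listed in the post. The sample rows, hostnames and addresses are constructed for illustration and only a subset of the columns is included.

```python
import csv
import io
import re

# Constructed sample in the layout of a Shadowserver "Open NTP Version (Mode 6)"
# report, using field names from the post; columns are a subset, values made up.
SAMPLE_REPORT = """\
timestamp,ip,protocol,port,hostname,asn,geo,version,system,stratum
2019-03-01 09:15:02,198.51.100.23,udp,123,host-a.example.net,64496,GB,ntpd 4.2.6p5@1.2349-o Tue Sep 10 11:23:14 UTC 2013 (1),Linux/3.10.20,3
2019-03-01 09:15:02,198.51.100.24,udp,123,host-b.example.net,64496,GB,ntpd 4.2.8p12@1.3728-o Tue Aug 14 10:29:00 UTC 2018 (1),Linux/4.14.0,2
2019-03-01 09:15:03,198.51.100.25,udp,123,,64496,GB,unknown,Windows,16
"""

MIN_SAFE_VERSION = (4, 2, 8)  # the post: upgrade ntpd to 4.2.8 or later

def parse_ntpd_version(version_field):
    """(major, minor, patch) from e.g. 'ntpd 4.2.6p5@1.2349-o ...', else None."""
    match = re.search(r"\bntpd\s+(\d+)\.(\d+)\.(\d+)", version_field)
    return None if match is None else tuple(int(p) for p in match.groups())

def needs_upgrade(version_field):
    """True when the row reports an ntpd older than 4.2.8."""
    version = parse_ntpd_version(version_field)
    return version is not None and version < MIN_SAFE_VERSION

def recommended_action(version_field):
    """Map the reported version onto the mitigations listed in the post."""
    if needs_upgrade(version_field):
        return "upgrade ntpd to 4.2.8 or later"
    if parse_ntpd_version(version_field) is None:
        return "unidentified responder: locate it via hostname/system, then firewall 123/udp"
    # Already 4.2.8 or later but it still answered the mode 6 probe, so restrict queries.
    return "version ok: configure as a client that ignores queries except from localhost"

def triage(report_text):
    """One dict per row with the locating fields (timestamp, ip, version, system)
    plus the recommended action."""
    results = []
    for row in csv.DictReader(io.StringIO(report_text)):
        results.append({key: row[key] for key in ("timestamp", "ip", "version", "system")})
        results[-1]["action"] = recommended_action(row["version"])
    return results

if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry)
```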

 

ewxrjk
Message 8 of 34

Re: NTP mode 6 vulnerability letters

I've now had an email saying much the same as the original letter, only with a link to a web page that 404s.

I've rechecked and my IP address continues not to respond to NTP queries. So I still believe this is a false positive and Virgin Media are just being incompetent.

Very Insightful Person
Message 9 of 34

Re: NTP mode 6 vulnerability letters

Maybe best to contact Shadowserver and query the reports with them.


Davewhit
Message 10 of 34

Re: NTP mode 6 vulnerability letters

Not helped at all. What do I do to so-called stop it if I'm doing something wrong in the first place?