
97861 - Network Time Protocol (NTP) Mode 6 Scanner

vinod.tiwari16
Level 1

Hi,

I came across the Network Time Protocol (NTP) Mode 6 Scanner vulnerability on Cisco 2960x and 3750x switches. The switches' IOS version is 15.0(2).

Please help to remediate the same.

 

Thank You

7 Replies

Marvin Rhoads
Hall of Fame

There is a known bugID for this. You should upgrade to one of the IOS versions that fixes the vulnerability.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum44673/?referring_site=bugquickviewclick

I am getting this vulnerability flagged by Nessus on a 2960X running 15.2(2)E5. Yet the CSCum44673 bug description claims that it is fixed as of 15.2(2)E3. At this point I don't know if it is Nessus or the bug description that is in error.

Did you configure "ntp allow mode control" as directed in the BugID?

Sir, I am having the same problem. What number should I set it to? Thank you.

 

Device(config)#ntp allow mode control ?
<3-15> Rate limiting delay (s)

Morning again. Also, would ntp allow mode private work as well? I've been digging hard to find a way to remediate this.

 

I own a Cisco 3945 series router.

 

My existing IOS is 15.4(3)M8

 

Thank you.

 

I added "no ntp allow mode control 3" to my switches and it passed Nessus scan.

Greetings,
I am also dealing with a case of the Network Time Protocol (NTP) Mode 6 Scanner vulnerability.
I have a customer that presented to us a scan of network devices vulnerable to this bug.
It had several items in the list.
I had opened a TAC case and was advised to apply the "ntp allow mode control 3" command.
I was only able to apply this command to one device. However, the "mode control 3" command did eliminate this device from my customer's vulnerability scan.
The other devices had an "ntp allow mode private" command, but no "ntp allow mode control".
I further engaged Cisco and they claimed that the IOS versions that I provided them, for the remaining devices, were not affected by the NTP mode 6 scanner vulnerability, although the remaining devices still surface on my customer's NTP mode 6 scan.
Furthermore, I engaged Cisco on the "ntp allow mode control" command and at what up-version this command is supported, for the following IOS versions:
!
These are the 4 IOS versions that currently do not support the "ntp allow mode control" command:
c3560-ipbasek9-mz.122-55.SE12.bin
c2960-lanbasek9-mz.150-2.SE11.bin
c3560-ipbasek9-mz.122-58.SE2.bin
c2960-lanbasek9-mz.122-55.SE12.bin
!
Can anyone help me determine which next up-version for each of these platforms supports the "ntp allow mode control" command?

Thank you in advance for any assistance.
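
Added example (not part of the thread, and not Cisco's or Nessus's code): a small Python check that sends one NTP mode 6 READVAR request to a device you manage and reports whether it still answers, so a change such as the "ntp allow mode control" setting discussed above can be re-verified without waiting for the next scan. The function names are hypothetical; the 12-byte header layout is assumed from the standard NTP control message format (RFC 1305, Appendix B).

```python
import socket
import struct

MODE_CONTROL = 6      # NTP mode 6: control messages (the mode ntpq uses)
OP_READVAR = 2        # "read variables" opcode
# flags, R/E/M bits + opcode, sequence, status, association id, offset, count
HEADER = struct.Struct("!BBHHHHH")


def build_readvar(sequence=1, version=2):
    """Build a 12-byte mode 6 READVAR request for association 0 (the system)."""
    flags = (version << 3) | MODE_CONTROL           # LI=0, VN, Mode=6
    return HEADER.pack(flags, OP_READVAR, sequence, 0, 0, 0, 0)


def classify_reply(data, sequence=1):
    """Return 'answers-mode6', 'mode6-error' or 'not-mode6' for a UDP reply."""
    if len(data) < HEADER.size:
        return "not-mode6"
    flags, rem_op, seq, _status, _assoc, _offset, count = HEADER.unpack_from(data)
    is_response = bool(rem_op & 0x80)               # R bit
    if flags & 0x07 != MODE_CONTROL or not is_response or seq != sequence:
        return "not-mode6"
    if rem_op & 0x40:                               # E bit: request was refused
        return "mode6-error"
    if count > len(data) - HEADER.size:             # truncated or malformed payload
        return "not-mode6"
    return "answers-mode6"


def check_host(host, port=123, timeout=3.0):
    """Send one READVAR; a timeout means the device ignored the mode 6 query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_readvar(), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except OSError:                             # timeout or ICMP unreachable
            return "no-reply"
        return classify_reply(data)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:                     # management IPs of your own devices
        print(target, check_host(target))
```

A result of "no-reply" after the configuration change, where the same device previously returned "answers-mode6", indicates the device no longer responds to mode 6 queries from the host running the check.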