09-20-2017 02:27 AM - edited 03-01-2019 06:08 PM
Hi,
I came across the Network Time Protocol (NTP) Mode 6 Scanner vulnerability on Cisco 2960X and 3750X switches. The switches' IOS version is 15.0(2).
Please help me remediate this.
Thank You
09-20-2017 03:55 AM
There is a known bugID for this. You should upgrade to one of the IOS versions that fixes the vulnerability.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum44673/?referring_site=bugquickviewclick
02-26-2018 08:19 AM - edited 02-26-2018 08:23 AM
I am getting this vulnerability flagged by Nessus on a 2960X running 15.2(2)E5. Yet the CSCum44673 bug description claims that it is fixed as of 15.2(2)E3. At this point I don't know if it is Nessus or the bug description that is in error.
02-26-2018 09:26 AM
Did you configure "ntp allow mode control" as directed in the BugID?
03-19-2018 09:03 AM
Sir, I am having the same problem. What number should I set it to? Thank you.
Device(config)#ntp allow mode control ?
<3-15> Rate limiting delay (s)
03-19-2018 09:15 AM
Morning again. Also, would "ntp allow mode private" work as well? I've been digging hard to find a way to remediate this.
I own a Cisco 3945 series router.
My existing IOS is 15.4(3)M8
Thank you.
05-03-2018 12:16 PM
I added "no ntp allow mode control 3" to my switches and it passed Nessus scan.
12-26-2018 09:55 AM
Greetings,
I also am dealing with a case of the Network Time Protocol (NTP) Mode 6 Scanner vulnerability.
I have a customer that presented to us a scan of network devices vulnerable to this bug.
It had several items in the list.
I had opened a TAC case and was advised to apply the "ntp allow mode control 3" command.
I was only able to apply this command to one device. However, the "mode control 3" command did eliminate this device from my customer's vulnerability scan.
The other devices had an "ntp allow mode private" command, but no "ntp allow mode control".
I further engaged Cisco, and they claimed that the IOS versions I provided them for the remaining devices were not affected by the NTP Mode 6 Scanner vulnerability. However, the remaining devices still surface on my customer's NTP Mode 6 scan.
Furthermore, I asked Cisco about the "ntp allow mode control" command and at what up-version this command is supported for the following IOS versions:
!
These are the 4 IOS versions that currently do not support the "ntp allow mode control" command:
c3560-ipbasek9-mz.122-55.SE12.bin
c2960-lanbasek9-mz.150-2.SE11.bin
c3560-ipbasek9-mz.122-58.SE2.bin
c2960-lanbasek9-mz.122-55.SE12.bin
!
Can anyone help me determine which next up-version for each of these platforms, supports the "ntp allow mode control" command?
Thank you in advance for any assistance.
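An added example, not code from this thread or from Cisco: a small Python audit that reads running-config text collected from several devices and reports, per device, whether the "ntp allow mode control <delay>" remediation that TAC advised above is present, whether its delay falls in the <3-15> range the CLI help shows earlier in the thread, and whether a device has only "ntp allow mode private", which the poster found does not clear the Mode 6 finding. The device names and config fragments are constructed for illustration; a line beginning with "no" is treated as the command being absent.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config fragments; these are not the devices or
# configs from the thread, just illustrative input for the audit.
SAMPLE_CONFIGS: Dict[str, str] = {
    "sw-access-01": (
        "hostname sw-access-01\n"
        "ntp allow mode private\n"
        "ntp allow mode control 3\n"
        "ntp server 192.0.2.10\n"
    ),
    "sw-access-02": (
        "hostname sw-access-02\n"
        "ntp allow mode private\n"
        "ntp server 192.0.2.10\n"
    ),
    "sw-access-03": (
        "hostname sw-access-03\n"
        "ntp allow mode control 2\n"
        "ntp server 192.0.2.10\n"
    ),
}

# Rate-limiting delay range as shown by "ntp allow mode control ?" in the thread.
RATE_MIN, RATE_MAX = 3, 15

# Only positive forms match; "no ntp allow mode control ..." is not counted.
CONTROL_RE = re.compile(r"^\s*ntp\s+allow\s+mode\s+control(?:\s+(\d+))?\s*$", re.I)
PRIVATE_RE = re.compile(r"^\s*ntp\s+allow\s+mode\s+private\s*$", re.I)


def audit_config(device: str, config: str) -> Dict[str, object]:
    """Inspect one running-config and report NTP mode 6 remediation status."""
    control_present = False
    control_delay: Optional[int] = None
    private_present = False

    for line in config.splitlines():
        m = CONTROL_RE.match(line)
        if m:
            control_present = True
            control_delay = int(m.group(1)) if m.group(1) else None
            continue
        if PRIVATE_RE.match(line):
            private_present = True

    findings: List[str] = []
    if not control_present:
        findings.append("ntp allow mode control not configured (the remediation TAC advised in the thread)")
        if private_present:
            findings.append("ntp allow mode private is present but does not clear the mode 6 finding by itself")
    elif control_delay is None:
        findings.append("ntp allow mode control present without a rate-limiting delay value")
    elif not RATE_MIN <= control_delay <= RATE_MAX:
        findings.append(f"rate-limiting delay {control_delay} is outside the CLI range {RATE_MIN}-{RATE_MAX}")

    return {
        "device": device,
        "control_present": control_present,
        "control_delay": control_delay,
        "private_present": private_present,
        "findings": findings,
    }


def audit_all(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device name -> list of findings; an empty list means no issue found."""
    return {name: audit_config(name, cfg)["findings"] for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONFIGS).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the config text would come from "show running-config" output gathered by whatever collection tool you already use; the audit only tells you which devices still lack the command, not whether a given IOS image supports it, which is the open question in the last post.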