LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.


Userlevel 3
Will the leap second security vulnerability happen again at the end of December 2016?

Is the vulnerability 2015 002, or any leap second, going to happen at the end of this December 2016?

25 replies

Userlevel 3
Hi all, kindly reply; I would really appreciate your answer.

Thanks.
Paul
Userlevel 3
The next leap second will be inserted on December 31, 2016, at 23:59:60 UTC. https://en.wikipedia.org/wiki/Leap_second

Are Extreme Networks products vulnerable to Leap Second?

Is it going to affect all Extreme XOS?
Userlevel 3
Hi Paul,
Would you check whether the following articles answer your questions?
Are products affected?
Script to apply workaround.

Kind regards,
Konstantin
Userlevel 3
Hi Korsovsky,

Thanks. My question is: will it happen at the end of this December 2016?
Userlevel 7
No
Userlevel 3
Yes, as you saw in the Wikipedia article, the next leap second will be added at the end of the day on 31 Dec 2016.
--
Konstantin
Userlevel 3
Hi Ronald,

Could you please provide more information so that I can update my client on this? Thanks a lot.
Userlevel 5
Paul,

EXOS switches prior to 16.2 are vulnerable to a kernel deadlock due to the leap second, if NTP is enabled. SNTP is not affected. NTP advertises the leap second for 24 hours prior to the leap second occurring, so the workaround is to disable NTP at least 24 hours before the leap second.


EXOS 16.2 and EXOS 21.1 are not affected by this. Please see the following GTAC Knowledge article for further information:

https://gtacknowledge.extremenetworks.com/articles/Q_A/Are-Extreme-Networks-products-vulnerable-to-VN-2015-002-Leap-Second
Userlevel 3
I am running NTP on X450a-24x 15.3.3.5.
Userlevel 3
Hi Vellachery,

Thanks for the article.

Is the next leap second adjustment going to occur on December 31, 2016, at 23:59:60 UTC and affect X450a-24x 15.3.3.5?
Userlevel 7
from ... https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2015-002-Leap-Second?_ga=...

ExtremeXOS (all products)
  • Vulnerable: Fixed
  • Vulnerable Component: Kernel
  • Conditions when component vulnerability occurs: Next leap second will be added on 30 June 2015. While logging this event via printk, kernel deadlock can occur due to bad locking. The fix will address future leap second events.
  • Product version(s) affected: All EXOS products
  • Workaround: Disable ntpd for at least 24 hours before leap second period.
  • Fixed In: EXOS 16.2.1, and 21.1.1
Userlevel 7
So you'd either upgrade or disable the NTP.
Sorry I wasn't aware that v15 is still a thing 🙂
Userlevel 3
I cannot upgrade to 16.2.1 due to a hardware limitation.

So I can say that the vulnerability issue may happen on December 31, 2016, right?

😞
Userlevel 5
Paul,

Rightly said Ronald... 🙂

If you are running NTP, the workaround is to disable NTP at least 24 hours before the leap second.
Userlevel 3
Vellachery / Ronald,

Noted, and thanks. No choice; I have to disable and enable NTP. 😞
Userlevel 5
Paul,

Pleasure assisting you..... 🙂
Userlevel 3
Is there any difference between these?

Timezone: [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.

Currently my timezone is SIN. Will it still be vulnerable?

Timezone: [Auto DST Disabled] GMT Offset: 480 minutes, name is SIN.

If yes, what time should I follow to disable NTP, in UTC time?
Disable ntpd for at least 24 hours before leap second period (command: "disable ntp".)

The next leap second will be inserted on December 31, 2016, at 23:59:60 UTC.

For Singapore time.

disable ntp at 07:59:30 AM, 1 January, 2017 SIN
enable ntp at 08:00:30 AM, 1 January, 2017 SIN
Userlevel 6
Paul, the vulnerability does not depend on time zone; if the NTP module is present it can be affected. EXOS versions older than EXOS 16.2.1 and 21.1.1 are affected. Here is an article for reference: https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2015-002-Leap-Second

If the NTP module is present, then disable NTP 24 hours before the leap second insertion, wait a day after the leap second, and then re-enable NTP.
Userlevel 3
Thanks Karthik,

So I do not need to care about the timezone on the switch. As long as I have NTP enabled, I should disable it as below?

disable ntp at 23:59:00 PM, 30 Dec, 2017
enable ntp at 23:59:0 PM, 1 January, 2017
Userlevel 3
One more thing, our setup:

NTP is running as an NTP server on the X450a-24x, firmware 15.3.3.5 patch1-6. A Windows server (NTP client) is getting NTP time from the Extreme X450a.

We are not getting any NTP from outside. The NTP server is the Extreme X450a.

Will this setup also be affected by the leap second vulnerability?
Userlevel 6
Paul, that is correct; maybe you have a typo in the year.

disable ntp at 23:59:00 PM, 30 Dec, 2016 UTC
enable ntp at 23:59:00 PM, 1 Jan, 2017 UTC

The leap second insertion would happen on December 31, 2016, at 23:59:60 UTC.

That would be fine.
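
One way to check a proposed disable/enable schedule against the 24-hour rule discussed in this thread, as an added example that is not part of the original posts or of Extreme's tooling. It assumes the switch clock uses the GMT offset in minutes shown in the timezone output; `to_utc` and `check_schedule` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

def to_utc(local: str, gmt_offset_minutes: int) -> datetime:
    """Interpret a switch-local timestamp using a GMT offset in minutes."""
    tz = timezone(timedelta(minutes=gmt_offset_minutes))
    return datetime.strptime(local, FMT).replace(tzinfo=tz).astimezone(timezone.utc)

def check_schedule(disable_local, enable_local, gmt_offset_minutes, leap_day_utc):
    """Check an NTP disable/enable plan against a leap second at 23:59:60 UTC.

    datetime cannot represent 23:59:60, so the leap second is described by the
    UTC day that contains it: that day starts exactly 24 h before 23:59:60 and
    the leap second ends at 00:00:00 UTC on the following day.
    """
    day_start = datetime.strptime(leap_day_utc, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    leap_end = day_start + timedelta(days=1)
    local_tz = timezone(timedelta(minutes=gmt_offset_minutes))
    disable_utc = to_utc(disable_local, gmt_offset_minutes)
    enable_utc = to_utc(enable_local, gmt_offset_minutes)
    return {
        "disable_utc": disable_utc.strftime(FMT),
        "enable_utc": enable_utc.strftime(FMT),
        # NTP must already be off when the 24 h advertisement window opens.
        "disable_ok": disable_utc <= day_start,
        # The thread advises waiting a day; this only checks the leap second is over.
        "enable_ok": enable_utc > leap_end,
        "latest_disable_local": day_start.astimezone(local_tz).strftime(FMT),
    }

if __name__ == "__main__":
    # Schedules quoted in the thread: (label, disable, enable, GMT offset in minutes).
    plans = [
        ("UTC plan", "2016-12-30 23:59:00", "2017-01-01 23:59:00", 0),
        ("SIN plan", "2017-01-01 07:59:30", "2017-01-01 08:00:30", 480),
    ]
    for label, off, on, offset in plans:
        print(label, check_schedule(off, on, offset, "2016-12-31"))
```
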
Userlevel 3
Thanks Karthik,

Sorry to keep asking, as I need to understand my setup and this vulnerability issue. Sorry for my typo. Thanks for correcting me.

I really appreciate your help and valuable advice. This Extreme HUB is really awesome, with strong technical gurus.

Thanks again Karthik.
Userlevel 6
Paul, I do not think Windows Server will be affected by the leap second insertion. Disclaimer: this information is taken from an external source 🙂 Please check the Microsoft link and one external link:

https://blogs.msdn.microsoft.com/mthree/2015/01/08/the-story-around-leap-seconds-and-windows-its-likely-not-y2k/
http://www.windowstricks.in/2015/06/is-leap-second-impact-windows-servers-and-application.html
Userlevel 6
As long as the switch X450a-24x does not get the leap second insertion packet it will remain unaffected.
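
The "leap second insertion packet" is an NTP message whose Leap Indicator (LI) field is set to 1. The following added example (not part of the original thread) reads that field from a raw 48-byte NTP header so an upstream source can be checked before the event; the sample packets are constructed here and the function names are hypothetical.

```python
import struct

LI_MEANING = {
    0: "no warning",
    1: "insertion pending: last minute of the day has 61 seconds",
    2: "deletion pending: last minute of the day has 59 seconds",
    3: "alarm: clock unsynchronized",
}

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the first two bytes of an NTP header: LI (2 bits), VN (3), Mode (3), stratum."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(packet))
    first, stratum = struct.unpack("!BB", packet[:2])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
    }

def advertises_insertion(packet: bytes) -> bool:
    """True if a time source is announcing a leap second insertion."""
    hdr = parse_ntp_header(packet)
    # Modes 1/2 (symmetric), 4 (server) and 5 (broadcast) carry a source's
    # leap warning; client requests (3) and control traffic are ignored.
    return hdr["mode"] in (1, 2, 4, 5) and hdr["leap"] == 1

def build_sample(leap: int, version: int = 4, mode: int = 4, stratum: int = 2) -> bytes:
    """Constructed sample packet: only the first two header bytes are meaningful."""
    first = (leap << 6) | (version << 3) | mode
    return bytes([first, stratum]) + bytes(46)

if __name__ == "__main__":
    for leap in (0, 1):
        pkt = build_sample(leap)
        hdr = parse_ntp_header(pkt)
        print(hdr, LI_MEANING[hdr["leap"]], advertises_insertion(pkt))
```
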
Userlevel 3
Hi Karthik,

Very informative. I greatly appreciate your help and input.

Regards,
Paul
