topic RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP. in ExtremeSwitching (EXOS/Switch Engine)

LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:28:00 GMT

When do LEAP Second Security Vulnerability will happen again in end of December 2016???

Is Vulnerability or 2015 002 or any Leap Second going to happen end of this December 2016???

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:30:00 GMT

Hi all, Kindly reply and really appreciate to your answer.

Thanks.
Paul

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

the next leap second will be inserted on December 31, 2016, at 23:59:60 UTC. https://en.wikipedia.org/wiki/Leap_second

Are Extreme Networks products vulnerable to Leap Second?

Is it going to effect to all extreme xos ???

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Korsovsky__Kons — Thu, 29 Dec 2016 21:43:00 GMT

Hi Paul,
would you check if following articles answer you questions?
Are products affected?
Script to apply workaround.

Kind regards,
Konstantin

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

Hi Korsovsky,

thanks. my question is will it be happen in this end of December 2016???

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Ronald_Dvorak — Thu, 29 Dec 2016 21:43:00 GMT

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

Hi Ronald,

please could you provide more information. So that i can update my client on this. thanks a lot.

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Vellachery__Sum — Thu, 29 Dec 2016 21:43:00 GMT

Paul,

EXOS switches prior to 16.2 are vulnerable to a kernel deadlock due to the leap second, if NTP is enabled. SNTP is not affected. NTP advertises the leap second for 24 hours prior to the leap second occurring, so the workaround is to disable NTP at least 24 hours before the leap second.

EXOS 16.2 and EXOS 21.1 are not affected by this. Please see the following GTAC Knowledge article for further information:-

https://gtacknowledge.extremenetworks.com/articles/Q_A/Are-Extreme-Networks-products-vulnerable-to-VN-2015-002-Leap-Second

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

i am running NTP on X450a-24x 15.3.3.5

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

Hi Vellachery,

thanks for the article.

The next leap second adjustment is going to occur on December 31, 2016, at 23:59:60 UTC and effect to X450a-24x 15.3.3.5 ???

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Ronald_Dvorak — Thu, 29 Dec 2016 21:43:00 GMT

from ... https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2015-002-Leap-Second?_ga=...

ExtremeXOS (all products)

Vulnerable: Fixed
Vulnerable Component: Kernel
Conditions when component vulnerability occurs: Next leap second will be added on 30 June 2015. While logging this event via printk, kernel deadlock can occur due to bad locking. The fix will address future leap second events.
Product version(s) affected: All EXOS products
Workaround: Disable ntpd for at least 24 hours before leap second period.
Fixed In: EXOS 16.2.1, and 21.1.1

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Ronald_Dvorak — Thu, 29 Dec 2016 21:43:00 GMT

So you'd either upgrade or disable the NTP.
Sorry I wasn't aware that v15 is still a thing 🙂

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

i cannot upgrade to 16.2.1 due to hardware limitation.

so i can say that the issue Vulnerability may happen in December 31, 2016 right?



RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Vellachery__Sum — Thu, 29 Dec 2016 21:43:00 GMT

Paul,

Rightly said Ronald... 

If you are running NTP. The workaround is to disable NTP at least 24 hours before the leap second.

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

Vellachery / Ronald,

Noted and thanks. No choice i have to disable and enable ntp. 

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Vellachery__Sum — Thu, 29 Dec 2016 21:43:00 GMT

Paul,

Pleasure assisting you..... 

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Thu, 29 Dec 2016 21:43:00 GMT

any different between this.

Timezone: [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.

current my timezone is as SIN. Will still Vulnerability?

Timezone: [Auto DST Disabled] GMT Offset: 480 minutes, name is SIN.

if yes. what time should i follow to disable ntp at UTC time?
Disable ntpd for at least 24 hours before leap second period (command: "disable ntp".)

The next leap second will be inserted on December 31, 2016, at 23:59:60 UTC.

For Singapore time.

disable ntp at 07:59:30 AM, 1 January, 2017 SIN
enable ntp at 08:00:30 AM, 1 January, 2017 SIN

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Karthik_Mohando — Fri, 30 Dec 2016 07:57:00 GMT

Paul, The vulnerability does not depend on time zone if NTP module is present it can be affected. EXOS version older than EXOS 16.2.1, and 21.1.1 are affected. Here is an article for reference https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2015-002-Leap-Second If NTP module is present then disable ntp before 24 hours of the leap second insertion and Wait a day after the leap second and then re-enable NTP

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Fri, 30 Dec 2016 07:57:00 GMT

Thanks Karthik,

so i no need to care about timezone on the switch. as long as i have enable NTP. I should disable it as below?

disable ntp at 23:59:00 PM, 30 Dec, 2017
enable ntp at 23:59:0 PM, 1 January, 2017

RE: LEAP Second Security Vulnerability - Urgent - Attention please answer ASAP.

Paul11 — Fri, 30 Dec 2016 07:57:00 GMT

One more thing, our setup

NTP is running as a NTP server on the X450a-24x firmware 15.3.3.5 patch1-6 windows server (NTP client) is getting NTP time from Extreme X450a.

we are not getting any NTP from outside. NTP Server is Exteme x450a.

Will this setup also effected leap second Vulnerable?