ICS Advisory (ICSA-14-353-01-SupplementA)

Network Time Protocol Vulnerabilities (Supplement Update A)

Click to Tweet.
Click to send to Facebook.
Click to Share.

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.



--------- Begin Update A Part 1 of 2 --------

This advisory supplement is to accompany the NCCIC/ICS-CERT advisory titled ICSA-14-353-01C Network Time Protocol Vulnerabilities that was published February 5, 2015, on the ICS‑CERT web site.

--------- End Update A Part 1 of 2 ----------

Please refer to this advisory for all the details of the vulnerabilities. The purpose of this advisory supplement is to document which products are affected by these vulnerabilities and suggest how users of these products may mitigate the effects of these vulnerabilities. This document will be updated as needed.

ICS-CERT thanks the following companies for responding to our inquiry on the affected products (listed vendors may have answered yes or no):

Arbiter, Catapult Software, Codesys, Ecava IntegraXor, Festo, Innominate, KEP (Kessler-Ellis Products), Meinberg, Microsys, spol. s r.o., Nordex Energy GmbH, Pepperl+Fuchs GmbH, Progea, Red Lion, Roche Diagnostics GmbH, SELINC, Sielcosistemi, Siemens, Sierra Wireless, SUBNET, Trihedral Engineering Limited, and Wind River Systems.

ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.


Arbiter Systems products:

  • Clock products using the network card. Arbiter has deployed a new firmware based on NTP Version 4.2.8

Innomoninate products:

--------- Begin Update A Part 2 of 2 --------

Innominate Security Technologies AG, Security Advisory 2015/01/20-001 addresses

  • mGuard Firmware Version 7.0 should be upgraded to Version 7.6.7
  • mGuard Firmware Version 8.0 should be upgraded to Version 8.1.5

Meinberg products:

Please see Meinberg’s public notification and mitigation strategies at:

Siemens products:

  • Please see Siemens’s public notification and mitigation strategies at SSA-671683 NTP Vulnerabilities in Ruggedcom ROX-based Devices (Update March 05, 2015), located at www.siemens.com/cert/advisories. This Security notification update announces new updates for the affected products and recommends specific countermeasures for users to use until the fixes can be applied. CVE-2014-9293, CVE-2014-9294, and CVE-2014-9295.
  • Please see Siemens’s public notification and mitigation strategies at SSA-749212 NTP Vulnerabilities in SINUMERIK Controllers-based Devices (Published March 05, 2015), located at www.siemens.com/cert/advisories. Siemens has released an update for the SINUMERIK controllers and recommends updating the system. CVE-2014-9294 and CVE‑2014-9295.

--------- End Update A Part 2 of 2 ----------

Wind River System products:

  • News updates for Wind River VxWorks:

There are patches for WR Linux for the other (related) CVEs (2014-9293 - 9286) available at https://knowledge.windriver.com/?title=Content_Lookup&id=044772:

  • VxWorks 7
  • VxWorks 6.9
  • WR Linux 4.3.0.X
  • WR Linux 5.0.1.x
  • WR Linux 6.0.0.x
  • WR Linux 7.0.0.x

Contact Information

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  https://us-cert.cisa.gov/ics 
or incident reporting:  https://us-cert.cisa.gov/report

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts.

We recently updated our anonymous product survey; we'd welcome your feedback.