Out of Cycle Security Bulletin: Multiple vulnerabilities in NTP

  [JSA10663]


Product Affected:
Junos OS, NSM Series devices, NSMXpress, NSM server software, vGW Series, Junos Space
Problem:

NTP.org has published a security advisory for six vulnerabilities resolved in ntpd (NTP daemon) that have been assigned four CVE IDs. In the worst case, some of these issues may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition.

| CVE | CVSS v2 base score | Summary |
|---|---|---|
| CVE-2014-9295 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Three stack-based buffer overflows in ntpd. |
| CVE-2014-9293 | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) | When an auth key is not configured ntpd generates a weak default key. |
| CVE-2014-9294 | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) | The ntp-keygen utility in NTP before 4.2.7p230 creates cryptographically weak symmetric keys. |
| CVE-2014-9296 | 0.0 (AV:N/AC:L/Au:N/C:N/I:N/A:N) | ntpd continues to execute after detecting a certain authentication error. This issue has an unknown impact. |
| CVE-2014-9297 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | A stack-based buffer overflow was found in the way the NTP autokey protocol was implemented. |
| CVE-2014-9298 | 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C) | ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed. |

Vulnerable Products:

  • Junos OS: Junos is confirmed to be vulnerable to one of the three buffer overflow issues covered by CVE-2014-9295 in all versions of Junos OS. CVE-2014-9295 is only exploitable on systems where NTP server is enabled within the [edit system ntp] hierarchy level.  Junos is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9296, CVE-2014-9297, or CVE-2014-9298.

  • NSM: All versions of NSM software, NSMXpress and NSM Series Appliances are vulnerable to these issues if the "Automatically Sync Time" option (under Time Server settings in the Web UI) is checked. This is off by default. NSM server software installed on generic Linux or Solaris servers may require NTP fixes from the respective server OS vendor.

  • vGW: The vGW Series incorporates ntp 4.2.4p7-1.1-1 which is known to be vulnerable to all listed issues.

  • Junos Space: Junos Space includes a vulnerable version of ntp which will be upgraded to ntp-4.2.2p1-18 in a future release.  Engineering is also working on a hot-patch to resolve this issue.


Products not vulnerable:

  • ScreenOS and JUNOSe are not vulnerable. The NTP modules in these products were designed and coded by Juniper Networks. They are not based on ntpd from NTP Project.

  • Pulse Secure (IC/MAG/SA, etc.) products are not vulnerable. The Pulse Secure products do not include NTP server functionality and are therefore not vulnerable to these issues.


As new information becomes available on products that are not listed above, this document will be updated.
Solution:
Junos OS: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D20, 12.3R9, 12.3X48-D15, 13.2R8, 13.3R6, 14.1R5, 14.1X50-D90, 14.1X55-D16, 14.2R3, and all subsequent releases.
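
A fleet inventory can be checked against the fixed-release list above with a short script. This is an added example, not Juniper code: the names parse and ntp_fix_status are hypothetical, trailing spin or service-release suffixes are ignored, and release trains newer than every listed one are assumed to count as "subsequent releases".

```python
import re

# Fixed releases copied from the Solution section of this bulletin.
FIXED_RELEASES = [
    "12.1X44-D50", "12.1X46-D35", "12.1X47-D20", "12.3R9", "12.3X48-D15",
    "13.2R8", "13.3R6", "14.1R5", "14.1X50-D90", "14.1X55-D16", "14.2R3",
]

# Matches "12.3R9", "12.3R9.4", "12.1X46-D35.1", "14.1R5-S2"; anything after
# the release number is ignored (assumption of this example).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)|X(\d+)-D(\d+))")


def parse(version):
    """Return ((major, minor), train, release_number) or raise ValueError."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:
        return (major, minor), f"{major}.{minor}R", int(m.group(3))
    return (major, minor), f"{major}.{minor}X{m.group(4)}", int(m.group(5))


# Map each listed train to the first release number that carries the fix.
FIRST_FIXED = {train: num for _, train, num in map(parse, FIXED_RELEASES)}
NEWEST_LISTED = max(base for base, _, _ in map(parse, FIXED_RELEASES))


def ntp_fix_status(version):
    """Classify a Junos version as 'fixed', 'unfixed' or 'unlisted'."""
    base, train, num = parse(version)
    if train in FIRST_FIXED:
        return "fixed" if num >= FIRST_FIXED[train] else "unfixed"
    # Assumption: trains newer than every listed one are "subsequent releases".
    if base > NEWEST_LISTED:
        return "fixed"
    # Older or unlisted trains (e.g. End-of-Engineering) need a manual check.
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the bulletin.
    for v in ["12.3R8.7", "12.3R9", "12.1X46-D30.2", "14.2R3-S1", "15.1R1", "13.1R4"]:
        print(f"{v:16} {ntp_fix_status(v)}")
```

A device reported as "unfixed" is only exploitable for CVE-2014-9295 if NTP server is enabled under [edit system ntp], so pair this check with a configuration review.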

Junos Space:
A Junos Space hot-patch has been released to resolve both the NTP and GHOST vulnerabilities described in JSA10663 and JSA10671, respectively.

Download the Patch (SHA1)

To install the patch:
  1. Transfer the patch to the VIP Space Node
  2. Log into the VIP node CLI
  3. Extract the archive:
    tar -zxf glibc-ntp-hotpatch-vz.tgz

  4. Change to the patch directory
    cd glibc-ntp-hotpatch-v1

  5. Run the patch script
    sh patchme.sh

    Note: If the system is a cluster, it will prompt for login credentials for the other nodes, and patch all systems.

IMPORTANT

If this patch is installed, and you are upgrading the Junos Space platform to any currently released version up to and including 14.1R2 [Check release notes of newer versions before upgrading, or contact JTAC], the upgrade will FAIL if you do not follow the instructions below:
  1. Upload the desired upgrade version of Space Platform to the system. [Do NOT start the upgrade]
  2. Log in to the VIP node
  3. Change to the patch directory. [You may need to upload it again to the current node]
    cd glibc-ntp-hotpatch-v1
  4. Run the command to patch the Space Upgrade script:
    sh fixupgrade.sh
  5. Run the Junos Space Upgrade from the Web Interface.

NSM:

This patch is for CentOS 6 only. Upgrading to CentOS 6 first is required.

  1. SCP JSA10663_NSM_CentOS6.zip (SHA1) to NSM server /home/admin
  2. Connect to NSM server CLI, become root using "sudo su -"
  3. Change to /home/admin: cd /home/admin
  4. Unzip Package: unzip JSA10663.zip
  5. Cd to NTP: cd NTP
  6. Upgrade RPMs: rpm -Uvh *.rpm
  7. Reboot NSM appliance

This section will be updated as additional fixes for the vulnerabilities are available.

Workaround:

Junos OS: Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) will protect against any remote malicious attacks against NTP. Customers who have already applied the workaround described in JSA10613 are already protected against any remote exploitation of these vulnerabilities. Refer to the Workaround section of JSA10613 for specific applicable mitigation techniques.

NSM: Turning off NTP daemon by unchecking the "Automatically Sync Time" option (under Time Server settings in Web UI) should completely mitigate these issues.

vGW: Disable NTP services or limit access to NTP from trusted hosts.

Implementation:

Modification History:

2015-01-05: Initial release.
2015-01-08: Confirmed that CVE-2014-9294 and CVE-2014-9296 may also apply to Junos.
2015-01-15: Explicitly stated that JUNOSe is not vulnerable.
2015-01-21: Added vGW Series.
2015-02-03: Added explicit statement about CVE-2014-9293 not affecting Junos.
2015-02-24: Added Junos Space.
2015-02-24: Added fixed releases for Junos OS.
2015-02-26: Added Junos Space hot-patch info.
2015-02-27: Removed End-of-Engineering release 11.4 from Junos OS fixed release list.
2015-03-10: Confirmed that only CVE-2014-9295 affects Junos.
2015-03-23: Clarified Junos Space patch instructions.
2015-09-03: Added references to CVE-2014-9297 (formerly known as "NTP Bug 2671") and CVE-2014-9298 (formerly known as "NTP Bug 2672").
2015-12-09: Added NSM patch instructions.

Related Links:
CVSS Score:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Level:
High
Risk Assessment:
These issues may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition.
Acknowledgements: