2015-10 Out of Cycle Security Bulletin: NTP.org announcement of multiple vulnerabilities.

[JSA10711]


Product Affected:
This issue can affect any product or platform running NTP.org's NTP daemon.
Problem:
NTP.org published a security advisory for thirteen vulnerabilities in NTP software and Boston University published CVE-2015-5300 on Oct 21st, 2015. These vulnerabilities may allow remote unauthenticated attackers to cause denial of service, to disrupt services by modifying the time stamps issued by the NTP server, and to cause disclosure of information, by sending maliciously crafted NTP packets, including maliciously crafted NTP authentication packets. This can impact DNS services as well as certificate chains, such as those used in SSL/HTTPS communications, and can allow attackers to inject invalid certificates that clients would accept as valid.

Junos OS

Vulnerable CVE-2015-7704 and CVE-2015-7705 http://support.ntp.org/bin/view/Main/NtpBug2901
Vulnerable CVE-2015-7853 http://support.ntp.org/bin/view/Main/NtpBug2920
 
NTP is not enabled in Junos by default. When NTP is enabled within the [edit system ntp] hierarchy level of the Junos configuration, Junos OS may be impacted by these vulnerabilities.
If unwanted NTP requests come into a Junos device, the NTP process may process these requests as valid NTP incoming packets.

On the SRX Series platform, NTP requests coming in from security zones to the firewall self-traffic are dropped by default unless the 'host-inbound-traffic' for 'protocol ntp' is explicitly enabled.

CTP OS/CTPView

Vulnerable CVE-2015-7871 http://support.ntp.org/bin/view/Main/NtpBug2941
Vulnerable CVE-2015-7852 http://support.ntp.org/bin/view/Main/NtpBug2919
Vulnerable CVE-2015-5300 https://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf

These issues have been assigned CVE-2015-7871, CVE-2015-7855, CVE-2015-7854, CVE-2015-7853, CVE-2015-7852, CVE-2015-7851, CVE-2015-7850, CVE-2015-7849, CVE-2015-7848, CVE-2015-7701, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 and CVE-2015-5300.

JSA-Series (Formerly STRM)
Vulnerable CVE-2015-5196 http://support.ntp.org/bin/view/Main/NtpBug2902
Vulnerable CVE-2015-7691 http://support.ntp.org/bin/view/Main/NtpBug2899
Vulnerable CVE-2015-7692 http://support.ntp.org/bin/view/Main/NtpBug2899
Vulnerable CVE-2015-7701 http://support.ntp.org/bin/view/Main/NtpBug2909
Vulnerable CVE-2015-7702 http://support.ntp.org/bin/view/Main/NtpBug2899
Vulnerable CVE-2015-7703 http://support.ntp.org/bin/view/Main/NtpBug2902
Vulnerable CVE-2015-7705 http://support.ntp.org/bin/view/Main/NtpBug2901
 
Solution:
These issues are being tracked as:

PR 1132181 Junos OS
PR 1133713 ScreenOS
PR 1134729 Junos Space
PR 1144300 / 1134726 CTP OS/CTPView
PR 1134747 JSA-Series (Formerly STRM)
PR 1134760 WLAN
PR 1134789 WX OS

Junos OS
CVE-2015-7703 Not Vulnerable http://support.ntp.org/bin/view/Main/NtpBug2902
CVE-2015-7849 Not Vulnerable http://support.ntp.org/bin/view/Main/NtpBug2916
CVE-2015-7851 Not Vulnerable http://support.ntp.org/bin/view/Main/NtpBug2918
CVE-2015-7854 Not Vulnerable http://support.ntp.org/bin/view/Main/NtpBug2921
CVE-2015-7871 Not Vulnerable http://support.ntp.org/bin/view/Main/NtpBug2941

The following software releases have been updated to resolve the remaining issues: Junos OS 12.1X46-D45, 12.1X46-D50, 12.1X47-D35, 12.3R12, 12.3X48-D25, 13.2X51-D40, 13.3R9, 14.1R3-S9, 14.1R4-S9, 14.1R6-S2, 14.1R7, 14.1X51-D75, 14.1X53-D35, 14.2R6, 15.1F4, 15.1F5, 15.1R3, 15.1X49-D30, 15.1X53-D30, 16.1R1, and all subsequent releases.

ScreenOS
Not Vulnerable

CTP OS/CTPView
Not vulnerable to the remainder of the vulnerabilities announced by NTP.org.

WXOS
Not Vulnerable

JSA-Series (Formerly STRM)
CVE-2015-7848 Not Vulnerable
CVE-2015-7849 Not Vulnerable
CVE-2015-7851 Not Vulnerable
CVE-2015-7853 Not Vulnerable
CVE-2015-7854 Not Vulnerable
CVE-2015-7855 Not Vulnerable
CVE-2015-7871 Not Vulnerable

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.

Additional PRs and outstanding CVEs, platforms and products are still being reviewed.

This section will be updated as additional fixes for the vulnerabilities are available.
Workaround:
Juniper has previously published JSA10613 and JSA10663 to mitigate attacks and exploits against NTP. To mitigate the risk of NTP exploits, customers should read and follow the workaround sections of these JSAs.

To mitigate these exploits:
  • Authenticate with only trusted higher-stratum servers, e.g. if your stratum is 10, authenticate to only trusted stratum 0 - 9 servers.
  • Limit the attack surface by implementing firewall filters to only accept NTP authentication messages from trusted servers.
  • Some evidence exists that retrieving time services from non-NTP.org NTP-based servers may mitigate these currently disclosed risks, but this is not guaranteed.
  • Layering time services using alternate protocols such as PTPv2 (Precision Time Protocol v2), with intrusion detection systems and firewall filters externally and PTP gatewayed to NTP-required services internally, may potentially mitigate risk, but this is not guaranteed.
If your NTP server is a high-level stratum (e.g. stratum 0 or 1) open NTP server, no known workaround exists.

Additional JSA-Series (Formerly STRM), and QRadar mitigation:
This will not affect any functionality of QRadar, as QRadar does not use the NTP service. It is recommended to save a backup of the ntp.conf file in /tmp and then apply the following mitigations:
1. Disable NTP autokey authentication by removing, or commenting out, all configuration directives beginning with the 'crypto' keyword in your ntp.conf file.
2. Disable remote runtime configuration with ntpq or ntpdc. In the default NTP configuration on Red Hat Enterprise Linux, runtime configuration with ntpq or ntpdc is limited to localhost.
3. Do not add the "limited" configuration option to any restrict lines in the ntp.conf file.
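
A read-only check for the three ntp.conf mitigations listed above, as an added example that is not part of Juniper's advisory. It assumes step 2 maps to the nomodify, noquery or ignore flags on non-loopback restrict lines; the function name, finding labels and sample file are constructed for illustration.

```python
import ipaddress

# Assumption: any of these restrict flags stops ntpq/ntpdc from
# reconfiguring the daemon for the matching address (step 2).
BLOCKS_RUNTIME_CONFIG = {"nomodify", "noquery", "ignore"}

# Constructed sample ntp.conf, not taken from a real appliance.
SAMPLE = "\n".join([
    "# constructed sample",
    "driftfile /var/lib/ntp/drift",
    "restrict default kod nomodify notrap nopeer noquery",
    "restrict -6 default kod limited nomodify notrap nopeer noquery",
    "restrict 127.0.0.1",
    "restrict -6 ::1",
    "restrict 192.0.2.0 mask 255.255.255.0 notrap",
    "crypto pw examplepw",
    "#crypto randfile /dev/urandom",
])

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:            # "default", "source" or a hostname
        return addr == "localhost"

def audit_ntp_conf(text):
    """Return (line_number, finding, directive) for each violated step."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()   # strip comments
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), tokens[1:]
        directive = " ".join(tokens)
        if keyword == "crypto":                 # step 1: autokey still on
            findings.append((number, "autokey-enabled", directive))
        elif keyword == "restrict":
            if args and args[0] in ("-4", "-6"):
                args = args[1:]
            if not args:
                continue
            flags = {a.lower() for a in args[1:]}
            if "limited" in flags:              # step 3
                findings.append((number, "limited-flag", directive))
            if not _is_loopback(args[0]) and not flags & BLOCKS_RUNTIME_CONFIG:
                findings.append((number, "remote-runtime-config", directive))  # step 2
    return findings

if __name__ == "__main__":
    for number, finding, directive in audit_ntp_conf(SAMPLE):
        print(f"line {number}: {finding}: {directive}")
```

An empty result means none of the three conditions was found; commented-out directives are ignored, matching the "removing, or commenting out" wording of step 1.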

Customers are urged to apply the updates as they become available and follow the Solution section.
 
Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

 
Modification History:

2015-10-23: Initial publication
2015-10-30: Updated current research for known non-vulnerable and vulnerable CVEs, additional PR details added.
2015-11-02: Added Boston University CVE-2015-5300 detail.
2015-11-04: Added ScreenOS not vulnerable detail.
2015-11-13: Added WXOS not vulnerable detail.
2015-11-25: Updated investigation for CTPOS/CTPView. 2 of 13 NTP.Org vulnerabilities are applicable.  Boston University CVE-2015-5300 still under investigation.
2015-11-28: CTPOS/CTPView is vulnerable to CVE-2015-5300.
2016-03-16: Updated JSA-Series (Formerly STRM) problem, solution and workaround sections with most recent details.  Boston University CVE-2015-5300 still under investigation.
 

Related Links:
CVSS Score:
7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"