Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2015-10 Out of Cycle Security Bulletin: announcement of multiple vulnerabilities.



Article ID: JSA10711 SECURITY_ADVISORIES Last Updated: 27 Aug 2018Version: 18.0
Product Affected:
This issue can affect any product or platform running's NTP daemon.
Problem: published a security advisory for thirteen vulnerabilities in NTP software and Boston University published CVE-2015-5300 on Oct 21st, 2015. These vulnerabilities may allow remote unauthenticated attackers to cause Denial(s) of Service(s), disruption of service(s) by modification of time stamps being issued by the NTP server from malicious NTP crafted packets, including maliciously crafted NTP authentication packets and disclosure of information.  This can impact DNS services, as well as certificate chains, such as those used in SSL/https communications and allow attackers to maliciously inject invalid certificates as valid which clients would accept as valid.

Junos OS

Vulnerable CVE-2015-7704 and CVE-2015-7705
Vulnerable CVE-2015-7853
NTP is not enabled in Junos by default. When NTP is enabled within the [edit system ntp] hierarchy level of the Junos configuration Junos OS may be impacted by these vulnerabilities.
If unwanted NTP requests come into a Junos device, the NTP process may process these requests as valid NTP incoming packets.

On the SRX Series platform, NTP requests coming in from security zones to the firewall self-traffic are dropped by default unless the 'host-inbound-traffic' for 'protocol ntp' is explicitly enabled.


Vulnerable CVE-2015-7871
Vulnerable CVE-2015-7852
Vulnerable CVE-2015-5300

These issues have been assigned CVE-2015-7871 CVE-2015-7855 CVE-2015-7854 CVE-2015-7853 CVE-2015-7852 CVE-2015-7851 CVE-2015-7850 CVE-2015-7849 CVE-2015-7848 CVE-2015-7701 CVE-2015-7703 CVE-2015-7704 CVE-2015-7705 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5300.

JSA-Series (Formerly STRM)
Vulnerable CVE-2015-5196
Vulnerable CVE-2015-7691
Vulnerable CVE-2015-7692
Vulnerable CVE-2015-7701
Vulnerable CVE-2015-7702
Vulnerable CVE-2015-7703
Vulnerable CVE-2015-7705
These issues are being tracked as:

PR 1132181 Junos OS
PR 1133713 ScreenOS
PR 1134729 Junos Space
PR 1144300 / 1134726 CTP OS/CTPView
PR 1134747 JSA-Series (Formerly STRM)
PR 1134760 WLAN
PR 1134789 WX OS

Junos OS
CVE-2015-7703 Not Vulnerable
CVE-2015-7849 Not Vulnerable
CVE-2015-7851 Not Vulnerable
CVE-2015-7854 Not Vulnerable
CVE-2015-7871 Not Vulnerable

The following software releases have been updated to resolve the remaining issues: Junos OS 12.1X46-D45, 12.1X46-D50, 12.1X47-D35, 12.3R12, 12.3X48-D25, 13.2X51-D40, 13.3R9, 14.1R3-S9, 14.1R4-S9, 14.1R6-S2, 14.1R7, 14.1X51-D75, 14.1X53-D35, 14.2R6, 15.1F4, 15.1F5, 15.1R3, 15.1X49-D30, 15.1X53-D30, 16.1R1, and all subsequent releases.

Not Vulnerable

Not vulnerable to remainder of NTP.Org announced vulnerabilities.

Not Vulnerable

JSA-Series (Formerly STRM)
CVE-2015-7848 Not Vulnerable
CVE-2015-7849 Not Vulnerable
CVE-2015-7851 Not Vulnerable
CVE-2015-7853 Not Vulnerable
CVE-2015-7854 Not Vulnerable
CVE-2015-7855 Not Vulnerable
CVE-2015-7871 Not Vulnerable

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Additional PRs and outstanding CVE's, platforms and products are still being reviewed.

This section will be updated as additional fixes for the vulnerabilities are available.
Juniper has published JSA10613 and JSA10663 previously to mitigate attacks and exploits against NTP.  To mitigate risk of NTP exploits, customers should read and follow the workaround sections of these JSA's.

To mitigate these exploits:
  • Authenticate with only trusted higher-stratum servers e.g. if your stratum is 10, authenticate to only trusted stratum 0 - 9 servers.
  • Limit the attack surface by implementing firewall filters to only accept NTP authentication messages from trusted servers.
  • Some evidence exists that retrieval of time services from NTP-based servers may mitigate these currently-disclosed risks, but is not guaranteed.
  • Enabling layered approaches to time services using alternate protocols such as PTPv2 (Precision Time Protocol v2) with intrusion detection systems and firewall filters externally and gatewaying PTP to NTP-required services internally may potentially mitigate risk, but is not guaranteed.
If your NTP server is a high level stratum; e.g. stratum 0 or 1; open NTP server, no known workarounds exists.

Additional JSA-Series (Formerly STRM), and QRadar mitigation:
This will not affect any functionality of QRadar as QRadar does not use the NTP service. It is recommended to save a backup of the file: ntp.conf on /tmp and then apply the following mitigations:
1. Disable NTP autokey authentication by removing, or commenting out, all configuration directives beginning with the 'crypto' keyword in your ntp.conf file.
2. Disable remote runtime configuration with ntpq or ntpdc. In the default NTP configuration on Red Hat Enterprise Linux, runtime configuration with ntpq or ntpdc is limited to localhost.
3. Do not add the "limited" configuration option to any restrict lines in the ntp.conf file.

Customers are urged to apply the updates as they become available and follow the Solution section.
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
Modification History:

2015-10-23: Initial publication
2015-10-30: Updated current research for known non-vulnerable and vulnerable CVE's, additional PR details added.
2015-11-02: Added Boston University CVE-2015-5300 detail.
2015-11-04: Added ScreenOS not vulnerable detail.
2015-11-13: Added WXOS not vulnerable detail.
2015-11-25: Updated investigation for CTPOS/CTPView. 2 of 13 NTP.Org vulnerabilities are applicable.  Boston University CVE-2015-5300 still under investigation.
2015-11-28: CTPOS/CTPView is vulnerable to CVE-2015-5300.
2016-03-16: Updated JSA-Series (Formerly STRM) problem, solution and workaround sections with most recent details.  Boston University CVE-2015-5300 still under investigation.

CVSS Score:
7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)
Severity Level:
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search