Product Affected:Junos OS, NSM Series devices, NSMXpress and NSM server software.
Problem:NTP.org has published a security advisory for six vulnerabilities resolved in ntpd (NTP daemon) that have been assigned four CVE IDs. In the worst case, some of these issues may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition. CVE CVSS v2 base score Summary CVE-2014-9295 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Three stack-based buffer overflows in ntpd. CVE-2014-9293 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) When an auth key is not configured ntpd generates a weak default key. CVE-2014-9294 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) The ntp-keygen utility in NTP before 4.2.7p230 create cryptographically weak symmetric keys. CVE-2014-9296 0.0 (AV:N/AC:L/Au:N/C:N/I:N/A:N) ntpd continues to execute after detecting a certain authentication error. This issue has an unknown impact. Vulnerable Products: Junos OS: Junos is confirmed to be vulnerable to CVE-2014-9294, CVE-2014-9296, and one of the three buffer overflow issues covered by CVE-2014-9295 in all versions of Junos OS. CVE-2014-9295 is only exploitable on systems where NTP server is enabled within the [edit system ntp] hierarchy level. CVE-2014-9296 is also specific to NTP server functionality, but is not considered exploitable. CVE-2014-9294 is only applicable when ntp-keygen is used to generate symmetric keys. NSM: All versions of NSM software, NSMXpress and NSM Series Appliances are vulnerable to these issues if the “Automatically Sync Time” option (under Time Server settings in the Web UI) is checked. This is off by default. NSM server software installed on generic Linux or Solaris servers may require NTP fixes from the respective server OS vendor. Products not vulnerable: ScreenOS is not vulnerable. The NTP module in ScreenOS was designed and coded by Juniper Networks. It is not based on ntpd from NTP Project. Pulse Secure (IC/MAG/SA, etc.) products are not vulnerable. The Pulse Secure products do not include NTP server functionality and are therefore not vulnerable to these issues. As new information becomes available on products that are not listed above, this document will be updated.
Solution:This section will be updated when fixes for the vulnerabilities are available.
Workaround:Junos OS: Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) will protect against any remote malicious attacks against NTP. Customers who have already applied the workaround described in JSA10613 are already protected against any remote exploitation of these vulnerabilities. Refer to the Workaround section of JSA10613 for specific applicable mitigation techniques.NSM: Turning off NTP daemon by unchecking the “Automatically Sync Time” option (under Time Server settings in Web UI) should completely mitigate these issues.
Implementation: Modification History: 2015-01-05: Initial release.2015-01-08: Confirmed that CVE-2014-9294 and CVE-2014-9296 also apply to Junos.
Related Links: CVSS Score:7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Assessment:These issues may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition