Hello, Does anyone know if Juniper has issued a patched version of JunOS for the following vulnerabilities in ntpd ?
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295 Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. (1) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_crypto_recv (2) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_ctl_putdata (3) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_configure Buffer overflows (2) and (3) have no mitigation except upgrading ntp to 4.2.8 or filtering ntp packets. (1) depends on having "crypto ..." directives in ntp.conf. ntpd on JunOS 11.4 seems to be based on ntpd 4.2.0 and is likely vulnerable. $strings ntpd |grep ntpd.4 ntpd 4.2.0-a Fri Mar 1 08:50:44 UTC 2013 (1) -- Jean BENOIT Université de Strasbourg _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp