Hello,
Does anyone know if Juniper has issued a patched version
of JunOS for the following vulnerabilities in ntpd ?
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8
allow remote attackers to execute arbitrary code via a crafted
packet, related to (1) the crypto_recv function when the Autokey
Authentication feature is used, (2) the ctl_putdata function,
and (3) the configure function.
(1)
http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_crypto_recv
(2)
http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_ctl_putdata
(3)
http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_configure
Buffer overflows (2) and (3) have no mitigation except upgrading
ntp to 4.2.8 or filtering ntp packets. (1) depends on having "crypto
..." directives in ntp.conf.
ntpd on JunOS 11.4 seems to be based on ntpd 4.2.0 and is likely
vulnerable.
$strings ntpd |grep ntpd.4
ntpd 4.2.0-a Fri Mar 1 08:50:44 UTC 2013 (1)
--
Jean BENOIT
Université de Strasbourg
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
