Re: [j-nsp] ntpd vulnerability
On Wed, Dec 24, 2014 at 01:30:15PM +0200, Ivan Ivanov wrote:
> On Tue, Dec 23, 2014 at 5:01 PM, Jean Benoit j...@unistra.fr wrote:
> > Does anyone know if Juniper has issued a patched version of JunOS
> > for the following vulnerabilities in ntpd?
>
> Check this out!
>
> https://prsearch.juniper.net/InfoCenter/index?page=prcontentid=PR931184

Though the PR was updated recently, the vulnerability description does not match the issue I am worrying about. The description refers to the 1 year old NTP amplification attack based on the ntp monlist command (CVE-2013-5211). CVE-2014-9295 is a completely unrelated issue. Of course, the same mitigation technique could be applied (filtering the source address).

By the way, Cisco acknowledged the vulnerability exists, but hasn't issued any fix as of December 29:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

--
Jean Benoit
Université de Strasbourg
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] ntpd vulnerability
Hi,

Check this out!

https://prsearch.juniper.net/InfoCenter/index?page=prcontentid=PR931184

HTH,
Ivan

On Tue, Dec 23, 2014 at 5:01 PM, Jean Benoit j...@unistra.fr wrote:
> Hello,
>
> Does anyone know if Juniper has issued a patched version of JunOS
> for the following vulnerabilities in ntpd?
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
>
> Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8
> allow remote attackers to execute arbitrary code via a crafted packet,
> related to (1) the crypto_recv function when the Autokey Authentication
> feature is used, (2) the ctl_putdata function, and (3) the configure
> function.
>
> (1) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_crypto_recv
> (2) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_ctl_putdata
> (3) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_configure
>
> Buffer overflows (2) and (3) have no mitigation except upgrading ntp
> to 4.2.8 or filtering ntp packets. (1) depends on having crypto ...
> directives in ntp.conf.
>
> ntpd on JunOS 11.4 seems to be based on ntpd 4.2.0 and is likely
> vulnerable.
>
> $ strings ntpd | grep ntpd.4
> ntpd 4.2.0-a Fri Mar 1 08:50:44 UTC 2013 (1)
>
> --
> Jean BENOIT
> Université de Strasbourg

--
Best Regards!
Ivan Ivanov

[j-nsp] ntpd vulnerability
Hello,

Does anyone know if Juniper has issued a patched version of JunOS for the following vulnerabilities in ntpd?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.

(1) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_crypto_recv
(2) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_ctl_putdata
(3) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_configure

Buffer overflows (2) and (3) have no mitigation except upgrading ntp to 4.2.8 or filtering ntp packets. (1) depends on having crypto ... directives in ntp.conf.

ntpd on JunOS 11.4 seems to be based on ntpd 4.2.0 and is likely vulnerable.

$ strings ntpd | grep ntpd.4
ntpd 4.2.0-a Fri Mar 1 08:50:44 UTC 2013 (1)

--
Jean BENOIT
Université de Strasbourg
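
The two checks described in the message above (banner version older than 4.2.8, and crypto directives in ntp.conf) can be scripted for triage. This is an added example, not part of the original thread; the function names and the sample ntp.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage ntpd against CVE-2014-9295.

# Extract x.y.z from banner text on stdin, e.g. from: strings ntpd | grep ntpd.4
ntpd_version() {
    sed -n 's/.*ntpd \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 when version $1 is older than 4.2.8 (the fixed release),
# 1 when it is 4.2.8 or later, 2 when it is not in x.y.z form.
before_428() {
    printf '%s\n' "$1" | awk -F. '
        NF != 3 { exit 2 }
        { exit !(($1 < 4) || ($1 == 4 && $2 < 2) || ($1 == 4 && $2 == 2 && $3 < 8)) }'
}

# Exit 0 when config file $1 has an active (uncommented) "crypto" directive,
# the precondition the post gives for overflow (1) in crypto_recv.
uses_autokey() {
    grep -Eq '^[[:space:]]*crypto([[:space:]]|$)' "$1"
}

# Print a one-line verdict for banner string $1 and ntp.conf path $2.
triage() {
    ver=$(printf '%s\n' "$1" | ntpd_version)
    if [ -z "$ver" ]; then
        echo "unknown: no ntpd version in banner"
    elif ! before_428 "$ver"; then
        echo "ok: ntpd $ver is 4.2.8 or later"
    elif uses_autokey "$2"; then
        echo "exposed: ntpd $ver, overflows (1)(2)(3); upgrade or filter NTP"
    else
        echo "exposed: ntpd $ver, overflows (2)(3); upgrade or filter NTP"
    fi
}

# Constructed sample: the banner quoted in the post plus a minimal ntp.conf
# whose only crypto line is commented out.
conf=$(mktemp)
printf 'server 192.0.2.1\n# crypto pw example\n' > "$conf"
triage 'ntpd 4.2.0-a Fri Mar 1 08:50:44 UTC 2013 (1)' "$conf"
rm -f "$conf"
```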