-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0145
        Multiple vulnerabilities in NTP affect Check Point Gaia OS
                             23 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Checkpoint Gaia
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Existing Account      
                      Denial of Service               -- Remote/Unauthenticated
                      Provide Misleading Information  -- Existing Account      
                      Reduced Security                -- Existing Account      
Resolution:           Mitigation
CVE Names:            CVE-2014-9296 CVE-2014-9295 CVE-2014-9294
                      CVE-2014-9293  
Member content until: Thursday, January 22 2015

OVERVIEW

        Check Point advises multiple vulnerabilities in NTP affect GAiA OS 
        versions R75.40, R75.40VS, R75.40VS for 61000, R75.45, R75.46, R75.47,
        R76, R76SP for 61000, R76SP.10 for 61000, R77 and R77.10, when:
        
        1. Gaia OS is configured only as a NTP Client
        2. Gaia OS is configured as a NTP Server
        3. Gaia OS is configured to use NTP Autokey Authentication.[1]


IMPACT

        Checkpoint references the ICS-CERT advisory, ICSA-14-353-01, 
        for details regarding the vulnerabilities:
        
        "CVE-2014-9293: If the authentication key is not set in the 
        configuration file, ntpd will generate a weak random key with 
        insufficient entropy.
        
        CVE-2014-9294: Prior to NTP-4.2.7p230 ntp-keygen used a weak seed 
        to prepare a random number generator. The random numbers produced 
        were then used to generate symmetric keys.
        
        CVE-2014-9295: A remote attacker can send a carefully crafted 
        packet that can overflow a stack buffer and potentially allow 
        malicious code to be executed with the privilege level of the ntpd 
        process.
        
        CVE-2014-9296: In the NTP code, a section of code is missing a 
        return, and the resulting error indicates processing did not stop. 
        This indicated a specific rare error occurred, which does not appear
        to affect system integrity. All NTP Version 4 releases before 
        Version 4.2.8 are vulnerable".[2]


MITIGATION

        Checkpoint advises users with vulnerable configurations of NTP to 
        apply appropriate mitigation procedures.[1]


REFERENCES

        [1] Check Point response to NTP vulnerabilities (CVE-2014-9293,
            CVE-2014-9294, CVE-2014-9295)
            https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103825&src=securityAlerts

        [2] Advisory (ICSA-14-353-01) Network Time Protocol Vulnerabilities
            https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVJj+uhLndAQH1ShLAQKvWQ/9HW47q//z2Qw5XGYM3UeChlBfeNHFDdd6
h0zRyl373GLkBtovvpXG7wXaJ26mLtpwct8P2My+UFuKhq4V3+JOiEQpFn7g8o+R
grq1OcuFjJI+otWT2B4IBl/jxYMTEHd4tFo+OMm15R5DZWPtU1eBbm2jMvx0TsA7
diDh4tzfDGNlV9SyQAUb52NjYHwQhKI1dBsGQLb9pCEUjEsMm1lR+UtSwTOEeS0T
TcW7qleIEJQovvWjL+/T8IB09f34H6HBb2FDNHwLl1oESIhJoQO5fX2A8tAuSass
9RBifSS33UBvTfNdWQk1JqPpyeAk+/jvsFGNoITo6ldmAhdBA+aleKMLit+px3Oh
ZYUnYH2sEB4INhwXmJs5x9RFT2nUOGQjNzgXm+pQiUivxtx0nTVg91YL3w+uGoFF
OojyoJIURjk3Ip1y9XmW7CbinDUjoeF1YcquC9AEsr+CetNhqFO7zRqOVn5Q0KnK
ssVNABA9sRDdK+A9UosrIuQngklN7YxtiQpybIvqN3Y/2HOWRQQXbId7930XXggH
MKFfBh5Wk4Ji92qNWRKG+3Jn7/9peFm/2XX5MSeHDVA3UOnZ2fYFdkfTRwDKN8Lb
8q87zncidS8xxzUMMbHc2M+c+Psk4MXXCBgxA/F3lgaYB1XrDNgDu7Dk8gJxAzgT
SGCaPjpxqyc=
=Pa+N
-----END PGP SIGNATURE-----