Check Point response to NTP vulnerabilities (CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296)
Symptoms
  • Google Security Team researchers Neel Mehta and Stephen Roettger have exposed multiple vulnerabilities in the Network Time Protocol (NTP):
    https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

  • Gaia OS:
    • Out-of-the-box (NTP is disabled) is not vulnerable.
    • Even if NTP was enabled with default configuration (setting Time and Date automatically using NTP), R77.20 is not vulnerable.
    • Vulnerable to CVE-2014-9293, CVE-2014-9294 and CVE-2014-9295 in specific scenarios.
    • Not vulnerable to CVE-2014-9296.
  • SecurePlatform OS is not vulnerable.

  • Gaia Embedded OS is not vulnerable (600 / 1100 / 1200R / Security Gateway 80 appliances).

  • Edge / Safe@Office devices are not vulnerable.

  • IPSO OS:

  • X-Series XOS:
    • Out-of-the-box (NTP is disabled) is not vulnerable.
    • Even if NTP was enabled with default configuration (setting Time and Date automatically using NTP), it is not vulnerable.
    • Vulnerable to CVE-2014-9293, CVE-2014-9294 and CVE-2014-9295 in specific scenarios.
    • Not vulnerable to CVE-2014-9296.
Solution

Table of Contents:

  • Mitigation procedures for Gaia OS
  • Mitigation procedures for IPSO OS
  • Mitigation procedures for X-Series XOS
  • Related solutions
  • Related manual pages
  • Revision History

 

Mitigation procedures for Gaia OS for CVE-2014-9293, CVE-2014-9294 and CVE-2014-9295

  • If Gaia OS is configured only as NTP Client (on R77.10 and lower)

    Affected Gaia OS versions: R75.40 / R75.40VS / R75.40VS for 61000 / R75.45 / R75.46 / R75.47 / R76 / R76SP for 61000 / R76SP.10 for 61000 / R77 and R77.10. Starting in R77.20, default NTP configuration is not vulnerable (setting Time and Date automatically using NTP).

    • Mitigation procedure for Open Servers / Check Point appliances

      1. Backup the current NTPD configuration file:

        [Expert@HostName]# cp /etc/ntp.conf /etc/ntp.conf_ORIGINAL

      2. Edit the current NTPD configuration file:

        [Expert@HostName]# vi /etc/ntp.conf

      3. Add / edit the following lines:

        restrict default ignore
        restrict -6 default ignore
        restrict 127.0.0.1
        restrict -6 ::1
        driftfile /var/lib/ntp/ntp.drift
        
      4. For every configured NTP Server, add the following lines:

        • If it is IPv4 or Host name:

          server [IPv4 address or Host name of NTP server] version [version number 1...4] iburst

          restrict [IPv4 address or Host name of NTP server] nomodify notrap nopeer noquery

        • If it is IPv6:

          server -6 [IPv6 address of NTP server] version 4 iburst

          restrict -6 [IPv6 address of NTP server] nomodify notrap nopeer noquery


      5. Save the changes in the file and exit from Vi editor.

      6. After making all the changes in the /etc/ntp.conf file, you have to write-protect it from being overwritten by Gaia OS daemon (confd).

        Add the Linux file system 'immutable' attribute:
        
        [Expert@HostName]# lsattr /etc/ntp.conf
        [Expert@HostName]# chattr +i /etc/ntp.conf
        [Expert@HostName]# lsattr /etc/ntp.conf
        
        

        Notes:

        • If any changes in NTP configuration are made in Gaia Clish / Gaia Portal after write-protecting the /etc/ntp.conf file, they will not be saved in this file - these changes will be saved only in Gaia database. This will result in inconsistency between the real NTP configuration in the /etc/ntp.conf file and the NTP configuration in Gaia database.

        • To remove the write-protection, remove the Linux file system 'immutable' attribute:
          
          [Expert@HostName]# lsattr /etc/ntp.conf
          [Expert@HostName]# chattr -i /etc/ntp.conf
          [Expert@HostName]# lsattr /etc/ntp.conf
          
          
      7. Restart the NTPD process:

        [Expert@HostName]# dbset process:ntpd
        [Expert@HostName]# dbset process:ntpd t
        
      8. Check the NTP synchronization:

        [Expert@HostName]# ntpq -pn
        [Expert@HostName]# ntpstat
        


    • Mitigation procedure for 61000 / 41000 Security Systems

      Required changes in the NTP configuration will be added to the sk103121 - Data Center Security Appliances R76SP.10 - Jumbo Hotfix Accumulator.


  • If Gaia OS is configured as NTP Server

    Important Note: Such configuration is not supported (refer to sk32027).

    Gaia OS should be configured as NTP Client only.



  • If Gaia OS is configured to use NTP Autokey Authentication

    Important Note: This is not the default configuration.

    Affected Gaia OS versions: R75.40 / R75.40VS / R75.40VS for 61000 / R75.45 / R75.46 / R75.47 / R76 / R76SP for 61000 / R76SP.10 for 61000 / R77 / R77.10 and R77.20

    Mitigation procedure:

    Check Point recommends not configuring Gaia OS with NTP Autokey Authentication (remove all 'crypto' and other related directives from the /etc/ntp.conf file).

    If such configuration is required, then contact Check Point Support to get a Hotfix for this issue.
    A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
    For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

 

Mitigation procedures for IPSO OS for CVE-2014-9293, CVE-2014-9294 and CVE-2014-9295

  • If IPSO OS is configured only as NTP Client

    1. Backup the current NTPD configuration file:

      HostName[admin]# cp /var/etc/ntp.conf /var/etc/ntp.conf_ORIGINAL

    2. Edit the current NTPD configuration file:

      HostName[admin]# vi /var/etc/ntp.conf

    3. Add / edit the following lines:

      restrict default ignore
      restrict -6 default ignore
      restrict 127.0.0.1
      restrict -6 ::1
      driftfile /var/etc/ntp.drift
      
    4. For every configured NTP Server, add the following lines:

      • If it is IPv4 or Host name:

        server [IPv4 address or Host name of NTP server] version [version number 1...4] iburst

        restrict [IPv4 address or Host name of NTP server] nomodify notrap nopeer noquery

      • If it is IPv6:

        server -6 [IPv6 address of NTP server] version 4 iburst

        restrict -6 [IPv6 address of NTP server] nomodify notrap nopeer noquery


    5. Save the changes in the file and exit from Vi editor.

    6. After making all the changes in the /var/etc/ntp.conf file, you have to write-protect it from being overwritten by IPSO OS.

      Add the IPSO file system 'immutable' attribute:
      
      HostName[admin]# ls -lo /var/etc/ntp.conf
      HostName[admin]# chflags schg,uchg /var/etc/ntp.conf
      HostName[admin]# ls -lo /var/etc/ntp.conf
      
      

      Notes:

      • If any changes in NTP configuration are made in IPSO Clish / IPSO Voyager after write-protecting the /var/etc/ntp.conf file, they will not be saved in this file - these changes will be saved only in IPSO database. This will result in inconsistency between the real NTP configuration in the /var/etc/ntp.conf file and the NTP configuration in IPSO database.

      • To remove the write-protection, remove the IPSO file system 'immutable' attribute:
        
        HostName[admin]# ls -lo /var/etc/ntp.conf
        HostName[admin]# chflags noschg,nouchg /var/etc/ntp.conf
        HostName[admin]# ls -lo /var/etc/ntp.conf
        
        
    7. Restart the NTPD process:

      HostName[admin]# dbset process:ntpd
      HostName[admin]# dbset process:ntpd t
      
    8. Check the NTP synchronization:

      HostName[admin]# ntpq -pn
      

    Related solution: sk41502 (How to adjust the polling interval in NTP on IP appliances)
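The Gaia and IPSO procedures above both produce the same hardened ntp.conf shape: a default "ignore" policy, loopback allowed, and one "server"/"restrict ... nomodify notrap nopeer noquery" pair per upstream server. The following shell functions are an added example (not Check Point's own tooling) that render that file for a list of servers, choosing the "-6" form for IPv6 literals, and check an existing ntp.conf for the same properties; the driftfile path is passed in because it differs between Gaia (/var/lib/ntp/ntp.drift) and IPSO (/var/etc/ntp.drift), and NTP version 4 is assumed for every server.

```shell
#!/bin/sh
# Added example, not Check Point's own script: render and check the hardened
# ntp.conf from the Gaia and IPSO procedures. Assumes NTP version 4 for every
# server; the driftfile path is an argument (Gaia: /var/lib/ntp/ntp.drift,
# IPSO: /var/etc/ntp.drift).

# Global block: drop every packet not explicitly allowed, keep loopback usable.
ntp_conf_header() {
    printf '%s\n' \
        'restrict default ignore' \
        'restrict -6 default ignore' \
        'restrict 127.0.0.1' \
        'restrict -6 ::1' \
        "driftfile $1"
}

# Per-server pair of lines. A literal containing ':' is treated as IPv6 and
# gets the "-6" form; anything else is written as IPv4 or a host name.
ntp_conf_server() {
    case "$1" in
        *:*) printf 'server -6 %s version 4 iburst\n' "$1"
             printf 'restrict -6 %s nomodify notrap nopeer noquery\n' "$1" ;;
        *)   printf 'server %s version 4 iburst\n' "$1"
             printf 'restrict %s nomodify notrap nopeer noquery\n' "$1" ;;
    esac
}

# Render the full file: driftfile path first, then one or more servers.
ntp_conf_render() {
    drift="$1"; shift
    ntp_conf_header "$drift"
    for srv in "$@"; do ntp_conf_server "$srv"; done
}

# Check an ntp.conf: both default policies must be "ignore", and every server
# line needs a restrict line for the same host carrying nomodify and noquery.
# Returns 0 when the file passes, 1 otherwise.
ntp_conf_check() {
    grep -q '^restrict default ignore$' "$1" || return 1
    grep -q '^restrict -6 default ignore$' "$1" || return 1
    awk '
        $1 == "server"   { h = ($2 == "-6") ? $3 : $2; want[h] = 1 }
        $1 == "restrict" { h = ($2 == "-6") ? $3 : $2
                           if ($0 ~ /nomodify/ && $0 ~ /noquery/) have[h] = 1 }
        END { for (h in want) if (!(h in have)) exit 1 }
    ' "$1"
}
```

Run ntp_conf_check against the live /etc/ntp.conf (Gaia) or /var/etc/ntp.conf (IPSO) after step 6 to confirm no server was left without its restrict line before setting the immutable attribute.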



  • If IPSO OS is configured as NTP Server

    Important Note: This is not the default configuration.

    Check Point recommends not configuring IPSO OS as NTP Server (it should be configured as NTP Client only).

    No hotfix is possible for such configuration.

    Related solution: sk41502 (How to adjust the polling interval in NTP on IP appliances)



  • If IPSO OS is configured to use NTP Autokey Authentication

    Important Note: This is not the default configuration.

    Check Point recommends not configuring IPSO OS with NTP Autokey Authentication (remove all 'crypto' and other related directives from the /var/etc/ntp.conf file).

    If such configuration is required, then contact Check Point Support to get a Hotfix for this issue.
    A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
    For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

    Related solution: sk41502 (How to adjust the polling interval in NTP on IP appliances)

 

Mitigation procedures for X-Series XOS for CVE-2014-9293, CVE-2014-9294 and CVE-2014-9295


Revision History


Date Description
16 June 2015
  • Updated mitigation procedure for "NTP Server" on Gaia OS (such configuration is not supported)
03 Apr 2015
  • Updated mitigation procedure for "NTP Server" on IPSO OS (no hotfix is possible)
27 Jan 2015
  • Updated mitigation procedure for "NTP Client" on Gaia OS
  • Updated mitigation procedure for "NTP Client" on IPSO OS
13 Jan 2015
  • Updated the status of X-Series XOS vulnerability.
  • Added mitigation procedure for X-Series XOS.
24 Dec 2014
  • Updated the status of Gaia Embedded OS vulnerability.
  • Updated the status of Edge / Safe@Office devices vulnerability.
  • Added mitigation procedure for IPSO OS.
23 Dec 2014
  • Updated mitigation procedure for "NTP Client" on 61000 / 41000 Security Systems.
22 Dec 2014
  • Updated the status of Gaia OS vulnerability to CVE-2014-9293 and CVE-2014-9294.
  • Updated the list of affected Gaia OS versions (in the "Mitigation procedures" section).
  • Updated mitigation procedure for "NTP Client" to include IPv6.
  • Rephrased Check Point recommendation for "NTP Server" scenario.
  • Rephrased Check Point recommendation for "NTP Autokey Authentication" scenario.
21 Dec 2014
  • First release of this document.
