SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Embedded Server/Appliance)  >   Nokia IPSO Vendors:   Check Point
(Check Point Issues Advisory for Check Point IPSO) NTP Uses Weak Default Encryption Key and Weak RNG Seed
SecurityTracker Alert ID:  1031454
SecurityTracker URL:  http://securitytracker.com/id/1031454
CVE Reference:   CVE-2014-9293, CVE-2014-9294   (Links to External Site)
Date:  Dec 25 2014
Impact:   Disclosure of system information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Two vulnerabilities were reported in NTP. A remote user can access and modify data. Check Point IPSO is affected.

A remote user with the ability to conduct a man-in-the-middle attack can obtain encrypted data and decrypt it.

When no auth key is specified in the configuration file, the system generates a 31-bit key using a weak randomization function [CVE-2014-9293]. Versions prior to 4.2.7p11 [January 2010] are affected.

Neel Mehta of the Google Security Team reported this vulnerability.

The system uses a week seed for ntp-keygen to genearte symmetric keys [CVE-2014-9294]. Versions prior to 4.2.7p230 are affected [Nov 2011].

Stephen Roettger of the Google Security Team reported this vulnerability.

Impact:   A remote user can access and modify data.
Solution:   Check Point IPSO is affected in specific scenarios.

Check Point has issued mitigation instructions for Check Point IPSO.

The Check Point advisory is available at:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103825

Cause:   Access control error

Message History:   This archive entry is a follow-up to the message listed below.
Dec 20 2014 NTP Uses Weak Default Encryption Key and Weak RNG Seed



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC