Cisco IOS XR NCS 6000 Multiple ntpd Vulnerabilities

2015-03-18T00:00:00
ID CISCO-SN-CSCUS27229-IOSXR.NASL
Type nessus
Reporter Tenable
Modified 2018-08-09T00:00:00

Description

The remote Cisco device is running a version of IOS XR software that is affected by the following vulnerabilities :

  • Errors exist related to weak cryptographic pseudorandom number generation (PRNG), the functions 'ntp_random' and 'config_auth', and the 'ntp-keygen' utility. A man-in-the-middle attacker can exploit these to disclose sensitive information. (CVE-2014-9293, CVE-2014-9294)

  • Multiple stack-based buffer overflow errors exist in the Network Time Protocol daemon (ntpd), which a remote attacker can exploit to execute arbitrary code or cause a denial of service by using a specially crafted packet. (CVE-2014-9295)

  • An error exists in the 'receive' function in the Network Time Protocol daemon (ntpd) that allows denial of service attacks. (CVE-2014-9296)

                                        
                                            #TRUSTED 678186886bc0a0f9b8f570cf6176b9b608e55e0a7d4335a3764f48180f4a47f1282d46d308127357cba0b32e61bdc9b229ee2c407be21d293f45c8a3090a15f859c31cb5672dad1325981a75c01cd1ff5e33f609a6f345af73236cdc8a8993d3e0d680ba6611417ed3c5b70ce56fec60e6f13a34bb0801042e149b9d5f99889916ec5dd0358fe5af6f77fd7c71359a6c46309921db320b4c4600bf641486bbf4bb7c2924b96a718d8cfe594e7572ad56ca5716c0dc6a9d10c458aaef03013229bdd1cb74c6be870d54a99b71124261d5dd0c2895f608df18274612448f3ae6dc8c3cbf903c6277831e08377144317f2753adb2d1f74966acb391b8909f4ff140c7a922301eefc390324b9f22d5f26021c8891b73a06b448d148481fc79ee8a0d7d6037f785a4336660f966d87b7bfe55eaf4a43153ca0c803ec2fd027b80b8498aa9721baf4c08cdd9a847c7990f6cd77c01804271dd1a5414b8a887d29fd814e64bfc36630227cf3c6717ea5c30cf0d5667700a1175ce04a05949e5cae83e76585b438ee9ec091269ae33f9349d21f48210dd7beac8194609b5c90c402118c226bbfbe0548cdb5a455bec5b05b605557f0c2c09ababb972f0cd617aa68be47420d02e0a1bba516bd0b01207e33a99d21499fe7a855ebcd01458774dd76e9b5bf08590d541dd45070fd47f1357245af858388ff0775fce3eea6e27d4941ba74a
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set the script only records its
# metadata (IDs, references, text, risk vector, dependencies) and exits. The
# detection logic itself is the code outside this block.
if (description)
{
  script_id(81913);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/09");

  # The four ntpd CVEs this plugin reports together; the check below does not
  # distinguish between them, it reports one finding for the whole set.
  script_cve_id(
    "CVE-2014-9293",
    "CVE-2014-9294",
    "CVE-2014-9295",
    "CVE-2014-9296"
  );
  script_bugtraq_id(71757, 71758, 71761, 71762);
  script_xref(name:"CERT", value:"852879");
  # Cisco bug ID that the solution text and the report output both refer to.
  script_xref(name:"CISCO-BUG-ID", value:"CSCus27229");

  script_name(english:"Cisco IOS XR NCS 6000 Multiple ntpd Vulnerabilities");
  script_summary(english:"Checks the IOS XR version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco device is running a version of IOS XR software that
is affected by the following vulnerabilities :

  - Errors exist related to weak cryptographic pseudorandom
    number generation (PRNG), the functions 'ntp_random' and
    and 'config_auth', and the 'ntp-keygen' utility. A
    man-in-the-middle attacker can exploit these to disclose
    sensitive information. (CVE-2014-9293, CVE-2014-9294)

  - Multiple stack-based buffer overflow errors exist in the
    Network Time Protocol daemon (ntpd), which a remote
    attacker can exploit to execute arbitrary code or cause
    a denial of service by using a specially crafted packet.
    (CVE-2014-9295)

  - An error exists in the 'receive' function in the Network
    Time Protocol daemon (ntpd) that allows denial of
    service attacks. (CVE-2014-9296)");
  # The first see_also value is a shortened link; the line below records the
  # vendor advisory it is meant to stand for.
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79cfbf7f");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/534319");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch or workaround referenced in Cisco bug ID
CSCus27229.");
  # CVSS v2 vector: network reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability (base 7.5).
  # One vector is recorded for all four CVEs.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/18");

  # plugin_type "local": the verdict is derived from version and model data
  # already stored in the knowledge base, not from probing the NTP service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  # The IOS XR version key is written by cisco_ios_xr_version.nasl; without it
  # this plugin does not run.
  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  # Registration ends here; nothing below runs in this mode.
  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Inputs from the knowledge base. The script exits here if no IOS XR version
# was recorded. `override` is raised later when the NTP state could not be
# read for lack of enable privileges.
version  = get_kb_item_or_exit("Host/Cisco/IOS-XR/Version");
override = FALSE;

# Model gate: only NCS 6000 series devices (NCS6K / NCS6008) are in scope.
# Two sources are tried. "CISCO/model" is matched against an anchored,
# case-sensitive pattern; if it is absent, the IOS-XR model string is searched
# for either product token (the script exits if that key is missing too).
# NOTE(review): the pattern accepts "ncs"/"Ncs"/"NCS" but only a lowercase
# "6k", while the fallback looks for uppercase "NCS6K" - confirm against the
# model strings actually written to each key.
model = get_kb_item("CISCO/model");
if (!model)
{
  model = get_kb_item_or_exit("Host/Cisco/IOS-XR/Model");
  affected_model = ("NCS6K" >< model || "NCS6008" >< model);
}
else
  affected_model = (model =~ "^cisco([Nn]cs|NCS)(6008|6k)");

if (!affected_model) audit(AUDIT_HOST_NOT, "an affected model");

# Release gate.
# Per the Cisco bug page, "5.2.4.BASE" is in the "Known Affected" list, so the
# recorded version must equal 5.2.4 exactly. This is a plain string comparison:
# every other release, older or newer, is audited out as not vulnerable.
# NOTE(review): the bug page is the only source cited here; confirm against the
# current vendor advisory whether other releases are affected as well.
affected_release = "5.2.4";
if (version != affected_release)
  audit(AUDIT_INST_VER_NOT_VULN, 'Cisco IOS XR', version);

# Optional configuration check, done only when local checks are enabled:
# read "show ntp status" and drop the finding if NTP is clearly switched off.
#
# Reporting consequences worth knowing when triaging results:
#  - Without local checks the NTP state is never examined and the host is
#    reported on model and version alone.
#  - If the output is unusable and the cause is missing enable privileges,
#    `override` is set so the report can carry a caveat.
#  - If the output is unusable for any other reason, `override` stays FALSE and
#    the finding is reported as if the NTP state had been verified.
#
# NOTE(review): the KB key is spelled "show_ntp_staus"; it is kept exactly as
# written - presumably it is only a cache name for the command output, confirm
# before renaming.
local_checks = get_kb_item("Host/local_checks_enabled");
if (!isnull(local_checks))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_ntp_staus", "show ntp status");

  if (!check_cisco_result(buf))
  {
    if (cisco_needs_enable(buf)) override = TRUE;
  }
  else
  {
    # "Not enabled" must be stated explicitly AND no trace of a running NTP
    # process (poll interval or clock state line) may appear in the output.
    ntp_reported_off = ("%NTP is not enabled." >< buf);
    ntp_traces       = ("system poll" >< buf || "Clock is" >< buf);

    if (ntp_reported_off && !ntp_traces)
      audit(AUDIT_HOST_NOT, "affected because NTP is not enabled.");
  }
}

# Report the finding on port 0. With verbosity above zero the bug ID and the
# installed release are included; in every case the text returned by
# cisco_caveat(override) is appended.
report = '';
if (report_verbosity > 0)
{
  report =
    '\n  Cisco bug IDs     : CSCus27229' +
    '\n  Installed release : ' + version +
    '\n';
}
security_hole(port:0, extra:report + cisco_caveat(override));