Debian DSA-3108-1 : ntp - security update

2014-12-23T00:00:00
ID DEBIAN_DSA-3108.NASL
Type nessus
Reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2014-12-23T00:00:00

Description

Several vulnerabilities were discovered in the ntp package, an implementation of the Network Time Protocol.

  • CVE-2014-9293 ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities).

  • CVE-2014-9294 The ntp-keygen utility generated weak MD5 keys with insufficient entropy.

  • CVE-2014-9295 ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code.

  • CVE-2014-9296 The general packet processing function in ntpd did not handle an error case correctly.

The default ntpd configuration in Debian restricts access to localhost (and possibly the adjacent network in case of IPv6).

Keys explicitly generated by 'ntp-keygen -M' should be regenerated.

                                        
                                            #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3108. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration pass: when the script is run with `description` set, it only
# declares its metadata (identifiers, advisory text, scoring, scheduling
# requirements) and exits. No host data is read inside this block.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(80208);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  # Cross-references: the four CVEs named in the advisory text below, the
  # Bugtraq IDs, and the Debian advisory number.
  script_cve_id("CVE-2014-9293", "CVE-2014-9294", "CVE-2014-9295", "CVE-2014-9296");
  script_bugtraq_id(71757, 71761, 71762);
  script_xref(name:"DSA", value:"3108");

  script_name(english:"Debian DSA-3108-1 : ntp - security update");
  # The summary states the detection method: this is a package-version check
  # on dpkg output, not a probe of a running ntpd.
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  # Advisory text (per the file header, extracted from DSA-3108). Note its last
  # sentence: keys made with 'ntp-keygen -M' should be regenerated. That step
  # is separate from installing the package, and the version comparison in
  # this plugin does not look at key material.
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities were discovered in the ntp package, an
implementation of the Network Time Protocol.

  - CVE-2014-9293
    ntpd generated a weak key for its internal use, with
    full administrative privileges. Attackers could use this
    key to reconfigure ntpd (or to exploit other
    vulnerabilities).

  - CVE-2014-9294
    The ntp-keygen utility generated weak MD5 keys with
    insufficient entropy.

  - CVE-2014-9295
    ntpd had several buffer overflows (both on the stack and
    in the data section), allowing remote authenticated
    attackers to crash ntpd or potentially execute arbitrary
    code.

  - CVE-2014-9296
    The general packet processing function in ntpd did not
    handle an error case correctly.

The default ntpd configuration in Debian restricts access to localhost
(and possible the adjacent network in case of IPv6).

Keys explicitly generated by 'ntp-keygen -M' should be regenerated."
  );
  # Reference links: the Debian bug report, one security-tracker entry per
  # CVE, the wheezy source package page, and the advisory itself.
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-9293"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-9294"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-9295"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-9296"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/ntp"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2014/dsa-3108"
  );
  # Remediation text. The fixed version named here is the same string the
  # package checks after this block compare against.
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the ntp packages.

For the stable distribution (wheezy), these problems have been fixed
in version 1:4.2.6.p5+dfsg-2+deb7u1."
  );
  # CVSS v2 base vector: network-reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  # NOTE(review): Au:N differs from the "remote authenticated attackers"
  # wording used for CVE-2014-9295 in the description; one vector covers all
  # four CVEs, presumably the highest-scoring one. Confirm per CVE before
  # using it for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal vector: exploitability unproven, official fix available, report
  # confirmed. This matches the two exploit attributes set next.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin type: findings come from data collected on the host (see
  # the required KB keys below), not from network behaviour.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ntp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Scheduling: declares a dependency on ssh_get_info.nasl and requires three
  # KB items. Presumably ssh_get_info.nasl is what populates the Host/* keys
  # from an authenticated session; verify against that script.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  # End of the registration pass; the checks after this block are not reached.
  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions for a local package check. Each guard hands control to
# audit() with a specific reason code when its KB item is missing or empty,
# so a host that could not be inspected is reported as "not checked" rather
# than being treated as patched.

# Local (credentialed) checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The host must have been identified as Debian.
if (!get_kb_item("Host/Debian/release"))
  audit(AUDIT_OS_NOT, "Debian");

# The dpkg package listing must have been collected.
if (!get_kb_item("Host/Debian/dpkg-l"))
  audit(AUDIT_PACKAGE_LIST_MISSING);


# Compare the installed ntp binary packages against the fixed wheezy build.
# deb_check() comes from debian_package.inc (not shown here); presumably it is
# true when the installed package is older than `reference` - confirm there.
# Only release "7.0" is passed, so this plugin does not assess other Debian
# releases.
fixed_version = "1:4.2.6.p5+dfsg-2+deb7u1";
flag = 0;
foreach pkg (make_list("ntp", "ntp-doc", "ntpdate"))
{
  if (deb_check(release:"7.0", prefix:pkg, reference:fixed_version)) flag++;
}

# No package was flagged: record the host as not affected.
# NOTE(review): this is a version comparison only. It says nothing about
# whether ntpd was restarted after the upgrade or whether keys made with
# 'ntp-keygen -M' were regenerated, as the advisory text asks.
if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  # At least one package was flagged. Attach the text from deb_report_get()
  # when the scan's report verbosity asks for it, otherwise raise the bare
  # finding on port 0.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}