nessus | This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof. | NEWSTART_CGSL_NS-SA-2021-0186_NTP.NASL
HistoryOct 27, 2021 - 12:00 a.m.

NewStart CGSL CORE 5.05 / MAIN 5.05 : ntp Vulnerability (NS-SA-2021-0186)

2021-10-27 00:00:00
This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ntp packages installed that are affected by a vulnerability:

  • ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim’s ntpd instance. (CVE-2020-13817)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2021-0186. The text
# itself is copyright (C) ZTE, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration block: when `description` is set, the script only declares its
# metadata (id, CVE, text, CVSS vectors, CPEs, required KB keys) and then
# exits via exit(0) below, so none of the package checks further down run.
if (description)
{
  script_id(154477);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/10/27");

  script_cve_id("CVE-2020-13817");

  script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : ntp Vulnerability (NS-SA-2021-0186)");

  script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ntp packages installed that are affected by a
vulnerability:

  - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service
    (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The
    victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can
    query time from the victim's ntpd instance. (CVE-2020-13817)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # Both vendor references below are plain-HTTP URLs.
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2021-0186");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/info/CVE-2020-13817");
  # The solution text itself warns that fixed packages may not exist yet, so a
  # finding from this plugin does not guarantee that an update can be applied.
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL ntp packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  # CVSS v2 and v3 base/temporal vectors; the score source is declared as
  # CVE-2020-13817. Both base vectors are network-reachable with no
  # confidentiality impact (C:N); v3 rates attack complexity high (AC:H).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-13817");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Timeline as recorded here: vulnerability published 2020/06/04, vendor
  # patch 2021/09/24, plugin 2021/10/27.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/10/27");

  # "local" plugin type: the check works from data gathered on the host (see
  # the required KB keys below), not from probing the NTP service remotely.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # One p-cpe entry per package name for each of CGSL CORE and CGSL MAIN,
  # followed by the two OS CPEs.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:ntp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:ntp-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:ntp-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:ntp-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:ntpdate");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:sntp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:ntp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:ntp-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:ntp-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:ntp-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:ntpdate");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:sntp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_core:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:5");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The KB keys required here are the same ones the check logic reads later;
  # presumably they are populated by ssh_get_info.nasl during a credentialed
  # scan -- confirm against that script.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('rpm.inc');

# Preconditions: each failed check ends in an audit() call with a specific
# reason code, so the order below decides which reason is reported.

# Local checks must be enabled; this plugin has no remote test.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The release string must identify a CGSL MAIN or CGSL CORE system.
var release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');

# Narrow to the two releases this advisory covers.
# NOTE(review): these two patterns are unanchored and the '.' is an unescaped
# regex wildcard, so a release string other than exactly 'CGSL CORE 5.05' or
# 'CGSL MAIN 5.05' could pass here; the package table lookup further down
# uses `release` as an exact key -- confirm the KB value is always one of the
# two exact strings.
if (release !~ "CGSL CORE 5.05" &&
    release !~ "CGSL MAIN 5.05")
  audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');

# Without the collected RPM list there is nothing to compare against.
if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386..i686 are handled; any other architecture is audited
# out as "local checks not implemented" rather than reported clean.
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);

# Counts how many package references rpm_check() flags.
var flag = 0;

# Reference package builds per release. The CORE and MAIN lists are
# identical. The references are 4.2.6p5-29.el7_8.2 distribution builds, while
# the advisory text names upstream 4.2.8p14 as the fixed version, so the
# comparison is against the vendor's package release -- presumably a
# backported fix; confirm with the ZTE advisory.
var pkgs = {
  'CGSL CORE 5.05': [
    'ntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntp-debuginfo-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntp-doc-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntp-perl-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntpdate-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'sntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10'
  ],
  'CGSL MAIN 5.05': [
    'ntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntp-debuginfo-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntp-doc-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntp-perl-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'ntpdate-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10',
    'sntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10'
  ]
};
# Exact-key lookup on the release string.
# NOTE(review): if `release` matched the earlier 5.05 patterns without being
# exactly one of the two keys, pkg_list is presumably NULL and the loop below
# would test nothing, which would surface as "package not installed" rather
# than as an unsupported release -- confirm.
var pkg_list = pkgs[release];

# rpm_check() comes from rpm.inc; presumably it returns true when the
# installed package is older than the reference -- confirm in rpm.inc.
foreach (pkg in pkg_list)
  if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;

# Reporting. A finding is raised on port 0 at SECURITY_WARNING severity with
# the rpm_report_get() output attached. The result rests on package versions
# only: nothing in this script checks whether ntpd is running or whether it
# relies on unauthenticated IPv4 time sources, which the advisory text gives
# as a precondition, so exposure should be confirmed on the host.
if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  # No package flagged: separate "tested and not affected" from "no ntp
  # package was found to test", so the audit trail shows which one applied.
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ntp');
}
Vendor | Product | Version | CPE
zte | cgsl_core | ntp | p-cpe:/a:zte:cgsl_core:ntp
zte | cgsl_core | ntp-debuginfo | p-cpe:/a:zte:cgsl_core:ntp-debuginfo
zte | cgsl_core | ntp-doc | p-cpe:/a:zte:cgsl_core:ntp-doc
zte | cgsl_core | ntp-perl | p-cpe:/a:zte:cgsl_core:ntp-perl
zte | cgsl_core | ntpdate | p-cpe:/a:zte:cgsl_core:ntpdate
zte | cgsl_core | sntp | p-cpe:/a:zte:cgsl_core:sntp
zte | cgsl_main | ntp | p-cpe:/a:zte:cgsl_main:ntp
zte | cgsl_main | ntp-debuginfo | p-cpe:/a:zte:cgsl_main:ntp-debuginfo
zte | cgsl_main | ntp-doc | p-cpe:/a:zte:cgsl_main:ntp-doc
zte | cgsl_main | ntp-perl | p-cpe:/a:zte:cgsl_main:ntp-perl