The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p2.
It is, therefore, affected by the following vulnerabilities :
The symmetric-key feature in the receive() function requires a correct message authentication code (MAC) only if the MAC field has a nonzero length. A man-in-the-middle attacker can exploit this to spoof packets by omitting the MAC. (CVE-2015-1798)
A flaw exists in the symmetric-key feature in the receive() function when handling a specially crafted packet sent to one of two hosts that are peering with each other. An attacker can exploit this to cause the next attempt by the servers to synchronize to fail.
(CVE-2015-1799)
A flaw exists in util/ntp-keygen.c due to the way that the ntp-keygen utility generates MD5 symmetric keys on big-endian systems. A remote attacker can exploit this to more easily guess MD5 symmetric keys and thereby spoof an NTP server or client. (CVE-2015-3405)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(83744);
script_version("1.11");
script_cvs_date("Date: 2019/11/22");
script_cve_id(
"CVE-2015-1798",
"CVE-2015-1799",
"CVE-2015-2781",
"CVE-2015-3405"
);
script_bugtraq_id(73950, 73951, 74045);
script_xref(name:"CERT", value:"374268");
script_name(english:"Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p2 Multiple Vulnerabilities");
script_summary(english:"Checks for a vulnerable NTP server.");
script_set_attribute(attribute:"synopsis", value:
"The remote NTP server is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p2.
It is, therefore, affected by the following vulnerabilities :
- The symmetric-key feature in the receive() function
requires a correct message authentication code (MAC)
only if the MAC field has a nonzero length. A
man-in-the-middle attacker can exploit this to spoof
packets by omitting the MAC. (CVE-2015-1798)
- A flaw exists in the symmetric-key feature in the
receive() function when handling a specially crafted
packet sent to one of two hosts that are peering with
each other. An attacker can exploit this to cause the
next attempt by the servers to synchronize to fail.
(CVE-2015-1799)
- A flaw exists in util/ntp-keygen.c due to the way that
the ntp-keygen utility generates MD5 symmetric keys on
big-endian systems. A remote attacker can exploit this
to more easily guess MD5 symmetric keys and thereby
spoof an NTP server or client. (CVE-2015-3405)");
script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/SecurityNotice");
# http://support.ntp.org/bin/view/Main/SecurityNotice#April_2015_NTP_Security_Vulnerab
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9fd24f37");
script_set_attribute(attribute:"see_also", value:"http://bugs.ntp.org/show_bug.cgi?id=2797");
script_set_attribute(attribute:"solution", value:
"Upgrade to NTP version 4.2.8p2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-3405");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/30");
script_set_attribute(attribute:"patch_publication_date", value:"2015/04/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/21");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ntp:ntp");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ntp_open.nasl");
script_require_keys("NTP/Running", "Settings/ParanoidReport");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# Make sure NTP server is running
get_kb_item_or_exit('NTP/Running');
app_name = "NTP Server";
port = get_kb_item("Services/udp/ntp");
if (!port) port = 123;
version = get_kb_item_or_exit("Services/ntp/version");
if (version == 'unknown') audit(AUDIT_UNKNOWN_APP_VER, app_name);
match = pregmatch(string:version, pattern:"([0-9a-z.]+)");
if (isnull(match) || empty_or_null(match[1])) audit(AUDIT_UNKNOWN_APP_VER, app_name);
# Paranoia check
if (report_paranoia < 2) audit(AUDIT_PARANOID);
ver = match[1];
verfields = split(ver, sep:".", keep:FALSE);
major = int(verfields[0]);
minor = int(verfields[1]);
if ('p' >< verfields[2])
{
revpatch = split(verfields[2], sep:"p", keep:FALSE);
rev = int(revpatch[0]);
patch = int(revpatch[1]);
}
else
{
rev = verfields[2];
patch = 0;
}
# This vulnerability affects NTP 3.x / 4.x < 4.2.8p2
if (
(major < 4 && major >= 3) ||
(major == 4 && minor < 2) ||
(major == 4 && minor == 2 && rev < 8) ||
(major == 4 && minor == 2 && rev == 8 && patch < 2)
)
{
fix = "4.2.8p2";
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
report =
'\n Installed version : ' + version +
'\n Fixed version : ' + fix +
'\n';
security_report_v4(
port : port,
proto : "udp",
extra : report,
severity : SECURITY_WARNING
);
exit(0);
bugs.ntp.org/show_bug.cgi?id=2797
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2781
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3405
support.ntp.org/bin/view/Main/SecurityNotice
www.nessus.org/u?9fd24f37