The remote Red Hat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

- ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution (CVE-2018-12327)
- An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. (CVE-2016-1547)
- A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim’s clock. (CVE-2016-1549)
- An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key. (CVE-2016-1550)
- The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. (CVE-2016-4954)
- ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. (CVE-2016-4955)
- ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. (CVE-2016-4956)
- NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address. (CVE-2016-7426)
- NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use. (CVE-2016-7429)
- The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. (CVE-2016-9310)
- ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted packet. (CVE-2016-9311)
- Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device. (CVE-2017-6462)
- NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option. (CVE-2017-6463)
- NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive. (CVE-2017-6464)
- ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim’s clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. (CVE-2018-7170)
- Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks. (CVE-2019-11331)
- ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)
- ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim’s ntpd instance. (CVE-2020-13817)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

The CVSS vectors carried by the plugin below are taken from CVE-2018-12327 (see cvss_score_source), which is an overflow in the ntpq and ntpdc command-line clients triggered by an over-long command-line argument rather than by traffic to ntpd. The other issues in the list are mainly denial-of-service and clock-manipulation bugs in ntpd reachable over UDP/123, most of them requiring unauthenticated associations, open mode 6/trap access or broadcast/autokey modes; CVE-2017-6462 is local (a crafted /dev/datum device) and CVE-2019-11331 is a protocol-level weakness in RFC 5905 rather than an ntpd bug. Since no vendor fix will ship for RHEL 5, the remaining controls are configuration (restrict lines, keyed sources, no broadcast or autokey) and network exposure of port 123.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory ntp. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196527);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-1547",
    "CVE-2016-1549",
    "CVE-2016-1550",
    "CVE-2016-4954",
    "CVE-2016-4955",
    "CVE-2016-4956",
    "CVE-2016-7426",
    "CVE-2016-7429",
    "CVE-2016-9310",
    "CVE-2016-9311",
    "CVE-2017-6462",
    "CVE-2017-6463",
    "CVE-2017-6464",
    "CVE-2018-7170",
    "CVE-2018-12327",
    "CVE-2019-11331",
    "CVE-2020-11868",
    "CVE-2020-13817"
  );

  script_name(english:"RHEL 5 : ntp (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution
    (CVE-2018-12327)

  - An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and
    earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim
    client with a spoofed source address of an existing associated peer. This is true even if authentication
    is enabled. (CVE-2016-1547)

  - A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the
    clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec
    3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a
    victim's clock. (CVE-2016-1549)

  - An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4
    and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to
    attempt to recover the message digest key. (CVE-2016-1550)

  - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to
    cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP
    addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
    (CVE-2016-4954)

  - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of
    service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2)
    a packet with an incorrect MAC value at a certain time. (CVE-2016-4955)

  - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode
    transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2016-1548. (CVE-2016-4956)

  - NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all
    associations is enabled, which allows remote attackers to cause a denial of service (prevent responses
    from the sources) by sending responses with a spoofed source address. (CVE-2016-7426)

  - NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source,
    which allows remote attackers to cause a denial of service (prevent communication with a source) by
    sending a response for a source to an interface the source does not use. (CVE-2016-7429)

  - The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or
    unset traps via a crafted control mode packet. (CVE-2016-9310)

  - ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of
    service (NULL pointer dereference and crash) via a crafted packet. (CVE-2016-9311)

  - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10
    and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.
    (CVE-2017-6462)

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service
    (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.
    (CVE-2017-6463)

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd
    crash) via a malformed mode configuration directive. (CVE-2017-6464)

  - ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private
    symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for
    CVE-2016-1549. (CVE-2018-7170)

  - Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port
    number is not required, which makes it easier for remote attackers to conduct off-path attacks.
    (CVE-2019-11331)

  - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated
    synchronization via a server mode packet with a spoofed source IP address, because transmissions are
    rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)

  - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service
    (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The
    victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can
    query time from the victim's ntpd instance. (CVE-2020-13817)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12327");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'ntp', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'ntp'}
    ]
  }
];

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ntp');
}
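The plugin above fires on nothing more than "the ntp package is installed on a RHEL 5 host"; it never inspects the daemon or its configuration, and there is no fixed version to compare against. The following script is an added example (not Tenable's plugin code and not part of any Red Hat advisory) that reproduces that gate locally and then audits ntp.conf for the settings the listed CVEs depend on: open mode 6/trap access (CVE-2016-9310, CVE-2016-9311, CVE-2020-13817), ephemeral peering (CVE-2016-1549, CVE-2018-7170), runtime :config (CVE-2017-6463, CVE-2017-6464), broadcast and autokey modes (CVE-2016-4956, CVE-2016-4955) and unauthenticated sources (CVE-2020-11868, CVE-2020-13817). It assumes POSIX sh with grep and sed; the hardened baseline and the weak configuration it ships are constructed for illustration, and the 192.0.2.x addresses are from the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example, not part of the Tenable plugin above. Reproduces what the plugin
# tests (ntp package present on a RHEL 5 host; it never talks to the daemon), then
# audits ntp.conf for the settings the listed CVEs depend on. POSIX sh, grep, sed.

# Plugin OS gate: release string reads "Red Hat Enterprise Linux ... release 5[.x]".
is_rhel5() {
  grep -Eq 'Red Hat Enterprise Linux.*release 5(\.[0-9]+)?( |$)' "$1"
}

# ntp.conf minus comments, blank lines and repeated whitespace, so the checks
# below can match single-space-separated tokens.
normalize_conf() {
  sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" \
    | grep -v '^$' || true
}

# Count one finding when the normalized config ($body) matches extended regex $1.
flag_if_matches() {
  if printf '%s\n' "$body" | grep -q -E "$1"; then
    echo "$2"
    findings=$((findings + 1))
  fi
}

# Audit an ntp.conf: one finding per output line, return value = number of
# findings (0 means nothing flagged).
audit_ntp_conf() {
  body=$(normalize_conf "$1")
  findings=0
  # Mode 6/7 control and trap packets (CVE-2016-9310, CVE-2016-9311, the query step
  # of CVE-2020-13817) need noquery/notrap; nopeer blocks the Sybil associations
  # (CVE-2016-1549, CVE-2018-7170); nomodify blocks runtime :config (CVE-2017-6463/6464).
  defaults=$(printf '%s\n' "$body" | grep -E '^restrict (-4 |-6 )?default( |$)' || true)
  if [ -z "$defaults" ]; then
    echo "no 'restrict default' line: queries, traps and peering open to every address"
    findings=$((findings + 1))
  else
    while IFS= read -r line; do
      case " $line " in *" ignore "*) continue ;; esac
      for flag in noquery notrap nopeer nomodify; do
        case " $line " in
          *" $flag "*) ;;
          *) echo "'$line' lacks $flag"; findings=$((findings + 1)) ;;
        esac
      done
    done <<EOF
$defaults
EOF
  fi
  flag_if_matches '^(broadcast|multicast|manycast)client( |$)' "broadcast/multicast client: time accepted from spoofed broadcast packets (CVE-2016-4956)"
  flag_if_matches '^crypto( |$)' "crypto (Autokey) enabled: spoofed crypto-NAK clears peer variables (CVE-2016-4955)"
  flag_if_matches '^trap ' "trap directive: trap service enabled, crafted packet crashes ntpd (CVE-2016-9311)"
  # Sources without a symmetric key: CVE-2020-11868/CVE-2020-13817 need unauthenticated
  # associations (CVE-2016-1547 works even with a key). Refclocks 127.127.x.x are skipped.
  unauth=$(printf '%s\n' "$body" | grep -E '^(server|peer) ' \
    | grep -v '^server 127\.127\.' | grep -v -E ' key [0-9]+( |$)' || true)
  if [ -n "$unauth" ]; then
    echo "unauthenticated source(s): $(printf '%s' "$unauth" | tr '\n' ';')"
    findings=$((findings + 1))
  fi
  return $findings
}

# Baseline the audit accepts: closed default restriction, loopback control, keyed source.
hardened_baseline() {
  cat <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
keys /etc/ntp/keys
trustedkey 1
server 192.0.2.10 key 1
EOF
}

# Constructed weak configuration for comparison, not taken from any real host.
weak_example() {
  cat <<'EOF'
restrict default nomodify    # queries, traps and peering still allowed
server 0.rhel.pool.ntp.org   # no key: spoofable
broadcastclient
trap 127.0.0.1
EOF
}

# Live run on the host (sh ntp_precheck.sh --live); exit status = number of findings.
main() {
  is_rhel5 /etc/redhat-release || { echo "not RHEL 5: the plugin would audit out"; return 0; }
  nvr=$(rpm -q ntp 2>/dev/null) || { echo "ntp not installed: the plugin reports nothing"; return 0; }
  echo "$nvr on RHEL 5: every CVE above stays unpatched; auditing /etc/ntp.conf"
  audit_ntp_conf /etc/ntp.conf && echo "ntp.conf: nothing flagged"
}
if [ "${1:-}" = "--live" ]; then main; fi
```

Run with `--live` on the host itself; without the flag only the functions are defined, so the file can be sourced to audit a copied ntp.conf (`audit_ntp_conf /path/to/ntp.conf`). The weak example yields six findings (three missing restrict flags, the broadcast client, the trap directive and the unkeyed server); the baseline yields none. Authentication narrows the list but does not close it: CVE-2016-1547 is stated above to work even with authentication enabled, and the DPTS refclock overflow (CVE-2017-6462) and the ntpq/ntpdc client overflow (CVE-2018-12327) are not configuration issues at all, so limiting who can reach UDP/123 and who can run the client tools remains the only remaining control on an unpatched host.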
Vendor | Product | Version | CPE
---|---|---|---
redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5
redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6
redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7
redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8
redhat | enterprise_linux | ntp (package name, not a version) | p-cpe:/a:redhat:enterprise_linux:ntp
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13817