REDHAT_UNPATCHED-NTP-RHEL5.NASL (Nessus plugin)
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
Published: May 11, 2024

RHEL 5 : ntp (Unpatched Vulnerability)

www.tenable.com
Tags: rhel 5, ntp, unpatched vulnerabilities, denial of service, code execution, buffer overflow, crypto nak, spoofed address, authentication, remote attackers, daemon crash

AI Score: 8.3 (High), Confidence: High
EPSS: 0.089 (Low), Percentile: 94.6%

The remote Red Hat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution (CVE-2018-12327)

  • An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. (CVE-2016-1547)

  • A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim’s clock. (CVE-2016-1549)

  • An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key. (CVE-2016-1550)

  • The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. (CVE-2016-4954)

  • ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. (CVE-2016-4955)

  • ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. (CVE-2016-4956)

  • NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address. (CVE-2016-7426)

  • NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use. (CVE-2016-7429)

  • The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. (CVE-2016-9310)

  • ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted packet. (CVE-2016-9311)

  • Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device. (CVE-2017-6462)

  • NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option. (CVE-2017-6463)

  • NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive. (CVE-2017-6464)

  • ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim’s clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. (CVE-2018-7170)

  • Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks. (CVE-2019-11331)

  • ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)

  • ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim’s ntpd instance. (CVE-2020-13817)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory ntp. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196527);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-1547",
    "CVE-2016-1549",
    "CVE-2016-1550",
    "CVE-2016-4954",
    "CVE-2016-4955",
    "CVE-2016-4956",
    "CVE-2016-7426",
    "CVE-2016-7429",
    "CVE-2016-9310",
    "CVE-2016-9311",
    "CVE-2017-6462",
    "CVE-2017-6463",
    "CVE-2017-6464",
    "CVE-2018-7170",
    "CVE-2018-12327",
    "CVE-2019-11331",
    "CVE-2020-11868",
    "CVE-2020-13817"
  );

  script_name(english:"RHEL 5 : ntp (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution
    (CVE-2018-12327)

  - An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and
    earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim
    client with a spoofed source address of an existing associated peer. This is true even if authentication
    is enabled. (CVE-2016-1547)

  - A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the
    clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec
    3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a
    victim's clock. (CVE-2016-1549)

  - An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4
    and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to
    attempt to recover the message digest key. (CVE-2016-1550)

  - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to
    cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP
    addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
    (CVE-2016-4954)

  - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of
    service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2)
    a packet with an incorrect MAC value at a certain time. (CVE-2016-4955)

  - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode
    transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2016-1548. (CVE-2016-4956)

  - NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all
    associations is enabled, which allows remote attackers to cause a denial of service (prevent responses
    from the sources) by sending responses with a spoofed source address. (CVE-2016-7426)

  - NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source,
    which allows remote attackers to cause a denial of service (prevent communication with a source) by
    sending a response for a source to an interface the source does not use. (CVE-2016-7429)

  - The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or
    unset traps via a crafted control mode packet. (CVE-2016-9310)

  - ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of
    service (NULL pointer dereference and crash) via a crafted packet. (CVE-2016-9311)

  - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10
    and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.
    (CVE-2017-6462)

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service
    (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.
    (CVE-2017-6463)

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd
    crash) via a malformed mode configuration directive. (CVE-2017-6464)

  - ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private
    symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for
    CVE-2016-1549. (CVE-2018-7170)

  - Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port
    number is not required, which makes it easier for remote attackers to conduct off-path attacks.
    (CVE-2019-11331)

  - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated
    synchronization via a server mode packet with a spoofed source IP address, because transmissions are
    rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)

  - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service
    (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The
    victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can
    query time from the victim's ntpd instance. (CVE-2020-13817)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12327");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'ntp', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'ntp'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ntp');
}
Vendor   Product           Version  CPE
redhat   enterprise_linux  5        cpe:/o:redhat:enterprise_linux:5
redhat   enterprise_linux  6        cpe:/o:redhat:enterprise_linux:6
redhat   enterprise_linux  7        cpe:/o:redhat:enterprise_linux:7
redhat   enterprise_linux  8        cpe:/o:redhat:enterprise_linux:8
redhat   enterprise_linux  ntp      p-cpe:/a:redhat:enterprise_linux:ntp
