Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-NTP-RHEL6.NASL
HistoryMay 11, 2024 - 12:00 a.m.

RHEL 6 : ntp (Unpatched Vulnerability)

2024-05-1100:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
2
rhel6
ntp
unpatched
vulnerabilities
denial of service
remote attackers
ntpd
cve-2019-11331
cve-2016-1549
cve-2016-2516
cve-2016-4954
cve-2016-4955
cve-2016-4956
cve-2018-7170
cve-2018-7185
cve-2020-11868
cve-2020-13817
cve-2023-26551
cve-2023-26552

7.3 High

AI Score

Confidence

High

JSON

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • ntp: Using port 123 for modes where a fixed port number is not required facilitates off-path attacks.
    (CVE-2019-11331)

  • A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim’s clock. (CVE-2016-1549)

  • NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.
    (CVE-2016-2516)

  • The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
    (CVE-2016-4954)

  • ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. (CVE-2016-4955)

  • ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. (CVE-2016-4956)

  • ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim’s clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. (CVE-2018-7170)

  • The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the other side of an interleaved association causing the victim ntpd to reset its association.
    (CVE-2018-7185)

  • ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)

  • ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim’s ntpd instance. (CVE-2020-13817)

  • mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write in the cp<cpdec while loop. An adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26551)

  • mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a decimal point. An adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26552)

  • mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when copying the trailing number.
    An adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26553)

  • mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a ‘\0’ character. An adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26554)

  • praecis_parse in ntpd/refclock_palisade.c in NTP 4.2.8p15 has an out-of-bounds write. Any attack method would be complex, e.g., with a manipulated GPS receiver. (CVE-2023-26555)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory ntp. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196526);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-1549",
    "CVE-2016-2516",
    "CVE-2016-4954",
    "CVE-2016-4955",
    "CVE-2016-4956",
    "CVE-2018-7170",
    "CVE-2018-7185",
    "CVE-2019-11331",
    "CVE-2020-11868",
    "CVE-2020-13817",
    "CVE-2023-26551",
    "CVE-2023-26552",
    "CVE-2023-26553",
    "CVE-2023-26554",
    "CVE-2023-26555"
  );

  script_name(english:"RHEL 6 : ntp (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - ntp: Using port 123 for modes where a fixed port number is not required facilitates off-path attacks.
    (CVE-2019-11331)

  - A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the
    clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec
    3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a
    victim's clock. (CVE-2016-1549)

  - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a
    denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.
    (CVE-2016-2516)

  - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to
    cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP
    addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
    (CVE-2016-4954)

  - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of
    service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2)
    a packet with an incorrect MAC value at a certain time. (CVE-2016-4955)

  - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode
    transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2016-1548. (CVE-2016-4956)

  - ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private
    symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of
    ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for
    CVE-2016-1549. (CVE-2018-7170)

  - The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service
    (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the
    other side of an interleaved association causing the victim ntpd to reset its association.
    (CVE-2018-7185)

  - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated
    synchronization via a server mode packet with a spoofed source IP address, because transmissions are
    rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)

  - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service
    (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The
    victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can
    query time from the victim's ntpd instance. (CVE-2020-13817)

  - mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write in the cp<cpdec while loop. An
    adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26551)

  - mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a decimal point. An
    adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26552)

  - mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when copying the trailing number.
    An adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26553)

  - mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a '\0' character. An
    adversary may be able to attack a client ntpq process, but cannot attack ntpd. (CVE-2023-26554)

  - praecis_parse in ntpd/refclock_palisade.c in NTP 4.2.8p15 has an out-of-bounds write. Any attack method
    would be complex, e.g., with a manipulated GPS receiver. (CVE-2023-26555)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11331");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'ntp', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'ntp'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ntp');
}
VendorProductVersionCPE
redhatenterprise_linux5cpe:/o:redhat:enterprise_linux:5
redhatenterprise_linux6cpe:/o:redhat:enterprise_linux:6
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7
redhatenterprise_linux8cpe:/o:redhat:enterprise_linux:8
redhatenterprise_linuxntpp-cpe:/a:redhat:enterprise_linux:ntp

Related

nessus 67
openvas 58
amazon 5
slackware 3
ibm 9
aix 3
photon 1
fedora 10
mageia 3
oraclelinux 1
centos 1
redhat 1
redhatcve 4
cve 3
f5 3
prion 4
suse 8
cisco 1
ubuntucve 2
debiancve 2
cvelist 3
archlinux 2
freebsd_advisory 1
cert 1
freebsd 2
gentoo 1
nessus
nessus
RHEL 7 : ntp (Unpatched Vulnerability)
2024-05-11 00:00:00
EulerOS Virtualization 2.11.1 : ntp (EulerOS-SA-2023-2734)
2024-01-16 00:00:00
EulerOS Virtualization 2.9.1 : ntp (EulerOS-SA-2023-2964)
2024-01-16 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2023-2565)
2023-08-03 00:00:00
Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2023-2765)
2023-09-11 00:00:00
Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2023-2734)
2023-09-11 00:00:00
amazon
amazon
Medium: ntp
2024-01-03 21:04:00
Medium: ntp
2016-08-01 13:30:00
Medium: ntp
2020-07-14 02:38:00
slackware
slackware
[slackware-security] ntp
2023-06-02 21:06:00
[slackware-security] ntp
2016-06-04 00:43:43
[slackware-security] ntp
2018-03-01 23:49:07
ibm
ibm
Security Bulletin: AIX is vulnerable to a denial of service due to NTP (CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554)
2023-10-05 17:11:12
Security Bulletin: IBM QRadar Network Security is affected by Network Time Protocol (NTP) vulnerabilities (CVE-2020-11868, CVE-2020-13817)
2020-11-27 02:34:47
Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities
2021-01-12 10:48:57
aix
aix
AIX is vulnerable to a denial of service due to NTP
2023-10-05 10:43:28
There are vulnerabilities in NTPv4 that affect AIX.
2020-10-26 15:14:11
Vulnerabilities in NTP affect AIX,Vulnerabilities in NTP affect VIOS
2018-08-14 14:48:57
photon
photon
Moderate Photon OS Security Update - PHSA-2023-5.0-0040
2023-06-28 00:00:00
fedora
fedora
[SECURITY] Fedora 23 Update: ntp-4.2.6p5-41.fc23
2016-07-02 19:36:52
[SECURITY] Fedora 22 Update: ntp-4.2.6p5-41.fc22
2016-07-02 19:29:35
[SECURITY] Fedora 24 Update: ntp-4.2.6p5-41.fc24
2016-06-18 19:39:53
mageia
mageia
Updated ntp packages fix security vulnerability
2016-06-08 00:39:50
Updated ntp packages fix security vulnerabilities
2018-04-07 01:54:47
Updated ntp packages fix security vulnerabilities
2016-05-14 00:54:49
oraclelinux
oraclelinux
ntp security update
2020-06-24 00:00:00
centos
centos
ntp, ntpdate, sntp security update
2020-06-23 19:52:57
redhat
redhat
(RHSA-2020:2663) Moderate: ntp security update
2020-06-23 11:08:48
redhatcve
redhatcve
CVE-2016-4956
2016-06-02 13:49:28
CVE-2019-11331
2019-04-26 07:50:17
CVE-2023-26553
2023-04-13 13:31:14
cve
cve
CVE-2016-4956
2016-07-05 01:59:00
CVE-2018-7170
2018-03-06 20:29:00
CVE-2019-11331
2019-04-18 22:29:00
f5
f5
K82570157 : NTP vulnerability CVE-2018-7170
2018-03-19 00:00:00
K64505405 : NTP vulnerability CVE-2016-4956
2016-06-16 00:00:00
K09940637 : NTP vulnerability CVE-2019-11331
2019-07-23 00:00:00
prion
prion
Code injection
2018-03-06 20:29:00
Design/Logic Flaw
2016-07-05 01:59:00
Path traversal
2019-04-18 22:29:00
suse
suse
Security update for ntp (important)
2016-06-17 14:08:38
Security update for ntp (important)
2016-06-15 14:08:23
Security update for ntp (important)
2016-06-20 21:07:55
cisco
cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: June 2016
2016-06-03 16:00:00
ubuntucve
ubuntucve
CVE-2016-4956
2016-07-04 00:00:00
CVE-2018-7170
2018-03-06 00:00:00
debiancve
debiancve
CVE-2016-4956
2016-07-05 01:59:00
CVE-2018-7170
2018-03-06 20:29:00
cvelist
cvelist
CVE-2018-7170
2018-03-06 20:00:00
CVE-2016-4956
2016-07-05 01:00:00
CVE-2019-11331
2019-04-18 21:58:36
archlinux
archlinux
ntp: distributed denial of service amplification
2016-06-04 00:00:00
[ASA-201803-11] ntp: multiple issues
2018-03-16 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:24.ntp
2016-06-04 00:00:00
cert
cert
NTP.org ntpd is vulnerable to denial of service and other vulnerabilities
2016-06-02 00:00:00
freebsd
freebsd
FreeBSD -- Multiple ntp vulnerabilities
2016-06-04 00:00:00
ntp -- multiple vulnerabilities
2018-02-27 00:00:00
gentoo
gentoo
NTP: Multiple vulnerabilities
2020-07-26 00:00:00

7.3 High

AI Score

Confidence

High

JSON
Related for REDHAT_UNPATCHED-NTP-RHEL6.NASL
nessus67openvas58amazon5slackware3ibm9aix3photon1fedora10mageia3oraclelinux1centos1redhat1redhatcve4cve3f53prion4suse8cisco1ubuntucve2debiancve2cvelist3archlinux2freebsd_advisory1cert1freebsd2gentoo1