openvas · Copyright (C) 2016 Greenbone AG · OPENVAS:1361412562310106405
History · Jun 03, 2016 - 12:00 a.m.

NTP.org 'ntpd' 4.2.8p6 - 4.2.8p8, 4.3.90 - 4.3.93 Multiple Vulnerabilities (Nov 2016)

2016-06-03 00:00:00
Copyright (C) 2016 Greenbone AG
plugins.openvas.org
16

4.3 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.1 Medium

AI Score

Confidence

High

3.3 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:N/I:N/A:P

0.01 Low

EPSS

Percentile

83.4%

# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# CPE identifier for NTP.org ntpd. The check code after the description block
# passes it to get_app_port() / get_app_full() to look up the detected
# instance (presumably recorded by the detection scripts named in
# script_dependencies below).
CPE = "cpe:/a:ntp:ntp";

# Description block: runs only when the scanner evaluates the script with the
# `description` flag set. It registers metadata and exits; no host is touched.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.106405");
  script_version("2024-02-23T14:36:45+0000");
  # Two CVEs are covered by this single version check; see "insight" below.
  script_cve_id("CVE-2016-7428", "CVE-2016-7427");
  script_tag(name:"last_modification", value:"2024-02-23 14:36:45 +0000 (Fri, 23 Feb 2024)");
  # NOTE(review): creation_date is Jun 2016 while the title refers to a
  # "Nov 2016" advisory; treat the creation date with care when triaging.
  script_tag(name:"creation_date", value:"2016-06-03 11:18:33 +0700 (Fri, 03 Jun 2016)");
  # Both the CVSS v2 and v3 vectors are AV:A (adjacent network) with an
  # availability-only impact, matching the broadcast-domain precondition
  # described in "insight". The scores are taken from NVD (severity_origin).
  script_tag(name:"cvss_base", value:"3.3");
  script_tag(name:"cvss_base_vector", value:"AV:A/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2019-01-24 11:29:00 +0000 (Thu, 24 Jan 2019)");
  script_name("NTP.org 'ntpd' 4.2.8p6 - 4.2.8p8, 4.3.90 - 4.3.93 Multiple Vulnerabilities (Nov 2016)");
  # Information-gathering category: the check compares version strings only.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2016 Greenbone AG");
  script_family("General");
  # Scheduled after the two ntpd detection scripts, and only when they have
  # set the "ntpd/version/detected" knowledge-base key.
  script_dependencies("ntp_open.nasl", "gb_ntp_detect_lin.nasl");
  script_mandatory_keys("ntpd/version/detected");

  script_xref(name:"URL", value:"https://www.kb.cert.org/vuls/id/633847");

  script_tag(name:"summary", value:"NTP.org's reference implementation of NTP server, ntpd, is prone to
  multiple vulnerabilities.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  # Both issues share one precondition: the attacker can place packets on the
  # NTP broadcast domain. The stated effect is that ntpd rejects broadcast
  # packets from legitimate servers, while the crafted packets are logged.
  script_tag(name:"insight", value:"NTP.org's ntpd is prone to multiple vulnerabilities:

  - The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is
  accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode
  replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can
  periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being
  logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.
  (CVE-2016-7427)

  - The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is
  accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode
  poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each
  broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before
  the poll interval specified in the preceding broadcast packet expires. An attacker with access to the NTP
  broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while
  being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.
  (CVE-2016-7428)");

  # NOTE(review): "remote" here should be read together with the AV:A vectors
  # above and the insight text: the attacker needs access to the broadcast
  # domain, not merely network reachability from anywhere.
  script_tag(name:"impact", value:"A remote unauthenticated attacker may be able to perform a denial of
  service on ntpd.");

  script_tag(name:"affected", value:"NTPd version 4.2.8p6 up to 4.2.8p8, 4.3.90 up to 4.3.93.");

  script_tag(name:"solution", value:"Update to version 4.2.8p9, 4.3.94 or later.");

  # The QoD type marks this as a version/banner-based result. A finding means
  # the detected version is in an affected range; it does not show that the
  # host actually processes broadcast mode packets. Confirm the ntpd
  # configuration on the host before prioritising remediation.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("version_func.inc");
include("revisions-lib.inc");
include("host_details.inc");

# Port on which ntpd was detected for this CPE; without one there is nothing
# to evaluate.
port = get_app_port(cpe: CPE);
if (isnull(port))
  exit(0);

# Version, install location and protocol of the detected instance.
# exit_no_version: TRUE is passed so a detection without a version string is
# not evaluated (per the parameter name; see host_details.inc).
infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE);
if (!infos)
  exit(0);

version = infos["version"];
location = infos["location"];
proto = infos["proto"];

# Each affected branch is a half-open range: first affected release
# (inclusive) up to the fixed release (exclusive). revcomp() is used for the
# comparisons against the "p"-suffixed patch levels.
fix = NULL;
if (revcomp(a: version, b: "4.2.8p6") >= 0 && revcomp(a: version, b: "4.2.8p9") < 0)
  fix = "4.2.8p9";
else if (revcomp(a: version, b: "4.3.90") >= 0 && revcomp(a: version, b: "4.3.94") < 0)
  fix = "4.3.94";

# Version-only finding: it reports installed vs. fixed version and says
# nothing about whether broadcast mode is in use on the host.
if (!isnull(fix)) {
  report = report_fixed_ver(installed_version: version, fixed_version: fix, install_path: location);
  security_message(port: port, proto: proto, data: report);
  exit(0);
}

# Detected version lies outside both affected ranges.
exit(99);
