Test ID:	1.3.6.1.4.1.25623.1.1.1.2.2015.192
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DLA-192-1)
Summary:	The remote host is missing an update for the Debian 'ntp' package(s) announced via the DLA-192-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'ntp' package(s) announced via the DLA-192-1 advisory. Vulnerability Insight: CVE-2015-1798 When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server. Authentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without a MAC. CVE-2015-1799 An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack, described at [link moved to references] . According to the document the NTP authentication is supposed to protect symmetric associations against this attack, but that doesn't seem to be the case. The state variables are updated even when authentication fails and the peers are sending packets with originate timestamps that don't match the transmit timestamps on the receiving side. ntp-keygen on big endian hosts Using ntp-keygen to generate an MD5 key on big endian hosts resulted in either an infite loop or an key of only 93 possible keys. Affected Software/OS: 'ntp' package(s) on Debian 6. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2015-1798 1032032 http://www.securitytracker.com/id/1032032 20150408 Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd 20150408 Network Time Protocol Daemon MAC Checking Failure Authentication Bypass Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=38276 73951 http://www.securityfocus.com/bid/73951 APPLE-SA-2015-06-30-2 http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html DSA-3223 http://www.debian.org/security/2015/dsa-3223 FEDORA-2015-5761 http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155864.html FEDORA-2015-5874 http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155863.html GLSA-201509-01 https://security.gentoo.org/glsa/201509-01 HPSBUX03333 http://marc.info/?l=bugtraq&m=143213867103400&w=2 MDVSA-2015:202 http://www.mandriva.com/security/advisories?name=MDVSA-2015:202 RHSA-2015:1459 http://rhn.redhat.com/errata/RHSA-2015-1459.html SSRT102029 USN-2567-1 http://www.ubuntu.com/usn/USN-2567-1 VU#374268 http://www.kb.cert.org/vuls/id/374268 http://bugs.ntp.org/show_bug.cgi?id=2779 http://support.apple.com/kb/HT204942 http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html https://kc.mcafee.com/corporate/index?page=content&id=SB10114 openSUSE-SU-2015:0775 http://lists.opensuse.org/opensuse-updates/2015-04/msg00052.html Common Vulnerability Exposure (CVE) ID: CVE-2015-1799 1032031 http://www.securitytracker.com/id/1032031 20150408 Network Time Protocol Daemon Symmetric Mode Packet Processing Denial of Service Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=38275 73950 http://www.securityfocus.com/bid/73950 DSA-3222 http://www.debian.org/security/2015/dsa-3222 HPSBHF03557 http://marc.info/?l=bugtraq&m=145750740530849&w=2 [chrony-announce] 20150407 chrony-1.31.1 released (security) http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2015/04/msg00002.html http://bugs.ntp.org/show_bug.cgi?id=2781 Common Vulnerability Exposure (CVE) ID: CVE-2015-3405 74045 http://www.securityfocus.com/bid/74045 DSA-3388 http://www.debian.org/security/2015/dsa-3388 FEDORA-2015-5830 http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156248.html RHSA-2015:2231 http://rhn.redhat.com/errata/RHSA-2015-2231.html SUSE-SU-2015:1173 http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00000.html [oss-security] 20150423 Re: CVE request: ntp-keygen may generate non-random symmetric keys on big-endian systems http://www.openwall.com/lists/oss-security/2015/04/23/14 http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg https://bugs.ntp.org/show_bug.cgi?id=2797 https://bugzilla.redhat.com/show_bug.cgi?id=1210324 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03886en_us
Copyright	Copyright (C) 2023 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.