NTPsec < 1.2.1 Improper Filtering Vulnerability

2024-02-2000:00:00

plugins.openvas.org

improper filtering vulnerability

ntpsec

ntpkeygen

mitm attacks

version 1.2.1

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

38.7%

JSON

NTPsec is prone to an improper filtering vulnerability.

# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:ntpsec:ntpsec";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.114365");
  script_version("2024-02-20T14:37:13+0000");
  script_tag(name:"last_modification", value:"2024-02-20 14:37:13 +0000 (Tue, 20 Feb 2024)");
  script_tag(name:"creation_date", value:"2024-02-20 09:23:30 +0000 (Tue, 20 Feb 2024)");
  script_tag(name:"cvss_base", value:"5.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2021-06-21 13:55:34 +0000 (Mon, 21 Jun 2021)");

  script_cve_id("CVE-2021-22212");

  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("NTPsec < 1.2.1 Improper Filtering Vulnerability");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2024 Greenbone AG");
  script_family("General");
  script_dependencies("ntp_open.nasl");
  script_mandatory_keys("ntpsec/detected");

  script_tag(name:"summary", value:"NTPsec is prone to an improper filtering vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"ntpkeygen can generate keys that ntpd fails to parse. NTPsec
  allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or
  fails to load these keys entirely, depending on the key type and the placement of the '#'. This
  results in the administrator not being able to use the keys as expected or the keys are shorter
  than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients
  and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them, but for
  other types there is no message as any length can be used for the legacy MAC. The key file is
  normally only writable by administrators.");

  script_tag(name:"affected", value:"NTPsec versions prior to 1.2.1.");

  script_tag(name:"solution", value:"Update to version 1.2.1 or later.");

  script_xref(name:"URL", value:"https://gitlab.com/NTPsec/ntpsec/-/issues/699");
  script_xref(name:"URL", value:"https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22212.json");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];
proto = infos["proto"];

if (version_is_less(version: version, test_version: "1.2.1")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "1.2.1", install_path: location);
  security_message(port: port, proto: proto, data: report);
  exit(0);
}

exit(99);