The target servers expose their Network Time Protocol (NTP) service to the Internet on UDP port 123. The Network Time Protocol is used for servers to synchronize their time. Unless these servers are part of a public NTP server pool,NTP should not be enabled on public interfaces.
Impact Exposing unnecessary services to the Internet increases the attack surface and may be exploited by attackers discovering vulnerabilities in NTP.
Limit access to the NTP service (UDP port 123) to the public Medallia IP address range and internal IP addresses.
- Nmap: Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Command
sudo nmap -sUV -p 161 <server ip>
Vulnerable Output
Starting Nmap 7.12SVN ( https://nmap.org ) at 2016-07-12 14:18 EDT
Nmap scan report for <server ip>
Host is up (0.069s latency).
PORT STATE SERVICE VERSION
161/udp open snmp Cisco SNMP service; ciscoSystems SNMPv3 server
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
Command
nmap -sU -pU:123 -Pn -n --script=ntp-monlist <server ip>
Vulnerable Output
PORT STATE SERVICE REASON
123/udp open ntp udp-response
| ntp-monlist:
| Target is synchronised with 127.127.38.0 (reference clock)
| Alternative Target Interfaces:
| 10.17.4.20
| Private Servers (0)
| Public Servers (0)
| Private Peers (0)
| Public Peers (0)
| Private Clients (2)
| 10.20.8.69 169.254.138.63
| Public Clients (597)
| 4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152
| ...
| 12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118
| 68.56.205.98
| 2001:1400:0:0:0:0:0:1 2001:16d8:dd00:38:0:0:0:2
| 2002:db5a:bccd:1:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682
| Other Associations (1)
|_ 127.0.0.1 seen 1949869 times. last tx was unicast v2 mode 7
Command
nmap -sU -p 123 --script ntp-info <server ip>
Vulnerable Output
PORT STATE SERVICE VERSION
123/udp open ntp NTP [email protected]
| ntp-info:
| receive time stamp: Sat Dec 12 16:22:41 2009
| version: ntpd [email protected] Wed May 13 21:06:31 UTC 2009 (1)
| processor: x86_64
| system: Linux/2.6.24-24-server
| stratum: 2
|_ refid: 195.145.119.188