CVE-2012-4502 - Numeric Errors vulnerability in Tuxfamily Chrony

CVSS: 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2760.NASL
    description: Florian Weimer discovered two security problems in the Chrony time synchronisation software (buffer overflows and use of uninitialised data in command replies).
    last seen: 2020-03-17
    modified: 2013-09-19
    plugin id: 69960
    published: 2013-09-19
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/69960
    title: Debian DSA-2760-1 : chrony - several vulnerabilities
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201402-28.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201402-28 (Chrony: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Chrony. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition by sending specially crafted packets. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72755
    published: 2014-03-02
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/72755
    title: GLSA-201402-28 : Chrony: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-14539.NASL
    description: This update fixes two security vulnerabilities: a crash when processing crafted commands (CVE-2012-4502) and uninitialized data sent in command replies (CVE-2012-4503). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-08-15
    plugin id: 69365
    published: 2013-08-15
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/69365
    title: Fedora 18 : chrony-1.29-1.fc18 (2013-14539)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2020-0027_CHRONY.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has chrony packages installed that are affected by multiple vulnerabilities: - Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit. (CVE-2012-4502) - cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply. (CVE-2012-4503) - Chrony before 1.29.1 has traffic amplification in cmdmon protocol (CVE-2014-0021) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-05
    modified: 2020-05-27
    plugin id: 136904
    published: 2020-05-27
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136904
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : chrony Multiple Vulnerabilities (NS-SA-2020-0027)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-14549.NASL
    description: This update fixes two security vulnerabilities: a crash when processing crafted commands (CVE-2012-4502) and uninitialized data sent in command replies (CVE-2012-4503). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-08-12
    plugin id: 69302
    published: 2013-08-12
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/69302
    title: Fedora 19 : chrony-1.29-1.fc19 (2013-14549)