CVE-2015-1853 - Denial of service in authenticated symmetric NTP associations in Tuxfamily Chrony (chrony before 1.31.1)

CVSS 6.5 - MEDIUM (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, the vector carried by the Nessus plugins below)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Summary

chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201507-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201507-01 (chrony: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in chrony. Please review the CVE identifiers referenced below for details. Impact: A remote attacker can cause arbitrary remote code execution or a denial of service condition. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84531
    published: 2015-07-06
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84531
    title: GLSA-201507-01 : chrony: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201507-01.
    #
    # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84531);
      script_version("2.3");
      script_cvs_date("Date: 2019/12/18");
    
      script_cve_id("CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853");
      script_bugtraq_id(73948, 73955, 73956);
      script_xref(name:"GLSA", value:"201507-01");
    
      script_name(english:"GLSA-201507-01 : chrony: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201507-01
    (chrony: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in chrony. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker can cause arbitrary remote code execution or Denial of
          service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201507-01"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All chrony users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-misc/chrony-1.31.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:chrony");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/chrony", unaffected:make_list("ge 1.31.1"), vulnerable:make_list("lt 1.31.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chrony");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-193.NASL
    description: CVE-2015-1853 : Protect authenticated symmetric NTP associations against DoS attacks. An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet with random timestamps to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn
    last seen: 2020-03-17
    modified: 2015-04-13
    plugin id: 82716
    published: 2015-04-13
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82716
    title: Debian DLA-193-1 : chrony security update
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-193-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82716);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853");
      script_bugtraq_id(73948, 73955, 73956);
    
      script_name(english:"Debian DLA-193-1 : chrony security update");
      script_summary(english:"Checks dpkg output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CVE-2015-1853 :
    
    Protect authenticated symmetric NTP associations against DoS attacks.
    
    An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet with
    random timestamps to host A with source address of B which
    will set the NTP state variables on A to the values sent by
    the attacker. Host A will then send on its next poll to B a
    packet with originate timestamp that doesn't match the
    transmit timestamp of B and the packet will be dropped. If
    the attacker does this periodically for both hosts, they
    won't be able to synchronize to each other. It is a
    denial of service attack.
    
    According to [1], NTP authentication is supposed to protect
    symmetric associations against this attack, but in the NTPv3
    (RFC 1305) and NTPv4 (RFC 5905) specifications the state
    variables are updated before the authentication check is
    performed, which means the association is vulnerable to the
    attack even when authentication is enabled.
    
    To fix this problem, save the originate and local timestamps
    only when the authentication check (test5) passed.
    
    [1] https://www.eecis.udel.edu/~mills/onwire.html
    
    CVE-2015-1821 :
    
    Fix access configuration with subnet size indivisible by 4.
    
    When NTP or cmdmon access was configured (from chrony.conf
    or via authenticated cmdmon) with a subnet size that is
    indivisible by 4 and an address that has nonzero bits in the
    4-bit subnet remainder (e.g. 192.168.15.0/22 or f000::/3),
    the new setting was written to an incorrect location,
    possibly outside the allocated array.
    
    An attacker that has the command key and is allowed to
    access cmdmon (only localhost is allowed by default) could
    exploit this to crash chronyd or possibly execute arbitrary
    code with the privileges of the chronyd process.
    
    CVE-2015-1822 :
    
    Fix initialization of reply slots for authenticated commands.
    
    When allocating memory to save unacknowledged replies to
    authenticated command requests, the last 'next' pointer was
    not initialized to NULL. When all allocated reply slots were
    used, the next reply could be written to an invalid memory
    instead of allocating a new slot for it.
    
    An attacker that has the command key and is allowed to
    access cmdmon (only localhost is allowed by default) could
    exploit this to crash chronyd or possibly execute arbitrary
    code with the privileges of the chronyd process.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2015/04/msg00008.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze-lts/chrony"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.eecis.udel.edu/~mills/onwire.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected chrony package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:chrony");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"6.0", prefix:"chrony", reference:"1.24-3+squeeze2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-5748.NASL
    description: Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-04-23
    plugin id: 83007
    published: 2015-04-23
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83007
    title: Fedora 22 : chrony-2.0-0.3.pre2.fc22 (2015-5748)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-5748.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83007);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853");
      script_xref(name:"FEDORA", value:"2015-5748");
    
      script_name(english:"Fedora 22 : chrony-2.0-0.3.pre2.fc22 (2015-5748)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209572"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209631"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209632"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155777.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6b5f9986"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected chrony package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:chrony");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC22", reference:"chrony-2.0-0.3.pre2.fc22")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chrony");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-5816.NASL
    description: Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-04-23
    plugin id: 83009
    published: 2015-04-23
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83009
    title: Fedora 21 : chrony-1.31.1-1.fc21 (2015-5816)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-5816.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83009);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853");
      script_bugtraq_id(73948, 73955, 73956);
      script_xref(name:"FEDORA", value:"2015-5816");
    
      script_name(english:"Fedora 21 : chrony-1.31.1-1.fc21 (2015-5816)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209572"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209631"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209632"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155850.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6c109bf7"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected chrony package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:chrony");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC21", reference:"chrony-1.31.1-1.fc21")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chrony");
    }
    
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20151119_CHRONY_ON_SL7_X.NASL
    description: An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821) An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822) A denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853) The chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include: - Updated to NTP version 4 (RFC 5905) - Added pool directive to specify pool of NTP servers - Added leapsecmode directive to select how to correct clock for leap second - Added smoothtime directive to smooth served time and enable leap smear - Added asynchronous name resolving with POSIX threads - Ready for year 2036 (next NTP era) - Improved clock control - Networking code reworked to open separate client sockets for each NTP server. This update also fixes the following bug: - The chronyd service previously assumed that network interfaces specified with the
    last seen: 2020-03-18
    modified: 2015-12-22
    plugin id: 87551
    published: 2015-12-22
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87551
    title: Scientific Linux Security Update : chrony on SL7.x x86_64 (20151119)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_C4571CA8053D44C9AB3C89B1372AD0A5.NASL
    description: Chrony News reports: CVE-2015-1853: DoS attack on authenticated symmetric NTP associations. CVE-2015-1821: Heap-based buffer overflow in access configuration. CVE-2015-1822: Use of uninitialized pointer in command processing.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82892
    published: 2015-04-20
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82892
    title: FreeBSD : chrony -- multiple vulnerabilities (c4571ca8-053d-44c9-ab3c-89b1372ad0a5)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3222.NASL
    description: Miroslav Lichvar of Red Hat discovered multiple vulnerabilities in chrony, an alternative NTP client and server: - CVE-2015-1821 Using particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code. - CVE-2015-1822 When allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code. - CVE-2015-1853 When peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers.
    last seen: 2020-03-17
    modified: 2015-04-14
    plugin id: 82744
    published: 2015-04-14
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82744
    title: Debian DSA-3222-1 : chrony - security update
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-5809.NASL
    description: Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-04-27
    plugin id: 83067
    published: 2015-04-27
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83067
    title: Fedora 20 : chrony-1.31.1-1.fc20 (2015-5809)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-2241.NASL
    description: From Red Hat Security Advisory 2015:2241: Updated chrony packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network. An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821) An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822) A denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853) These issues were discovered by Miroslav Lichvar of Red Hat. The chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include: * Updated to NTP version 4 (RFC 5905) * Added pool directive to specify pool of NTP servers * Added leapsecmode directive to select how to correct clock for leap second * Added smoothtime directive to smooth served time and enable leap smear * Added asynchronous name resolving with POSIX threads * Ready for year 2036 (next NTP era) * Improved clock control * Networking code reworked to open separate client sockets for each NTP server (BZ#1117882). This update also fixes the following bug: * The chronyd service previously assumed that network interfaces specified with the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87032
    published: 2015-11-24
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87032
    title: Oracle Linux 7 : chrony (ELSA-2015-2241)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-539.NASL
    descriptionAs reported upstream : When NTP or cmdmon access was configured (from chrony.conf or via authenticated cmdmon) with a subnet size that is indivisible by 4 and an address that has nonzero bits in the 4-bit subnet remainder (e.g. 192.168.15.0/22 or f000::/3), the new setting was written to an incorrect location, possibly outside the allocated array. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821) When allocating memory to save unacknowledged replies to authenticated command requests, the last
    last seen2020-06-01
    modified2020-06-02
    plugin id83978
    published2015-06-04
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83978
    titleAmazon Linux AMI : chrony (ALAS-2015-539)
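The Amazon advisory text above is the only entry on this page that says where the out-of-bounds write in CVE-2015-1821 actually comes from: a prefix length that is not a multiple of 4 and an address with set bits inside the 4-bit remainder (192.168.15.0/22, f000::/3). The block below is an added example that reconstructs that arithmetic; it is not chrony's addrfilt.c and the function names, the 16-slot node model and the masking shown as the fix are assumptions drawn from the advisory wording, not quoted from the upstream patch.

```python
"""Simplified model of the CVE-2015-1821 subnet write (added example).

The access-control tree is modelled as nodes of 16 slots, each level
consuming 4 address bits.  A prefix whose length is not a multiple of 4
ends in a partial level that marks 2**(4 - remainder) consecutive slots.
If the address still carries set bits below the prefix inside that
nibble, the start slot is too high and the run of writes leaves the node.
This is a reconstruction of the advisory text, not chrony's own code.
"""
import ipaddress

NBITS = 4                 # address bits consumed per tree level
SLOTS = 1 << NBITS        # 16 slots per node


def nibbles(addr: str):
    """Split an IPv4/IPv6 address into 4-bit groups, most significant first."""
    ip = ipaddress.ip_address(addr)
    value = int(ip)
    return [(value >> shift) & (SLOTS - 1)
            for shift in range(ip.max_prefixlen - NBITS, -1, -NBITS)]


def partial_level_write(addr: str, prefix: int, fixed: bool):
    """Return (first_slot, count) written at the partial level, or None when
    the prefix is a multiple of NBITS and no partial level exists.

    fixed=False: use the nibble as-is (the flawed computation).
    fixed=True:  clear the host bits below the prefix first (assumed form
                 of the fix: modelled here, not quoted from upstream).
    """
    full_levels, remainder = divmod(prefix, NBITS)
    if remainder == 0:
        return None
    nib = nibbles(addr)[full_levels]
    count = 1 << (NBITS - remainder)       # slots covered by the remaining bits
    if fixed:
        nib &= (SLOTS - 1) ^ (count - 1)   # drop the low (NBITS - remainder) bits
    return nib, count


def apply_partial_level(node: list, addr: str, prefix: int, fixed: bool, state=1):
    """Write `state` into the slots of a 16-entry node.  In C the flawed
    variant writes past the array; Python raises IndexError instead."""
    res = partial_level_write(addr, prefix, fixed)
    if res is None:
        return node
    first, count = res
    for slot in range(first, first + count):
        node[slot] = state              # IndexError here == out-of-bounds write
    return node


def out_of_bounds(addr: str, prefix: int) -> bool:
    """True when the flawed computation would write beyond the node."""
    res = partial_level_write(addr, prefix, fixed=False)
    return res is not None and res[0] + res[1] > SLOTS


def flawed_write_escapes_node(addr: str, prefix: int) -> bool:
    """Run the flawed write against a fresh node and report whether it escaped."""
    try:
        apply_partial_level([0] * SLOTS, addr, prefix, fixed=False)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    for spec in ("192.168.15.0/22", "f000::/3", "192.168.12.0/22", "10.0.0.0/8"):
        addr, _, plen = spec.partition("/")
        print(spec, "flawed:", partial_level_write(addr, int(plen), False),
              "fixed:", partial_level_write(addr, int(plen), True),
              "overflow:", out_of_bounds(addr, int(plen)))
```

For 192.168.15.0/22 the sixth nibble is 0xF, so the flawed variant starts at slot 15 and tries to mark four slots (15 to 18) in a 16-slot node; masking the two host bits first starts the run at slot 12. A prefix such as 192.168.12.0/22, whose nibble already has those bits clear, writes the same slots either way, which is why the advisory ties the bug to the address and not only to the prefix length.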
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-2241.NASL
    descriptionUpdated chrony packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network. An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821) An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822) A denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853) These issues were discovered by Miroslav Lichvar of Red Hat. 
The chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include : * Updated to NTP version 4 (RFC 5905) * Added pool directive to specify pool of NTP servers * Added leapsecmode directive to select how to correct clock for leap second * Added smoothtime directive to smooth served time and enable leap smear * Added asynchronous name resolving with POSIX threads * Ready for year 2036 (next NTP era) * Improved clock control * Networking code reworked to open separate client sockets for each NTP server (BZ#1117882) This update also fixes the following bug : * The chronyd service previously assumed that network interfaces specified with the
    last seen2020-06-01
    modified2020-06-02
    plugin id86978
    published2015-11-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86978
    titleRHEL 7 : chrony (RHSA-2015:2241)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-2241.NASL
    descriptionUpdated chrony packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network. An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821) An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822) A denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853) These issues were discovered by Miroslav Lichvar of Red Hat. 
The chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include : * Updated to NTP version 4 (RFC 5905) * Added pool directive to specify pool of NTP servers * Added leapsecmode directive to select how to correct clock for leap second * Added smoothtime directive to smooth served time and enable leap smear * Added asynchronous name resolving with POSIX threads * Ready for year 2036 (next NTP era) * Improved clock control * Networking code reworked to open separate client sockets for each NTP server (BZ#1117882) This update also fixes the following bug : * The chronyd service previously assumed that network interfaces specified with the
    last seen2020-06-01
    modified2020-06-02
    plugin id87146
    published2015-12-02
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87146
    titleCentOS 7 : chrony (CESA-2015:2241)
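The RHSA text repeated in the three entries above describes CVE-2015-1853 only as an ordering problem: peers updated their internal state variables before the packet had been authenticated, and packets sent to one peer could cascade to others. The block below is an added example that models that ordering with a two-peer exchange; it is a reconstruction of the described behaviour, not chrony's ntp_core.c. Assumed for the model: a packet is reduced to origin, receive and transmit timestamps plus an NTPv4-style MD5(key || body) MAC, the origin test is the only interlock modelled, the peers' clocks are plain counters, and the key and forged timestamps are constructed sample data.

```python
"""Model of the ordering flaw behind CVE-2015-1853 (added example).

Two peers exchange authenticated symmetric-mode packets.  A receiver checks
that the packet's origin timestamp equals its own last transmit timestamp
(the origin test) and, separately, that the MAC is valid.  In the flawed
ordering the receiver remembers the packet's transmit timestamp before the
MAC is checked, so a forged packet with random timestamps poisons the origin
field of the next authentic packet this peer sends, and the other peer
rejects it.  Reconstruction of the advisory text, not chrony's own code.
"""
import hashlib
import hmac
import random
import struct

KEY_ID = 1
KEY = b"constructed-shared-key"          # constructed sample secret
WRONG_KEY = b"attacker-guess"            # the attacker does not hold KEY


def ntp_mac(key: bytes, body: bytes) -> bytes:
    """NTPv4 symmetric-key MAC: MD5 over key || packet body."""
    return hashlib.md5(key + body).digest()


def make_packet(org: int, rec: int, xmt: int, key: bytes = KEY) -> dict:
    body = struct.pack("!QQQ", org, rec, xmt)
    return {"org": org, "rec": rec, "xmt": xmt, "key_id": KEY_ID,
            "mac": ntp_mac(key, body)}


class Peer:
    def __init__(self, name: str, clock: int, fixed: bool):
        self.name = name
        self.fixed = fixed
        self.clock = clock          # a counter standing in for the clock
        self.last_xmt = 0           # transmit timestamp of our last packet
        self.peer_xmt = 0           # transmit timestamp remembered from the peer
        self.last_rx = 0            # when we received the peer's last packet
        self.samples = 0            # packets that passed both checks

    def now(self) -> int:
        self.clock += 1
        return self.clock

    def send(self) -> dict:
        self.last_xmt = self.now()
        return make_packet(org=self.peer_xmt, rec=self.last_rx, xmt=self.last_xmt)

    def receive(self, pkt: dict) -> str:
        body = struct.pack("!QQQ", pkt["org"], pkt["rec"], pkt["xmt"])
        authentic = hmac.compare_digest(ntp_mac(KEY, body), pkt["mac"])
        if self.fixed and not authentic:
            return "unauthenticated"        # fixed: reject before touching state
        origin_ok = pkt["org"] == self.last_xmt
        # state update: in the flawed ordering this runs for every packet
        self.peer_xmt = pkt["xmt"]
        self.last_rx = self.now()
        if not authentic:
            return "unauthenticated"        # dropped, but state already poisoned
        if not origin_ok:
            return "bogus"                  # authentic, yet not a reply to ours
        self.samples += 1
        return "sample"


def simulate(fixed: bool, rounds: int, seed: int = 2015) -> dict:
    """Warm up A<->B, then each round inject one forged packet at A before
    the normal exchange.  Returns usable samples per peer."""
    rng = random.Random(seed)                 # constructed, deterministic
    a = Peer("A", clock=1000, fixed=fixed)
    b = Peer("B", clock=5000, fixed=fixed)
    b.receive(a.send())                       # bootstrap: zero origin accepted
    a.receive(b.send())
    for _ in range(rounds):
        # random 64-bit timestamps with the top bit set never match a counter
        org, rec, xmt = (rng.getrandbits(64) | (1 << 63) for _k in range(3))
        a.receive(make_packet(org, rec, xmt, key=WRONG_KEY))
        b.receive(a.send())
        a.receive(b.send())
    return {"A": a.samples, "B": b.samples}


if __name__ == "__main__":
    print("flawed ordering:", simulate(fixed=False, rounds=5))
    print("fixed ordering: ", simulate(fixed=True, rounds=5))
```

With the flawed ordering every forged packet is rejected by the MAC check, yet A's next authentic packet carries the attacker's transmit timestamp as its origin, so B never accepts a packet from A while the injection continues; with the check moved in front of the state update both peers keep collecting samples. The model only reaches the directly attacked peer and its partner; it does not try to show how far the advisory's cascade extends beyond that.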

Redhat

advisories
bugzilla
id1219492
titleUse iburst option for NTP servers from DHCP
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • commentchrony is earlier than 0:2.1.1-1.el7
      ovaloval:com.redhat.rhsa:tst:20152241001
    • commentchrony is signed with Red Hat redhatrelease2 key
      ovaloval:com.redhat.rhsa:tst:20152241002
rhsa
idRHSA-2015:2241
released2015-11-19
severityModerate
titleRHSA-2015:2241: chrony security, bug fix, and enhancement update (Moderate)
rpms
  • chrony-0:2.1.1-1.el7
  • chrony-debuginfo-0:2.1.1-1.el7
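The OVAL test above reduces to one comparison: the installed chrony EVR is earlier than 0:2.1.1-1.el7. The block below is an added example (not Red Hat's OVAL content) that performs that comparison with rpm's version-ordering rules so the check can be scripted on a host; the rpm query string is the real `rpm -q --qf` form, while the function names, the sample EVR strings and the omission of rpm's newer `^` rule are this example's own choices.

```python
"""Version gate for the OVAL test above (added example, not Red Hat's OVAL
content).  Decides whether an installed chrony EVR predates the fixed build
0:2.1.1-1.el7 using rpm's comparison rules: alternating digit and letter
segments, numeric segments compared by value, a numeric segment newer than
an alphabetic one, '~' sorting before anything including end of string.
The '^' rule of newer rpm releases is not modelled."""
import subprocess
from typing import Optional

FIXED_EVR = "0:2.1.1-1.el7"     # from the OVAL test: chrony is earlier than this


def _take(s: str, i: int, pred) -> str:
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 in the manner of rpm's rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (neither alphanumeric nor '~') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:            # '~' sorts before everything
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pred = str.isdigit if numeric else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        i, j = i + len(sa), j + len(sb)
        if not sb:                        # segment types differ: numeric is newer
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whoever has segments left is newer


def parse_evr(evr: str):
    """Split 'epoch:version-release' as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'; '(none)' or no epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch in ("", "(none)"):
        epoch = "0"
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_affected(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build predates the fix (OVAL 'earlier than')."""
    return evr_cmp(installed_evr, fixed_evr) < 0


def installed_chrony_evr() -> Optional[str]:
    """Query rpm on the local host; None when chrony or rpm is absent."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", "chrony"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    lines = out.stdout.splitlines()
    return lines[0] if out.returncode == 0 and lines else None


if __name__ == "__main__":
    evr = installed_chrony_evr()
    if evr is None:
        print("chrony not installed or rpm unavailable")
    else:
        print(evr, "AFFECTED" if is_affected(evr) else "fixed build or later")
```

The epoch is compared first, so an installed package with a higher epoch is never reported as affected even if its version string is lower; the two other OVAL criteria (RHEL 7 installed, package signed with the Red Hat key) are not modelled and still have to be checked separately. Constructed EVR strings such as `0:1.29.1-1.el7` or `(none):2.1.1-1.el7` are enough to exercise the comparison without rpm on the machine.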