CVE-2016-1567
Published: 26 January 2016
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
From the Ubuntu Security Team
Matt Street discovered that chrony doesn't verify peer associations of symmetric keys. A remote attacker could use this vulnerability impersonate another user.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
chrony Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(3.1-5)
|
| bionic |
Not vulnerable
(3.2-4ubuntu1)
|
|
| cosmic |
Not vulnerable
(3.2-4ubuntu1)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Released
(1.29-1ubuntu0.1)
|
|
| upstream |
Released
(2.2.1, 1.31.2)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Released
(2.1.1-1ubuntu0.1)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
|
| vivid |
Ignored
(end of life)
|
|
|
Patches: upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=a78bf9725a7b481 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.1 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1567
- http://www.talosintel.com/reports/TALOS-2016-0071/
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html
- http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
- NVD
- Launchpad
- Debian