CVE-2016-1567

Published: 26 January 2016

chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

From the Ubuntu security team

Matt Street discovered that chrony doesn't verify peer associations of symmetric keys. A remote attacker could use this vulnerability to impersonate another user.

Priority

Low

CVSS 3 base score: 8.1

Status

Package: chrony (Launchpad, Ubuntu, Debian)
Upstream: Released (2.2.1, 1.31.2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (3.2-4ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (2.1.1-1ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.29-1ubuntu0.1)
Patches:
Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=a78bf9725a7b481