ID CVE-2016-1567
Summary chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
References
Vulnerable Configurations
  • cpe:2.3:a:tuxfamily:chrony:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.18:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.19:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.19.99.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.19.99.2:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.19.99.3:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.20:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.21:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.21:pre1:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.23:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.23:pre1:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.24:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.24:pre1:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.25:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.25:pre1:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.25:pre2:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.26:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.26:pre1:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.27:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.27:pre1:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.28:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.28:pre1:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.29:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.31:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:1.31.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tuxfamily:chrony:2.2:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 06-12-2016 - 03:07)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
confirm http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
fedora
  • FEDORA-2016-6a0b0ab775
  • FEDORA-2016-6f783d1768
misc http://www.talosintel.com/reports/TALOS-2016-0071/
Last major update 06-12-2016 - 03:07
Published 26-01-2016 - 19:59
Last modified 06-12-2016 - 03:07