CVE-2015-1853 — Insufficient Verification of Data Authenticity in Chrony

CWE-345 — Insufficient Verification of Data Authenticity9 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.9%

top 24.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tuxfamily Chrony Chrony

Timeline

PublishedDec 9

Latest updateMay 24

Description

chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDtuxfamily/chrony< 1.31.1

▶Debiantuxfamily/chrony< 1.30-2+3

▶CVEListV5chrony/chronybefore 1.31.1

🔴Vulnerability Details

GHSA

GHSA-gf8j-j7q8-vhh5: chrony before 1↗2022-05-24

▶

OSV

CVE-2015-1853: chrony before 1↗2019-12-09

▶

CVEList

CVE-2015-1853: chrony before 1↗2019-12-09

▶

📋Vendor Advisories

Red Hat

chrony: authentication doesn't protect symmetric associations against DoS attacks↗2015-04-07

▶

Debian

CVE-2015-1853: chrony - chrony before 1.31.1 does not properly protect state variables in authenticated ...↗2015

▶

💬Community

Bugzilla

CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks [fedora-all]↗2015-04-07

▶

Bugzilla

CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks↗2015-04-07

▶

Bugzilla

CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks [epel-all]↗2015-04-07

▶