CVE-2016-1567 — Missing Critical Step in Authentication in Chrony

CWE-254 CWE-304 — Missing Critical Step in Authentication9 documents7 sources

Severity

8.1HIGHNVD

EPSS

0.4%

top 38.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tuxfamily Chrony

Timeline

PublishedJan 26

Latest updateMay 17

Description

chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶Debiantuxfamily/chrony< 2.2.1-1+3

▶NVDtuxfamily/chrony1.31.1+4

Patches

Patch: lists.fedoraproject.org ↗Patch: lists.fedoraproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-vwxj-hm98-qj7v: chrony before 1↗2022-05-17

▶

CVEList

CVE-2016-1567: chrony before 1↗2016-01-26

▶

OSV

CVE-2016-1567: chrony before 1↗2016-01-26

▶

📋Vendor Advisories

Red Hat

chrony: missing key check allows impersonation between authenticated peers (VU#357792)↗2016-01-20

▶

Debian

CVE-2016-1567: chrony - chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of sym...↗2016

▶

💬Community

Bugzilla

CVE-2016-1567 chrony: missing key check allows impersonation between authenticated peers (VU#357792) [epel-all]↗2016-01-20

▶

Bugzilla

CVE-2016-1567 chrony: missing key check allows impersonation between authenticated peers (VU#357792) [fedora-all]↗2016-01-20

▶

Bugzilla

CVE-2016-1567 chrony: missing key check allows impersonation between authenticated peers (VU#357792)↗2016-01-11

▶