Vulnerability Details CVE-2016-1567
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 61.2%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
- http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html
- http://www.talosintel.com/reports/TALOS-2016-0071/
- http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html
- http://www.talosintel.com/reports/TALOS-2016-0071/
Products affected by CVE-2016-1567
-
cpe:2.3:a:tuxfamily:chrony:1.0
-
cpe:2.3:a:tuxfamily:chrony:1.1
-
cpe:2.3:a:tuxfamily:chrony:1.18
-
cpe:2.3:a:tuxfamily:chrony:1.19
-
cpe:2.3:a:tuxfamily:chrony:1.19.99.1
-
cpe:2.3:a:tuxfamily:chrony:1.19.99.2
-
cpe:2.3:a:tuxfamily:chrony:1.19.99.3
-
cpe:2.3:a:tuxfamily:chrony:1.20
-
cpe:2.3:a:tuxfamily:chrony:1.21
-
cpe:2.3:a:tuxfamily:chrony:1.23
-
cpe:2.3:a:tuxfamily:chrony:1.23.1
-
cpe:2.3:a:tuxfamily:chrony:1.24
-
cpe:2.3:a:tuxfamily:chrony:1.25
-
cpe:2.3:a:tuxfamily:chrony:1.26
-
cpe:2.3:a:tuxfamily:chrony:1.27
-
cpe:2.3:a:tuxfamily:chrony:1.28
-
cpe:2.3:a:tuxfamily:chrony:1.29
-
cpe:2.3:a:tuxfamily:chrony:1.31
-
cpe:2.3:a:tuxfamily:chrony:1.31.1
-
cpe:2.3:a:tuxfamily:chrony:2.0
-
cpe:2.3:a:tuxfamily:chrony:2.1
-
cpe:2.3:a:tuxfamily:chrony:2.1.1
-
cpe:2.3:a:tuxfamily:chrony:2.2