ID FEDORA_2015-5809.NASL Type nessus Reporter This script is Copyright (C) 2015-2021 Tenable Network Security, Inc. Modified 2021-01-11T00:00:00
Description
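Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822 in chrony. As summarised in the related advisories further down this page, these are a denial of service against authenticated symmetric NTP associations (CVE-2015-1853), a heap-based buffer overflow in access configuration (CVE-2015-1821), and use of an uninitialized pointer in command processing (CVE-2015-1822); the latter two require the command key and cmdmon access, which is limited to localhost by default.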
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-5809.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Metadata pass: when the scanner loads the plugin with `description` set,
# only this block runs. It registers the plugin's identity, references,
# severity and prerequisites, then exits before any host check happens.
if (description)
{
  # Identity and revision of this plugin.
  script_id(83067);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  # Cross-references: the three chrony CVEs and the Fedora advisory number.
  script_cve_id("CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853");
  script_xref(name:"FEDORA", value:"2015-5809");

  script_name(english:"Fedora 20 : chrony-1.31.1-1.fc20 (2015-5809)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");

  # The description text is carried over from the Fedora advisory; line
  # breaks inside the literal are part of the reported string.
  script_set_attribute(
    attribute:"description",
    value:
"Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );

  # One Red Hat Bugzilla entry per referenced bug.
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209572");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209631");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1209632");

  # The shortened link below stands for the Fedora package-announce post:
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155949.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f07aa6bc");

  script_set_attribute(attribute:"solution", value:"Update the affected chrony package.");

  # A single CVSS v2 vector covers the whole advisory: network reachable,
  # low complexity, one authentication step, partial C/I/A impact.
  # NOTE(review): no cvss_score_source attribute is set in this block, so
  # the plugin does not state which of the three CVEs the vector scores.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");

  # "local" plugin type: the result comes from package data gathered on
  # the host (see the required KB keys below), not from probing chronyd.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:chrony");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # Prerequisites: ssh_get_info.nasl must have run, and the KB must hold
  # the local-checks flag, the release string and the RPM list.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Host check. Every gate below ends the run through audit() with a
# specific reason, so a host that fails a gate is "not evaluated" rather
# than "not affected" - keep the two apart when reading scan results.

# Gate 1: local (credentialed) checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Gate 2: the stored release string must mention Fedora
# (`>!<` is the "substring not contained" operator).
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release)
  audit(AUDIT_OS_NOT, "Fedora");

# Gate 3: pull the major release number out of the string and accept only
# 20; the pattern rejects longer numbers that merely start with "20".
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver))
  audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver))
  audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

# Gate 4: the installed-package list must have been collected.
if (!get_kb_item("Host/RedHat/rpm-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Gate 5: only x86_64 and i386..i686 hosts are evaluated. Any other
# architecture is audited out as "local checks not implemented", so the
# absence of a finding on such a host says nothing about its chrony build.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
  audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Package test against the fixed build named in the advisory.
# NOTE(review): rpm_check() comes from rpm.inc, which is not shown here;
# presumably it flags an installed chrony older than the reference.
# Nothing in this script looks at chronyd's configuration or at whether
# cmdmon is reachable - the verdict rests on the package version alone.
flag = 0;
if (rpm_check(release:"FC20", reference:"chrony-1.31.1-1.fc20")) flag++;

if (!flag)
{
  # Nothing flagged: report which packages were tested, or state that
  # chrony is not installed when no package test was recorded.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chrony");
}
else
{
  # Flagged: raise a warning-level finding on port 0; the RPM comparison
  # details are attached only when report verbosity is above zero.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
{"nessus": [{"lastseen": "2021-08-19T12:46:16", "description": "CVE-2015-1853 :\n\nProtect authenticated symmetric NTP associations against DoS attacks.\n\nAn attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet with random timestamps to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. It is a denial of service attack.\n\nAccording to [1], NTP authentication is supposed to protect symmetric associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) specifications the state variables are updated before the authentication check is performed, which means the association is vulnerable to the attack even when authentication is enabled.\n\nTo fix this problem, save the originate and local timestamps only when the authentication check (test5) passed.\n\n[1] https://www.eecis.udel.edu/~mills/onwire.html\n\nCVE-2015-1821 :\n\nFix access configuration with subnet size indivisible by 4.\n\nWhen NTP or cmdmon access was configured (from chrony.conf or via authenticated cmdmon) with a subnet size that is indivisible by 4 and an address that has nonzero bits in the 4-bit subnet remainder (e.g. 
192.168.15.0/22 or f000::/3), the new setting was written to an incorrect location, possibly outside the allocated array.\n\nAn attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process.\n\nCVE-2015-1822 :\n\nFix initialization of reply slots for authenticated commands.\n\nWhen allocating memory to save unacknowledged replies to authenticated command requests, the last 'next' pointer was not initialized to NULL. When all allocated reply slots were used, the next reply could be written to an invalid memory instead of allocating a new slot for it.\n\nAn attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-04-13T00:00:00", "type": "nessus", "title": "Debian DLA-193-1 : chrony security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chrony", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DLA-193.NASL", "href": "https://www.tenable.com/plugins/nessus/82716", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-193-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82716);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_bugtraq_id(73948, 73955, 73956);\n\n script_name(english:\"Debian DLA-193-1 : chrony security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2015-1853 :\n\nProtect authenticated symmetric NTP associations against DoS attacks.\n\nAn attacker knowing that NTP hosts A and B are peering with\neach other (symmetric association) can send a packet with\nrandom timestamps to host A with source address of B which\nwill set the NTP state variables on A to the values sent by\nthe attacker. Host A will then send on its next poll to B a\npacket with originate timestamp that doesn't match the\ntransmit timestamp of B and the packet will be dropped. If\nthe attacker does this periodically for both hosts, they\nwon't be able to synchronize to each other. 
It is a\ndenial of service attack.\n\nAccording to [1], NTP authentication is supposed to protect\nsymmetric associations against this attack, but in the NTPv3\n(RFC 1305) and NTPv4 (RFC 5905) specifications the state\nvariables are updated before the authentication check is\nperformed, which means the association is vulnerable to the\nattack even when authentication is enabled.\n\nTo fix this problem, save the originate and local timestamps\nonly when the authentication check (test5) passed.\n\n[1] https://www.eecis.udel.edu/~mills/onwire.html\n\nCVE-2015-1821 :\n\nFix access configuration with subnet size indivisible by 4.\n\nWhen NTP or cmdmon access was configured (from chrony.conf\nor via authenticated cmdmon) with a subnet size that is\nindivisible by 4 and an address that has nonzero bits in the\n4-bit subnet remainder (e.g. 192.168.15.0/22 or f000::/3),\nthe new setting was written to an incorrect location,\npossibly outside the allocated array.\n\nAn attacker that has the command key and is allowed to\naccess cmdmon (only localhost is allowed by default) could\nexploit this to crash chronyd or possibly execute arbitrary\ncode with the privileges of the chronyd process.\n\nCVE-2015-1822 :\n\nFix initialization of reply slots for authenticated commands.\n\nWhen allocating memory to save unacknowledged replies to\nauthenticated command requests, the last 'next' pointer was\nnot initialized to NULL. When all allocated reply slots were\nused, the next reply could be written to an invalid memory\ninstead of allocating a new slot for it.\n\nAn attacker that has the command key and is allowed to\naccess cmdmon (only localhost is allowed by default) could\nexploit this to crash chronyd or possibly execute arbitrary\ncode with the privileges of the chronyd process.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/04/msg00008.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/chrony\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.eecis.udel.edu/~mills/onwire.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected chrony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"chrony\", reference:\"1.24-3+squeeze2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:43:52", "description": "Updated chrony packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input.\nIt can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. 
An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichvar of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include :\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap second\n\n* Added smoothtime directive to smooth served time and enable leap smear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each NTP server\n\n(BZ#1117882)\n\nThis update also fixes the following bug :\n\n* The chronyd service previously assumed that network interfaces specified with the 'bindaddress' directive were ready when the service was started. This could cause chronyd to fail to bind an NTP server socket to the interface if the interface was not ready. 
With this update, chronyd uses the IP_FREEBIND socket option, enabling it to bind to an interface later, not only when the service starts.\n(BZ#1169353)\n\nIn addition, this update adds the following enhancement :\n\n* The chronyd service now supports four modes of handling leap seconds, configured using the 'leapsecmode' option. The clock can be either stepped by the kernel (the default 'system' mode), stepped by chronyd ('step' mode), slowly adjusted by slewing ('slew' mode), or the leap second can be ignored and corrected later in normal operation ('ignore' mode). If you select slewing, the correction will always start at 00:00:00 UTC and will be applied at a rate specified in the 'maxslewrate' option. (BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-12-02T00:00:00", "type": "nessus", "title": "CentOS 7 : chrony (CESA-2015:2241)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:chrony", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2015-2241.NASL", "href": "https://www.tenable.com/plugins/nessus/87146", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2241 and \n# CentOS Errata and Security Advisory 2015:2241 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87146);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_xref(name:\"RHSA\", value:\"2015:2241\");\n\n script_name(english:\"CentOS 7 
: chrony (CESA-2015:2241)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated chrony packages that fix three security issues, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe chrony suite, chronyd and chronyc, is an advanced implementation\nof the Network Time Protocol (NTP), specially designed to support\nsystems with intermittent connections. It can synchronize the system\nclock with NTP servers, hardware reference clocks, and manual input.\nIt can also operate as an NTPv4 (RFC 5905) server or peer to provide a\ntime service to other computers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain\naddresses when configuring NTP or cmdmon access. An attacker that has\nthe command key and is allowed to access cmdmon (only localhost is\nallowed by default) could use this flaw to crash chronyd or, possibly,\nexecute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to\nsave unacknowledged replies to authenticated command requests. An\nattacker that has the command key and is allowed to access cmdmon\n(only localhost is allowed by default) could use this flaw to crash\nchronyd or, possibly, execute arbitrary code with the privileges of\nthe chronyd process. 
(CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were\npeering with each other authenticated themselves before updating their\ninternal state variables. An attacker could send packets to one peer\nhost, which could cascade to other peers, and stop the synchronization\nprocess among the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichvar of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. Notable enhancements include :\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap\nsecond\n\n* Added smoothtime directive to smooth served time and enable leap\nsmear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each\nNTP server\n\n(BZ#1117882)\n\nThis update also fixes the following bug :\n\n* The chronyd service previously assumed that network interfaces\nspecified with the 'bindaddress' directive were ready when the service\nwas started. This could cause chronyd to fail to bind an NTP server\nsocket to the interface if the interface was not ready. With this\nupdate, chronyd uses the IP_FREEBIND socket option, enabling it to\nbind to an interface later, not only when the service starts.\n(BZ#1169353)\n\nIn addition, this update adds the following enhancement :\n\n* The chronyd service now supports four modes of handling leap\nseconds, configured using the 'leapsecmode' option. The clock can be\neither stepped by the kernel (the default 'system' mode), stepped by\nchronyd ('step' mode), slowly adjusted by slewing ('slew' mode), or\nthe leap second can be ignored and corrected later in normal operation\n('ignore' mode). 
If you select slewing, the correction will always\nstart at 00:00:00 UTC and will be applied at a rate specified in the\n'maxslewrate' option. (BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2015-November/002147.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?278008f2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chrony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-1821\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"chrony-2.1.1-1.el7.centos\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:46:15", "description": "Chrony News reports :\n\nCVE-2015-1853: DoS attack on authenticated symmetric NTP associations\n\nCVE-2015-1821: Heap-based buffer overflow in access configuration\n\nCVE-2015-1822: Use of uninitialized pointer in command processing", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-04-20T00:00:00", "type": "nessus", "title": "FreeBSD : chrony -- multiple vulnerabilities (c4571ca8-053d-44c9-ab3c-89b1372ad0a5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:chrony", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_C4571CA8053D44C9AB3C89B1372AD0A5.NASL", "href": "https://www.tenable.com/plugins/nessus/82892", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82892);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n\n script_name(english:\"FreeBSD : chrony -- multiple vulnerabilities (c4571ca8-053d-44c9-ab3c-89b1372ad0a5)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Chrony News reports :\n\nCVE-2015-1853: DoS attack on authenticated symmetric NTP associations\n\nCVE-2015-1821: Heap-based buffer overflow in access configuration\n\nCVE-2015-1822: Use of 
uninitialized pointer in command processing\"\n );\n # http://chrony.tuxfamily.org/News.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://chrony.tuxfamily.org/News.html\"\n );\n # https://vuxml.freebsd.org/freebsd/c4571ca8-053d-44c9-ab3c-89b1372ad0a5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5bd90f7d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chrony<1.31.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:43:35", "description": "An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. 
An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853)\n\nThe chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include :\n\n - Updated to NTP version 4 (RFC 5905)\n\n - Added pool directive to specify pool of NTP servers\n\n - Added leapsecmode directive to select how to correct clock for leap second\n\n - Added smoothtime directive to smooth served time and enable leap smear\n\n - Added asynchronous name resolving with POSIX threads\n\n - Ready for year 2036 (next NTP era)\n\n - Improved clock control\n\n - Networking code reworked to open separate client sockets for each NTP server\n\nThis update also fixes the following bug :\n\n - The chronyd service previously assumed that network interfaces specified with the 'bindaddress' directive were ready when the service was started. This could cause chronyd to fail to bind an NTP server socket to the interface if the interface was not ready. With this update, chronyd uses the IP_FREEBIND socket option, enabling it to bind to an interface later, not only when the service starts.\n\nIn addition, this update adds the following enhancement :\n\n - The chronyd service now supports four modes of handling leap seconds, configured using the 'leapsecmode' option.\n The clock can be either stepped by the kernel (the default 'system' mode), stepped by chronyd ('step' mode), slowly adjusted by slewing ('slew' mode), or the leap second can be ignored and corrected later in normal operation ('ignore' mode). 
If you select slewing, the correction will always start at 00:00:00 UTC and will be applied at a rate specified in the 'maxslewrate' option.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-12-22T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : chrony on SL7.x x86_64 (20151119)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:chrony", "p-cpe:/a:fermilab:scientific_linux:chrony-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20151119_CHRONY_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/87551", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87551);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n\n script_name(english:\"Scientific Linux Security Update : chrony on SL7.x x86_64 (20151119)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An out-of-bounds write flaw was found in the way chrony stored certain\naddresses when configuring NTP or cmdmon access. 
An attacker that has\nthe command key and is allowed to access cmdmon (only localhost is\nallowed by default) could use this flaw to crash chronyd or, possibly,\nexecute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to\nsave unacknowledged replies to authenticated command requests. An\nattacker that has the command key and is allowed to access cmdmon\n(only localhost is allowed by default) could use this flaw to crash\nchronyd or, possibly, execute arbitrary code with the privileges of\nthe chronyd process. (CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were\npeering with each other authenticated themselves before updating their\ninternal state variables. An attacker could send packets to one peer\nhost, which could cascade to other peers, and stop the synchronization\nprocess among the reached peers. (CVE-2015-1853)\n\nThe chrony packages have been upgraded to upstream version 2.1.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. Notable enhancements include :\n\n - Updated to NTP version 4 (RFC 5905)\n\n - Added pool directive to specify pool of NTP servers\n\n - Added leapsecmode directive to select how to correct\n clock for leap second\n\n - Added smoothtime directive to smooth served time and\n enable leap smear\n\n - Added asynchronous name resolving with POSIX threads\n\n - Ready for year 2036 (next NTP era)\n\n - Improved clock control\n\n - Networking code reworked to open separate client sockets\n for each NTP server\n\nThis update also fixes the following bug :\n\n - The chronyd service previously assumed that network\n interfaces specified with the 'bindaddress' directive\n were ready when the service was started. This could\n cause chronyd to fail to bind an NTP server socket to\n the interface if the interface was not ready. 
With this\n update, chronyd uses the IP_FREEBIND socket option,\n enabling it to bind to an interface later, not only when\n the service starts.\n\nIn addition, this update adds the following enhancement :\n\n - The chronyd service now supports four modes of handling\n leap seconds, configured using the 'leapsecmode' option.\n The clock can be either stepped by the kernel (the\n default 'system' mode), stepped by chronyd ('step'\n mode), slowly adjusted by slewing ('slew' mode), or the\n leap second can be ignored and corrected later in normal\n operation ('ignore' mode). If you select slewing, the\n correction will always start at 00:00:00 UTC and will be\n applied at a rate specified in the 'maxslewrate' option.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1512&L=scientific-linux-errata&F=&S=&P=5577\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b06cf0eb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chrony and / or chrony-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:chrony-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This 
script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"chrony-2.1.1-1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"chrony-debuginfo-2.1.1-1.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony / chrony-debuginfo\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:45:29", 
"description": "The remote host is affected by the vulnerability described in GLSA-201507-01 (chrony: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in chrony. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker can cause arbitrary remote code execution or Denial of service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-07-06T00:00:00", "type": "nessus", "title": "GLSA-201507-01 : chrony: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:chrony", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201507-01.NASL", "href": "https://www.tenable.com/plugins/nessus/84531", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201507-01.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84531);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_bugtraq_id(73948, 73955, 73956);\n script_xref(name:\"GLSA\", value:\"201507-01\");\n\n script_name(english:\"GLSA-201507-01 : chrony: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201507-01\n(chrony: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in chrony. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker can cause arbitrary remote code execution or Denial of\n service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201507-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All chrony users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/chrony-1.31.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/chrony\", unaffected:make_list(\"ge 1.31.1\"), vulnerable:make_list(\"lt 1.31.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:44:02", "description": "From Red Hat Security Advisory 2015:2241 :\n\nUpdated chrony packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat 
Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input.\nIt can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichvar of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. 
Notable enhancements include :\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap second\n\n* Added smoothtime directive to smooth served time and enable leap smear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each NTP server\n\n(BZ#1117882)\n\nThis update also fixes the following bug :\n\n* The chronyd service previously assumed that network interfaces specified with the 'bindaddress' directive were ready when the service was started. This could cause chronyd to fail to bind an NTP server socket to the interface if the interface was not ready. With this update, chronyd uses the IP_FREEBIND socket option, enabling it to bind to an interface later, not only when the service starts.\n(BZ#1169353)\n\nIn addition, this update adds the following enhancement :\n\n* The chronyd service now supports four modes of handling leap seconds, configured using the 'leapsecmode' option. The clock can be either stepped by the kernel (the default 'system' mode), stepped by chronyd ('step' mode), slowly adjusted by slewing ('slew' mode), or the leap second can be ignored and corrected later in normal operation ('ignore' mode). If you select slewing, the correction will always start at 00:00:00 UTC and will be applied at a rate specified in the 'maxslewrate' option. 
(BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-11-24T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : chrony (ELSA-2015-2241)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:chrony", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2015-2241.NASL", "href": "https://www.tenable.com/plugins/nessus/87032", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:2241 and \n# Oracle Linux Security Advisory ELSA-2015-2241 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87032);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_xref(name:\"RHSA\", value:\"2015:2241\");\n\n script_name(english:\"Oracle Linux 7 : chrony (ELSA-2015-2241)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:2241 :\n\nUpdated chrony packages that fix three security issues, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe chrony suite, chronyd and chronyc, is an advanced implementation\nof the Network Time Protocol (NTP), specially designed to support\nsystems with intermittent connections. It can synchronize the system\nclock with NTP servers, hardware reference clocks, and manual input.\nIt can also operate as an NTPv4 (RFC 5905) server or peer to provide a\ntime service to other computers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain\naddresses when configuring NTP or cmdmon access. An attacker that has\nthe command key and is allowed to access cmdmon (only localhost is\nallowed by default) could use this flaw to crash chronyd or, possibly,\nexecute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to\nsave unacknowledged replies to authenticated command requests. An\nattacker that has the command key and is allowed to access cmdmon\n(only localhost is allowed by default) could use this flaw to crash\nchronyd or, possibly, execute arbitrary code with the privileges of\nthe chronyd process. (CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were\npeering with each other authenticated themselves before updating their\ninternal state variables. An attacker could send packets to one peer\nhost, which could cascade to other peers, and stop the synchronization\nprocess among the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichvar of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. 
Notable enhancements include :\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap\nsecond\n\n* Added smoothtime directive to smooth served time and enable leap\nsmear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each\nNTP server\n\n(BZ#1117882)\n\nThis update also fixes the following bug :\n\n* The chronyd service previously assumed that network interfaces\nspecified with the 'bindaddress' directive were ready when the service\nwas started. This could cause chronyd to fail to bind an NTP server\nsocket to the interface if the interface was not ready. With this\nupdate, chronyd uses the IP_FREEBIND socket option, enabling it to\nbind to an interface later, not only when the service starts.\n(BZ#1169353)\n\nIn addition, this update adds the following enhancement :\n\n* The chronyd service now supports four modes of handling leap\nseconds, configured using the 'leapsecmode' option. The clock can be\neither stepped by the kernel (the default 'system' mode), stepped by\nchronyd ('step' mode), slowly adjusted by slewing ('slew' mode), or\nthe leap second can be ignored and corrected later in normal operation\n('ignore' mode). If you select slewing, the correction will always\nstart at 00:00:00 UTC and will be applied at a rate specified in the\n'maxslewrate' option. 
(BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-November/005566.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chrony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"chrony-2.1.1-1.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:46:08", "description": "Miroslav Lichvar of Red Hat discovered multiple vulnerabilities 
in chrony, an alternative NTP client and server :\n\n - CVE-2015-1821 Using particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code.\n\n - CVE-2015-1822 When allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code.\n\n - CVE-2015-1853 When peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-04-14T00:00:00", "type": "nessus", "title": "Debian DSA-3222-1 : chrony - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chrony", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3222.NASL", "href": "https://www.tenable.com/plugins/nessus/82744", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3222. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82744);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_bugtraq_id(73948, 73955, 73956);\n script_xref(name:\"DSA\", value:\"3222\");\n\n script_name(english:\"Debian DSA-3222-1 : chrony - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Miroslav Lichvar of Red Hat discovered multiple vulnerabilities in\nchrony, an alternative NTP client and server :\n\n - CVE-2015-1821\n Using particular address/subnet pairs when configuring\n access control would cause an invalid memory write. This\n could allow attackers to cause a denial of service\n (crash) or execute arbitrary code.\n\n - CVE-2015-1822\n When allocating memory to save unacknowledged replies to\n authenticated command requests, a pointer would be left\n uninitialized, which could trigger an invalid memory\n write. This could allow attackers to cause a denial of\n service (crash) or execute arbitrary code.\n\n - CVE-2015-1853\n When peering with other NTP hosts using authenticated\n symmetric association, the internal state variables\n would be updated before the MAC of the NTP messages was\n validated. 
This could allow a remote attacker to cause a\n denial of service by impeding synchronization between\n NTP peers.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-1821\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-1822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-1853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/chrony\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3222\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the chrony packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 1.24-3.1+deb7u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2015/04/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"chrony\", reference:\"1.24-3.1+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-10-16T01:39:41", "description": "As reported upstream :\n\nWhen NTP or cmdmon access was configured (from chrony.conf or via authenticated cmdmon) with a subnet size that is indivisible by 4 and an address that has nonzero bits in the 4-bit subnet remainder (e.g.\n192.168.15.0/22 or f000::/3), the new setting was written to an incorrect location, possibly outside the allocated array. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process. 
(CVE-2015-1821)\n\nWhen allocating memory to save unacknowledged replies to authenticated command requests, the last 'next' pointer was not initialized to NULL.\nWhen all allocated reply slots were used, the next reply could be written to invalid memory instead of allocating a new slot for it.\nAn attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822)\n\nAn attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet with random timestamps to host A with the source address of B, which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with an originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. Authentication using a symmetric key can fully protect against this attack, but in implementations following the NTPv3 (RFC 1305) or NTPv4 (RFC 5905) specification the state variables were updated even when the authentication check failed, so the association was not protected. 
(CVE-2015-1853)", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-06-04T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : chrony (ALAS-2015-539)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2019-12-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:chrony", "p-cpe:/a:amazon:linux:chrony-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2015-539.NASL", "href": "https://www.tenable.com/plugins/nessus/83978", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-539.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83978);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2019/12/18\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_xref(name:\"ALAS\", value:\"2015-539\");\n\n script_name(english:\"Amazon Linux AMI : chrony (ALAS-2015-539)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"As reported upstream :\n\nWhen NTP or cmdmon access was configured (from chrony.conf or via\nauthenticated cmdmon) with a subnet size that is indivisible by 4 and\nan address that has nonzero bits in the 4-bit subnet remainder (e.g.\n192.168.15.0/22 or f000::/3), the new setting was written to an\nincorrect location, possibly outside the allocated array. An attacker\nthat has the command key and is allowed to access cmdmon (only\nlocalhost is allowed by default) could exploit this to crash chronyd\nor possibly execute arbitrary code with the privileges of the chronyd\nprocess. 
(CVE-2015-1821)\n\nWhen allocating memory to save unacknowledged replies to authenticated\ncommand requests, the last 'next' pointer was not initialized to NULL.\nWhen all allocated reply slots were used, the next reply could be\nwritten to an invalid memory instead of allocating a new slot for it.\nAn attacker that has the command key and is allowed to access cmdmon\n(only localhost is allowed by default) could exploit this to crash\nchronyd or possibly execute arbitrary code with the privileges of the\nchronyd process. (CVE-2015-1822)\n\nAn attacker knowing that NTP hosts A and B are peering with each other\n(symmetric association) can send a packet with random timestamps to\nhost A with source address of B which will set the NTP state variables\non A to the values sent by the attacker. Host A will then send on its\nnext poll to B a packet with originate timestamp that doesn't match\nthe transmit timestamp of B and the packet will be dropped. If the\nattacker does this periodically for both hosts, they won't be able to\nsynchronize to each other. Authentication using a symmetric key can\nfully protect against this attack, but in implementations following\nthe NTPv3 (RFC 1305) or NTPv4 (RFC 5905) specification the state\nvariables were updated even when the authentication check failed and\nthe association was not protected. 
(CVE-2015-1853)\"\n );\n # http://chrony.tuxfamily.org/News.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://chrony.tuxfamily.org/News.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-539.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update chrony' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:chrony-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"chrony-1.31.1-1.13.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"chrony-debuginfo-1.31.1-1.13.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony / chrony-debuginfo\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:46:18", "description": "Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-04-23T00:00:00", "type": "nessus", "title": "Fedora 21 : chrony-1.31.1-1.fc21 (2015-5816)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chrony", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2015-5816.NASL", "href": "https://www.tenable.com/plugins/nessus/83009", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-5816.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83009);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_bugtraq_id(73948, 73955, 73956);\n script_xref(name:\"FEDORA\", value:\"2015-5816\");\n\n script_name(english:\"Fedora 21 : chrony-1.31.1-1.fc21 (2015-5816)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1209572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1209631\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1209632\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155850.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6c109bf7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chrony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif 
(!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"chrony-1.31.1-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:46:18", "description": "Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-04-23T00:00:00", "type": "nessus", "title": "Fedora 22 : chrony-2.0-0.3.pre2.fc22 (2015-5748)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chrony", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-5748.NASL", "href": "https://www.tenable.com/plugins/nessus/83007", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-5748.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83007);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_xref(name:\"FEDORA\", value:\"2015-5748\");\n\n script_name(english:\"Fedora 22 : chrony-2.0-0.3.pre2.fc22 (2015-5748)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1209572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1209631\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1209632\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155777.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6b5f9986\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chrony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: 
\"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"chrony-2.0-0.3.pre2.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:43:56", "description": "Updated chrony packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input.\nIt can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. 
An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were peering with each other updated their internal state variables before the authentication of received packets was checked. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichvar of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include :\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap second\n\n* Added smoothtime directive to smooth served time and enable leap smear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each NTP server\n\n(BZ#1117882)\n\nThis update also fixes the following bug :\n\n* The chronyd service previously assumed that network interfaces specified with the 'bindaddress' directive were ready when the service was started. This could cause chronyd to fail to bind an NTP server socket to the interface if the interface was not ready. 
With this update, chronyd uses the IP_FREEBIND socket option, enabling it to bind to an interface later, not only when the service starts.\n(BZ#1169353)\n\nIn addition, this update adds the following enhancement :\n\n* The chronyd service now supports four modes of handling leap seconds, configured using the 'leapsecmode' option. The clock can be either stepped by the kernel (the default 'system' mode), stepped by chronyd ('step' mode), slowly adjusted by slewing ('slew' mode), or the leap second can be ignored and corrected later in normal operation ('ignore' mode). If you select slewing, the correction will always start at 00:00:00 UTC and will be applied at a rate specified in the 'maxslewrate' option. (BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-11-20T00:00:00", "type": "nessus", "title": "RHEL 7 : chrony (RHSA-2015:2241)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2019-12-18T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:chrony", "p-cpe:/a:redhat:enterprise_linux:chrony-debuginfo", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2015-2241.NASL", "href": "https://www.tenable.com/plugins/nessus/86978", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2241. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86978);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2019/12/18\");\n\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_xref(name:\"RHSA\", value:\"2015:2241\");\n\n script_name(english:\"RHEL 7 : chrony (RHSA-2015:2241)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated chrony packages that fix three security issues, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe chrony suite, chronyd and chronyc, is an advanced implementation\nof the Network Time Protocol (NTP), specially designed to support\nsystems with intermittent connections. It can synchronize the system\nclock with NTP servers, hardware reference clocks, and manual input.\nIt can also operate as an NTPv4 (RFC 5905) server or peer to provide a\ntime service to other computers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain\naddresses when configuring NTP or cmdmon access. An attacker that has\nthe command key and is allowed to access cmdmon (only localhost is\nallowed by default) could use this flaw to crash chronyd or, possibly,\nexecute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to\nsave unacknowledged replies to authenticated command requests. 
An\nattacker that has the command key and is allowed to access cmdmon\n(only localhost is allowed by default) could use this flaw to crash\nchronyd or, possibly, execute arbitrary code with the privileges of\nthe chronyd process. (CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were\npeering with each other authenticated themselves before updating their\ninternal state variables. An attacker could send packets to one peer\nhost, which could cascade to other peers, and stop the synchronization\nprocess among the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichvar of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. Notable enhancements include :\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap\nsecond\n\n* Added smoothtime directive to smooth served time and enable leap\nsmear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each\nNTP server\n\n(BZ#1117882)\n\nThis update also fixes the following bug :\n\n* The chronyd service previously assumed that network interfaces\nspecified with the 'bindaddress' directive were ready when the service\nwas started. This could cause chronyd to fail to bind an NTP server\nsocket to the interface if the interface was not ready. With this\nupdate, chronyd uses the IP_FREEBIND socket option, enabling it to\nbind to an interface later, not only when the service starts.\n(BZ#1169353)\n\nIn addition, this update adds the following enhancement :\n\n* The chronyd service now supports four modes of handling leap\nseconds, configured using the 'leapsecmode' option. 
The clock can be\neither stepped by the kernel (the default 'system' mode), stepped by\nchronyd ('step' mode), slowly adjusted by slewing ('slew' mode), or\nthe leap second can be ignored and corrected later in normal operation\n('ignore' mode). If you select slewing, the correction will always\nstart at 00:00:00 UTC and will be applied at a rate specified in the\n'maxslewrate' option. (BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:2241\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1821\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1853\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chrony and / or chrony-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chrony-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:2241\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"chrony-2.1.1-1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"chrony-2.1.1-1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"chrony-debuginfo-2.1.1-1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"chrony-debuginfo-2.1.1-1.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chrony / chrony-debuginfo\");\n }\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-02-01T00:00:00", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has chrony packages installed that are affected by multiple vulnerabilities:\n\n - Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a 
denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit. (CVE-2012-4502)\n\n - cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply.\n (CVE-2012-4503)\n\n - Chrony before 1.29.1 has traffic amplification in cmdmon protocol (CVE-2014-0021)\n\n - Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.\n (CVE-2015-1821)\n\n - chrony before 1.31.1 does not initialize the last next pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests. (CVE-2015-1822)\n\n - chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets. 
(CVE-2015-1853)\n\n - chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a skeleton key. (CVE-2016-1567)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : chrony Multiple Vulnerabilities (NS-SA-2021-0127)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4502", "CVE-2012-4503", "CVE-2014-0021", "CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853", "CVE-2016-1567"], "modified": "2021-10-27T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_main:chrony", "p-cpe:/a:zte:cgsl_main:chrony-debuginfo", "p-cpe:/a:zte:cgsl_main:chrony-debugsource", "cpe:/o:zte:cgsl_main:6"], "id": "NEWSTART_CGSL_NS-SA-2021-0127_CHRONY.NASL", "href": "https://www.tenable.com/plugins/nessus/154559", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0127. 
The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154559);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/27\");\n\n script_cve_id(\n \"CVE-2012-4502\",\n \"CVE-2012-4503\",\n \"CVE-2014-0021\",\n \"CVE-2015-1821\",\n \"CVE-2015-1822\",\n \"CVE-2015-1853\",\n \"CVE-2016-1567\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : chrony Multiple Vulnerabilities (NS-SA-2021-0127)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has chrony packages installed that are affected by multiple\nvulnerabilities:\n\n - Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial\n of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to\n the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5)\n RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which\n triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require\n authentication to exploit. 
(CVE-2012-4502)\n\n - cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from\n stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the\n handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses\n function when client logging is disabled, which causes uninitialized data to be included in a reply.\n (CVE-2012-4503)\n\n - Chrony before 1.29.1 has traffic amplification in cmdmon protocol (CVE-2014-0021)\n\n - Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of\n service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access\n with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.\n (CVE-2015-1821)\n\n - chrony before 1.31.1 does not initialize the last next pointer when saving unacknowledged replies to\n command requests, which allows remote authenticated users to cause a denial of service (uninitialized\n pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command\n requests. (CVE-2015-1822)\n\n - chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP\n associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service\n (inability to synchronize) via random timestamps in crafted NTP data packets. (CVE-2015-1853)\n\n - chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when\n authenticating packets, which might allow remote attackers to conduct impersonation attacks via an\n arbitrary trusted key, aka a skeleton key. 
(CVE-2016-1567)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0127\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2012-4502\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2012-4503\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2014-0021\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2015-1821\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2015-1822\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2015-1853\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2016-1567\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL chrony packages. Note that updated packages may not be available yet. 
Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1567\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/08/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:chrony\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:chrony-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:chrony-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:6\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL MAIN 6.02': [\n 'chrony-3.5-1.el8.cgslv6_2.0.1.g6211dc8',\n 'chrony-debuginfo-3.5-1.el8.cgslv6_2.0.1.g6211dc8',\n 'chrony-debugsource-3.5-1.el8.cgslv6_2.0.1.g6211dc8'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chrony');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:36:09", "description": "The remote host is missing an update for the 'chrony' package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2015-07-07T00:00:00", "type": "openvas", "title": "Fedora Update for chrony FEDORA-2015-5748", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": 
"2019-03-15T00:00:00", "id": "OPENVAS:1361412562310869720", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869720", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for chrony FEDORA-2015-5748\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869720\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-07 06:39:45 +0200 (Tue, 07 Jul 2015)\");\n script_cve_id(\"CVE-2015-1853\", \"CVE-2015-1821\", \"CVE-2015-1822\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for chrony FEDORA-2015-5748\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chrony'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"chrony on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-5748\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155777.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"chrony\", rpm:\"chrony~2.0~0.3.pre2.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T22:58:35", "description": "The remote host is missing an update announced via the referenced Security Advisory.", "cvss3": {}, "published": "2015-09-08T00:00:00", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2015-539)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562310120202", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120202", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can 
redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120202\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:20:01 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2015-539)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in Chrony. 
Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update chrony to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-539.html\");\n script_cve_id(\"CVE-2015-1822\", \"CVE-2015-1853\", \"CVE-2015-1821\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"chrony-debuginfo\", rpm:\"chrony-debuginfo~1.31.1~1.13.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chrony\", rpm:\"chrony~1.31.1~1.13.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:52:32", "description": "Miroslav Lichvar of Red Hat discovered\nmultiple vulnerabilities in chrony, an alternative NTP client and server:\n\nCVE-2015-1821 \nUsing particular address/subnet pairs when configuring access control\nwould cause an invalid memory write. 
This could allow attackers to\ncause a denial of service (crash) or execute arbitrary code.\n\nCVE-2015-1822 \nWhen allocating memory to save unacknowledged replies to authenticated\ncommand requests, a pointer would be left uninitialized, which could\ntrigger an invalid memory write. This could allow attackers to cause a\ndenial of service (crash) or execute arbitrary code.\n\nCVE-2015-1853 \nWhen peering with other NTP hosts using authenticated symmetric\nassociation, the internal state variables would be updated before the\nMAC of the NTP messages was validated. This could allow a remote\nattacker to cause a denial of service by impeding synchronization\nbetween NTP peers.", "cvss3": {}, "published": "2015-04-12T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3222-1 (chrony - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703222", "href": "http://plugins.openvas.org/nasl.php?oid=703222", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3222.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3222-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703222);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_name(\"Debian Security Advisory DSA 3222-1 (chrony - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-04-12 00:00:00 +0200 (Sun, 12 Apr 2015)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3222.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"chrony on Debian Linux\");\n script_tag(name: \"insight\", value: \"It consists of a pair of programs :\n`chronyd'. This is a daemon which runs in background on the system. It\nobtains measurements (e.g. via the network) of the system's offset\nrelative to other systems, and adjusts the system time accordingly. For\nisolated systems, the user can periodically enter the correct time by hand\n(using `chronyc'). In either case, `chronyd' determines the rate at which\nthe computer gains or loses time, and compensates for this. 
Chronyd\nimplements the NTP protocol and can act as either a client or a server.\n`chronyc'. This is a command-line driven control and monitoring program.\nAn administrator can use this to fine-tune various parameters within the\ndaemon, add or delete servers etc whilst the daemon is running.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthese problems have been fixed in version 1.24-3.1+deb7u3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.30-2.\n\nWe recommend that you upgrade your chrony packages.\");\n script_tag(name: \"summary\", value: \"Miroslav Lichvar of Red Hat discovered\nmultiple vulnerabilities in chrony, an alternative NTP client and server:\n\nCVE-2015-1821 \nUsing particular address/subnet pairs when configuring access control\nwould cause an invalid memory write. This could allow attackers to\ncause a denial of service (crash) or execute arbitrary code.\n\nCVE-2015-1822 \nWhen allocating memory to save unacknowledged replies to authenticated\ncommand requests, a pointer would be left uninitialized, which could\ntrigger an invalid memory write. This could allow attackers to cause a\ndenial of service (crash) or execute arbitrary code.\n\nCVE-2015-1853 \nWhen peering with other NTP hosts using authenticated symmetric\nassociation, the internal state variables would be updated before the\nMAC of the NTP messages was validated. 
This could allow a remote\nattacker to cause a denial of service by impeding synchronization\nbetween NTP peers.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed\nsoftware version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"chrony\", ver:\"1.24-3.1+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-12-20T19:56:23", "description": "Miroslav Lichvar of Red Hat discovered\nmultiple vulnerabilities in chrony, an alternative NTP client and server:\n\nCVE-2015-1821\nUsing particular address/subnet pairs when configuring access control\nwould cause an invalid memory write. This could allow attackers to\ncause a denial of service (crash) or execute arbitrary code.\n\nCVE-2015-1822\nWhen allocating memory to save unacknowledged replies to authenticated\ncommand requests, a pointer would be left uninitialized, which could\ntrigger an invalid memory write. This could allow attackers to cause a\ndenial of service (crash) or execute arbitrary code.\n\nCVE-2015-1853\nWhen peering with other NTP hosts using authenticated symmetric\nassociation, the internal state variables would be updated before the\nMAC of the NTP messages was validated. 
This could allow a remote\nattacker to cause a denial of service by impeding synchronization\nbetween NTP peers.", "cvss3": {}, "published": "2015-04-12T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3222-1 (chrony - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310703222", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703222", "sourceData": "# OpenVAS Vulnerability Test\n# Auto-generated from advisory DSA 3222-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703222\");\n script_version(\"2019-12-20T08:10:23+0000\");\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_name(\"Debian Security Advisory DSA 3222-1 (chrony - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 08:10:23 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-04-12 00:00:00 +0200 (Sun, 12 Apr 2015)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3222.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"chrony on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy),\nthese problems have been fixed in version 1.24-3.1+deb7u3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.30-2.\n\nWe recommend that you upgrade your chrony packages.\");\n script_tag(name:\"summary\", value:\"Miroslav Lichvar of Red Hat discovered\nmultiple vulnerabilities in chrony, an alternative NTP client and server:\n\nCVE-2015-1821\nUsing particular address/subnet pairs when configuring access 
control\nwould cause an invalid memory write. This could allow attackers to\ncause a denial of service (crash) or execute arbitrary code.\n\nCVE-2015-1822\nWhen allocating memory to save unacknowledged replies to authenticated\ncommand requests, a pointer would be left uninitialized, which could\ntrigger an invalid memory write. This could allow attackers to cause a\ndenial of service (crash) or execute arbitrary code.\n\nCVE-2015-1853\nWhen peering with other NTP hosts using authenticated symmetric\nassociation, the internal state variables would be updated before the\nMAC of the NTP messages was validated. This could allow a remote\nattacker to cause a denial of service by impeding synchronization\nbetween NTP peers.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed\nsoftware version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"chrony\", ver:\"1.24-3.1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:58", "description": "Oracle Linux Local Security Checks ELSA-2015-2241", "cvss3": {}, "published": "2015-11-24T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-2241", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310122737", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122737", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-2241.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen 
<eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122737\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-11-24 10:17:15 +0200 (Tue, 24 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-2241\");\n script_tag(name:\"insight\", value:\"ELSA-2015-2241 - chrony security, bug fix, and enhancement update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-2241\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-2241.html\");\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"chrony\", rpm:\"chrony~2.1.1~1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:24", "description": "Gentoo Linux Local Security Checks GLSA 201507-01", "cvss3": {}, "published": "2015-09-29T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201507-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310121382", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121382", "sourceData": "###############################################################################\n# OpenVAS Vulnerability 
Test\n# $Id: glsa-201507-01.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121382\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:52 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201507-01\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in chrony. 
Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201507-01\");\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201507-01\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"net-misc/chrony\", unaffected: make_list(\"ge 1.31.1\"), vulnerable: make_list(\"lt 1.31.1\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:07", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-11-20T00:00:00", "type": "openvas", "title": "RedHat Update for chrony RHSA-2015:2241-03", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871505", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871505", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for chrony RHSA-2015:2241-03\n#\n# 
Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871505\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-20 06:27:02 +0100 (Fri, 20 Nov 2015)\");\n script_cve_id(\"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2015-1853\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for chrony RHSA-2015:2241-03\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chrony'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The chrony suite, chronyd and chronyc, is\nan advanced implementation of the Network Time Protocol (NTP), specially designed\nto support systems with intermittent connections. 
It can synchronize the system\nclock with NTP servers, hardware reference clocks, and manual input. It can also\noperate as an NTPv4 (RFC 5905) server or peer to provide a time service to other\ncomputers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain\naddresses when configuring NTP or cmdmon access. An attacker that has the\ncommand key and is allowed to access cmdmon (only localhost is allowed by\ndefault) could use this flaw to crash chronyd or, possibly, execute\narbitrary code with the privileges of the chronyd process. (CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to save\nunacknowledged replies to authenticated command requests. An attacker that\nhas the command key and is allowed to access cmdmon (only localhost is\nallowed by default) could use this flaw to crash chronyd or, possibly,\nexecute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were\npeering with each other authenticated themselves before updating their\ninternal state variables. An attacker could send packets to one peer host,\nwhich could cascade to other peers, and stop the synchronization process\namong the reached peers. 
(CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichvar of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1, which\nprovides a number of bug fixes and enhancements over the previous version.\nNotable enhancements include:\n\n * Updated to NTP version 4 (RFC 5905)\n\n * Added pool directive to specify pool of NTP servers\n\n * Added leapsecmode directive to select how to correct clock for leap\nsecond\n\n * Added smoothtime directive to smooth served time and enable leap smear\n\n * Added asynchronous name resolving with POSIX threads\n\n * Ready for year 2036 (next NTP era)\n\n * Improved clock control\n\n * Networking code reworked to open separate client sockets for each NTP\nserver\n\n(BZ#1117882)\n\nThis update also fixes the following bug:\n\n * The chronyd service previously assumed that network interfaces specified\nwith the 'bindaddress' directive were ready when the service was started.\nThis could cause chronyd to fail to bind an NTP server socket to the\ninterface if the interface was not ready. With this update, chronyd uses\nthe IP_FREEBIND socket option, enabling it to bind to an interface later,\nnot only when the service starts. (BZ#11693 ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"chrony on Red Hat Enterprise Linux Server (v. 
7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:2241-03\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-November/msg00035.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"chrony\", rpm:\"chrony~2.1.1~1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chrony-debuginfo\", rpm:\"chrony-debuginfo~2.1.1~1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:06", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-04-23T00:00:00", "type": "openvas", "title": "Fedora Update for chrony FEDORA-2015-5816", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310869289", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869289", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for chrony FEDORA-2015-5816\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869289\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-23 07:33:03 +0200 (Thu, 23 Apr 2015)\");\n script_cve_id(\"CVE-2015-1853\", \"CVE-2015-1821\", \"CVE-2015-1822\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for chrony FEDORA-2015-5816\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chrony'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"chrony on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-5816\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155850.html\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"chrony\", rpm:\"chrony~1.31.1~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:11", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-04-25T00:00:00", "type": "openvas", "title": "Fedora Update for chrony FEDORA-2015-5809", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0021", "CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310869293", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869293", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for chrony FEDORA-2015-5809\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869293\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-25 05:56:47 +0200 (Sat, 25 Apr 2015)\");\n script_cve_id(\"CVE-2015-1853\", \"CVE-2015-1821\", \"CVE-2015-1822\", \"CVE-2014-0021\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for chrony FEDORA-2015-5809\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chrony'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"chrony on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-5809\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155949.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"chrony\", rpm:\"chrony~1.31.1~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3222-1 security@debian.org\r\nhttp://www.debian.org/security/ Alessandro Ghedini\r\nApril 12, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : chrony\r\nCVE ID : CVE-2015-1821 CVE-2015-1822 CVE-2015-1853\r\nDebian Bug : 782160\r\n\r\nMiroslav Lichvar of Red Hat discovered multiple vulnerabilities in chrony,\r\nan alternative NTP client and server:\r\n\r\nCVE-2015-1821\r\n\r\n Using particular address/subnet pairs when configuring access control\r\n would cause an invalid memory write. This could allow attackers to\r\n cause a denial of service (crash) or execute arbitrary code.\r\n\r\nCVE-2015-1822\r\n\r\n When allocating memory to save unacknowledged replies to authenticated\r\n command requests, a pointer would be left uninitialized, which could\r\n trigger an invalid memory write. This could allow attackers to cause a\r\n denial of service (crash) or execute arbitrary code.\r\n\r\nCVE-2015-1853\r\n\r\n When peering with other NTP hosts using authenticated symmetric\r\n association, the internal state variables would be updated before the\r\n MAC of the NTP messages was validated. 
This could allow a remote\r\n attacker to cause a denial of service by impeding synchronization\r\n between NTP peers.\r\n\r\nFor the stable distribution (wheezy), these problems have been fixed in\r\nversion 1.24-3.1+deb7u3.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 1.30-2.\r\n\r\nWe recommend that you upgrade your chrony packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBCgAGBQJVKpCYAAoJEK+lG9bN5XPL3AYQAIP4kxodemn5SPmEoLAvQVQ3\r\nJVMMUWGrPBjQshd93Xo8xXAkY7WLaSI4hVP0cAG79yykY2dCmpJQLFvTf8l0bH5a\r\nH0mBG0vfNr4SdxJmX57QWVNJ96iQH5JJUZDcZmmF63A6Q2KNiydzTxTpnDOplaIZ\r\nUDT3JA1kPIWarqbz4StvHe6x3BuOJNeFWDiCyxaT1ktpVoRFXIYF37Qy0Npo7Uo8\r\npeWpqA+hlbbvJsG4yjzsmod3mupx9AGSRCwS7KfHNqsabemY44wQBEJZbLc3nt6A\r\nVknZ0qKaOMEqCvQYFLllkVp+LIfblg9lBtYcAos9TYqe0+nMJKeO2y1C4wOb9S5M\r\nfxv9I1rNjvTfH+qXOEiPKbjBFQYWwHTnOMYcqeU8DWYjFAWg95T2EaFmAFTDiJOM\r\n9VAs/ewFaIZMG76+oxAegm19N6Ly6iCB0vjERRCITGwkUCgqsWd7oBMdVwUMpiW4\r\n59aZJfjBytTfs53Rj8qwvZbLv7oI5jluMW73S8iebz/Gq0YywpzJErqn0ssaqKqe\r\n610B6ti4r00HGBfvFS+QzjavkjCwOs0c6XnzqPwDXKwG0v1flZL/kAIPFHHP/Z31\r\n5RYtPs2xO15/uRdSX/PZqAQzUxBBt52DALzzGPkVMrIpPmAYk6AMRLn/J36xzm9+\r\nAu3cXBsQY6Sbc9M1Cs6A\r\n=NyVY\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2015-04-17T00:00:00", "title": "[SECURITY] [DSA 3222-1] chrony security update", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-04-17T00:00:00", "id": "SECURITYVULNS:DOC:31928", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31928", "cvss": {"score": 6.5, "vector": 
"AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:00", "description": "Memory corruption, uninitialized pointer dereference, DoS.", "edition": 1, "cvss3": {}, "published": "2015-04-17T00:00:00", "title": "chrony multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-04-17T00:00:00", "id": "SECURITYVULNS:VULN:14400", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14400", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2021-10-21T04:43:13", "description": "The chrony suite, chronyd and chronyc, is an advanced implementation of the\nNetwork Time Protocol (NTP), specially designed to support systems with\nintermittent connections. It can synchronize the system clock with NTP\nservers, hardware reference clocks, and manual input. It can also operate\nas an NTPv4 (RFC 5905) server or peer to provide a time service to other\ncomputers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain\naddresses when configuring NTP or cmdmon access. An attacker that has the\ncommand key and is allowed to access cmdmon (only localhost is allowed by\ndefault) could use this flaw to crash chronyd or, possibly, execute\narbitrary code with the privileges of the chronyd process. (CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to save\nunacknowledged replies to authenticated command requests. 
An attacker that\nhas the command key and is allowed to access cmdmon (only localhost is\nallowed by default) could use this flaw to crash chronyd or, possibly,\nexecute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were\npeering with each other authenticated themselves before updating their\ninternal state variables. An attacker could send packets to one peer host,\nwhich could cascade to other peers, and stop the synchronization process\namong the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichv\u00e1r of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1, which\nprovides a number of bug fixes and enhancements over the previous version.\nNotable enhancements include:\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap\nsecond\n\n* Added smoothtime directive to smooth served time and enable leap smear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each NTP\nserver\n\n(BZ#1117882)\n\nThis update also fixes the following bug:\n\n* The chronyd service previously assumed that network interfaces specified\nwith the \"bindaddress\" directive were ready when the service was started.\nThis could cause chronyd to fail to bind an NTP server socket to the\ninterface if the interface was not ready. With this update, chronyd uses\nthe IP_FREEBIND socket option, enabling it to bind to an interface later,\nnot only when the service starts. (BZ#1169353)\n\nIn addition, this update adds the following enhancement:\n\n* The chronyd service now supports four modes of handling leap seconds,\nconfigured using the \"leapsecmode\" option. 
The clock can be either stepped\nby the kernel (the default \"system\" mode), stepped by chronyd (\"step\"\nmode), slowly adjusted by slewing (\"slew\" mode), or the leap second can be\nignored and corrected later in normal operation (\"ignore\" mode). If you\nselect slewing, the correction will always start at 00:00:00 UTC and will\nbe applied at a rate specified in the \"maxslewrate\" option. (BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages, which\ncorrect these issues and add these enhancements.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-11-19T14:42:40", "type": "redhat", "title": "(RHSA-2015:2241) Moderate: chrony security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2018-04-11T23:31:38", "id": "RHSA-2015:2241", "href": "https://access.redhat.com/errata/RHSA-2015:2241", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2021-06-04T20:21:10", "description": "[2.1.1-1]\n- update to 2.1.1 (#1117882)\n- add -n option to gzip command to 
not save timestamp\n[2.1-1]\n- update to 2.1 (#1117882 #1169353 #1206504 #1209568 CVE-2015-1821\n CVE-2015-1822 CVE-2015-1853)\n- extend chrony-helper to allow using servers from DNS SRV records (#1211600)\n- add servers from DHCP with iburst option by default (#1219492)\n- execute test suite", "cvss3": {}, "published": "2015-11-23T00:00:00", "type": "oraclelinux", "title": "chrony security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-11-23T00:00:00", "id": "ELSA-2015-2241", "href": "http://linux.oracle.com/errata/ELSA-2015-2241.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nChrony News reports:\n\nCVE-2015-1853: DoS attack on authenticated symmetric NTP\n\t associations\nCVE-2015-1821: Heap-based buffer overflow in access\n\t configuration\nCVE-2015-1822: Use of uninitialized pointer in command\n\t processing\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-02-17T00:00:00", "type": "freebsd", "title": "chrony -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-02-17T00:00:00", "id": "C4571CA8-053D-44C9-AB3C-89B1372AD0A5", "href": "https://vuxml.freebsd.org/freebsd/c4571ca8-053d-44c9-ab3c-89b1372ad0a5.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2021-09-27T19:37:51", "description": "**Issue Overview:**\n\nAs reported <a href=\"http://chrony.tuxfamily.org/News.html\">upstream</a>:\n\nWhen NTP or cmdmon access was configured (from chrony.conf or via authenticated cmdmon) with a subnet size that is indivisible by 4 and an address that has nonzero bits in the 4-bit subnet remainder (e.g. 192.168.15.0/22 or f000::/3), the new setting was written to an incorrect location, possibly outside the allocated array. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821)\n\nWhen allocating memory to save unacknowledged replies to authenticated command requests, the last \"next\" pointer was not initialized to NULL. When all allocated reply slots were used, the next reply could be written to an invalid memory instead of allocating a new slot for it. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822)\n\nAn attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet with random timestamps to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. 
Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. Authentication using a symmetric key can fully protect against this attack, but in implementations following the NTPv3 (RFC 1305) or NTPv4 (RFC 5905) specification the state variables were updated even when the authentication check failed and the association was not protected. (CVE-2015-1853)\n\n \n**Affected Packages:** \n\n\nchrony\n\n \n**Issue Correction:** \nRun _yum update chrony_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 chrony-debuginfo-1.31.1-1.13.amzn1.i686 \n \u00a0\u00a0\u00a0 chrony-1.31.1-1.13.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 chrony-1.31.1-1.13.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 chrony-debuginfo-1.31.1-1.13.amzn1.x86_64 \n \u00a0\u00a0\u00a0 chrony-1.31.1-1.13.amzn1.x86_64 \n \n \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-06-02T22:25:00", "type": "amazon", "title": "Medium: chrony", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-06-02T22:42:00", "id": "ALAS-2015-539", "href": "https://alas.aws.amazon.com/ALAS-2015-539.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Updated chrony package fixes security vulnerabilities: Using particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code (CVE-2015-1821). When allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code (CVE-2015-1822). When peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers (CVE-2015-1853). 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2015-04-23T21:14:25", "type": "mageia", "title": "Updated chrony packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-04-23T21:14:25", "id": "MGASA-2015-0163", "href": "https://advisories.mageia.org/MGASA-2015-0163.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2022-01-17T19:06:59", "description": "### Background\n\nchrony is a versatile implementation of the Network Time Protocol (NTP).\n\n### Description\n\nMultiple vulnerabilities have been discovered in chrony. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker can cause arbitrary remote code execution or Denial of service condition. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll chrony users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/chrony-1.31.1\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-07-05T00:00:00", "type": "gentoo", "title": "chrony: Multiple vulnerabilities ", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-07-05T00:00:00", "id": "GLSA-201507-01", "href": "https://security.gentoo.org/glsa/201507-01", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "description": "A client/server for the Network Time Protocol, this program keeps your computer's clock accurate. It was specially designed to support systems with intermittent internet connections, but it also works well in permanently connected environments. It can use also hardware reference clocks, system real-time clock or manual input as time references. 
", "edition": 2, "cvss3": {}, "published": "2015-04-22T22:53:53", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: chrony-1.31.1-1.fc21", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-04-22T22:53:53", "id": "FEDORA:3BBAC604947C", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "description": "A client/server for the Network Time Protocol, this program keeps your computer's clock accurate. It was specially designed to support systems with intermittent internet connections, but it also works well in permanently connected environments. It can use also hardware reference clocks, system real-time clock or manual input as time references. 
", "edition": 2, "cvss3": {}, "published": "2015-04-22T22:43:07", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: chrony-2.0-0.3.pre2.fc22", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-04-22T22:43:07", "id": "FEDORA:282CF601EAA6", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "description": "A client/server for the Network Time Protocol, this program keeps your computer's clock accurate. It was specially designed to support systems with intermittent internet connections, but it also works well in permanently connected environments. It can use also hardware reference clocks, system real-time clock or manual input as time references. 
", "edition": 2, "cvss3": {}, "published": "2015-04-24T22:50:08", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: chrony-1.31.1-1.fc20", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0021", "CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-04-24T22:50:08", "id": "FEDORA:8549C6087A7A", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2022-01-29T01:04:15", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3222-1 security@debian.org\nhttp://www.debian.org/security/ Alessandro Ghedini\nApril 12, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chrony\nCVE ID : CVE-2015-1821 CVE-2015-1822 CVE-2015-1853\nDebian Bug : 782160\n\nMiroslav Lichvar of Red Hat discovered multiple vulnerabilities in chrony,\nan alternative NTP client and server:\n\nCVE-2015-1821\n\n Using particular address/subnet pairs when configuring access control\n would cause an invalid memory write. This could allow attackers to\n cause a denial of service (crash) or execute arbitrary code.\n\nCVE-2015-1822\n\n When allocating memory to save unacknowledged replies to authenticated\n command requests, a pointer would be left uninitialized, which could\n trigger an invalid memory write. 
This could allow attackers to cause a\n denial of service (crash) or execute arbitrary code.\n\nCVE-2015-1853\n\n When peering with other NTP hosts using authenticated symmetric\n association, the internal state variables would be updated before the\n MAC of the NTP messages was validated. This could allow a remote\n attacker to cause a denial of service by impeding synchronization\n between NTP peers.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.24-3.1+deb7u3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.30-2.\n\nWe recommend that you upgrade your chrony packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-04-12T15:34:48", "type": "debian", "title": "[SECURITY] [DSA 3222-1] chrony security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], 
"modified": "2015-04-12T15:34:48", "id": "DEBIAN:DSA-3222-1:D7848", "href": "https://lists.debian.org/debian-security-announce/2015/msg00110.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-10-23T22:29:51", "description": "Package : chrony\nVersion : 1.24-3+squeeze2\nCVE ID : CVE-2015-1821 CVE-2015-1822 CVE-2015-1853\nDebian Bug : 782160\n\nCVE-2015-1853:\n\n Protect authenticated symmetric NTP associations against DoS attacks.\n\n An attacker knowing that NTP hosts A and B are peering with each other\n (symmetric association) can send a packet with random timestamps to host\n A with source address of B which will set the NTP state variables on A\n to the values sent by the attacker. Host A will then send on its next\n poll to B a packet with originate timestamp that doesn't match the\n transmit timestamp of B and the packet will be dropped. If the attacker\n does this periodically for both hosts, they won't be able to synchronize\n to each other. 
It is a denial-of-service attack.\n\n According to [1], NTP authentication is supposed to protect symmetric\n associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4\n (RFC 5905) specifications the state variables are updated before the\n authentication check is performed, which means the association is\n vulnerable to the attack even when authentication is enabled.\n\n To fix this problem, save the originate and local timestamps only when\n the authentication check (test5) passed.\n\n [1] https://www.eecis.udel.edu/~mills/onwire.html\n\nCVE-2015-1821:\n\n Fix access configuration with subnet size indivisible by 4.\n\n When NTP or cmdmon access was configured (from chrony.conf or via\n authenticated cmdmon) with a subnet size that is indivisible by 4 and\n an address that has nonzero bits in the 4-bit subnet remainder (e.g.\n 192.168.15.0/22 or f000::/3), the new setting was written to an\n incorrect location, possibly outside the allocated array.\n\n An attacker that has the command key and is allowed to access cmdmon\n (only localhost is allowed by default) could exploit this to crash\n chronyd or possibly execute arbitrary code with the privileges of the\n chronyd process.\n\nCVE-2015-1822:\n\n Fix initialization of reply slots for authenticated commands.\n\n When allocating memory to save unacknowledged replies to authenticated\n command requests, the last \"next\" pointer was not initialized to NULL.\n When all allocated reply slots were used, the next reply could be\n written to invalid memory instead of allocating a new slot for it.\n\n An attacker that has the command key and is allowed to access cmdmon\n (only localhost is allowed by default) could exploit this to crash\n chronyd or possibly execute arbitrary code with the privileges of the\n chronyd process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-04-12T15:41:11", "type": "debian", "title": "[SECURITY] [DLA 193-1] chrony security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-04-12T15:41:11", "id": "DEBIAN:DLA-193-1:215A9", "href": "https://lists.debian.org/debian-lts-announce/2015/04/msg00008.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2022-02-27T16:06:33", "description": "**CentOS Errata and Security Advisory** CESA-2015:2241\n\n\nThe chrony suite, chronyd and chronyc, is an advanced implementation of the\nNetwork Time Protocol (NTP), specially designed to support systems with\nintermittent connections. It can synchronize the system clock with NTP\nservers, hardware reference clocks, and manual input. It can also operate\nas an NTPv4 (RFC 5905) server or peer to provide a time service to other\ncomputers in the network.\n\nAn out-of-bounds write flaw was found in the way chrony stored certain\naddresses when configuring NTP or cmdmon access. 
An attacker that has the\ncommand key and is allowed to access cmdmon (only localhost is allowed by\ndefault) could use this flaw to crash chronyd or, possibly, execute\narbitrary code with the privileges of the chronyd process. (CVE-2015-1821)\n\nAn uninitialized pointer use flaw was found when allocating memory to save\nunacknowledged replies to authenticated command requests. An attacker that\nhas the command key and is allowed to access cmdmon (only localhost is\nallowed by default) could use this flaw to crash chronyd or, possibly,\nexecute arbitrary code with the privileges of the chronyd process.\n(CVE-2015-1822)\n\nA denial of service flaw was found in the way chrony hosts that were\npeering with each other authenticated themselves before updating their\ninternal state variables. An attacker could send packets to one peer host,\nwhich could cascade to other peers, and stop the synchronization process\namong the reached peers. (CVE-2015-1853)\n\nThese issues were discovered by Miroslav Lichv\u00e1r of Red Hat.\n\nThe chrony packages have been upgraded to upstream version 2.1.1, which\nprovides a number of bug fixes and enhancements over the previous version.\nNotable enhancements include:\n\n* Updated to NTP version 4 (RFC 5905)\n\n* Added pool directive to specify pool of NTP servers\n\n* Added leapsecmode directive to select how to correct clock for leap\nsecond\n\n* Added smoothtime directive to smooth served time and enable leap smear\n\n* Added asynchronous name resolving with POSIX threads\n\n* Ready for year 2036 (next NTP era)\n\n* Improved clock control\n\n* Networking code reworked to open separate client sockets for each NTP\nserver\n\n(BZ#1117882)\n\nThis update also fixes the following bug:\n\n* The chronyd service previously assumed that network interfaces specified\nwith the \"bindaddress\" directive were ready when the service was started.\nThis could cause chronyd to fail to bind an NTP server socket to the\ninterface if the interface was 
not ready. With this update, chronyd uses\nthe IP_FREEBIND socket option, enabling it to bind to an interface later,\nnot only when the service starts. (BZ#1169353)\n\nIn addition, this update adds the following enhancement:\n\n* The chronyd service now supports four modes of handling leap seconds,\nconfigured using the \"leapsecmode\" option. The clock can be either stepped\nby the kernel (the default \"system\" mode), stepped by chronyd (\"step\"\nmode), slowly adjusted by slewing (\"slew\" mode), or the leap second can be\nignored and corrected later in normal operation (\"ignore\" mode). If you\nselect slewing, the correction will always start at 00:00:00 UTC and will\nbe applied at a rate specified in the \"maxslewrate\" option. (BZ#1206504)\n\nAll chrony users are advised to upgrade to these updated packages, which\ncorrect these issues and add these enhancements.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-cr-announce/2015-November/015037.html\n\n**Affected packages:**\nchrony\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2015:2241", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-11-30T19:24:37", "type": "centos", "title": "chrony security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821", "CVE-2015-1822", "CVE-2015-1853"], "modified": "2015-11-30T19:24:37", "id": "CESA-2015:2241", "href": "https://lists.centos.org/pipermail/centos-cr-announce/2015-November/015037.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:43:49", "description": "chrony before 1.31.1 does not initialize the last \"next\" pointer when\nsaving unacknowledged replies to command requests, which allows remote\nauthenticated users to cause a denial of service (uninitialized pointer\ndereference and daemon crash) or possibly execute arbitrary code via a\nlarge number of command requests.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782160>\n", "cvss3": {}, "published": "2015-04-16T00:00:00", "type": "ubuntucve", "title": "CVE-2015-1822", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1822"], "modified": "2015-04-16T00:00:00", "id": "UB:CVE-2015-1822", "href": "https://ubuntu.com/security/CVE-2015-1822", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-11-22T21:28:20", "description": "chrony before 1.31.1 does not properly protect state variables in\nauthenticated symmetric NTP associations, which allows remote attackers\nwith knowledge of NTP peering to cause a denial of service (inability to\nsynchronize) via 
random timestamps in crafted NTP data packets.\n\n#### Bugs\n\n * <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782160>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-12-09T00:00:00", "type": "ubuntucve", "title": "CVE-2015-1853", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1853"], "modified": "2019-12-09T00:00:00", "id": "UB:CVE-2015-1853", "href": "https://ubuntu.com/security/CVE-2015-1853", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2021-11-22T21:49:43", "description": "Heap-based buffer overflow in chrony before 1.31.1 allows remote\nauthenticated users to cause a denial of service (chronyd crash) or\npossibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon\naccess with a subnet size that is indivisible by four and an address with a\nnonzero bit in the subnet remainder.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782160>\n", "cvss3": {}, "published": "2015-04-16T00:00:00", "type": "ubuntucve", "title": "CVE-2015-1821", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821"], "modified": "2015-04-16T00:00:00", "id": "UB:CVE-2015-1821", "href": "https://ubuntu.com/security/CVE-2015-1821", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-03-26T15:33:03", "description": "chrony before 1.31.1 does not initialize the last \"next\" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.", "cvss3": {}, "published": "2015-04-16T14:59:00", "type": "debiancve", "title": "CVE-2015-1822", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1822"], "modified": "2015-04-16T14:59:00", "id": "DEBIANCVE:CVE-2015-1822", "href": "https://security-tracker.debian.org/tracker/CVE-2015-1822", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-03-26T15:33:03", "description": "chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP 
associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-09T19:15:00", "type": "debiancve", "title": "CVE-2015-1853", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1853"], "modified": "2019-12-09T19:15:00", "id": "DEBIANCVE:CVE-2015-1853", "href": "https://security-tracker.debian.org/tracker/CVE-2015-1853", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2022-03-26T15:33:03", "description": "Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.", "cvss3": {}, "published": "2015-04-16T14:59:00", "type": "debiancve", "title": "CVE-2015-1821", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821"], "modified": "2015-04-16T14:59:00", "id": "DEBIANCVE:CVE-2015-1821", "href": "https://security-tracker.debian.org/tracker/CVE-2015-1821", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T12:03:22", "description": "chrony before 1.31.1 does not initialize the last \"next\" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.", "cvss3": {}, "published": "2015-04-16T14:59:00", "type": "cve", "title": "CVE-2015-1822", "cwe": ["CWE-17"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1822"], "modified": "2017-07-01T01:29:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "cpe:/a:tuxfamily:chrony:1.31"], "id": "CVE-2015-1822", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1822", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:tuxfamily:chrony:1.31:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:03:55", "description": "chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-09T19:15:00", "type": "cve", "title": "CVE-2015-1853", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1853"], "modified": "2019-12-17T17:52:00", "cpe": [], "id": "CVE-2015-1853", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1853", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T12:03:20", "description": "Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a 
subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.", "cvss3": {}, "published": "2015-04-16T14:59:00", "type": "cve", "title": "CVE-2015-1821", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1821"], "modified": "2017-07-01T01:29:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "cpe:/a:tuxfamily:chrony:1.31"], "id": "CVE-2015-1821", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1821", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:tuxfamily:chrony:1.31:*:*:*:*:*:*:*"]}], "archlinux": [{"lastseen": "2016-09-02T18:44:44", "description": "CVE-2015-1853 (denial of service):\nThis issue is similar to the \"ntp CVE-2015-1799\"-issue.\nAn attacker knowing that NTP hosts A and B are peering with each other\n(symmetric association) can send a packet to host A with source address of B\nwhich will set the NTP state variables on A to the values sent by the attacker.\nHost A will then send on its next poll to B a packet with originate timestamp\nthat doesn't match the transmit timestamp of B and the packet will be dropped.\nIf the attacker does this periodically for both hosts, they won't be able to\nsynchronize to each other. 
This is a known denial-of-service attack", "edition": 2, "cvss3": {}, "published": "2015-04-08T00:00:00", "type": "archlinux", "title": "chrony: denial of service", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1799", "CVE-2015-1853"], "modified": "2015-04-08T00:00:00", "id": "ASA-201504-9", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000278.html", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}]}