Debian 5.0 DSA-1992-1 Critical DoS Vulnerabilities in Chrony
debian
February 4, 2010
Several vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer
Topics Covered
Summary
Several vulnerabilities have been discovered in chrony, a pair of programs
which are used to maintain the accuracy of the system clock on a computer.
This issues are similar to the NTP security flaw CVE-2009-3563. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2010-0292
chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for
unauthorized hosts. An attacker can abuse this behaviour to force two
chronyd instances to play packet ping-pong by sending such a packet with
spoofed source address and port. This results in high CPU and network
usage and thus denial of service conditions.
CVE-2010-0293
The client logging facility of chronyd doesn't limit memory that is used
to store client information. An attacker can cause chronyd to allocate
large amounts of memory by sending NTP or cmdmon packets with spoofed
source addresses resulting in memory exhaustion.
CVE-2010-0294
chronyd lacks of a rate limit control to the syslog fa...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: chrony
CVE ID: CVE-2010-0292 CVE-2010-0293 CVE-2010-0294
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!