CVE-2016-1567

Name: CVE-2016-1567
Description: chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-414-1, DLA-742-1
NVD severity: medium
Debian Bugs: 812923

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release          Version           Status
chrony (PTS)     stretch          3.0-4+deb9u2      fixed
                 buster           3.4-4+deb10u1     fixed
                 bullseye         4.0-8             fixed
                 bookworm, sid    4.1-3             fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version         Urgency   Origin      Debian Bugs
chrony    source   squeeze      1.24-3+squeeze3                 DLA-414-1
chrony    source   wheezy       1.24-3.1+deb7u4                 DLA-742-1
chrony    source   jessie       1.30-2+deb8u2
chrony    source   (unstable)   2.2.1-1               low                   812923

Notes

http://www.talosintel.com/reports/TALOS-2016-0071/
http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
Fix for 2.x: http://git.tuxfamily.org/chrony/chrony.git/commit/?id=a78bf9725a7b481ebff0e0c321294ba767f2c1d8
Fix for 1.x: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832