CVE-2016-1567

NameCVE-2016-1567
Descriptionchrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-414-1, DLA-742-1
Debian Bugs812923

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
chrony (PTS)buster3.4-4+deb10u2fixed
bullseye4.0-8+deb11u2fixed
bookworm4.3-2+deb12u1fixed
sid, trixie4.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
chronysourcesqueeze1.24-3+squeeze3DLA-414-1
chronysourcewheezy1.24-3.1+deb7u4DLA-742-1
chronysourcejessie1.30-2+deb8u2
chronysource(unstable)2.2.1-1low812923

Notes

http://www.talosintel.com/reports/TALOS-2016-0071/
http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
Fix for 2.x http://git.tuxfamily.org/chrony/chrony.git/commit/?id=a78bf9725a7b481ebff0e0c321294ba767f2c1d8
Fix for 1.x http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832

Search for package or bug name: Reporting problems