CVE-2016-1567

NameCVE-2016-1567
Descriptionchrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-414-1, DLA-742-1
NVD severitymedium (attack range: remote)
Debian Bugs812923

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
chrony (PTS)wheezy1.24-3.1+deb7u3vulnerable
wheezy (security)1.24-3.1+deb7u4fixed
jessie1.30-2+deb8u2fixed
stretch3.0-4+deb9u1fixed
buster, sid3.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
chronysource(unstable)2.2.1-1low812923
chronysourcejessie1.30-2+deb8u2medium
chronysourcesqueeze1.24-3+squeeze3mediumDLA-414-1
chronysourcewheezy1.24-3.1+deb7u4mediumDLA-742-1

Notes

http://www.talosintel.com/reports/TALOS-2016-0071/
http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
Fix for 2.x http://git.tuxfamily.org/chrony/chrony.git/commit/?id=a78bf9725a7b481ebff0e0c321294ba767f2c1d8
Fix for 1.x http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832

Search for package or bug name: Reporting problems