Vulnerability Description
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tuxfamily | Chrony | <= 1.31.1 |
Related Weaknesses (CWE)
References
- http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_Vendor Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.h
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.htPatch
- http://www.talosintel.com/reports/TALOS-2016-0071/Exploit
- http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_Vendor Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.h
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.htPatch
- http://www.talosintel.com/reports/TALOS-2016-0071/Exploit
FAQ
What is CVE-2016-1567?
CVE-2016-1567 is a vulnerability with a CVSS score of 8.1 (HIGH). chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbi...
How severe is CVE-2016-1567?
CVE-2016-1567 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-1567?
Check the references section above for vendor advisories and patch information. Affected products include: Tuxfamily Chrony.