CVE-2016-1567
Publication date 26 January 2016
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a “skeleton key.”
From the Ubuntu Security Team
Matt Street discovered that chrony doesn’t verify peer associations of symmetric keys. A remote attacker could use this vulnerability to impersonate another user.
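The missing association check described above, shown as a simplified model. This is an added example, not chrony's code: the key file, the peer table, the function names and the use of HMAC-SHA256 are all assumptions made for the sketch.

```python
import hashlib
import hmac

# Constructed key file: key ID -> secret (all values are made up).
KEYS = {1: b"key-for-peer-a", 2: b"key-for-peer-b"}
# Constructed association table: source address -> key ID configured for it.
PEER_KEY = {"192.0.2.10": 1, "192.0.2.20": 2}


def mac(key_id: int, payload: bytes) -> bytes:
    """Keyed digest over the packet (HMAC-SHA256 is an assumption here)."""
    return hmac.new(KEYS[key_id], payload, hashlib.sha256).digest()


def accept_any_trusted_key(src: str, key_id: int, payload: bytes, tag: bytes) -> bool:
    """Flawed check: any key present in the key file authenticates any source."""
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(mac(key_id, payload), tag)


def accept_associated_key(src: str, key_id: int, payload: bytes, tag: bytes) -> bool:
    """Corrected check: the key ID must be the one configured for this source."""
    if key_id not in KEYS or PEER_KEY.get(src) != key_id:
        return False
    return hmac.compare_digest(mac(key_id, payload), tag)


def compare_checks() -> dict:
    """Run both checks over constructed packets and return the verdicts."""
    payload = b"constructed-ntp-payload"
    cases = {
        # Packet from peer A authenticated with peer A's own key.
        "own_key": ("192.0.2.10", 1, mac(1, payload)),
        # Packet claiming peer A's address but authenticated with peer B's key.
        "other_peers_key": ("192.0.2.10", 2, mac(2, payload)),
        # Correct key ID for the source, but the digest does not verify.
        "bad_digest": ("192.0.2.10", 1, b"\x00" * 32),
    }
    return {
        name: (accept_any_trusted_key(src, kid, payload, tag),
               accept_associated_key(src, kid, payload, tag))
        for name, (src, kid, tag) in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_checks().items():
        print(name, "flawed=%s corrected=%s" % verdicts)
```
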
Status
Package | Ubuntu Release | Status |
---|---|---|
chrony | 18.04 LTS bionic | Not affected |
chrony | 16.04 LTS xenial | Fixed 2.1.1-1ubuntu0.1 |
chrony | 14.04 LTS trusty | Fixed 1.29-1ubuntu0.1 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |