{"containers": {"cna": {"affected": [{"product": "chrony", "vendor": "chrony", "versions": [{"status": "affected", "version": "before 1.31.1"}]}], "datePublic": "2015-04-07T00:00:00", "descriptions": [{"lang": "en", "value": "chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-09T18:53:22", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.gentoo.org/glsa/201507-01"}, {"tags": ["x_refsource_MISC"], "url": "http://chrony.tuxfamily.org/News.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:54:16.335Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.gentoo.org/glsa/201507-01"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://chrony.tuxfamily.org/News.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-1853", "datePublished": "2019-12-09T18:53:22", "dateReserved": "2015-02-17T00:00:00", "dateUpdated": "2024-08-06T04:54:16.335Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tuxfamily:chrony:*:*:*:*:*:*:*:*", "matchCriteriaId": "3849452D-7F13-44E3-B2E8-77C60EBB9541", "versionEndExcluding": "1.31.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets."}, {"lang": "es", "value": "chrony versiones anteriores a 1.31.1, no protege apropiadamente las variables de estado en asociaciones NTP sim\u00e9tricas autenticadas, lo que permite a atacantes remotos con conocimiento del emparejamiento NTP causar una denegaci\u00f3n de servicio (incapacidad de sincronizaci\u00f3n) mediante marcas de tiempo aleatorias en paquetes de datos NTP dise\u00f1ados."}], "id": "CVE-2015-1853", "lastModified": "2024-11-21T02:26:16.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-09T19:15:14.150", "references": [{"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://chrony.tuxfamily.org/News.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201507-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://chrony.tuxfamily.org/News.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201507-01"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Miroslav Lichv\u00e1r (Red Hat).", "affected_release": [{"advisory": "RHSA-2015:2241", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "chrony-0:2.1.1-1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-11-19T00:00:00Z"}], "bugzilla": {"description": "chrony: authentication doesn't protect symmetric associations against DoS attacks", "id": "1209572", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209572"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "verified"}, "cwe": "CWE-345", "details": ["chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.", "A denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers."], "name": "CVE-2015-1853", "public_date": "2015-04-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-1853\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-1853"], "threat_severity": "Moderate"}