{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-19T00:00:00", "descriptions": [{"lang": "en", "value": "chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a \"skeleton key.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-02T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.talosintel.com/reports/TALOS-2016-0071/"}, {"name": "FEDORA-2016-6f783d1768", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.html"}, {"name": "FEDORA-2016-6a0b0ab775", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-1567", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a \"skeleton key.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.talosintel.com/reports/TALOS-2016-0071/", "refsource": "MISC", "url": "http://www.talosintel.com/reports/TALOS-2016-0071/"}, {"name": "FEDORA-2016-6f783d1768", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.html"}, {"name": "FEDORA-2016-6a0b0ab775", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html"}, {"name": "http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released", "refsource": "CONFIRM", "url": "http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:02:11.769Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.talosintel.com/reports/TALOS-2016-0071/"}, {"name": "FEDORA-2016-6f783d1768", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.html"}, {"name": "FEDORA-2016-6a0b0ab775", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-1567", "datePublished": "2016-01-26T19:00:00", "dateReserved": "2016-01-08T00:00:00", "dateUpdated": "2024-08-05T23:02:11.769Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tuxfamily:chrony:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E8A8582-01A0-4CED-B30D-3319B5174F26", "versionEndIncluding": "1.31.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:tuxfamily:chrony:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "7CCFD400-0554-4328-8050-E99B22CD22B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:tuxfamily:chrony:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "4B7204DA-395F-427C-9980-7649CB636A97", "vulnerable": true}, {"criteria": "cpe:2.3:a:tuxfamily:chrony:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F9CF3097-1FD9-47F0-B34B-210E35ECB5DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:tuxfamily:chrony:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1A61900-971A-4A21-9BF0-C32696A9E1DD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a \"skeleton key.\""}, {"lang": "es", "value": "chrony en versiones anteriores a 1.31.2 y 2.x en versiones anteriores a 2.2.1 no verifica las asociaciones del par de las claves sim\u00e9tricas cuando autentica paquetes, lo que podr\u00eda permitir a atacantes remotos llevar a cabo ataques de suplantaci\u00f3n de identidad a trav\u00e9s de una clave de confianza arbitraria, tambi\u00e9n conocida como \"skeleton key\"."}], "id": "CVE-2016-1567", "lastModified": "2016-12-06T03:07:03.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-01-26T19:59:08.577", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.html"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.talosintel.com/reports/TALOS-2016-0071/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "chrony: missing key check allows impersonation between authenticated peers (VU#357792)", "id": "1297472", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1297472"}, "csaw": false, "cvss": {"cvss_base_score": "3.6", "cvss_scoring_vector": "AV:N/AC:H/Au:S/C:N/I:P/A:P", "status": "draft"}, "cwe": "CWE-304", "details": ["chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a \"skeleton key.\""], "name": "CVE-2016-1567", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "chrony", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "chrony", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2016-01-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-1567\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-1567\nhttp://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released\nhttp://www.talosintel.com/reports/TALOS-2016-0071/"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}