Bug 1054790 (CVE-2014-0021)
Field | Value | Field | Value
---|---|---|---
Summary | CVE-2014-0021 chrony: DDoS via amplification in cmdmon protocol | |
Product | [Other] Security Response | Reporter | Ratul Gupta <ratulg>
Component | vulnerability | Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA | QA Contact |
Severity | low | Docs Contact |
Priority | low | |
Version | unspecified | CC | mlichvar, pfrields, redhat, security-response-team
Target Milestone | --- | Keywords | Security
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | chrony 1.19.1 | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2014-06-25 17:53:43 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | 1053022, 1055003, 1061825 | |
Bug Blocks | 1054354 | |
Description

Ratul Gupta
2014-01-17 13:35:09 UTC

Acknowledgement: This issue was discovered by Miroslav Lichvar of Red Hat.

This has been discussed upstream: http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2014/01/msg00001.html

Miroslav, is it correct to state that EPEL would be affected by this (chrony 1.25)? I've not looked at any code, but I suspect this issue has always existed (but is simply not exploitable "out of the box" due to chrony's defaults).

Created chrony tracking bugs for this issue:

Affects: fedora-all [bug 1055003]

(In reply to Vincent Danen from comment #6)

Yes, all chrony versions have this problem. EPEL is affected too.

Noting here details Miroslav posted to the upstream chrony-dev mailing list, including a detailed table with amplification factors of all chrony control commands. Source: http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2014/01/msg00005.html

I've checked packet lengths for all commands and the biggest offender is MANUAL_LIST (chronyc manual list), which may amplify the traffic by up to a factor of 17.2. The second worst is CLIENT_ACCESSES_BY_INDEX (chronyc clients) with a factor of 6.5, but the client has to be authenticated to get the reply. Everything else is below 3. In the protocol there is at most one reply per request.

The MANUAL_LIST command is used to list up to 32 manual measurements, which were entered by the SETTIME command when the manual mode is enabled. It's disabled by default and I think it's unlikely that someone would use the manual mode on a system connected to the internet.

...

The following table has details on all currently supported commands. The columns are name, a flag indicating whether the command is open to any client or requires authentication, minimum length of the request in an IPv4 packet, maximum length of the reply in an IPv4 packet, and the ratio of the two values. MD5 authentication is assumed for commands with AUTH.

Command | Access | Min request (bytes) | Max reply (bytes) | Ratio
---|---|---|---|---
MANUAL_LIST | OPEN | 48 | 828 | 17.2
CLIENT_ACCESSES_BY_INDEX | AUTH | 72 | 468 | 6.5
TRACKING | OPEN | 48 | 132 | 2.8
SOURCESTATS | OPEN | 52 | 112 | 2.2
SOURCE_DATA | OPEN | 52 | 104 | 2.0
RTCREPORT | OPEN | 48 | 84 | 1.8
ACTIVITY | OPEN | 48 | 76 | 1.6
N_SOURCES | OPEN | 48 | 60 | 1.2
NULL | OPEN | 48 | 56 | 1.2
WRITERTC | AUTH | 64 | 72 | 1.1
TRIMRTC | AUTH | 64 | 72 | 1.1
SETTIME | AUTH | 76 | 84 | 1.1
RESELECTDISTANCE | AUTH | 68 | 72 | 1.1
RESELECT | AUTH | 64 | 72 | 1.1
REKEY | AUTH | 64 | 72 | 1.1
MODIFY_MAXUPDATESKEW | AUTH | 68 | 72 | 1.1
MANUAL_DELETE | AUTH | 68 | 72 | 1.1
MANUAL | AUTH | 68 | 72 | 1.1
MAKESTEP | AUTH | 64 | 72 | 1.1
DUMP | AUTH | 68 | 72 | 1.1
DFREQ | AUTH | 68 | 72 | 1.1
CYCLELOGS | AUTH | 64 | 72 | 1.1
LOCAL | AUTH | 72 | 72 | 1.0
DOFFSET | AUTH | 72 | 72 | 1.0
LOGON | OPEN | 60 | 56 | 0.9
DEL_SOURCE | AUTH | 84 | 72 | 0.9
CMDACCHECK | AUTH | 84 | 72 | 0.9
ACCHECK | AUTH | 84 | 72 | 0.9
MODIFY_POLLTARGET | AUTH | 88 | 72 | 0.8
MODIFY_MINSTRATUM | AUTH | 88 | 72 | 0.8
MODIFY_MINPOLL | AUTH | 88 | 72 | 0.8
MODIFY_MAXPOLL | AUTH | 88 | 72 | 0.8
MODIFY_MAXDELAYRATIO | AUTH | 88 | 72 | 0.8
MODIFY_MAXDELAYDEVRATIO | AUTH | 88 | 72 | 0.8
MODIFY_MAXDELAY | AUTH | 88 | 72 | 0.8
DENYALL | AUTH | 88 | 72 | 0.8
DENY | AUTH | 88 | 72 | 0.8
CMDDENYALL | AUTH | 88 | 72 | 0.8
CMDDENY | AUTH | 88 | 72 | 0.8
CMDALLOWALL | AUTH | 88 | 72 | 0.8
CMDALLOW | AUTH | 88 | 72 | 0.8
ALLOWALL | AUTH | 88 | 72 | 0.8
ALLOW | AUTH | 88 | 72 | 0.8
ONLINE | AUTH | 104 | 72 | 0.7
OFFLINE | AUTH | 104 | 72 | 0.7
BURST | AUTH | 112 | 72 | 0.6
ADD_SERVER | AUTH | 116 | 72 | 0.6
ADD_PEER | AUTH | 116 | 72 | 0.6

Proposed patches are here: http://thread.gmane.org/gmane.comp.time.chrony.devel/1019

chrony-1.29.1 was released. It fixes the amplification in the control protocol. http://chrony.tuxfamily.org/News.html

To summarize explicitly, chrony 1.19.1 has these changes to address this CVE:

- requires padding in cmdmon protocol requests. As a consequence, cmdmon responses are no longer larger than requests, avoiding traffic amplification.
- no longer sends any response to hosts not on the cmdallow list

Created chrony tracking bugs for this issue:

Affects: epel-all [bug 1061825]

chrony-1.29.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

chrony-1.29.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

chrony-1.30-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

chrony-1.30-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
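The following is an added illustration, not chrony's code or anything posted in this bug: it takes a handful of the request/reply sizes from Miroslav's table, models the 1.29.1 padding rule (a request is answered only when it is at least as long as the largest reply it can elicit, so a reply never exceeds its request), and runs a bytes-out/bytes-in check over constructed flow records on chrony's cmdmon port (UDP 323). The function names, the flow record format and the sample records are assumptions made for this example.

```python
# Added example (not chrony's code). Sizes are the IPv4 packet lengths from
# the chrony-dev table; names, the flow record format ('src dst dport
# bytes_in bytes_out') and the sample records below are assumptions.

# command -> (open to any client?, min request bytes, max reply bytes)
CMDMON_SIZES = {
    "MANUAL_LIST": (True, 48, 828),
    "CLIENT_ACCESSES_BY_INDEX": (False, 72, 468),
    "TRACKING": (True, 48, 132),
    "NULL": (True, 48, 56),
    "ADD_PEER": (False, 116, 72),
}

def amplification_factor(command):
    """Reply bytes per request byte for an unpadded (pre-1.29.1) request."""
    _, req, rep = CMDMON_SIZES[command]
    return round(rep / req, 1)

def reply_allowed(command, request_len, authenticated):
    """Simplified model of the 1.29.1 fix: answer only when the request is at
    least as long as the largest reply the command can produce; AUTH commands
    also need a valid authenticator (modelled here as a boolean)."""
    is_open, _, max_reply = CMDMON_SIZES[command]
    if not is_open and not authenticated:
        return False
    return request_len >= max_reply

def flag_amplifying_sources(flow_records, threshold=1.0):
    """Return sources whose bytes-out/bytes-in ratio on the cmdmon port
    (UDP 323) exceeds threshold. With the fix in place the ratio can never
    exceed 1.0, so anything above it on a patched host is worth a look."""
    totals = {}
    for line in flow_records:
        src, _dst, dport, b_in, b_out = line.split()
        if dport != "323":
            continue
        acc = totals.setdefault(src, [0, 0])
        acc[0] += int(b_in)
        acc[1] += int(b_out)
    return sorted(src for src, (b_in, b_out) in totals.items()
                  if b_in and b_out / b_in > threshold)

# Constructed sample: 10.0.0.5 sends 48-byte MANUAL_LIST requests and gets
# 828-byte replies; 10.0.0.9 is padded; 10.0.0.7 is plain NTP on port 123.
SAMPLE_FLOWS = [
    "10.0.0.5 192.0.2.1 323 48 828",
    "10.0.0.5 192.0.2.1 323 48 828",
    "10.0.0.9 192.0.2.1 323 828 828",
    "10.0.0.7 192.0.2.1 123 48 48",
]
```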