Bug 555367 (CVE-2010-0292, CVE-2010-0293, CVE-2010-0294)
Summary: | CVE-2010-0292 chrony susceptible to DoS attacks (CVE-2010-0293 CVE-2010-0294) | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Miroslav Lichvar <mlichvar>
Component: | chrony | Assignee: | Miroslav Lichvar <mlichvar>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | low | |
Version: | 12 | CC: | bressers, security-response-team
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | 1.23-8.20081106gitbe42b4.fc12 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2010-02-06 00:07:04 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
Description

Miroslav Lichvar 2010-01-14 15:21:48 UTC

Created attachment 383695 [details]
chrony-1.23-0001-Don-t-reply-to-invalid-chronyc-packets.patch

Created attachment 383696 [details]
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch

Created attachment 383697 [details]
chrony-1.24pre1-0001-Don-t-reply-to-invalid-chronyc-packets.patch

Created attachment 383698 [details]
chrony-1.24pre1-0002-Limit-rate-of-syslog-messages.patch

There is also a possible security bug in chrony versions before 1.24-pre1. The client logging facility doesn't limit the memory which is used to keep information about clients. If chronyd is configured to allow access from a large IP address range, an attacker can cause chronyd to allocate a large amount of memory by sending NTP or cmdmon packets with spoofed source addresses. By default only 127.0.0.1 is allowed. The noclientlog option can be used to disable the logging facility, but it's not very clear from the documentation that there could be a problem with allocating too much memory. This was fixed in 1.24-pre1 by implementing the clientloglimit option, set to 512KB by default.

http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commitdiff;h=618f372e13c884585402e39d6ca244f78144b68f;hp=8f72155b438494e6d8e9e75920c36fd88d90f5b2

Created attachment 383702 [details]
chrony-1.23-0003-Add-option-to-limit-clientlog-memory.patch
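An added example, not chrony's code and not part of the bug report, that models the client-log growth described above (CVE-2010-0293) in Python: a record is kept only for sources inside the "allow" range, and a byte cap in the spirit of the clientloglimit option bounds the table. The 64-byte record size, the policy of refusing new clients once the cap is reached, and the 10.0.0.0/8 flood of spoofed sources are this example's own assumptions.

```python
import ipaddress

RECORD_BYTES = 64            # assumed per-client record size (constructed)
DEFAULT_LIMIT = 512 * 1024   # 512 KB, the clientloglimit default the report cites


class ClientLog:
    """Per-client access table; limit_bytes=0 means unbounded (the vulnerable case)."""

    def __init__(self, allow, limit_bytes=DEFAULT_LIMIT):
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.limit_bytes = limit_bytes
        self.records = {}      # source address -> packets seen
        self.refused = 0       # new clients not logged because the cap was reached

    def memory_bytes(self):
        return len(self.records) * RECORD_BYTES

    def record(self, src):
        """Account for one NTP/cmdmon packet from src; return True if it was logged."""
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in self.allow):
            return False                         # outside "allow": nothing stored
        if ip in self.records:
            self.records[ip] += 1                # known client: always updated
            return True
        if self.limit_bytes and self.memory_bytes() + RECORD_BYTES > self.limit_bytes:
            self.refused += 1                    # cap reached (assumed policy): refuse a new entry
            return False
        self.records[ip] = 1
        return True


def flood(log, network, count):
    """Feed count packets, each with a distinct spoofed source inside network (constructed)."""
    hosts = ipaddress.ip_network(network).hosts()
    for _ in range(count):
        log.record(str(next(hosts)))
    return log.memory_bytes()


if __name__ == "__main__":
    # Default config: only 127.0.0.1 is allowed, so spoofed 10.x sources cost nothing.
    print(flood(ClientLog(["127.0.0.1/32"]), "10.0.0.0/8", 20000))                # 0
    # Wide "allow" and no cap: one record per distinct spoofed source, unbounded.
    print(flood(ClientLog(["10.0.0.0/8"], limit_bytes=0), "10.0.0.0/8", 20000))  # 1280000
    # Same "allow" with the 512 KB cap: growth stops at the limit.
    print(flood(ClientLog(["10.0.0.0/8"]), "10.0.0.0/8", 20000))                  # 524288
```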
Hi Miroslav,

This bug isn't completely clear to me. These are certainly two flaws:

* chronyd replies to all cmdmon packets from unauthorized hosts
* chronyd client memory use

But what about the syslog limit? From what I can understand, a malicious remote user could fill up the syslog, or will the previous two fixes prevent this from happening? Once I know more, I can assign CVE ids.

Thanks.

Yes, I forgot to mention that. That's a third flaw. There are several ways an attacker can make chronyd log messages. Not sure if it includes the sendto calls addressed in the patch; I've included them just to be safe.

Thanks.

Created attachment 384593 [details]
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch

Missed one sendto call in ntp_io.c

CVE ids are assigned as such:

* CVE-2010-0292 cmdmon network DoS
* CVE-2010-0293 many client memory DoS
* CVE-2010-0294 syslog limit

chrony-1.23-6.20081106gitbe42b4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

chrony-1.23-8.20081106gitbe42b4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.