Bug 555367 (CVE-2010-0292, CVE-2010-0293, CVE-2010-0294) - CVE-2010-0292 chrony susceptible to DoS attacks (CVE-2010-0293 CVE-2010-0294)
Summary: CVE-2010-0292 chrony susceptible to DoS attacks (CVE-2010-0293 CVE-2010-0294)
Status: CLOSED ERRATA
Alias: CVE-2010-0292, CVE-2010-0293, CVE-2010-0294
Product: Fedora
Classification: Fedora
Component: chrony (Show other bugs)
(Show other bugs)
Version: 12
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-01-14 15:21 UTC by Miroslav Lichvar
Modified: 2010-02-06 00:07 UTC (History)
2 users (show)

Fixed In Version: 1.23-8.20081106gitbe42b4.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-02-06 00:07:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
chrony-1.23-0001-Don-t-reply-to-invalid-chronyc-packets.patch (3.07 KB, patch)
2010-01-14 15:23 UTC, Miroslav Lichvar
no flags Details | Diff
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch (5.80 KB, patch)
2010-01-14 15:23 UTC, Miroslav Lichvar
no flags Details | Diff
chrony-1.24pre1-0001-Don-t-reply-to-invalid-chronyc-packets.patch (4.32 KB, patch)
2010-01-14 15:23 UTC, Miroslav Lichvar
no flags Details | Diff
chrony-1.24pre1-0002-Limit-rate-of-syslog-messages.patch (6.20 KB, patch)
2010-01-14 15:24 UTC, Miroslav Lichvar
no flags Details | Diff
chrony-1.23-0003-Add-option-to-limit-clientlog-memory.patch (8.31 KB, patch)
2010-01-14 15:36 UTC, Miroslav Lichvar
no flags Details | Diff
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch (6.34 KB, patch)
2010-01-15 11:56 UTC, Miroslav Lichvar
no flags Details | Diff

Description Miroslav Lichvar 2010-01-14 15:21:48 UTC
Description of problem:
This is similar to NTP security flaw CVE-2009-3563.

chronyd replies to all cmdmon packets from unauthorized hosts with NOHOSTACCESS message.

This can be used to create a loop between two chrony daemons which don't allow cmdmon access from each other by sending a packet with spoofed source address and port. This will cause high CPU, network and syslog usage.

The applies to all chrony versions including 1.24-pre1.

Comment 1 Miroslav Lichvar 2010-01-14 15:23:00 UTC
Created attachment 383695 [details]
chrony-1.23-0001-Don-t-reply-to-invalid-chronyc-packets.patch

Comment 2 Miroslav Lichvar 2010-01-14 15:23:32 UTC
Created attachment 383696 [details]
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch

Comment 3 Miroslav Lichvar 2010-01-14 15:23:58 UTC
Created attachment 383697 [details]
chrony-1.24pre1-0001-Don-t-reply-to-invalid-chronyc-packets.patch

Comment 4 Miroslav Lichvar 2010-01-14 15:24:31 UTC
Created attachment 383698 [details]
chrony-1.24pre1-0002-Limit-rate-of-syslog-messages.patch

Comment 5 Miroslav Lichvar 2010-01-14 15:35:59 UTC
There is also a possible security bug in chrony versions before 1.24-pre1.

The client logging facility doesn't limit memory which is used to keep informations about clients. If chronyd is configured to allow access from a large IP address range, an attacker can cause chronyd to allocate large amount of memory by sending NTP or cmdmon packets with spoofed source addresses. By default only 127.0.0.1 is allowed.

The noclientlog option can be used to disable the logging facility, but it's not very clear from the documentation that there could be a problem with allocating too much memory.

This was fixed in 1.24-pre1 by implementing clientloglimit option, set to 512KB by default.

http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commitdiff;h=618f372e13c884585402e39d6ca244f78144b68f;hp=8f72155b438494e6d8e9e75920c36fd88d90f5b2

Comment 6 Miroslav Lichvar 2010-01-14 15:36:31 UTC
Created attachment 383702 [details]
chrony-1.23-0003-Add-option-to-limit-clientlog-memory.patch

Comment 7 Josh Bressers 2010-01-14 21:10:10 UTC
Hi Miroslav,

This bug isn't completely clear to me. This is certainly two flaws

* chronyd replies to all cmdmon packets from unauthorized hosts
* chronyd client memory use

But what about the syslog limit. From what I can understand, a malicious remote user could fill up the syslog, or will the previous two fixes prevent this from happening?

Once I know more, I can assign CVE ids.

Thanks.

Comment 8 Miroslav Lichvar 2010-01-15 11:26:33 UTC
Yes, I forgot to mention that. That's a third flaw.

There are several ways how attacker can make chronyd log messages. Not sure if it includes the sendto calls addressed in the patch, I've included them just to be safe.

Thanks.

Comment 9 Miroslav Lichvar 2010-01-15 11:56:01 UTC
Created attachment 384593 [details]
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch

Missed one sendto call in ntp_io.c

Comment 10 Josh Bressers 2010-01-21 14:06:21 UTC
CVE ids are assigned as such:

CVE-2010-0292 cmdmon network DoS
CVE-2010-0293 many client memory DoS
CVE-2010-0294 syslog limit

Comment 11 Fedora Update System 2010-02-06 00:05:20 UTC
chrony-1.23-6.20081106gitbe42b4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-02-06 00:06:59 UTC
chrony-1.23-8.20081106gitbe42b4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.