Bug 555367 - (CVE-2010-0292, CVE-2010-0293, CVE-2010-0294) CVE-2010-0292 chrony susceptible to DoS attacks (CVE-2010-0293 CVE-2010-0294)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: chrony
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2010-01-14 10:21 EST by Miroslav Lichvar
Modified: 2010-02-05 19:07 EST (History)
CC List: 2 users

Fixed In Version: 1.23-8.20081106gitbe42b4.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-05 19:07:04 EST

Attachments
chrony-1.23-0001-Don-t-reply-to-invalid-chronyc-packets.patch (3.07 KB, patch)
2010-01-14 10:23 EST, Miroslav Lichvar
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch (5.80 KB, patch)
2010-01-14 10:23 EST, Miroslav Lichvar
chrony-1.24pre1-0001-Don-t-reply-to-invalid-chronyc-packets.patch (4.32 KB, patch)
2010-01-14 10:23 EST, Miroslav Lichvar
chrony-1.24pre1-0002-Limit-rate-of-syslog-messages.patch (6.20 KB, patch)
2010-01-14 10:24 EST, Miroslav Lichvar
chrony-1.23-0003-Add-option-to-limit-clientlog-memory.patch (8.31 KB, patch)
2010-01-14 10:36 EST, Miroslav Lichvar
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch (6.34 KB, patch)
2010-01-15 06:56 EST, Miroslav Lichvar

Description Miroslav Lichvar 2010-01-14 10:21:48 EST
Description of problem:
This is similar to NTP security flaw CVE-2009-3563.

chronyd replies to all cmdmon packets from unauthorized hosts with NOHOSTACCESS message.

This can be used to create a loop between two chrony daemons which don't allow cmdmon access from each other by sending a packet with spoofed source address and port. This will cause high CPU, network and syslog usage.

This applies to all chrony versions including 1.24-pre1.
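The reply loop and the resulting log flood described in the report, as an added example. This is not chrony's code and not the attached patches: it is a toy model of two daemons that implements only the cmdmon access decision. The `REQUEST`/`REPLY` packet kinds, the 10.0.0.x addresses, the per-window `RateLimitedLog` and the patched rule "never answer a packet that is not a request" are assumptions of the model, chosen to reproduce the behaviour the description gives (one spoofed packet, unbounded traffic and one syslog line per packet on the vulnerable side; one reply and then silence once replies are no longer answered).

```python
"""Model of the cmdmon reply loop (CVE-2010-0292) and syslog flood (CVE-2010-0294).

Added example, not chrony code. Packet kinds, addresses and the rate limiter
are assumptions of the model.
"""
from collections import deque
from dataclasses import dataclass

REQUEST, REPLY = "request", "reply"      # hypothetical cmdmon packet kinds
NOHOSTACCESS = "NOHOSTACCESS"


@dataclass
class Packet:
    src: tuple      # (ip, port) as seen on the wire; an attacker can spoof it
    dst: tuple
    kind: str
    status: str = "OK"


class RateLimitedLog:
    """Allow at most `burst` messages per `window` ticks and count the rest.

    A generic limiter for the model, not the scheme used by chrony's patch.
    """

    def __init__(self, burst, window):
        self.burst, self.window = burst, window
        self.lines, self.suppressed = [], 0
        self._seen, self._start = 0, 0

    def log(self, tick, msg):
        if tick - self._start >= self.window:
            self._start, self._seen = tick, 0
        if self._seen < self.burst:
            self._seen += 1
            self.lines.append(msg)
        else:
            self.suppressed += 1


class Daemon:
    """Only the cmdmon access decision is modelled."""

    def __init__(self, addr, cmdallow, fixed, log):
        self.addr, self.cmdallow, self.fixed, self.log = addr, cmdallow, fixed, log
        self.sent = 0

    def handle(self, pkt, tick):
        """Return the packet to send back, or None to stay silent."""
        if self.fixed and pkt.kind != REQUEST:
            return None              # patched: never answer a reply or junk packet
        if pkt.src[0] not in self.cmdallow:
            # vulnerable: one syslog line and one NOHOSTACCESS reply per packet
            self.log.log(tick, f"Unauthorized command request from {pkt.src[0]}")
            reply = Packet(self.addr, pkt.src, REPLY, NOHOSTACCESS)
        else:
            reply = Packet(self.addr, pkt.src, REPLY)
        self.sent += 1
        return reply


def run_loop(fixed, max_steps=1000, burst=10**9, window=100):
    """Deliver one spoofed packet to A and follow the traffic it generates."""
    a = Daemon(("10.0.0.1", 323), {"127.0.0.1"}, fixed, RateLimitedLog(burst, window))
    b = Daemon(("10.0.0.2", 323), {"127.0.0.1"}, fixed, RateLimitedLog(burst, window))
    hosts = {a.addr: a, b.addr: b}
    # Constructed attacker packet: sent to A, source address forged to be B.
    wire = deque([Packet(src=b.addr, dst=a.addr, kind=REQUEST)])
    steps = 0
    while wire and steps < max_steps:
        pkt = wire.popleft()
        reply = hosts[pkt.dst].handle(pkt, steps)
        if reply is not None:
            wire.append(reply)
        steps += 1
    return {
        "packets": a.sent + b.sent,
        "loop": bool(wire),                  # traffic still queued when we stopped
        "log_lines": len(a.log.lines) + len(b.log.lines),
        "log_suppressed": a.log.suppressed + b.log.suppressed,
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", run_loop(fixed, burst=10))
```

On the vulnerable pair the single spoofed packet keeps both daemons busy until the step cap, and every step costs a syslog line unless the limiter holds it back; on the patched pair A sends one NOHOSTACCESS reply to B, B ignores it because it is not a request, and the exchange ends.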
Comment 1 Miroslav Lichvar 2010-01-14 10:23:00 EST
Created attachment 383695 [details]
chrony-1.23-0001-Don-t-reply-to-invalid-chronyc-packets.patch
Comment 2 Miroslav Lichvar 2010-01-14 10:23:32 EST
Created attachment 383696 [details]
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch
Comment 3 Miroslav Lichvar 2010-01-14 10:23:58 EST
Created attachment 383697 [details]
chrony-1.24pre1-0001-Don-t-reply-to-invalid-chronyc-packets.patch
Comment 4 Miroslav Lichvar 2010-01-14 10:24:31 EST
Created attachment 383698 [details]
chrony-1.24pre1-0002-Limit-rate-of-syslog-messages.patch
Comment 5 Miroslav Lichvar 2010-01-14 10:35:59 EST
There is also a possible security bug in chrony versions before 1.24-pre1.

The client logging facility doesn't limit the memory which is used to keep information about clients. If chronyd is configured to allow access from a large IP address range, an attacker can cause chronyd to allocate a large amount of memory by sending NTP or cmdmon packets with spoofed source addresses. By default only 127.0.0.1 is allowed.

The noclientlog option can be used to disable the logging facility, but it's not very clear from the documentation that there could be a problem with allocating too much memory.

This was fixed in 1.24-pre1 by implementing clientloglimit option, set to 512KB by default.

http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commitdiff;h=618f372e13c884585402e39d6ca244f78144b68f;hp=8f72155b438494e6d8e9e75920c36fd88d90f5b2
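The memory exhaustion described in this comment, as an added example that is not chrony's code or the linked commit. The model keeps one record per source address, as the client logging facility does, rejects packets from addresses outside the allowed ranges before allocating anything, and optionally enforces a byte budget in the spirit of the `clientloglimit` option. `RECORD_BYTES`, the refuse-new-clients-once-full policy and the constructed 10.0.0.0/8 flood are assumptions of the model.

```python
"""Model of the clientlog memory exhaustion (CVE-2010-0293).

Added example, not chrony code. RECORD_BYTES and the policy of not tracking
new clients once the budget is spent are assumptions for the model.
"""
import ipaddress

RECORD_BYTES = 64          # assumed size of one per-client record


class ClientLog:
    def __init__(self, allow_nets, limit_bytes=None):
        self.allow = [ipaddress.ip_network(n) for n in allow_nets]
        self.limit = limit_bytes      # None models chrony before 1.24-pre1
        self.records = {}
        self.refused = 0              # clients served but not tracked

    def allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def bytes_used(self):
        return len(self.records) * RECORD_BYTES

    def on_packet(self, src_ip):
        """Return True if the packet was served (and, if possible, logged)."""
        if not self.allowed(src_ip):
            return False              # rejected before any allocation
        if src_ip not in self.records:
            if self.limit is not None and self.bytes_used() + RECORD_BYTES > self.limit:
                self.refused += 1     # budget spent: serve it, don't remember it
                return True
            self.records[src_ip] = {"ntp_hits": 0}
        self.records[src_ip]["ntp_hits"] += 1
        return True


def spoofed_flood(log, count):
    """Constructed flood: `count` packets, each with a distinct spoofed source
    in 10.0.0.0/8 (10.0.0.0, 10.0.0.1, ...). Returns bytes held afterwards."""
    for i in range(count):
        log.on_packet(str(ipaddress.IPv4Address((10 << 24) + i)))
    return log.bytes_used()


if __name__ == "__main__":
    cases = (
        ("default, 127.0.0.1 only", ClientLog(["127.0.0.1/32"])),
        ("allow 10.0.0.0/8, no limit", ClientLog(["10.0.0.0/8"])),
        ("allow 10.0.0.0/8, 512 KB budget", ClientLog(["10.0.0.0/8"], 512 * 1024)),
    )
    for label, log in cases:
        used = spoofed_flood(log, 20000)
        print(f"{label}: {used} bytes, {log.refused} clients not tracked")
```

With the default access list the flood allocates nothing, because every spoofed source is rejected first; with a wide allow range and no budget the memory grows linearly with the number of distinct spoofed addresses; with a 512 KB budget the table stops at 8192 records and later clients are served without being tracked.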
Comment 6 Miroslav Lichvar 2010-01-14 10:36:31 EST
Created attachment 383702 [details]
chrony-1.23-0003-Add-option-to-limit-clientlog-memory.patch
Comment 7 Josh Bressers 2010-01-14 16:10:10 EST
Hi Miroslav,

This bug isn't completely clear to me. These are certainly two flaws:

* chronyd replies to all cmdmon packets from unauthorized hosts
* chronyd client memory use

But what about the syslog limit? From what I can understand, a malicious remote user could fill up the syslog, or will the previous two fixes prevent this from happening?

Once I know more, I can assign CVE ids.

Thanks.
Comment 8 Miroslav Lichvar 2010-01-15 06:26:33 EST
Yes, I forgot to mention that. That's a third flaw.

There are several ways an attacker can make chronyd log messages. Not sure if it includes the sendto calls addressed in the patch; I've included them just to be safe.

Thanks.
Comment 9 Miroslav Lichvar 2010-01-15 06:56:01 EST
Created attachment 384593 [details]
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch

Missed one sendto call in ntp_io.c
Comment 10 Josh Bressers 2010-01-21 09:06:21 EST
CVE ids are assigned as such:

CVE-2010-0292 cmdmon network DoS
CVE-2010-0293 many client memory DoS
CVE-2010-0294 syslog limit
Comment 11 Fedora Update System 2010-02-05 19:05:20 EST
chrony-1.23-6.20081106gitbe42b4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-02-05 19:06:59 EST
chrony-1.23-8.20081106gitbe42b4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
