Description of problem: This is similar to NTP security flaw CVE-2009-3563. chronyd replies to all cmdmon packets from unauthorized hosts with NOHOSTACCESS message. This can be used to create a loop between two chrony daemons which don't allow cmdmon access from each other by sending a packet with spoofed source address and port. This will cause high CPU, network and syslog usage. The applies to all chrony versions including 1.24-pre1.
Created attachment 383695 [details] chrony-1.23-0001-Don-t-reply-to-invalid-chronyc-packets.patch
Created attachment 383696 [details] chrony-1.23-0002-Limit-rate-of-syslog-messages.patch
Created attachment 383697 [details] chrony-1.24pre1-0001-Don-t-reply-to-invalid-chronyc-packets.patch
Created attachment 383698 [details] chrony-1.24pre1-0002-Limit-rate-of-syslog-messages.patch
There is also a possible security bug in chrony versions before 1.24-pre1. The client logging facility doesn't limit memory which is used to keep informations about clients. If chronyd is configured to allow access from a large IP address range, an attacker can cause chronyd to allocate large amount of memory by sending NTP or cmdmon packets with spoofed source addresses. By default only 127.0.0.1 is allowed. The noclientlog option can be used to disable the logging facility, but it's not very clear from the documentation that there could be a problem with allocating too much memory. This was fixed in 1.24-pre1 by implementing clientloglimit option, set to 512KB by default. http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commitdiff;h=618f372e13c884585402e39d6ca244f78144b68f;hp=8f72155b438494e6d8e9e75920c36fd88d90f5b2
Created attachment 383702 [details] chrony-1.23-0003-Add-option-to-limit-clientlog-memory.patch
Hi Miroslav, This bug isn't completely clear to me. This is certainly two flaws * chronyd replies to all cmdmon packets from unauthorized hosts * chronyd client memory use But what about the syslog limit. From what I can understand, a malicious remote user could fill up the syslog, or will the previous two fixes prevent this from happening? Once I know more, I can assign CVE ids. Thanks.
Yes, I forgot to mention that. That's a third flaw. There are several ways how attacker can make chronyd log messages. Not sure if it includes the sendto calls addressed in the patch, I've included them just to be safe. Thanks.
Created attachment 384593 [details] chrony-1.23-0002-Limit-rate-of-syslog-messages.patch Missed one sendto call in ntp_io.c
CVE ids are assigned as such: CVE-2010-0292 cmdmon network DoS CVE-2010-0293 many client memory DoS CVE-2010-0294 syslog limit
chrony-1.23-6.20081106gitbe42b4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
chrony-1.23-8.20081106gitbe42b4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.