NewStart CGSL MAIN 6.02 : chrony Multiple Vulnerabilities (NS-SA-2021-0127)

high Nessus Plugin ID 154559

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has chrony packages installed that are affected by multiple vulnerabilities:

- Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit. (CVE-2012-4502)

- cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply.
(CVE-2012-4503)

- Chrony before 1.29.1 has traffic amplification in cmdmon protocol (CVE-2014-0021)

- Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.
(CVE-2015-1821)

- chrony before 1.31.1 does not initialize the last next pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests. (CVE-2015-1822)

- chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets. (CVE-2015-1853)

- chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a skeleton key. (CVE-2016-1567)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL chrony packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2021-0127

http://security.gd-linux.com/info/CVE-2012-4502

http://security.gd-linux.com/info/CVE-2012-4503

http://security.gd-linux.com/info/CVE-2014-0021

http://security.gd-linux.com/info/CVE-2015-1821

http://security.gd-linux.com/info/CVE-2015-1822

http://security.gd-linux.com/info/CVE-2015-1853

http://security.gd-linux.com/info/CVE-2016-1567

Plugin Details

Severity: High

ID: 154559

File Name: newstart_cgsl_NS-SA-2021-0127_chrony.nasl

Version: 1.3

Type: local

Published: 10/27/2021

Updated: 11/27/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-1567

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:chrony, p-cpe:/a:zte:cgsl_main:chrony-debuginfo, p-cpe:/a:zte:cgsl_main:chrony-debugsource, cpe:/o:zte:cgsl_main:6

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/24/2021

Vulnerability Publication Date: 8/8/2013

Reference Information

CVE: CVE-2012-4502, CVE-2012-4503, CVE-2014-0021, CVE-2015-1821, CVE-2015-1822, CVE-2015-1853, CVE-2016-1567