chrony multiple security vulnerabilities
Published:		05.02.2010
Source:		BUGTRAQ
SecurityVulns ID:		10591
Type:		remote
Level:		5/10
Description:		Traffic amplification, resources exhaustion.

Affected:		CHRONY : chrony 1.23
CVE:		CVE-2010-0294 (chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a syslog message for each unauthorized cmdmon packet, which allows remote attackers to cause a denial of service (disk consumption) via a large number of invalid packets.)
		CVE-2010-0293 (The client logging functionality in chronyd in Chrony before 1.23.1 does not restrict the amount of memory used for storage of client information, which allows remote attackers to cause a denial of service (memory consumption) via spoofed (1) NTP or (2) cmdmon packets.)
		CVE-2010-0292 (The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563.)

Original document

DEBIAN, [SECURITY] [DSA 1992-1] New chrony packages fix denial of service (05.02.2010)

Discuss:

Read or add your comments to this news (0 comments)