CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

chrony before 1.31.1 does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.

An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.

References:
• http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2015/04/msg00002.html
• http://www.debian.org/security/2015/dsa-3222
• http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
• http://www.securityfocus.com/bid/73956
• https://security.gentoo.org/glsa/201507-01
• https://access.redhat.com/security/cve/CVE-2015-1822
• https://bugzilla.redhat.com/show_bug.cgi?id=1209632

CWE:
• CWE-17: DEPRECATED: Code
• CWE-456: Missing Initialization of a Variable

CVSS: 5.0 • EPSS: 0% • CPEs: 24 • EXPL: 0

cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply.

References:
• http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git%3Ba=commitdiff%3Bh=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3
• http://permalink.gmane.org/gmane.comp.time.chrony.announce/15
• http://seclists.org/oss-sec/2013/q3/332
• http://www.debian.org/security/2013/dsa-2760
• https://bugzilla.redhat.com/show_bug.cgi?id=846392

CWE:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.0 • EPSS: 1% • CPEs: 24 • EXPL: 0

Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit.

References:
• http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git%3Ba=commitdiff%3Bh=7712455d9aa33d0db0945effaa07e900b85987b1
• http://permalink.gmane.org/gmane.comp.time.chrony.announce/15
• http://seclists.org/oss-sec/2013/q3/332
• http://www.debian.org/security/2013/dsa-2760
• https://bugzilla.redhat.com/show_bug.cgi?id=846392

CWE:
• CWE-189: Numeric Errors

CVSS: 5.0 • EPSS: 4% • CPEs: 11 • EXPL: 0

The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563.

References:
• http://chrony.tuxfamily.org/News.html
• http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git%3Ba=commit%3Bh=7864c7a70ce00369194e734eb2842ecc5f8db531
• http://secunia.com/advisories/38428
• http://secunia.com/advisories/38480
• http://www.debian.org/security/2010/dsa-1992
• http://www.securityfocus.com/bid/38106
• https://bugzilla.redhat.com/show_bug.cgi?id=555367

CWE:
• CWE-399: Resource Management Errors

CVSS: 5.0 • EPSS: 4% • CPEs: 11 • EXPL: 0

chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a syslog message for each unauthorized cmdmon packet, which allows remote attackers to cause a denial of service (disk consumption) via a large number of invalid packets.

References:
• http://chrony.tuxfamily.org/News.html
• http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git%3Ba=commit%3Bh=0b710499f994823bd938fc6895f097eefb9cc59f
• http://secunia.com/advisories/38428
• http://secunia.com/advisories/38480
• http://www.debian.org/security/2010/dsa-1992
• http://www.securityfocus.com/bid/38106
• https://bugzilla.redhat.com/show_bug.cgi?id=555367

CWE:
• CWE-399: Resource Management Errors