
CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

chrony before 1.31.1 does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.

An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.

References:
• http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2015/04/msg00002.html
• http://www.debian.org/security/2015/dsa-3222
• http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
• http://www.securityfocus.com/bid/73956
• https://security.gentoo.org/glsa/201507-01
• https://access.redhat.com/security/cve/CVE-2015-1822
• https://bugzilla.redhat.com/show_bug.cgi?id=1209632

CWE:
• CWE-17: DEPRECATED: Code
• CWE-456: Missing Initialization of a Variable

CVSS: 5.0 | EPSS: 0% | CPEs: 24 | EXPL: 0

cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply.

References:
• http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git%3Ba=commitdiff%3Bh=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3
• http://permalink.gmane.org/gmane.comp.time.chrony.announce/15
• http://seclists.org/oss-sec/2013/q3/332
• http://www.debian.org/security/2013/dsa-2760
• https://bugzilla.redhat.com/show_bug.cgi?id=846392

CWE:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.0 | EPSS: 1% | CPEs: 24 | EXPL: 0

Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit.

References:
• http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git%3Ba=commitdiff%3Bh=7712455d9aa33d0db0945effaa07e900b85987b1
• http://permalink.gmane.org/gmane.comp.time.chrony.announce/15
• http://seclists.org/oss-sec/2013/q3/332
• http://www.debian.org/security/2013/dsa-2760
• https://bugzilla.redhat.com/show_bug.cgi?id=846392

CWE:
• CWE-189: Numeric Errors