CVE-2015-1822

chrony: uninitialized pointer in cmdmon reply slots

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

chrony before 1.31.1 does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.

chrony anterior a 1.31.1 no inicializa el último puntero 'próximo' cuando guarda respuestas no reconocidas en solicitudes de comandos, lo que permite a usuarios remotos autenticados causar una denegación de servicio (referencia a puntero no inicializado y caída de demonio) o posiblemente ejecutar código arbitrario a través de un número grande de solicitudes de comandos.

An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.

The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol, specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 server or peer to provide a time service to other computers in the network. An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-02-17 CVE Reserved
2015-04-13 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-17: DEPRECATED: Code
CWE-456: Missing Initialization of a Variable

CAPEC

References (7)

URL	Tag	Source
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html	X_refsource_confirm
http://www.securityfocus.com/bid/73956	Vdb Entry

URL	Date	SRC

URL	Date	SRC
http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2015/04/msg00002.html	2023-02-13

URL	Date	SRC
http://www.debian.org/security/2015/dsa-3222	2023-02-13
https://security.gentoo.org/glsa/201507-01	2023-02-13
https://access.redhat.com/security/cve/CVE-2015-1822	2015-11-19
https://bugzilla.redhat.com/show_bug.cgi?id=1209632	2015-11-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Tuxfamily Search vendor "Tuxfamily"		Chrony Search vendor "Tuxfamily" for product "Chrony"				<= 1.31 Search vendor "Tuxfamily" for product "Chrony" and version " <= 1.31"		-		Affected