[chrony-users] chrony-2.2.1 and chrony-1.31.2 released (security) |
[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]
chrony-2.2.1 and chrony-1.31.2 are now available. They fix a security vulnerability in authentication of NTP servers and peers. Update is recommended for users that have servers or peers specified with the key option and have more than one key in the key file. The sources can be downloaded here: http://download.tuxfamily.org/chrony/chrony-2.2.1.tar.gz http://download.tuxfamily.org/chrony/chrony-1.31.2.tar.gz MD5 and SHA1 sums: ce46990540aab3670d093311ee43fe17 chrony-2.2.1.tar.gz eb18099576efbc50fd0f8d60c0df988a chrony-1.31.2.tar.gz 290b761478dc90d4921c98b7030ead07c49f2afd chrony-2.2.1.tar.gz c0915e55f6515244e065a3435e99ed2943670bc2 chrony-1.31.2.tar.gz Security fixes -------------- * Restrict authentication of NTP server/peer to specified key (CVE-2016-1567) CVE-2016-1567: Impersonation between authenticated peers When a server/peer was specified with a key number to enable authentication with a symmetric key, packets received from the server/peer were accepted if they were authenticated with any of the keys contained in the key file and not just the specified key. This allowed an attacker who knew one key of a client/peer to modify packets from its servers/peers that were authenticated with other keys in a man-in-the-middle (MITM) attack. For example, in a network where each NTP association had a separate key and all hosts had only keys they needed, a client of a server could not attack other clients of the server, but it could attack the server and also attack its own clients (i.e. modify packets from other servers). To not allow the server/peer to be authenticated with other keys, the authentication test was extended to check if the key ID in the received packet is equal to the configured key number. As a consequence, it's no longer possible to authenticate two peers to each other with two different keys, both peers have to be configured to use the same key. This issue was discovered by Matt Street of Cisco ASIG. -- Miroslav Lichvar
Attachment:
signature.asc
Description: PGP signature
Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/ |