CVE-2016-1567
chrony - security update
CVSS 3.1: 8.1 (HIGH)
EPSS: 0.41%
Description
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
How to fix CVE-2016-1567
To remediate CVE-2016-1567, upgrade the affected package to a fixed version below.
- Debian/chrony—upgrade to 2.2.1-1 or later
- —upgrade to 1.24-3+squeeze3 or later
- —upgrade to 1.24-3.1+deb7u4 or later
Is CVE-2016-1567 being exploited?
Low: EPSS is 0.4%, a model estimate of the likelihood of exploitation, and exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.2.1-1
- from 0, < 1.24-3+squeeze3
- from 0, < 1.24-3.1+deb7u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |