Bug 12347 - chrony new security issue CVE-2014-0021
Summary: chrony new security issue CVE-2014-0021
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584548/
Whiteboard: has_procedure mga3-32-ok mga4-64-ok a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-01-18 00:34 CET by David Walser
Modified: 2014-02-11 23:51 CET

See Also:
Source RPM: chrony-1.29-1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-01-18 00:34:47 CET
chrony suffers from the same traffic amplification issue that ntp does (Bug 12326).  This has just been discovered and given a CVE:
http://openwall.com/lists/oss-security/2014/01/17/9

No fix is available yet.

Comment 1 David Walser 2014-01-21 13:54:59 CET
Interesting note in that thread that this shouldn't be an issue by default, nor would it be much of an issue otherwise:
http://openwall.com/lists/oss-security/2014/01/19/1

If it is not vulnerable by default in our package, I think we should close this as WONTFIX.
Comment 2 David Walser 2014-02-01 20:14:13 CET
We are indeed not affected by default (no cmdallow directive in our configuration file), but perhaps we should still issue an update for those who have enabled it?

The issue is fixed in chrony 1.29.1, released on January 31:
http://chrony.tuxfamily.org/News.html
Comment 3 David Walser 2014-02-05 20:25:18 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Note to QA: this should also fix an issue where chrony's PID file, /var/run/chrony.pid, was not being removed when the service was stopped.  Please verify this.  It should be a very minor issue for us, as we don't use SELinux, which is why I haven't listed it in the advisory.  Details are here:
https://bugzilla.redhat.com/show_bug.cgi?id=974305

Advisory:
========================

Updated chrony package fixes security vulnerability:

In the chrony control protocol some replies are significantly larger than
their requests, which allows an attacker to use it in an amplification attack
(CVE-2014-0021).

Note: in the default configuration, cmdallow is restricted to localhost, so
significant amplification is only possible if the configuration has been
changed to allow cmdallow from other hosts.  Even from hosts whose access is
denied, minor amplification is still possible.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0021
http://chrony.tuxfamily.org/News.html
========================

Updated packages in core/updates_testing:
========================
chrony-1.29.1-1.mga4

from chrony-1.29.1-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
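
A configuration check for the condition the advisory above describes (cmdallow opened to hosts other than localhost), as an added example that is not part of this bug report or of chrony. The function names and the sample configuration are constructed for illustration; the check assumes standard chrony.conf syntax and does not evaluate cmddeny or bindcmdaddress.

```python
import ipaddress

COMMENT_CHARS = "#;!%"  # characters that start a comment line in chrony.conf

def _to_network(spec):
    """Parse a cmdallow subnet (1.2, 1.2.3.4, 10.0.0.0/8, ::1); None if not an address."""
    try:
        if "/" not in spec and ":" not in spec:
            parts = spec.split(".")
            if 1 <= len(parts) < 4 and all(p.isdigit() for p in parts):
                # partial dotted form: "1.2" means 1.2.0.0/16
                prefix = 8 * len(parts)
                spec = ".".join(parts + ["0"] * (4 - len(parts))) + "/%d" % prefix
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None

def remote_cmdallow(conf_text):
    """Return (line number, directive, scope) for each cmdallow that reaches past loopback."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue
        words = line.split()
        if words[0].lower() != "cmdallow":
            continue
        args = [w for w in words[1:] if w.lower() != "all"]
        if not args:  # bare "cmdallow" or "cmdallow all" allows every host
            findings.append((lineno, line, "any host"))
            continue
        net = _to_network(args[0])
        if net is None:
            findings.append((lineno, line, "not an address, review manually"))
        elif not net.is_loopback:
            findings.append((lineno, line, str(net)))
    return findings

# Constructed sample configuration, not taken from the Mageia package.
SAMPLE = """\
# constructed sample chrony.conf
server 0.pool.ntp.org iburst
cmdallow 127.0.0.1
cmdallow 192.168.1
! cmdallow 10.0.0.0/8
cmdallow all
"""

if __name__ == "__main__":
    for lineno, directive, scope in remote_cmdallow(SAMPLE):
        print("line %d: %s -> %s" % (lineno, directive, scope))
```

An empty result matches the default described in comment 2 (no cmdallow directive for remote hosts); any finding marks a host where the update to 1.29.1 matters most.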

Comment 4 David Walser 2014-02-06 18:06:15 CET
Fedora has issued an advisory for this on February 3:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127837.html

URL: (none) => http://lwn.net/Vulnerabilities/584548/

Comment 5 Olivier Delaune 2014-02-08 21:43:49 CET
How to check if chrony is working well after installing the new package?

CC: (none) => olivier.delaune

Comment 6 David Walser 2014-02-08 22:06:55 CET
It should keep your computer's clock synchronized as it normally does.
Comment 7 Manuel Hiebel 2014-02-08 22:09:22 CET
fine here

Whiteboard: (none) => mga4-64-ok

claire robinson 2014-02-10 19:44:45 CET

Whiteboard: mga4-64-ok => has_procedure mga4-64-ok

Comment 8 Rémi Verschelde 2014-02-10 21:50:34 CET
Testing on Mageia 4 i586. I can confirm that before the fix, the file /var/run/chronyd.pid is not removed when the service is stopped.
The update candidate fixes it.

-- 

Validating update. Advisory in comment 3 (not pushed yet).
Could someone push the advisory and a sysadmin push the update from Mageia 4 core/updates_testing to core/updates?

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga3-32-ok mga4-64-ok
CC: (none) => remi, sysadmin-bugs

Comment 9 Thomas Backlund 2014-02-11 19:04:51 CET
advisory added

CC: (none) => tmb
Whiteboard: has_procedure mga3-32-ok mga4-64-ok => has_procedure mga3-32-ok mga4-64-ok advisory

Comment 10 Thomas Backlund 2014-02-11 23:51:49 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0052.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
