Vulnerability Details : CVE-2015-1821
Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.
Vulnerability category: Overflow, Execute code, Denial of service
Products affected by CVE-2015-1821
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:tuxfamily:chrony:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1821
- 2.75%: Probability of exploitation activity in the next 30 days
- ~89%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-1821
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
CWE ids for CVE-2015-1821
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1821
- http://www.debian.org/security/2015/dsa-3222
  Debian -- Security Information -- DSA-3222-1 chrony
- https://security.gentoo.org/glsa/201507-01
  chrony: Multiple vulnerabilities (GLSA 201507-01) — Gentoo security
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
  Oracle Linux Bulletin - October 2015
- http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2015/04/msg00002.html
  [chrony-announce] chrony-1.31.1 released (security) (Patch; Vendor Advisory)
- http://www.securityfocus.com/bid/73955
  Chrony CVE-2015-1821 Out of Bounds Write Heap Buffer Overflow Vulnerability