[arch-security] [ASA-201504-9] chrony: denial of service
Arch Linux Security Advisory ASA-201504-9
=========================================

Severity: Medium
Date    : 2015-04-08
CVE-ID  : CVE-2015-1853
Package : chrony
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chrony before version 1.31.1-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 1.31.1-1

# pacman -Syu "chrony>=1.31.1-1"

The problem has been fixed upstream.

Workaround
==========

None.

Description
===========

CVE-2015-1853 (denial of service):

This issue is similar to the "ntp CVE-2015-1799" issue. An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with the source address of B, which will set the NTP state variables on A to the values sent by the attacker. Host A will then send, on its next poll to B, a packet with an originate timestamp that doesn't match the transmit timestamp of B, and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack.

Impact
======

CVE-2015-1853 (denial of service):

An attacker could stop the synchronizing process of chrony.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1853
https://access.redhat.com/security/cve/CVE-2015-1853
http://seclists.org/oss-sec/2015/q2/63
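The Description above hinges on the order of two operations inside a symmetric NTP association: the origin-timestamp test (does the packet's originate timestamp equal the transmit timestamp of the last packet we sent?) and the update of the peer's state variables. The following Python model, added here as an illustration and not taken from chrony or the advisory, replays the exchange the advisory describes: one honest round trip between peers A and B, one constructed packet carrying B's source address but attacker-chosen timestamps, then A's next poll. The `Peer`, `Packet` and `simulate` names, the shared tick counter, and the exact state-variable ordering are assumptions of the model; it treats "update state only after the test passes" as the mitigated behaviour without claiming that this is exactly how upstream chrony 1.31.1 implemented its fix.

```python
# Simplified, added model of the NTP symmetric-association origin-timestamp
# test. It is NOT chrony's code; all names and the ordering are assumptions.
from dataclasses import dataclass, field
from itertools import count

# One shared monotonic counter stands in for both peers' clocks so that every
# transmit timestamp in a run is distinct (constructed for the model).
_ticks = count(1)


@dataclass
class Packet:
    src: str   # claimed source address; spoofable when the association is unauthenticated
    org: int   # originate timestamp: receiver's last transmit timestamp as the sender saw it
    xmt: int   # transmit timestamp of this packet


@dataclass
class Peer:
    name: str
    update_state_before_check: bool   # True models the behaviour the advisory describes
    xmt: int = 0                      # transmit timestamp of the last packet we sent
    org: int = 0                      # transmit timestamp of the last packet we took from the peer
    log: list = field(default_factory=list)

    def send(self) -> Packet:
        """Poll the peer, echoing the peer's last transmit timestamp as our originate timestamp."""
        self.xmt = next(_ticks)
        return Packet(src=self.name, org=self.org, xmt=self.xmt)

    def receive(self, pkt: Packet) -> bool:
        """Apply the origin-timestamp test; return True if the packet is accepted."""
        if self.update_state_before_check:
            # Vulnerable ordering: state is overwritten by whatever arrives,
            # even though the packet may be dropped a moment later.
            self.org = pkt.xmt
        passed = pkt.org == self.xmt
        if passed and not self.update_state_before_check:
            # Hardened ordering: only a packet that passed the test touches state.
            self.org = pkt.xmt
        self.log.append((self.name, pkt.src, "accept" if passed else "drop"))
        return passed


def simulate(vulnerable: bool) -> dict:
    """One honest exchange, one spoofed packet to A, then A's next poll to B."""
    a = Peer("A", update_state_before_check=vulnerable)
    b = Peer("B", update_state_before_check=vulnerable)

    # Honest round trip establishes matching state on both sides.
    assert b.receive(a.send())
    assert a.receive(b.send())

    # Constructed packet: B's source address, timestamps chosen by the attacker.
    spoofed = Packet(src="B", org=424242, xmt=999999)
    spoofed_accepted = a.receive(spoofed)   # fails the test in both orderings

    # A's next poll carries a.org as its originate timestamp; B compares it to b.xmt.
    peer_accepts = b.receive(a.send())
    return {
        "spoofed_accepted": spoofed_accepted,
        "peer_accepts_next_poll": peer_accepts,
        "a_org_after_spoof": a.org,
        "b_xmt": b.xmt,
        "log": a.log + b.log,
    }


if __name__ == "__main__":
    for flag in (True, False):
        result = simulate(vulnerable=flag)
        print("vulnerable ordering" if flag else "hardened ordering", result)
```

In both runs the spoofed packet itself is dropped, because the attacker cannot know A's last transmit timestamp. The difference is what it leaves behind: with the vulnerable ordering `a.org` now holds the attacker's value, so A's next poll fails B's origin-timestamp test and the peers stop exchanging valid packets, which is the denial of service the advisory describes; with the hardened ordering the dropped packet leaves no trace and the next poll is accepted. The same reasoning applies to the fix on the defender's side: treat nothing from an unverified packet as trusted state, and keep chrony at or above 1.31.1-1 as the Resolution states.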
participants (1)
-
Christian Rebischke