CVE-2012-4503: Infoleak
First published: Tue Nov 05 2013(Updated: )
cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Chrony | <=1.28 | |
| Chrony | =1.0 | |
| Chrony | =1.1 | |
| Chrony | =1.18 | |
| Chrony | =1.19 | |
| Chrony | =1.19.99.1 | |
| Chrony | =1.19.99.2 | |
| Chrony | =1.19.99.3 | |
| Chrony | =1.20 | |
| Chrony | =1.21 | |
| Chrony | =1.21-pre1 | |
| Chrony | =1.23 | |
| Chrony | =1.23-pre1 | |
| Chrony | =1.23.1 | |
| Chrony | =1.24 | |
| Chrony | =1.24-pre1 | |
| Chrony | =1.25 | |
| Chrony | =1.25-pre1 | |
| Chrony | =1.25-pre2 | |
| Chrony | =1.26 | |
| Chrony | =1.26-pre1 | |
| Chrony | =1.27 | |
| Chrony | =1.27-pre1 | |
| Chrony | =1.28-pre1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3
- http://permalink.gmane.org/gmane.comp.time.chrony.announce/15
- http://seclists.org/oss-sec/2013/q3/332
- http://www.debian.org/security/2013/dsa-2760
- https://bugzilla.redhat.com/show_bug.cgi?id=846392
- http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git%3Ba=commitdiff%3Bh=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3
Frequently Asked Questions
What is the severity of CVE-2012-4503?
CVE-2012-4503 is classified as a medium-severity vulnerability.
What does CVE-2012-4503 exploit?
CVE-2012-4503 allows remote attackers to obtain potentially sensitive information from stack memory.
How do I fix CVE-2012-4503?
To mitigate CVE-2012-4503, upgrade Chrony to version 1.29 or later.
Which versions of Chrony are affected by CVE-2012-4503?
Chrony versions before 1.29, including 1.28 and earlier, are affected by CVE-2012-4503.
What commands are involved in CVE-2012-4503?
CVE-2012-4503 involves the RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES commands.
- agent/remedy
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/last-modified-date
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/tuxfamily
- canonical/chrony
- version/chrony/1.28
- version/chrony/1.0
- version/chrony/1.1
- version/chrony/1.18
- version/chrony/1.19
- version/chrony/1.19.99.1
- version/chrony/1.19.99.2
- version/chrony/1.19.99.3
- version/chrony/1.20
- version/chrony/1.21
- version/chrony/1.21-pre1
- version/chrony/1.23
- version/chrony/1.23-pre1
- version/chrony/1.23.1
- version/chrony/1.24
- version/chrony/1.24-pre1
- version/chrony/1.25
- version/chrony/1.25-pre1
- version/chrony/1.25-pre2
- version/chrony/1.26
- version/chrony/1.26-pre1
- version/chrony/1.27
- version/chrony/1.27-pre1
- version/chrony/1.28-pre1