NewStart CGSL MAIN 6.06 : chrony Multiple Vulnerabilities (NS-SA-2025-0212)

high Nessus Plugin ID 266273

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.06, has chrony packages installed that are affected by multiple vulnerabilities:

- chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a skeleton key. (CVE-2016-1567)

- The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563. (CVE-2010-0292)

- The client logging functionality in chronyd in Chrony before 1.23.1 does not restrict the amount of memory used for storage of client information, which allows remote attackers to cause a denial of service (memory consumption) via spoofed (1) NTP or (2) cmdmon packets. (CVE-2010-0293)

- chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a syslog message for each unauthorized cmdmon packet, which allows remote attackers to cause a denial of service (disk consumption) via a large number of invalid packets. (CVE-2010-0294)

- Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit. (CVE-2012-4502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL chrony packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2025-0212

https://security.gd-linux.com/info/CVE-2010-0292

https://security.gd-linux.com/info/CVE-2010-0293

https://security.gd-linux.com/info/CVE-2010-0294

https://security.gd-linux.com/info/CVE-2012-4502

https://security.gd-linux.com/info/CVE-2012-4503

https://security.gd-linux.com/info/CVE-2014-0021

https://security.gd-linux.com/info/CVE-2015-1821

https://security.gd-linux.com/info/CVE-2015-1822

https://security.gd-linux.com/info/CVE-2015-1853

https://security.gd-linux.com/info/CVE-2016-1567

Plugin Details

Severity: High

ID: 266273

File Name: newstart_cgsl_NS-SA-2025-0212_chrony.nasl

Version: 1.1

Type: local

Published: 9/30/2025

Updated: 9/30/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-1567

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:chrony

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/30/2025

Vulnerability Publication Date: 2/4/2010

Reference Information

CVE: CVE-2010-0292, CVE-2010-0293, CVE-2010-0294, CVE-2012-4502, CVE-2012-4503, CVE-2014-0021, CVE-2015-1821, CVE-2015-1822, CVE-2015-1853, CVE-2016-1567