CVE-2016-1567 | Vulnerability Database | Aqua Security

chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a skeleton key.

Affected Software

Name	Vendor	Start Version	End Version
Chrony	Tuxfamily	*	1.31.1 (including)
Chrony	Tuxfamily	2.0 (including)	2.0 (including)
Chrony	Tuxfamily	2.1 (including)	2.1 (including)
Chrony	Tuxfamily	2.1.1 (including)	2.1.1 (including)
Chrony	Tuxfamily	2.2 (including)	2.2 (including)
Chrony	Ubuntu	precise	*
Chrony	Ubuntu	trusty	*
Chrony	Ubuntu	upstream	*
Chrony	Ubuntu	vivid	*
Chrony	Ubuntu	wily	*
Chrony	Ubuntu	xenial	*
Chrony	Ubuntu	yakkety	*
Chrony	Ubuntu	zesty	*

References

http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176559.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html
http://www.talosintel.com/reports/TALOS-2016-0071/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-1567
CWE	https://cwe.mitre.org/data/definitions/254.html