CVE-2012-4503

Name of the Vulnerable Software and Affected Versions Chrony versions prior to 1.29

Description The issue allows remote attackers to obtain potentially sensitive information from stack memory. This can occur through two vectors: (1) an invalid subnet in a RPY SUBNETS ACCESSED command to the handle subnets accessed function or (2) a RPY CLIENT ACCESSES command to the handle client accesses function when client logging is disabled, resulting in uninitialized data being included in a reply.

Recommendations For Chrony versions prior to 1.29, update to version 1.29 or later to resolve the issue. As a temporary workaround, consider disabling client logging to minimize the risk of exploitation. Restrict access to the handle subnets accessed and handle client accesses functions until a patch is available. Avoid using the RPY SUBNETS ACCESSED and RPY CLIENT ACCESSES commands in the affected API endpoint until the issue is resolved.