Re: CVE-2014-0021: chrony traffic amplification in cmdmon protocol

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> With the news about the traffic amplification issue in ntpd, one of
> our developers looked at chronyd

At cve-assign () mitre org, we've received a number of reports that have
protocol descriptions, and ask for CVE assignments for amplification
attacks. We've declined making assignments for those. One of the
criteria we're currently using is:

  - cases in which a vendor of a UDP protocol implementation announces
    that they made a security-relevant mistake by having configuration
    or code elements that allow amplification attacks, and publishes
    a fix for this mistake

One of the other CVE Numbering Authorities was also receiving similar
reports. We coordinated with them and learned that they were looking
at CVE eligibility in much the same way.

The "in which a vendor of a UDP protocol implementation" above was
what we had for the CVE-2013-5211 ntpd issue (with some definition of
"announces"). We don't know the ultimate outcome of how amplification
attacks will interact with the scope of CVE, but we did want to point
out that this CVE-2014-0021 assignment seemed inconsistent with what
we've been doing.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS2cuHAAoJEKllVAevmvmsurYIALjzoZDswrD9TcHR/ObNIU9G
6qIsWM49HJ0VRnY88DJj1aO3vB2bnGiPNVK7Xe3RNkIBW6OPZ4cQyypv2ZijjhSC
QLMlGgzgGAvJq4MQjOeq2RQinS3MUuqj4cHcoQ9Fy64avonXlfuJEsDu5WC3yEah
M6el74ZmwPZupfs0hTvq0aGjvSqRd2alSFsSRUwUxHMS8PZLj4bP/l/NfHMPLC9V
vdQFm90JhccAkn0uzPc87lOeVlqQCpX1KH8R587S2MneoommzKEBrVQI1xTlNjrR
gLyz58pHC9kxPwkbztBr5hS5isSyKpsmrcvKhLRQlLi/51Kd9zTAucj9RdF6gLU=
=S4od
-----END PGP SIGNATURE-----