CVE-2020-14367: user/chrony: PID file symlink attack
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-09-04 16:19:29 -0500 |
| Modified | 2020-09-04 16:19:29 -0500 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
A flaw was found in chrony versions before 3.5.1 when creating the PID
file under the /var/run/chrony folder. The file is created during
chronyd startup while still running as the root user, and when it's
opened for writing, chronyd does not check for an existing symbolic
link with the same file name. This flaw allows an attacker with
privileged access to create a symlink with the default PID file name
pointing to any destination file in the system, resulting in data loss
and a denial of service due to the path traversal.
Note that Adélie in its default configuration is not affected, since the pidfile defaults to /var/run/chronyd.pid in both /etc/init.d/chronyd and /etc/chrony/chrony.conf. /etc/conf.d/chronyd does not specify it.
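The class of bug described above (a root process opening a PID file by name and following a planted symlink) is conventionally closed by opening with O_NOFOLLOW, which makes open(2) fail with ELOOP when the last path component is a symbolic link, and by checking with fstat that what was opened is a regular file. The following is an added, illustrative example written for this page; it is not chrony's code and does not claim to reproduce the upstream fix. It assumes a writable /tmp and builds its own throwaway directory, victim file and symlink so the check runs offline.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened PID-file open (illustrative, not chrony's code).
 * O_NOFOLLOW makes open(2) fail with ELOOP if the final path component
 * is a symbolic link, so a planted link cannot redirect the write to an
 * arbitrary file. O_CLOEXEC keeps the descriptor out of child processes.
 * Returns an fd >= 0 on success, -1 on failure with errno set. */
int open_pidfile_nofollow(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    /* Defence in depth: refuse anything that is not a regular file
     * (for example a FIFO or device node placed at the PID-file path). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Write the current PID through the hardened open.
 * Returns 0 on success, -1 on failure (errno from open/write). */
int write_pidfile(const char *path) {
    char buf[32];
    int n, ok;
    int fd = open_pidfile_nofollow(path);
    if (fd < 0)
        return -1;
    n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    ok = (write(fd, buf, (size_t)n) == n) ? 0 : -1;
    close(fd);
    return ok;
}

/* Self-contained check in a constructed temporary directory: create a
 * victim file and a symlink named like a PID file pointing at it, then
 * confirm that (1) the hardened open refuses the symlink with ELOOP,
 * (2) the victim's content is untouched, and (3) a plain path still works.
 * Returns 1 if all three hold, 0 otherwise. */
int demo_pidfile_symlink_rejected(void) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX";   /* constructed sandbox path */
    char victim[256], linkpath[256], plain[256], content[64] = {0};
    int refused = 0, intact = 0, plain_ok = 0;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(linkpath, sizeof linkpath, "%s/chronyd.pid", dir);
    snprintf(plain, sizeof plain, "%s/plain.pid", dir);

    f = fopen(victim, "w");
    if (f != NULL) {
        fputs("important data\n", f);
        fclose(f);
        if (symlink(victim, linkpath) == 0) {
            errno = 0;
            refused = (write_pidfile(linkpath) == -1 && errno == ELOOP);

            f = fopen(victim, "r");
            if (f != NULL) {
                if (fgets(content, sizeof content, f) != NULL)
                    intact = (strcmp(content, "important data\n") == 0);
                fclose(f);
            }
            plain_ok = (write_pidfile(plain) == 0);
        }
    }
    /* Clean up the sandbox regardless of outcome. */
    unlink(plain);
    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return refused && intact && plain_ok;
}

int main(void) {
    printf("hardened PID-file open rejects symlink and leaves target intact: %s\n",
           demo_pidfile_symlink_rejected() ? "yes" : "no");
    return 0;
}
```

The fstat check matters because O_NOFOLLOW only guards the final path component; it says nothing about what kind of object sits there, and it does not protect against symlinked parent directories, which is why a PID-file directory should itself be root-owned and not writable by the service user.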