FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

chrony <= 3.5.1 data corruption through symlink vulnerability writing the pidfile

Affected packages
chrony < 3.5.1

Details

VuXML ID 719f06af-e45e-11ea-95a1-c3b8167b8026
Discovery 2020-08-06
Entry 2020-08-22

Miroslav Lichvar reports:

chrony-3.5.1 [...] fixes a security issue in writing of the pidfile.

When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker that compromised the chrony user account could create a symbolic link at the location of the pidfile to make chronyd starting with root privileges follow the symlink and write its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE.

[source]

References

CVE Name CVE-2020-14367
URL https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.