CVE-2020-14367: Path Traversal
First published: Wed Aug 19 2020(Updated: )
A flaw was found in chrony versions before 3.5.1 when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup while still running as the root user, and when it's opened for writing, chronyd does not check for an existing symbolic link with the same file name. This flaw allows an attacker with privileged access to create a symlink with the default PID file name pointing to any destination file in the system, resulting in data loss and a denial of service due to the path traversal.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/chrony | <3.5.1 | 3.5.1 |
| ubuntu/chrony | <3.2-4ubuntu4.5 | 3.2-4ubuntu4.5 |
| ubuntu/chrony | <3.5-6ubuntu6.2 | 3.5-6ubuntu6.2 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1ubuntu1 | 3.5.1-1ubuntu1 |
| ubuntu/chrony | <3.5.1-1 | 3.5.1-1 |
| debian/chrony | 4.0-8+deb11u2 4.3-2+deb12u1 4.5-3 | |
| Chrony | <3.5.1 | |
| Fedora | =32 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =20.04 |
Remedy
https://git.tuxfamily.org/chrony/chrony.git/patch/?id=f00fed20092b6a42283f29c6ee1f58244d74b545
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1870298
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6WKABKNLCSC3MACCWU6OM2YGWVWFWFMU/
- https://security.gentoo.org/glsa/202008-23
- https://usn.ubuntu.com/4475-1/
- https://launchpad.net/bugs/cve/CVE-2020-14367
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1870299
- https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74
- https://git.tuxfamily.org/chrony/chrony.git/commit/main.c?id=e18903a6b56341481a2e08469c0602010bf7bfe3
- https://www.openwall.com/lists/oss-security/2020/08/21/1
- https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545
- https://security-tracker.debian.org/tracker/CVE-2020-14367
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WKABKNLCSC3MACCWU6OM2YGWVWFWFMU/
- https://ubuntu.com/security/notices/USN-4475-1
- https://www.cve.org/CVERecord?id=CVE-2020-14367
- https://nvd.nist.gov/vuln/detail/CVE-2020-14367
- https://git.tuxfamily.org/chrony/chrony.git/patch/?id=f00fed20092b6a42283f29c6ee1f58244d74b545
- https://ubuntu.com/security/CVE-2020-14367
Frequently Asked Questions
What is the severity of CVE-2020-14367?
CVE-2020-14367 is considered a medium severity vulnerability due to the potential for privilege escalation.
How do I fix CVE-2020-14367?
To mitigate CVE-2020-14367, upgrade chrony to version 3.5.1 or later for affected systems.
Which versions of chrony are affected by CVE-2020-14367?
Chrony versions prior to 3.5.1 are affected by CVE-2020-14367.
What systems are impacted by CVE-2020-14367?
CVE-2020-14367 impacts chrony installations on several Linux distributions, including certain versions of Fedora and Ubuntu.
Is CVE-2020-14367 actively being exploited?
There is currently no evidence to suggest that CVE-2020-14367 is being actively exploited in the wild.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-14367
- agent/software-canonical-lookup
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/trending
- agent/source
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian
- vendor/tuxfamily
- canonical/chrony
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04
- canonical/ubuntu
- version/ubuntu/18.04
- version/ubuntu/20.04