CVE-2020-14367 : A flaw was found in chrony versions before 3.5.1 when creating the PID file unde

A flaw was found in chrony versions before 3.5.1 when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup while still running as the root user, and when it's opened for writing, chronyd does not check for an existing symbolic link with the same file name. This flaw allows an attacker with privileged access to create a symlink with the default PID file name pointing to any destination file in the system, resulting in data loss and a denial of service due to the path traversal.

Published 2020-08-24 15:15:13

Updated 2022-12-06 20:50:34

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversalDenial of service

Products affected by CVE-2020-14367

Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 20.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Tuxfamily » Chrony
Versions before (<) 3.5.1
cpe:2.3:a:tuxfamily:chrony:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-14367

EPSS FAQ

0.33%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 55 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-14367

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:N/I:P/A:P	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
6.0	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H	0.8	5.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2020-14367

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: secalert@redhat.com (Secondary)
CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2020-14367

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6WKABKNLCSC3MACCWU6OM2YGWVWFWFMU/

[SECURITY] Fedora 32 Update: chrony-3.5.1-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1870298

1870298 – (CVE-2020-14367) CVE-2020-14367 chrony: Insecure writing to PID file
Issue Tracking;Patch;Vendor Advisory
https://usn.ubuntu.com/4475-1/

USN-4475-1: Chrony vulnerability | Ubuntu security notices | Ubuntu
Third Party Advisory
https://security.gentoo.org/glsa/202008-23

chrony: Symlink vulnerability (GLSA 202008-23) — Gentoo security
Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-14367

Products affected by CVE-2020-14367

Exploit prediction scoring system (EPSS) score for CVE-2020-14367

CVSS scores for CVE-2020-14367

CWE ids for CVE-2020-14367

References for CVE-2020-14367