Bug 1174911 - (CVE-2020-14367) VUL-0: CVE-2020-14367: chrony: unsafe pidfile creation allows privilege escalation from chrony user to root
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware / OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2020-08-05 12:09 UTC by Matthias Gerstner
Modified: 2022-04-19 22:21 UTC (History)
Description Matthias Gerstner 2020-08-05 12:09:41 UTC
I just wrote the following message to the chrony upstream author
mlichvar@redhat.com:

In chronyd's main() function the call to `write_pidfile()` is made with
full root privileges, while the privilege drop logic is only performed
later via `SYS_DropRoot()`.

It seems a common default setup for chronyd is as follows:

- "chrony" user and group are used as unprivileged accounts to run
  chronyd as.
- The directory /run/chrony is created via systemd-tmpfiles (or during
  runtime by chronyd itself, in `CNF_CreateDirs()`). Ownership is passed
  to chrony:chrony, mode is 0750.
- The DEFAULT_PID_FILE path is set to /run/chrony/chronyd.pid.

This constellation means that a compromised chrony user account can
stage a symlink attack in /run/chrony/chronyd.pid like follows:

```
root# systemctl stop chronyd.service
root# sudo -u chrony /bin/bash

chrony# cd /run/chrony
chrony# ln -s /etc/fstab chronyd.pid
chrony# exit

# make sure to keep a backup of /etc/fstab if it is dear to you
root# cp /etc/fstab /etc/fstab.back
root# /usr/sbin/chronyd -n
^C
# fstab content got replaced by the chronyd PID
root# cat /etc/fstab
11354
```

So this attack mostly poses a denial-of-service attack vector. It could
also be used to pre-create a file with mode 0644 that would then later
be used by other programs to store sensitive data.

On recent systemd versions the issue is not severe as long as chronyd is
only started via the systemd service unit. This is the case because it
uses ProtectSystem=full and thus no write permission is granted for
system file locations.

To fix the issue I see different approaches:

- opening the PID file with O_NOFOLLOW. This should be easy in the
  current code on the master branch, where `UTI_OpenFile()` breaks down
  to an `open()` system call with flags. In older versions `fopen()` is
  still used, where this is more difficult to introduce.

- changing the PID file default location. On Debian it looks like they
  place the PID file into /run directly, thereby they're not affected by
  the issue.

- creating the PID file only as the unprivileged user. This would then
  break, however, in cases like with Debian, where they want to place
  the PID file into a privileged location.
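The following C program is an added illustration of the two pidfile-creation patterns discussed in the report above; it is not chrony's code and not part of the original bug report. It models the `fopen()`-style creation that follows a planted symlink, and the `open(2)` with `O_NOFOLLOW` variant that the first fix option proposes. Instead of touching /run/chrony and /etc/fstab it builds a throw-away directory under /tmp with a constructed "fstab" victim file and a `chronyd.pid` symlink pointing at it, the way the chrony user would plant it. All function, struct and file names here are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pre-fix pattern (hypothetical model, not chrony's write_pidfile()):
 * fopen() follows a symlink in the final path component, so a link planted
 * at `path` redirects the root-privileged write to the link target. */
static int write_pidfile_unsafe(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fprintf(f, "%ld\n", (long)pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: O_NOFOLLOW makes open(2) refuse a symlink as the final
 * path component (errno ELOOP). Returns 0 on success, -1 with errno set. */
static int write_pidfile_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    ssize_t w = write(fd, buf, (size_t)n);
    int rc = close(fd);
    return (w == n && rc == 0) ? 0 : -1;
}

/* Sandbox standing in for /run/chrony: a constructed victim file (the
 * stand-in for /etc/fstab) and the attacker's chronyd.pid -> victim link. */
struct sandbox { char dir[64]; char victim[128]; char link[128]; };

static int sandbox_create(struct sandbox *sb)
{
    snprintf(sb->dir, sizeof sb->dir, "/tmp/pidfile-demo-XXXXXX");
    if (!mkdtemp(sb->dir))
        return -1;
    snprintf(sb->victim, sizeof sb->victim, "%s/fstab", sb->dir);
    snprintf(sb->link, sizeof sb->link, "%s/chronyd.pid", sb->dir);
    FILE *f = fopen(sb->victim, "w");
    if (!f)
        return -1;
    fputs("UUID=deadbeef / ext4 defaults 0 1\n", f); /* constructed content */
    fclose(f);
    return symlink(sb->victim, sb->link);           /* the planted link */
}

static void sandbox_destroy(struct sandbox *sb)
{
    unlink(sb->link);
    unlink(sb->victim);
    rmdir(sb->dir);
}

/* 1 if the victim no longer starts with its original content, 0 if intact. */
static int victim_clobbered(const struct sandbox *sb)
{
    char buf[64] = {0};
    FILE *f = fopen(sb->victim, "r");
    if (!f)
        return -1;
    fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return strncmp(buf, "UUID=", 5) != 0;
}

/* Returns 1 when the unsafe writer followed the link and replaced the
 * victim's content with the pid, 0 otherwise, -1 on setup failure. */
int demo_unsafe_follows_symlink(void)
{
    struct sandbox sb;
    if (sandbox_create(&sb) < 0)
        return -1;
    int rc = write_pidfile_unsafe(sb.link, getpid());
    int clobbered = (rc == 0) && victim_clobbered(&sb) == 1;
    sandbox_destroy(&sb);
    return clobbered;
}

/* Returns the errno the hardened writer failed with (ELOOP expected) while
 * the victim stayed intact; -1 if the victim was modified or setup failed. */
int demo_safe_refuses_symlink(void)
{
    struct sandbox sb;
    if (sandbox_create(&sb) < 0)
        return -1;
    int err = 0;
    if (write_pidfile_safe(sb.link, getpid()) < 0)
        err = errno;
    int intact = victim_clobbered(&sb) == 0;
    sandbox_destroy(&sb);
    return intact ? err : -1;
}

int main(void)
{
    printf("fopen() writer clobbered the victim: %d\n", demo_unsafe_follows_symlink());
    int e = demo_safe_refuses_symlink();
    printf("O_NOFOLLOW writer failed with errno %d (%s)\n", e, strerror(e));
    return 0;
}
```

Build with `cc -o pidfile-demo pidfile-demo.c` and run it as any user; no privileges are needed because both files live in the same temporary directory. Two caveats a practitioner should keep in mind: `O_NOFOLLOW` only guards the final path component, not symlinks in parent directories (here the parent, /run, is root-owned, so that is fine), and it does nothing against hard links, which on Linux are covered by the `fs.protected_hardlinks` sysctl. The kernel's `fs.protected_symlinks` does not apply to /run/chrony at all, since it only restricts symlinks in sticky world-writable directories, which is why an application-level check like this one matters.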
Comment 1 Matthias Gerstner 2020-08-05 12:11:49 UTC
This issue will be handled according to our disclosure policy outlined in
https://en.opensuse.org/openSUSE:Security_disclosure_policy

The information listed here is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not make this bug public
- do not submit this into OBS (e.g. fix Leap) until this is public

In accordance with our policy we will make this issue public latest at
Internal CRD: 2020-11-03 preliminary
This is the latest possible date and we prefer to make it public earlier if the
situation allows it. In that case we'll post a comment here setting the new
date.

Only a member of the security team is allowed to make this issue public. Please speak
to us if you want to take part in the public disclosure.

In doubt please talk to us on IRC (#security) or send us a mail (security@suse.de).
Comment 3 Matthias Gerstner 2020-08-07 12:49:29 UTC
Upstream communicated nicely with me over the last few days. We agreed upon
the classification of the security issue and on how to fix it. In attachment
840427 is a preliminary patch for the issue. If all goes well this will also
be the final version.

I don't have a publication date yet so please sit tight until I get word from
upstream about it.
Comment 4 Matthias Gerstner 2020-08-19 13:45:53 UTC
CVE-2020-14367 was communicated by upstream for this issue.
Comment 5 Matthias Gerstner 2020-08-21 08:25:21 UTC
Upstream published the CVE along with a new release [1]. Therefore I'm lifting
the embargo. Please submit updates to any affected codestreams now. Thank you!

SLE-15:Update is not affected, because the pidfile is created in /run/
directly there. The same goes for the SLE-12-SP2:Update codestream.  Also the
openSUSE:Leap codestreams seem unaffected.

This means that only the Factory package needs to be fixed.

[1]: https://chrony.tuxfamily.org/news.html
Comment 6 OBSbugzilla Bot 2020-09-14 14:20:11 UTC
This is an autogenerated message for OBS integration:
This bug (1174911) was mentioned in
https://build.opensuse.org/request/show/834313 Factory / chrony
Comment 7 Marcus Meissner 2021-08-09 15:20:25 UTC
fixed
Comment 10 Swamp Workflow Management 2021-12-22 14:35:59 UTC
SUSE-SU-2021:4147-1: An update that solves one vulnerability, contains three features and has 22 fixes is now available.

Category: security (moderate)
Bug References: 1063704,1069468,1082318,1083597,1099272,1115529,1128846,1156884,1159840,1161119,1162964,1171806,1172113,1173277,1173760,1174075,1174911,1180689,1181826,1183783,1184400,1187906,1190926
CVE References: CVE-2020-14367
JIRA References: SLE-11424,SLE-22248,SLE-22292
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    chrony-4.1-5.9.1
SUSE OpenStack Cloud Crowbar 8 (src):    chrony-4.1-5.9.1
SUSE OpenStack Cloud 9 (src):    chrony-4.1-5.9.1
SUSE OpenStack Cloud 8 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    chrony-4.1-5.9.1
HPE Helion Openstack 8 (src):    chrony-4.1-5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-03-15 14:19:20 UTC
SUSE-SU-2022:0845-1: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    augeas-1.10.1-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
SUSE Linux Enterprise Micro 5.1 (src):    augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
SUSE Linux Enterprise Micro 5.0 (src):    augeas-1.10.1-3.9.1
SUSE Linux Enterprise Installer 15-SP3 (src):    augeas-1.10.1-3.9.1
Comment 13 Swamp Workflow Management 2022-03-15 14:27:32 UTC
openSUSE-SU-2022:0845-1: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
openSUSE Leap 15.3 (src):    augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
Comment 14 Swamp Workflow Management 2022-04-19 22:21:39 UTC
SUSE-SU-2022:0845-2: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    augeas-1.10.1-3.9.1