CVE-2020-14367: 
NixOS vulnerability analysis and mitigation

CVE-2020-14367 is a security vulnerability discovered in Chrony, a versatile implementation of the Network Time Protocol (NTP). The vulnerability was discovered on August 5, 2020, and publicly disclosed on August 19, 2020. The flaw affects Chrony version 3.5 and earlier versions, where the software incorrectly handles symbolic links during PID file creation (Openwall OSS).

The vulnerability occurs in chronyd's main() function where the call to writepidfile() is made with full root privileges, while the privilege drop logic is only performed later via SYSDropRoot(). The pidfile is created using fopen() without proper symlink checking. In the default setup, chronyd runs under the 'chrony' user and group, with the PID file located at /run/chrony/chronyd.pid (default since chrony 3.4) (Openwall OSS).

The vulnerability could allow an attacker with privileged access to create a symlink with the default PID file name pointing to any destination file in the system. This could result in data loss, denial of service, or the exposure of sensitive information through file overwriting with root privileges (Gentoo Security, Ubuntu Security).

The issue was fixed in Chrony version 3.5.1. On systems using recent systemd versions, the vulnerability's impact is reduced when chronyd is started via the systemd service unit, as it contains the ProtectSystem=full directive that restricts write permissions for system file locations. Users are advised to upgrade to Chrony version 3.5.1 or later (Openwall OSS, Fedora Update).