Expected behavior
No network services should be listening on network interfaces unless absolutely necessary.
Actual behavior
The chrony time daemon listens on the localhost interface on UDP port 323.
Information
chronyd, the chrony Network Time Protocol daemon, listens on UDP port 323 by default to allow remote monitoring and control of the daemon by chronyc. When run locally, chronyc uses the Unix socket at /var/run/chrony by default and does not need the UDP listener.
While I’m not aware of a direct vulnerability that is exposed by this currently, and I realize the port is not open to the Internet, chrony has had known security vulnerabilities in the past, and might have more in the future. The d4m VM should have as little attack surface available as possible.
Steps to reproduce the behavior
- Run Docker for Mac; this will start the Alpine-based VM.
- As part of the VM boot process, chronyd starts. Since nothing in /etc/chrony/chrony.conf overrides the default, it listens on UDP port 323 on 127.0.0.1 and ::1.
Output from netstat:
moby:/# netstat -anp|grep chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 1960/chronyd
udp 0 0 ::1:323 :::* 1960/chronyd
Steps to fix this issue
Add the following line to /etc/chrony/chrony.conf:
cmdport 0
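As an added example (not part of the original report or of chrony itself), the following POSIX sh snippet turns the reproduction and fix steps above into a repeatable check: it counts chronyd UDP/323 sockets in a netstat -anp listing and verifies that chrony.conf carries an uncommented "cmdport 0". The netstat listings are constructed from the output shown above; the UDP/123 line is assumed to represent the NTP socket that must stay open.

```shell
#!/bin/sh
# Added example: audit a netstat listing for the chronyd command socket
# (UDP/323) and audit chrony.conf for the "cmdport 0" fix.

# Constructed sample modelled on the report's netstat output. The UDP/123
# line is an assumption standing in for chrony's NTP socket, which is needed
# for time sync and must not be flagged.
BEFORE_NETSTAT='udp        0      0 127.0.0.1:323           0.0.0.0:*                           1960/chronyd
udp        0      0 ::1:323                 :::*                                1960/chronyd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1960/chronyd'

# Constructed listing of the same VM after "cmdport 0": only NTP remains.
AFTER_NETSTAT='udp        0      0 127.0.0.1:123           0.0.0.0:*                           1960/chronyd'

# Count chronyd UDP sockets bound to port 323 in netstat -anp output.
# Field 4 is the local address (IPv4 "127.0.0.1:323" or IPv6 "::1:323"),
# the last field is "PID/program".
count_cmd_listeners() {
  printf '%s\n' "$1" |
    awk '$1 == "udp" && $4 ~ /:323$/ && $NF ~ /chronyd$/ { n++ } END { print n + 0 }'
}

# Exit 0 only when no chronyd command socket is listening.
cmdport_closed() {
  [ "$(count_cmd_listeners "$1")" -eq 0 ]
}

# Exit 0 only when the given chrony.conf text contains an active (not
# commented-out) "cmdport 0" directive.
conf_disables_cmdport() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*cmdport[[:space:]]+0[[:space:]]*$'
}

# Live usage inside the VM (assumes netstat and chrony are present):
#   cmdport_closed "$(netstat -anp 2>/dev/null)" && echo "UDP/323 closed"
#   conf_disables_cmdport "$(cat /etc/chrony/chrony.conf)" && echo "cmdport 0 set"
```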