CVE-2024-27297

EUVD-2024-24524

11.03.2024, 22:15

Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.3 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
GitHub_M	CNA	6.3 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
nixos	nix	𝑥 < 2.3.18
nixos	nix	2.4 ≤ 𝑥 < 2.18.2
nixos	nix	2.19.0 ≤ 𝑥 < 2.19.4
nixos	nix	2.20.0 ≤ 𝑥 < 2.20.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

guix

bookworm	no-dsa
bullseye	1.2.0-4+deb11u2 no-dsa
bullseye (security)	1.2.0-4+deb11u3 fixed
sid	1.4.0-9 fixed

nix

bookworm	no-dsa
bullseye	no-dsa
forky	2.26.3+dfsg-1 fixed
sid	2.26.3+dfsg-1 fixed
trixie	2.26.3+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

guix

focal	dne
jammy	needs-triage
mantic	ignored
noble	not-affected
oracular	not-affected
plucky	not-affected
questing	dne

nix

focal	dne
jammy	not-affected
mantic	ignored
noble	Fixed 2.18.1+dfsg-1ubuntu5+esm2 released
oracular	ignored
plucky	not-affected
questing	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000

https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

https://hackmd.io/03UGerewRcy3db44JQoWvw

https://github.com/NixOS/nix/commit/f8170ce9f119e5e6724eb81ff1b5a2d4c0024000

https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/

https://hackmd.io/03UGerewRcy3db44JQoWvw