CVE-2024-32019

EUVD-2024-29857
Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
netdatanetdata
1.44.0-60 ≤
𝑥
< 1.45.0-169
ADP
netdatanetdata
1.45.0 ≤
𝑥
< 1.45.3
ADP
Debian logo
Debian Releases
Debian Product
Codename
netdata
bookworm
1.37.1-2
fixed
bullseye
1.29.3-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
netdata
bionic
not-affected
focal
not-affected
jammy
not-affected
mantic
ignored
noble
not-affected
oracular
not-affected
Common Weakness Enumeration
References
https://github.com/netdata/netdata/pull/17377
https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
https://github.com/netdata/netdata/pull/17377
https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93