Nix Package Manager Vulnerability: Hijacking Future Builds
CVE-2024-38531

3.6LOW

Key Information:

Vendor: Nixos
Status: Nix
Vendor: CVE Published:; 28 June 2024

What is CVE-2024-38531?

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

nix >= 2.23.0, < 2.23.1 < 2.23.0, 2.23.1

nix >= 2.22.0, < 2.22.2 < 2.22.0, 2.22.2

nix >= 2.21.0, < 2.21.3 < 2.21.0, 2.21.3

References

https://github.com/NixOS/nix/security/advisories/GHSA-q82...

x_refsource_CONFIRM

https://github.com/NixOS/nix/pull/10501

x_refsource_MISC

CVSS V3.1

Score:

3.6

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 28, 2024
Vulnerability Reserved
Jun 18, 2024

JSON

Nixos

What is CVE-2024-38531?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.