cve-2024-47174
Vulnerability from cvelistv5
Published
2024-09-26 17:27
Modified
2024-09-26 17:49
Severity
MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 5.9)
Summary
Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a `netrc` file for authentication, or rely on derivations with `impureEnvVars` set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experimental feature. Note that this may also happen when using Nixpkgs fetchers to obtain new hashes when not using the fake hash method, although that mechanism is not implemented in Nix itself but rather in Nixpkgs using a fixed-output derivation. The behavior was introduced in version 1.11 to make it consistent with the Nixpkgs `pkgs.fetchurl` and to make `<nix/fetchurl.nix>` work in the derivation builder sandbox, which back then did not have access to the CA bundles by default. Nowadays, CA bundles are bind-mounted on Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a workaround, implement (authenticated) fetching with `pkgs.fetchurl` from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed.
References
- https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c (x_refsource_CONFIRM)
- https://github.com/NixOS/nix/pull/11585 (x_refsource_MISC)
- https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90 (x_refsource_MISC)
- https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038 (x_refsource_MISC)
Impacted products
- NixOS nix: >= 1.11, < 2.18.8 (affected)
- NixOS nix: >= 2.24.0, < 2.24.8 (affected)
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47174",
                "options": [
                  { "Exploitation": "none" },
                  { "Automatable": "no" },
                  { "Technical Impact": "partial" }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T17:49:17.234874Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T17:49:28.342Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nix",
          "vendor": "NixOS",
          "versions": [
            { "status": "affected", "version": "\u003e= 1.11, \u003c 2.18.8" },
            { "status": "affected", "version": "\u003e= 2.24.0, \u003c 2.24.8" }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `\u003cnix/fetchurl.nix\u003e` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `\u003cnix/fetchurl.nix\u003e` is also known as the builtin derivation builder `builtin:fetchurl`. It\u0027s not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a `netrc` file for authentication, or rely on derivations with `impureEnvVars` set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experimental feature. Note that this may also happen when using Nixpkgs fetchers to obtain new hashes when not using the fake hash method, although that mechanism is not implemented in Nix itself but rather in Nixpkgs using a fixed-output derivation. The behavior was introduced in version 1.11 to make it consistent with the Nixpkgs `pkgs.fetchurl` and to make `\u003cnix/fetchurl.nix\u003e` work in the derivation builder sandbox, which back then did not have access to the CA bundles by default. Nowadays, CA bundles are bind-mounted on Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a workaround, implement (authenticated) fetching with `pkgs.fetchurl` from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-26T17:27:53.966Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        { "name": "https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c" },
        { "name": "https://github.com/NixOS/nix/pull/11585", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/NixOS/nix/pull/11585" },
        { "name": "https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90" },
        { "name": "https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038" }
      ],
      "source": { "advisory": "GHSA-6fjr-mq49-mm2c", "discovery": "UNKNOWN" },
      "title": "Credential leak when credentials are used with `\u003cnix/fetchurl.nix\u003e`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47174",
    "datePublished": "2024-09-26T17:27:53.966Z",
    "dateReserved": "2024-09-19T22:32:11.961Z",
    "dateUpdated": "2024-09-26T17:49:28.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47174\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-26T18:15:10.840\",\"lastModified\":\"2024-09-30T12:46:20.237\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `\u003cnix/fetchurl.nix\u003e` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `\u003cnix/fetchurl.nix\u003e` is also known as the builtin derivation builder `builtin:fetchurl`. It\u0027s not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a `netrc` file for authentication, or rely on derivations with `impureEnvVars` set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experimental feature. Note that this may also happen when using Nixpkgs fetchers to obtain new hashes when not using the fake hash method, although that mechanism is not implemented in Nix itself but rather in Nixpkgs using a fixed-output derivation. The behavior was introduced in version 1.11 to make it consistent with the Nixpkgs `pkgs.fetchurl` and to make `\u003cnix/fetchurl.nix\u003e` work in the derivation builder sandbox, which back then did not have access to the CA bundles by default. Nowadays, CA bundles are bind-mounted on Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a workaround, implement (authenticated) fetching with `pkgs.fetchurl` from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed.\"},{\"lang\":\"es\",\"value\":\"Nix es un administrador de paquetes para Linux y otros sistemas Unix. A partir de la versi\u00f3n 1.11 y antes de las versiones 2.18.8 y 2.24.8, `` no verificaba los certificados TLS en las conexiones HTTPS. Esto podr\u00eda provocar que se filtraran detalles de la conexi\u00f3n, como URL completas o credenciales, en caso de un ataque de intermediario (MITM). `` tambi\u00e9n se conoce como el generador de derivaciones integrado `builtin:fetchurl`. No debe confundirse con la funci\u00f3n de tiempo de evaluaci\u00f3n `builtins.fetchurl`, que no se vio afectada por este problema. Un usuario puede verse afectado por el riesgo de filtrar credenciales si tiene un archivo `netrc` para la autenticaci\u00f3n o conf\u00eda en derivaciones con `impureEnvVars` configuradas para usar credenciales del entorno. Adem\u00e1s, la t\u00e9cnica com\u00fan de confianza en el primer uso (TOFU) de actualizar dependencias especificando un hash no v\u00e1lido y obteni\u00e9ndolo de un almac\u00e9n remoto tambi\u00e9n era vulnerable a un MITM que inyectara objetos de almac\u00e9n arbitrarios. Esto tambi\u00e9n se aplicaba a la caracter\u00edstica experimental de derivaciones impuras. Tenga en cuenta que esto tambi\u00e9n puede suceder cuando se utilizan los recuperadores de Nixpkgs para obtener nuevos hashes cuando no se utiliza el m\u00e9todo de hash falso, aunque ese mecanismo no est\u00e1 implementado en Nix en s\u00ed, sino en Nixpkgs que utiliza una derivaci\u00f3n de salida fija. El comportamiento se introdujo en la versi\u00f3n 1.11 para que fuera coherente con el `pkgs.fetchurl` de Nixpkgs y para que `` funcionara en el entorno limitado del generador de derivaciones, que en ese entonces no ten\u00eda acceso a los paquetes de CA de forma predeterminada. Hoy en d\u00eda, los paquetes de CA se montan mediante enlaces en Linux. Este problema se ha solucionado en Nix 2.18.8 y 2.24.8. Como workaround, implemente la obtenci\u00f3n (autenticada) con `pkgs.fetchurl` desde Nixpkgs, usando `impureEnvVars` y `curlOpts` seg\u00fan sea necesario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NixOS/nix/pull/11585\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}