Critical Flaw in NixOS Package Manager: CVE-2024-45593 Allows Arbitrary File Write with Root Permissions
A high-severity security flaw has been discovered in Nix, the popular package manager for Linux and Unix-based systems. Identified as CVE-2024-45593, this vulnerability poses a significant threat, allowing malicious users or compromised substituters to exploit the NAR unpacking process and write to arbitrary file system locations. With a CVSS score of 9.1, this issue demands immediate attention, especially for systems running the vulnerable Nix versions.
The vulnerability affects Nix versions 2.24.0 through 2.24.5 and is caused by unsafe NAR (Nix ARchive) unpacking. A malicious user can craft a specially designed NAR file, which, when unpacked by Nix, will overwrite or create files anywhere on the system to which the Nix process has access. This vulnerability becomes particularly dangerous when Nix is running as root, as in the case of using the Nix daemon, potentially allowing attackers to write files with elevated privileges and take control of critical system resources.
The NixOS team has acted quickly, releasing Nix 2.24.6, which patches the CVE-2024-45593 vulnerability and resolves the unsafe unpacking flaw. To protect your systems, users are strongly urged to upgrade to Nix 2.24.6 immediately. Failing to do so could leave systems vulnerable to unauthorized file writes, potentially leading to data corruption, privilege escalation, or even full system compromise.
For users unable to immediately upgrade, some workarounds can help reduce the risk:
- Use trusted substituters: Only accept substitutes (prebuilt store paths delivered as NARs) from substituters you trust, since a compromised substituter can serve a malicious archive.
- Restrict allowed users: Use the allowed-users setting in Nix to limit which local users may connect to the Nix daemon and trigger substitutions, reducing who can reach the vulnerable unpacking path at all.
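As an added example (not part of the advisory and not code from the Nix project), the following POSIX shell script performs the two checks a defender would want after reading the above: whether the installed Nix falls in the affected range 2.24.0 through 2.24.5, and whether a nix.conf still leaves allowed-users unrestricted. It assumes the "nix --version" output format "nix (Nix) X.Y.Z", the conventional config path /etc/nix/nix.conf, and the documented default of "*" for allowed-users when the setting is absent; the sample config lines in the usage are constructed.

```shell
#!/bin/sh
# Added example: audit a host for CVE-2024-45593 exposure.
# Not from the advisory or the Nix project; assumptions are noted inline.

# Return 0 (true) if VERSION is inside the affected range 2.24.0 - 2.24.5.
# Accepts "2.24.5", "2.24.5pre..." (suffix ignored) or "2.24" (patch taken as 0).
nix_version_affected() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}
    minor=${2:-0}
    patch=${3:-0}
    patch=${patch%%[!0-9]*}     # drop any non-numeric suffix
    patch=${patch:-0}
    case "$major$minor$patch" in
        *[!0-9]*) return 1 ;;   # not a parseable version, treat as not matched
    esac
    [ "$major" -eq 2 ] && [ "$minor" -eq 24 ] && [ "$patch" -le 5 ]
}

# Extract the version number from "nix --version" output such as
# "nix (Nix) 2.24.5" (assumed output format).
nix_version_from_output() {
    printf '%s\n' "$1" | awk '{ print $NF; exit }'
}

# Return 0 (true) if FILE leaves allowed-users at "*", i.e. every local user
# may talk to the daemon. An absent setting counts as "*" because that is the
# documented default (assumption stated in the lead-in).
nix_conf_allows_all_users() {
    val=$(sed -n 's/^[[:space:]]*allowed-users[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    val=${val%"${val##*[![:space:]]}"}   # strip trailing whitespace
    [ -z "$val" ] || [ "$val" = "*" ]
}

# Stand-alone usage: report on the local host, if Nix is installed.
if command -v nix >/dev/null 2>&1; then
    installed=$(nix_version_from_output "$(nix --version)")
    if nix_version_affected "$installed"; then
        echo "nix $installed is affected by CVE-2024-45593: upgrade to 2.24.6 or later"
    else
        echo "nix $installed is outside the affected range"
    fi
else
    echo "nix not found on this host; version check skipped"
fi

conf=/etc/nix/nix.conf   # assumed location of the system-wide config
if [ -r "$conf" ] && nix_conf_allows_all_users "$conf"; then
    echo "$conf: allowed-users is unrestricted (every local user can reach the daemon)"
fi
```

Run it as any user that can read /etc/nix/nix.conf; the version functions take a string, so the script can also be pointed at output collected from other hosts.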