CVE-2024-32019
📋 TL;DR
CVE-2024-32019 is a local privilege escalation vulnerability in Netdata's ndsudo tool that allows attackers to execute arbitrary programs with root permissions by manipulating the PATH environment variable. This affects all systems running vulnerable versions of Netdata Agent where ndsudo is installed with SUID bit set. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Netdata Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains root privileges, installs persistent backdoors, accesses sensitive data, and pivots to other systems.
Likely Case
Local privilege escalation allowing attackers to gain root access on compromised systems, potentially leading to data theft, service disruption, or lateral movement.
If Mitigated
Limited impact if proper access controls, least privilege principles, and network segmentation are implemented, though local privilege escalation remains possible.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is obtained. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.45.3 or 1.45.2-169
Vendor Advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
Restart Required: No
Instructions:
1. Check current Netdata version.
2. Update using your package manager (apt/yum/dnf).
3. Verify ndsudo permissions are no longer SUID.
4. Test functionality.
🔧 Temporary Workarounds
Remove SUID bit from ndsudo
Linux: Temporarily remove the SUID bit from the ndsudo executable to prevent privilege escalation
sudo chmod u-s /usr/libexec/netdata/plugins.d/ndsudo
Remove ndsudo entirely
Linux: Completely remove the ndsudo binary if not needed
sudo rm /usr/libexec/netdata/plugins.d/ndsudo
🧯 If You Can't Patch
- Implement strict access controls to limit who can execute ndsudo
- Monitor for suspicious PATH environment variable modifications and ndsudo executions
🔍 How to Verify
Check if Vulnerable:
Check if ndsudo exists with SUID bit: ls -la /usr/libexec/netdata/plugins.d/ndsudo | grep '^...s'
Check Version:
netdata -v
Verify Fix Applied:
Verify ndsudo no longer has SUID bit: ls -la /usr/libexec/netdata/plugins.d/ndsudo | grep -v '^...s'
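The SUID check above as a small audit script, added here as an example (it is not from the vendor advisory or from Netdata). The function names are hypothetical and the default path is the one given on this page; pass a different path as the first argument for other install layouts. It uses the shell's `-u` test instead of matching `ls` output, so it also reports a setuid file that `ls` shows with a capital `S`.

```shell
#!/bin/sh
# Added example: report the setuid state of ndsudo for inventory or CI checks.
# Default path is the one listed on this page (assumption for other layouts).
NDSUDO_DEFAULT=/usr/libexec/netdata/plugins.d/ndsudo

# Prints exactly one word: absent | suid-root | suid-other | no-suid
ndsudo_suid_state() {
    f=${1:-$NDSUDO_DEFAULT}
    if [ ! -e "$f" ]; then
        echo absent
        return 0
    fi
    # [ -u ] is true for both 's' and 'S' in the ls mode string, so a setuid
    # file without owner-execute is reported too (grep '^...s' would miss it).
    if [ -u "$f" ]; then
        # Field 3 of 'ls -ln' is the numeric owner uid.
        owner=$(ls -lnd -- "$f" | awk '{print $3}')
        if [ "$owner" = 0 ]; then
            echo suid-root
        else
            echo suid-other
        fi
    else
        echo no-suid
    fi
}

# Prints "<path>: <state>" and returns 1 only when a setuid-root binary is found,
# so it can gate a configuration-management or monitoring job.
ndsudo_check() {
    state=$(ndsudo_suid_state "$1")
    printf '%s: %s\n' "${1:-$NDSUDO_DEFAULT}" "$state"
    [ "$state" != suid-root ]
}

ndsudo_check "$@" || echo "setuid-root ndsudo present: apply the fix or a workaround listed on this page"
```
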
📡 Detection & Monitoring
Log Indicators:
- Unusual ndsudo executions
- PATH environment variable modifications before ndsudo calls
- Failed privilege escalation attempts
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
process.name='ndsudo' AND user.id!=0