CVE-2024-33599 – A stack-based buffer overflow vulnerability in ... (How to Fix)

Q: What is the severity of CVE-2024-33599?

CVE-2024-33599 has a CVSS score of 8.1 (HIGH). A stack-based buffer overflow vulnerability in nscd (Name Service Cache Daemon) allows attackers to execute arbitrary code or crash the service when netgroup cache is exhausted. This affects systems running glibc 2.15 or later with nscd enabled. Only the nscd binary itself is vulnerable, not other glibc components.

📋 TL;DR

A stack-based buffer overflow vulnerability in nscd (Name Service Cache Daemon) allows attackers to execute arbitrary code or crash the service when netgroup cache is exhausted. This affects systems running glibc 2.15 or later with nscd enabled. Only the nscd binary itself is vulnerable, not other glibc components.

💻 Affected Systems

Products:

glibc
nscd

Versions: glibc 2.15 and later

Operating Systems: Linux distributions using glibc 2.15+ (Debian, Ubuntu, RHEL, CentOS, etc.)

Default Config Vulnerable: ⚠️ Yes

Notes: Only vulnerable when nscd is running and netgroup caching is enabled. Many distributions enable nscd by default.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Glibc by Gnu

The GNU C Library (glibc) is the core C library for Linux systems, providing essential system calls and basic functions for all C programs. It is a fundamental component that nearly every Linux application depends on.

Learn more about Glibc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with nscd privileges (typically root), leading to complete system compromise.

🟠

Likely Case

Denial of service through nscd crash, disrupting name service caching and potentially affecting authentication/authorization.

🟢

If Mitigated

Limited impact if nscd is disabled or properly firewalled, with only local exploitation possible.

🌐 Internet-Facing: MEDIUM - nscd typically listens locally, but could be exposed via misconfiguration or network services.

🏢 Internal Only: HIGH - nscd runs with high privileges and is often enabled by default on affected systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires exhausting the fixed-size cache first, then triggering netgroup request. Local access typically needed unless nscd is network-exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: glibc 2.39 or distribution-specific backports

Vendor Advisory: https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005

Restart Required: Yes

Instructions:

1. Update glibc package via distribution package manager. 2. Restart nscd service: 'systemctl restart nscd' or '/etc/init.d/nscd restart'. 3. Verify nscd is running with updated glibc.

🔧 Temporary Workarounds

Disable nscd

linux

Stop and disable the nscd service if not required

systemctl stop nscd
systemctl disable nscd

Disable netgroup caching

linux

Configure nscd to disable netgroup caching

echo 'enable-cache netgroup no' >> /etc/nscd.conf
systemctl restart nscd

🧯 If You Can't Patch

Disable nscd service entirely if not needed
Restrict network access to nscd (port 0.0.0.0:0) and ensure it only listens locally

🔍 How to Verify

Check if Vulnerable:

Check glibc version: 'ldd --version | head -1' and verify nscd is running: 'systemctl status nscd' or 'ps aux | grep nscd'

Check Version:

ldd --version | head -1

Verify Fix Applied:

Verify glibc version is patched (2.39+ or distribution backport) and nscd restarted successfully

📡 Detection & Monitoring

Log Indicators:

nscd crash logs in /var/log/messages or journalctl
unusual netgroup query patterns

Network Indicators:

Excessive nscd requests from single source
nscd port (typically local) exposed to network

SIEM Query:

process_name:nscd AND (event_type:crash OR exit_code:139)

📊 Metadata

CVE ID: CVE-2024-33599

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: May 6, 2024

Last Updated: June 18, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2024/07/22/5 Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20240524-0011/ Third Party Advisory
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005 Broken Link
http://www.openwall.com/lists/oss-security/2024/07/22/5 Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20240524-0011/ Third Party Advisory
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005 Broken Link

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-33599, you might also want to check these: