CVE-2024-47174
📋 TL;DR
This vulnerability in the Nix package manager concerns its builtin fetcher, which makes HTTPS connections without validating the server's TLS certificate. A man-in-the-middle attacker can therefore intercept downloads, potentially leaking credentials and allowing injection of malicious packages. It affects users with netrc authentication files and users who rely on trust-on-first-use dependency updates. The issue impacts Nix versions 1.11 through 2.18.7 and 2.24.7.
💻 Affected Systems
- Nix package manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept package downloads to inject malicious code into systems, steal authentication credentials from netrc files, and compromise entire build pipelines.
Likely Case
Credential leakage from netrc files during package downloads, potentially exposing private repository access tokens or authentication secrets.
If Mitigated
Limited to denial of service or failed builds if proper network segmentation and certificate pinning are implemented.
🎯 Exploit Status
Requires MITM position on network, but no authentication needed to intercept connections. Exploitation is straightforward once network position is achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.18.8 and 2.24.8
Vendor Advisory: https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c
Restart Required: No
Instructions:
1. Check the current Nix version with 'nix --version'.
2. Update Nix using your package manager: 'nix-env -iA nixpkgs.nix' or the system package manager.
3. Verify the update with 'nix --version' showing 2.18.8+ or 2.24.8+.
🔧 Temporary Workarounds
Use pkgs.fetchurl with certificate validation
Linux: Replace the vulnerable builtin fetcher '<nix/fetchurl.nix>' with Nixpkgs 'pkgs.fetchurl', which properly validates TLS certificates.
Replace '<nix/fetchurl.nix>' usage with 'pkgs.fetchurl' in Nix expressions.
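The substitution above, shown as an added example (not code from the Nix project or the advisory) that evaluates both forms side by side; the URL under example.invalid and the all-A hash are placeholders to replace with the real source and its hash:

```nix
# Added example: the vulnerable fetch beside the workaround fetch.
# The URL and the hash below are placeholders, not real values.
{ pkgs ? import <nixpkgs> {} }:
let
  src = "https://example.invalid/src-1.0.tar.gz";                # placeholder
  srcHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";  # placeholder
in {
  # Before: the builtin fetcher named in the advisory. In affected Nix
  # versions this download is made without TLS certificate validation,
  # so an on-path attacker can read any netrc credentials sent for
  # this host. The pinned hash still makes a tampered archive fail
  # the hash check; a trust-on-first-use update that records whatever
  # hash it receives has no such protection.
  vulnerable = import <nix/fetchurl.nix> {
    url = src;
    hash = srcHash;
  };

  # After: the Nixpkgs fetcher recommended as the workaround. It runs
  # curl with certificate validation against the Nixpkgs CA bundle,
  # so an interposed certificate is rejected before any request
  # (and any netrc credential) is sent.
  fixed = pkgs.fetchurl {
    url = src;
    hash = srcHash;
  };
}
```

Build with 'nix-build -A fixed' once the placeholders are replaced; keep the hash pinned so a substituted archive is rejected even after the fetcher is switched.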
🧯 If You Can't Patch
- Implement network segmentation to isolate Nix traffic from potential MITM positions
- Use certificate pinning or VPN for all package downloads from external repositories
🔍 How to Verify
Check if Vulnerable:
Run 'nix --version' and check whether the version is in the range 1.11 through 2.18.7, or is 2.24.7
Check Version:
nix --version
Verify Fix Applied:
Confirm 'nix --version' shows 2.18.8 or higher, or 2.24.8 or higher
📡 Detection & Monitoring
Log Indicators:
- Failed certificate validation warnings in Nix logs
- Unexpected package hash mismatches
Network Indicators:
- Unencrypted or improperly validated HTTPS connections to package repositories
- Suspicious MITM activity on network paths to nix repositories
SIEM Query:
Search for Nix process network connections without TLS validation or to unexpected endpoints