CVE-2024-52867
📋 TL;DR
This vulnerability in GNU Guix's guix-daemon allows local users to escalate privileges by accessing build outputs before proper file metadata (like setuid/setgid permissions) is applied. It affects systems running vulnerable versions of GNU Guix where local users have access to the build environment. The issue stems from a race condition during package builds.
💻 Affected Systems
- GNU Guix
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local unprivileged user gains root privileges on the system, enabling complete system compromise, data theft, and persistence.
Likely Case
Local user escalates to root or another privileged user, gaining unauthorized access to sensitive files and system resources.
If Mitigated
With proper access controls and isolation, impact limited to the build environment only.
🎯 Exploit Status
Requires local access and knowledge of the build system. Exploitation involves timing attacks during build processes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commits 5ab3c4c and 5582241
Vendor Advisory: https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
Restart Required: Yes
Instructions:
1. Update Guix: guix pull
2. Reconfigure the system: sudo guix system reconfigure /etc/config.scm
3. Restart guix-daemon: sudo herd restart guix-daemon
🔧 Temporary Workarounds
Disable guix-daemon
Temporarily stop the guix-daemon service to prevent exploitation:
sudo herd stop guix-daemon
Restrict build user access
Limit which users can initiate builds through guix-daemon:
Edit /etc/guix/daemon.conf to restrict allowed-users
🧯 If You Can't Patch
- Isolate build environments using containers or VMs
- Implement strict access controls to limit which users can interact with guix-daemon
🔍 How to Verify
Check if Vulnerable:
Check whether guix-daemon is running and whether the installed version predates commit 5ab3c4c: guix --version
Check Version:
guix --version
Verify Fix Applied:
Verify that the installed Guix commit includes both fixes, 5ab3c4c and 5582241: guix describe
📡 Detection & Monitoring
Log Indicators:
- Unusual build process activity from non-privileged users
- Multiple failed build attempts with timing patterns
Network Indicators:
- Local connections to guix-daemon socket with unusual patterns
SIEM Query:
process:guix-daemon AND user:non-privileged AND action:build
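Because the TL;DR describes build outputs reaching the filesystem before their setuid/setgid metadata is settled, one host-level check a defender can run alongside the log and SIEM indicators above is an audit for setuid/setgid files under the store. The helper below is an added example written for this page, not code from GNU Guix or from the advisory; it walks a directory tree and reports regular files carrying the setuid or setgid bit, and `build_sample_tree` constructs a throwaway tree (one clean package, one planted setuid binary) so the audit runs offline. The names `find_setid_files` and `build_sample_tree` are this example's own.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Return sorted (path, permission bits, owner uid) tuples for every
    regular file under root that has the setuid or setgid bit set.
    Symlinks are skipped so a link into another tree cannot hide or
    fake a hit; unreadable entries are ignored rather than aborting."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for a package store, used only for the demo.
    Creates one ordinary package output (mode 0555) and one output whose
    binary carries the setuid bit (mode 04755). Returns the tree root."""
    root = tempfile.mkdtemp(prefix="store-demo-")

    clean_bin = os.path.join(root, "abc-hello-1.0", "bin")
    os.makedirs(clean_bin)
    clean = os.path.join(clean_bin, "hello")
    with open(clean, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(clean, 0o555)

    suspect_bin = os.path.join(root, "xyz-suspect-0.1", "bin")
    os.makedirs(suspect_bin)
    suspect = os.path.join(suspect_bin, "sh")
    with open(suspect, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(suspect, 0o4755)  # setuid bit on the owner's own file

    return root


def report(root):
    """Print one line per finding in a form that is easy to grep or ship
    to a SIEM; returns the number of findings."""
    hits = find_setid_files(root)
    for path, mode, uid in hits:
        print(f"setid-file path={path} mode={mode:04o} uid={uid}")
    return len(hits)


if __name__ == "__main__":
    # Run against the constructed tree; on a real host point report() at
    # the store directory (Guix's default is /gnu/store).
    report(build_sample_tree())
```

On a real system, a setuid/setgid file inside the store that the package recipe did not intend is worth investigating with the same urgency as the log indicators above; on a healthy Guix host the store should contain very few, if any, such files, because privileged helpers are normally installed outside the store.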
🔗 References
- https://git.savannah.gnu.org/cgit/guix.git/commit/?id=558224140dab669cabdaebabff18504a066c48d4
- https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5ab3c4c1e43ebb637551223791db0ea3519986e1
- https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00016.html