Serious Flaws in GNU Guix Could Let Attackers Escalate Privileges Remotely

Four vulnerabilities in GNU Guix allow remote privilege escalation through malicious substitute servers and a path traversal in channel authentication.

CSBadmin
3 Min Read

Substitution Vulnerabilities

GNU Guix has disclosed four critical security issues that affect its package substitution and channel management features. The most serious flaws are in the guix substitute utility, which handles binary package downloads. A malicious substitute server or a man in the middle attacker could send a crafted archive that writes arbitrary files accessible to the daemon user. This attack does not require compromising the official Guix server. Any configured substitute server can deliver malicious content, including servers discovered automatically via the daemon’s discovery option. Even using HTTPS does not fully prevent exploitation because the vulnerable metadata fetching process did not properly bind download URLs to signed metadata.

A second substitution flaw allows a malicious source to return authorized metadata for a different store item than requested. This could trick the package manager into using an unintended but signed store item, potentially forcing systems to install outdated or insecure software versions. A third vulnerability involves file URLs. Untrusted local clients that can access the guix daemon socket could instruct the daemon to read local files. If a readable file triggers an error during metadata parsing, its contents may appear in an error backtrace exposed to the client.

Channel Authentication Issue

Separately, the guix pull and guix time machine commands contained a path traversal problem in channel authentication caching. An attacker controlling a channel file could use a crafted channel name to create or overwrite files writable by the user running the command. The project assesses the most likely impact as denial of service, though further abuse may be possible in unusual configurations.

Guix developers fixed all issues through a series of commits. Users should update guix and guix daemon to a version that includes commit 897832f374dcdc9eeaf19d01e70b9a92fccfc68c or later. Administrators on exposed systems may want to temporarily use the no substitutes option during upgrades while weighing that against the difficulty of building updates locally. Guix also provides a Scheme based checker to determine if a system remains vulnerable to these four flaws.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:
Share This Article
Follow:
The latest in cybersecurity news and updates.