Summary
Nix and Lix daemon implementations are affected by buffer overflow vulnerabilities that allow a local attacker to gain arbitrary code execution as the daemon user (root in multi-user installations).
The vulnerabilities are identified as:
Nix: GHSA-vh5x-56v6-4368, CVE ID pending attribution by MITRE.
Lix: CVE ID pending attribution by MITRE.
This is a coordinated disclosure between the Nix and Lix projects.
Guix is NOT affected by this vulnerability.
Am I affected?
To exploit this issue, a local attacker needs access to talk to the Nix daemon. All systems that allow connections to their daemons are affected. Only users that are allowed to connect to the daemon (via allowed-users and trusted-users) can reliably trigger the issue. Substituters can in theory trigger the issue but cannot make enough attempts to mount attacks in practice.
Additionally, this vulnerability requires ASLR weakening techniques to lead to a compromise.
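As an added check (example shell code, not part of the advisory), the following reads a nix.conf file and reports who may reach the daemon according to the allowed-users and trusted-users settings named above. It assumes the plain `key = value` format of nix.conf and the Nix defaults when a key is absent (allowed-users = *, trusted-users = root); confirm the effective values on a live system with `nix show-config`.

```shell
# Print the last value assigned to a key in a nix.conf-style file (nothing if absent).
# $1 = path to nix.conf, $2 = setting name (e.g. allowed-users)
nix_conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report daemon exposure. Returns 0 when allowed-users restricts access to an
# explicit list, 1 when any local user may connect (the advisory's worst case).
daemon_exposure() {
    conf="$1"
    allowed=$(nix_conf_value "$conf" allowed-users)
    trusted=$(nix_conf_value "$conf" trusted-users)
    # Assumed Nix defaults when the setting is not present in the file.
    [ -n "$allowed" ] || allowed='*'
    [ -n "$trusted" ] || trusted='root'
    echo "allowed-users: $allowed"
    echo "trusted-users: $trusted"
    # A bare "*" anywhere in the list means every local user can talk to the daemon.
    case " $allowed " in
        *' * '*)
            echo "EXPOSED: any local user can reach the daemon"
            return 1 ;;
    esac
    echo "RESTRICTED: only the listed users/groups can reach the daemon"
    return 0
}

# Constructed sample configuration used for a stand-alone run.
sample=$(mktemp)
printf 'allowed-users = @wheel builders\ntrusted-users = root @wheel\n' > "$sample"
daemon_exposure "$sample"
rm -f "$sample"
```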
Fixes
The vulnerabilities are fixed in the following versions:
The Nix security release also includes patches that address an unrelated path traversal vulnerability, GHSA-gr92-w2r5-qw5p (CVE ID pending attribution).
To make exploiting this class of vulnerabilities harder, NixOS has been patched to increase the effectiveness of ASLR (#510943).
Acknowledgement