Recent disclosures from GNU Guix have exposed four significant security vulnerabilities within its package substitution and channel management features. These vulnerabilities pose serious risks including remote privilege escalation and potential data corruption.
Details of the Vulnerabilities
Three of these vulnerabilities are found within the ‘guix substitute’ utility. These flaws allow for remote privilege escalation, data corruption, and local file disclosure. A fourth vulnerability impacts ‘guix pull’ and ‘guix time-machine’.
Systems using Guix are vulnerable, irrespective of whether ‘guix-daemon’ operates with root privileges. However, the severity increases on systems where the daemon possesses root access, as attackers could manipulate sensitive files like ‘/etc/passwd’.
Specific Security Flaws
The most severe issue is linked to the ‘restore-file’ procedure used for unpacking binary substitutes. Previously, Guix extracted archives during downloads, prior to verifying their complete hash. This allowed malicious substitute servers or attackers to craft archives that could write files accessible to the daemon user.
Even without compromising official Guix servers, any configured substitute server could deliver malicious content. Exploitation is possible despite HTTPS usage, due to insecure binding of substitute download URLs to signed metadata.
Potential Impact and Mitigation
Another concern is the ability of substitute sources to return authorized metadata for incorrect store items, potentially causing systems to install outdated or insecure software. Additionally, vulnerabilities in ‘file://’ URLs could allow untrusted clients to expose sensitive information by accessing files via local URIs.
In separate issues, ‘guix pull’ and ‘guix time-machine’ were vulnerable to path traversal attacks in channel authentication caching. Attackers could manipulate channel files to create or overwrite files accessible by the user running commands.
GNU Guix developers have addressed these issues through a series of updates, urging users to upgrade to commit 897832f374dcdc9eeaf19d01e70b9a92fccfc68c or later. Administrators are advised to temporarily disable substitutes during upgrades to minimize risk, weighing this against the challenges of local updates.
Users can utilize a Scheme-based checker provided by Guix to determine if their systems remain susceptible to these vulnerabilities, ensuring system integrity and security.
