Bug 1222859 (CVE-2024-32019)

Summary: VUL-0: CVE-2024-32019: netdata: local privilege escalation and command execution via untrusted search path
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Mia Herkt <mia>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: camila.matos
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/401694/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-32019:8.8:(AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-15 16:34:15 UTC 
Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-32019
https://www.cve.org/CVERecord?id=CVE-2024-32019
https://github.com/netdata/netdata/pull/17377
https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
https://bugzilla.redhat.com/show_bug.cgi?id=2274984
Comment 1 Camila Camargo de Matos 2024-04-15 16:39:02 UTC 
As per the upstream advisory [0], affected versions include those lower than 1.45.3, meaning that this issue does not affect openSUSE:Factory, which is at version 1.45.3 as of 2024-04-15. openSUSE:Backports:SLE-15-SP5 also seems to not be affected, as there is no ndsudo reference present in the code.

[0] https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93