Bug 2274984 (CVE-2024-32019)

Summary: CVE-2024-32019 netdata: privilege escalation and command execution
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Bug Depends On: 2274985, 2274986

Description ybuenos 2024-04-14 14:22:57 UTC
Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/netdata/netdata/pull/17377
https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
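The mechanism the advisory describes, shown as an added example (this is not netdata's own `ndsudo` code, nor the code of the linked fix): a SUID helper that restricts which command *names* it accepts but locates the binary by walking the caller-supplied `PATH`, next to a hardened lookup that ignores `PATH` entirely, searches only fixed system directories, rejects names with path components, and insists the match is a regular root-owned file that group/others cannot write. The directory, the command name `nd-demo-helper` and the shell payload are all constructed for the demonstration and are not real netdata identifiers.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Vulnerable pattern, as the advisory describes it: the command *name* is
 * restricted, but the binary is located by walking the PATH the (unprivileged)
 * caller supplied. Returns 1 and fills `out` with the first executable match. */
int find_via_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    char copy[4096];
    if (path == NULL || strlen(path) >= sizeof copy) { out[0] = '\0'; return 0; }
    strcpy(copy, path);
    for (char *dir = strtok(copy, ":"); dir != NULL; dir = strtok(NULL, ":")) {
        snprintf(out, outlen, "%s/%s", dir, cmd);
        if (access(out, X_OK) == 0)
            return 1;               /* an attacker-writable dir listed first wins */
    }
    out[0] = '\0';
    return 0;
}

/* Hardened pattern: PATH is never consulted. Only a fixed list of system
 * directories is searched, the name may not carry a path component, and the
 * file must be a regular root-owned binary that group/others cannot write. */
static const char *const TRUSTED_DIRS[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };

int find_trusted(const char *cmd, char *out, size_t outlen)
{
    struct stat st;
    out[0] = '\0';
    if (cmd[0] == '\0' || strchr(cmd, '/') != NULL)
        return 0;
    for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], cmd);
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == 0 &&
            (st.st_mode & (S_IWGRP | S_IWOTH)) == 0 && access(out, X_OK) == 0)
            return 1;
    }
    out[0] = '\0';
    return 0;
}

/* Demonstration with constructed data: create a directory we own, drop a fake
 * helper named "nd-demo-helper" (a made-up name, not a real netdata command)
 * into it, and put that directory first in PATH. Returns 1 when the PATH-based
 * lookup resolves to our file while the hardened lookup refuses to find it. */
int demo_path_hijack(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], fake[512], path[1024], got_vuln[1024], got_hard[1024];
    int hijacked = 0;

    snprintf(dir, sizeof dir, "%s/ndsudo-demo-%ld", tmp ? tmp : "/tmp", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return 0;
    snprintf(fake, sizeof fake, "%s/nd-demo-helper", dir);

    int fd = open(fake, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd >= 0) {
        const char *payload = "#!/bin/sh\necho 'this would run as root'\n";
        if (write(fd, payload, strlen(payload)) < 0)
            perror("write");
        close(fd);

        snprintf(path, sizeof path, "%s:/usr/bin:/bin", dir);   /* attacker's PATH */
        int vuln = find_via_path("nd-demo-helper", path, got_vuln, sizeof got_vuln);
        int hard = find_trusted("nd-demo-helper", got_hard, sizeof got_hard);
        hijacked = vuln && strcmp(got_vuln, fake) == 0 && !hard;
        unlink(fake);
    }
    rmdir(dir);
    return hijacked;
}

int main(void)
{
    printf("PATH-based lookup hijacked, hardened lookup safe: %s\n",
           demo_path_hijack() ? "yes" : "no");
    return 0;
}
```

The fixed directory list is only half of the hardening for a SUID helper: the final `execve()` should also be given a sanitized environment rather than the caller's, since variables such as `LD_PRELOAD` are ignored for SUID processes but are honoured again once the helper spawns a non-SUID child. What the upstream fix actually changed is in the linked pull request, not in this example.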

Comment 1 ybuenos 2024-04-14 14:23:14 UTC
Created netdata tracking bugs for this issue:

Affects: epel-all [bug 2274986]
Affects: fedora-all [bug 2274985]

Comment 2 Didier Fabert (tartare) 2024-04-15 21:28:14 UTC
netdata 1.45.3 has already been pushed to all Fedora (38, 39, 40 and rawhide) and EPEL (epel8 and epel9) repositories, and before this bug report.