
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-3049 affects Booth, a cluster ticket manager that bridges high-availability clusters spanning multiple sites. The vulnerability was discovered in March 2024 and affects versions up to (excluding) 1.1. The flaw allows a specially crafted hash input to gcry_md_get_algo_dlen() to potentially compromise the system's security (NVD, Red Hat).
The vulnerability occurs when an unknown or specially crafted hash is passed to gcry_md_get_algo_dlen(), which then returns 0. That return value is used as the length for memcmp, potentially allowing an invalid HMAC to be accepted by the Booth server as valid. The vulnerability has a CVSS v3.1 base score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (Red Hat Bugzilla).
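The failure mode above, as an added illustration that is not Booth's code or its patch: a constructed stand-in for libgcrypt's gcry_md_get_algo_dlen() returns 0 for an unknown hash, the vulnerable check feeds that 0 into memcmp and accepts any HMAC, and a hardened check rejects a zero digest length and compares in constant time. The algorithm ids, the digest_len() stub and the sample MACs are all made up for the example.

```c
#include <string.h>

/* Constructed stand-in for libgcrypt's gcry_md_get_algo_dlen(): digest length
 * for a known algorithm id, 0 for an unknown one (the ids here are made up). */
enum { ALGO_UNKNOWN = 0, ALGO_SHA1 = 1, ALGO_SHA256 = 2 };

static size_t digest_len(int algo)
{
    switch (algo) {
    case ALGO_SHA1:   return 20;
    case ALGO_SHA256: return 32;
    default:          return 0;   /* unknown or unsupported hash */
    }
}

/* Vulnerable pattern: the digest length feeds memcmp unchecked. With length 0,
 * memcmp compares no bytes and returns 0 ("equal"), so any HMAC is accepted.
 * Returns 1 when the HMAC is accepted. */
int hmac_check_vulnerable(int algo, const unsigned char *expected,
                          const unsigned char *received)
{
    return memcmp(expected, received, digest_len(algo)) == 0;
}

/* Hardened pattern (a defender's version, not Booth's actual patch): refuse a
 * zero digest length before comparing, and compare in constant time. */
int hmac_check_hardened(int algo, const unsigned char *expected,
                        const unsigned char *received)
{
    size_t len = digest_len(algo);
    if (len == 0)
        return 0;                 /* unknown hash: reject outright */
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= expected[i] ^ received[i];
    return diff == 0;
}

/* Two constructed, deliberately different 32-byte MACs with an unknown
 * algorithm id: returns 1 when the vulnerable check wrongly accepts them
 * and the hardened check rejects them. */
int demo_unknown_hash_bypass(void)
{
    unsigned char expected[32], received[32];
    memset(expected, 0x11, sizeof expected);
    memset(received, 0x22, sizeof received);
    return hmac_check_vulnerable(ALGO_UNKNOWN, expected, received) == 1 &&
           hmac_check_hardened(ALGO_UNKNOWN, expected, received) == 0;
}
```

Link a small main() that calls demo_unknown_hash_bypass() to run it; a result of 1 means the mismatched MACs were accepted by the vulnerable check and rejected by the hardened one.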
If exploited, this vulnerability could allow an attacker to bypass HMAC validation in the Booth server, potentially leading to unauthorized access or manipulation of cluster tickets that control resource authorization across geographically distributed clusters (Red Hat).
Fixed versions have been released across multiple platforms. Red Hat has released updates for RHEL 8 and 9 versions through various security advisories. Debian has addressed the issue in version 1.0-237-gdd88847-2+deb11u2 for Debian 11 (Bullseye). Fedora has released version 1.2-1 for Fedora 40 and version 1.0-283.5.9d4029a.git.fc39 for Fedora 39 (Debian LTS, Fedora).
Source: This report was generated using AI