Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2024-47174
CVE-2024-47174:
Linux Debian vulnerability analysis and mitigation
Overview
Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, <nix/fetchurl.nix> did not verify TLS certificates on HTTPS connections. This vulnerability, tracked as CVE-2024-47174, could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. The affected component is also known as the builtin derivation builder builtin:fetchurl, not to be confused with the evaluation-time function builtins.fetchurl, which was not affected by this issue (GitHub Advisory).
Technical details
The vulnerability was introduced in version 1.11 to make it consistent with the Nixpkgs pkgs.fetchurl and to make <nix/fetchurl.nix> work in the derivation builder sandbox, which at that time did not have access to the CA bundles by default. The issue stems from the disabled TLS certificate verification on HTTPS connections. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector with high complexity, no privileges required, and potential for high confidentiality impact (GitHub Advisory).
Impact
Users may be affected by the risk of leaking credentials if they have a netrc file for authentication or rely on derivations with impureEnvVars set to use credentials from the environment. Additionally, the trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was vulnerable to a MITM injecting arbitrary store objects. This vulnerability also affected the impure derivations experimental feature (GitHub Advisory).
Mitigation and workarounds
The issue has been fixed in Nix versions 2.18.8 and 2.24.8. As a workaround, users can implement authenticated fetching with pkgs.fetchurl from Nixpkgs, using impureEnvVars and curlOpts as needed. On modern systems, CA bundles are now bind-mounted on Linux, addressing the original reason for disabling TLS verification (GitHub Advisory).
Community reactions
The vulnerability was discussed on the NixOS Discourse platform, leading to the release of Nix 2.24.8 specifically to address this security issue. The community has acknowledged the importance of this fix, particularly given the widespread use of the trust-on-first-use technique in dependency management (NixOS Discourse).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management