A vulnerability has been discovered in the Name Service Cache Daemon (nscd): when a not-found response cannot be added to the cache, a null pointer dereference crashes the daemon. This issue, identified as CVE-2024-33600, was introduced in glibc 2.15 when the cache was added to nscd and is present only in the nscd binary.
Description
The Name Service Cache Daemon (nscd) can crash with a null pointer dereference if the cache fails to add a not-found netgroup response. The flaw lies in the nscd binary, and because the crash takes down the daemon, the practical impact is a denial of service. It was first introduced in glibc 2.15 with the addition of the cache to nscd.
Code Snippet
To understand this vulnerability, consider the following pseudo-code, which models the request path:
function nscd_request_handler(request) {
    ...
    // Start from whatever the cache already holds for this request
    response = cache_lookup(request)
    if not response {
        response = resolve_request(request)
        if response and response.notFound {
            cache_add(request, response) // This can fail in some cases
        }
    }
    if response {
        send_response(response)
    } else {
        // NULL Pointer Dereference if cache_add() failed above
        ...
        send_null_response()
    }
    ...
}
In the code above, if cache_add(request, response) fails, i.e. the not-found response is not added to the cache, then the subsequent call to send_null_response() operates on a null pointer and crashes the daemon.
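The following C model, added here as an illustration and not taken from glibc or from the pseudo-code above, shows the failure mode concretely: a fixed-size cache whose cache_add() fails when full, a handler that builds its reply from the cache record (and so is left with NULL), and a hardened handler that keeps the reply in a caller-provided record so caching is best-effort. All names, the two-slot cache and the always-not-found resolver are assumptions made for the example.

```c
/* Constructed model of the CVE-2024-33600 pattern (not glibc's code). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SLOTS 2      /* tiny cache so the insert failure is easy to hit */
#define NOTFOUND 0         /* reply status codes used by this model */
#define FOUND 1

struct record { char key[32]; int status; };
struct cache { struct record slots[CACHE_SLOTS]; size_t used; };

/* Store a record; returns NULL when the cache has no room.
 * This is the "cache fails to add a not-found response" condition. */
static struct record *cache_add(struct cache *c, const char *key, int status) {
    if (c->used == CACHE_SLOTS) return NULL;
    struct record *r = &c->slots[c->used++];
    snprintf(r->key, sizeof r->key, "%s", key);
    r->status = status;
    return r;
}

/* Simulated backend lookup: every netgroup is treated as not found. */
static int resolve_netgroup(const char *key) { (void)key; return NOTFOUND; }

/* Vulnerable shape: the reply is read from the cache record, so a failed
 * insert hands the sender a NULL pointer. Returns that pointer so the
 * caller can see the condition instead of dereferencing it. */
struct record *handle_vulnerable(struct cache *c, const char *key) {
    int status = resolve_netgroup(key);
    return cache_add(c, key, status);   /* NULL when the insert failed */
}

/* Hardened shape: the reply lives in the caller's record; the cache insert
 * is optional. Returns 1 if the record was also cached, 0 otherwise. */
int handle_hardened(struct cache *c, const char *key, struct record *reply) {
    snprintf(reply->key, sizeof reply->key, "%s", key);
    reply->status = resolve_netgroup(key);
    return cache_add(c, key, reply->status) != NULL;
}

int main(void) {
    struct cache c = {0};
    struct record reply;
    for (int i = 0; i < 3; i++) {
        char key[16]; snprintf(key, sizeof key, "grp%d", i);
        struct record *r = handle_vulnerable(&c, key);
        printf("%s: vulnerable path got %s\n", key,
               r ? "a record" : "NULL (would crash on dereference)");
    }
    int cached = handle_hardened(&c, "grp3", &reply);
    printf("grp3: hardened path replied status=%d cached=%d\n", reply.status, cached);
    return 0;
}
```

The third vulnerable request is the one that would crash a real daemon; the hardened handler still answers it (and every later one) with a valid not-found reply.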
Exploit Details
An attacker could potentially exploit this vulnerability by sending a specially crafted request to nscd that triggers the cache to fail while adding a not-found response. This would cause the nscd binary to crash due to a null pointer dereference, leading to a denial-of-service (DoS) situation.
It is important to note that this vulnerability is not trivial to exploit, as it requires a specific set of conditions for the cache to fail while adding a not-found response. As a result, the risk of exploitation in the wild may be low, but it is not impossible.
Links to Original References
- CVE-2024-33600 - Official vulnerability entry on MITRE's webpage.
- Glibc 2.15 Release Notes - The release notes for glibc 2.15, where the issue was first introduced.
- Name Service Cache Daemon (nscd) - GNU C Library manual on nscd.
Conclusion
To conclude, CVE-2024-33600 is a vulnerability in the Name Service Cache Daemon (nscd) that causes a crash through a null pointer dereference when a not-found response is not added to the cache. It was introduced in glibc 2.15 and is only present in the nscd binary. While the risk of exploitation may be low, it is still crucial for developers and administrators to be aware of this vulnerability and take appropriate actions to mitigate the risks.
Timeline
Published on: 05/06/2024 20:15:11 UTC
Last modified on: 02/13/2025 18:18:03 UTC