CVE-2024-52867: n/a
guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.
AI Analysis
Technical Summary
CVE-2024-52867 is a vulnerability in the guix-daemon component of GNU Guix, a functional package management tool. The issue stems from the premature accessibility of build outputs to local users before the system properly applies critical file metadata, including setuid and setgid bits. This improper handling allows local users to escalate privileges by exploiting the window where build outputs are exposed without correct permissions. The vulnerability is classified under CWE-276 (Incorrect Default Permissions). The CVSS v3.1 score is 8.1, indicating high severity, with attack vector local (AV:L), attack complexity high (AC:H), no privileges required (PR:N), no user interaction (UI:N), and scope changed (S:C). The impact includes potential full system compromise due to unauthorized privilege escalation, affecting confidentiality, integrity, and availability. The fix requires applying two specific commits (5ab3c4c and 5582241) to the guix-daemon codebase, followed by reconfiguration and restarting the daemon to ensure proper file metadata enforcement. No public exploits have been reported yet, but the vulnerability poses a significant risk in multi-user environments where GNU Guix is deployed.
Potential Impact
The vulnerability allows local attackers to escalate privileges on systems running vulnerable versions of guix-daemon, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, modification or deletion of critical files, and disruption of system availability. Since guix-daemon manages package builds and outputs, exploitation could undermine the integrity of software deployed on affected systems. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the initially vulnerable component, increasing the risk profile. Organizations relying on GNU Guix in shared or multi-user environments, such as research institutions, open-source development environments, and certain Linux distributions, face elevated risk. The lack of required user interaction and privileges lowers the barrier for exploitation once local access is obtained, emphasizing the need for timely patching.
Mitigation Recommendations
1. Immediately apply the patches corresponding to commits 5ab3c4c and 5582241 to the guix-daemon source code.
2. Reconfigure the guix-daemon service after patching to ensure new configurations take effect.
3. Restart the guix-daemon to apply changes and enforce proper file metadata handling.
4. Restrict local user access to systems running guix-daemon to trusted personnel only, minimizing the risk of local exploitation.
5. Monitor system logs for unusual file permission changes or unauthorized access attempts related to build outputs.
6. Consider isolating guix-daemon processes using containerization or sandboxing techniques to limit the impact of potential exploits.
7. Regularly audit and update GNU Guix installations to incorporate security fixes promptly.
8. Educate system administrators about the importance of applying these patches and monitoring for suspicious activity.
Affected Countries
United States, Germany, France, Netherlands, Canada, United Kingdom, Japan, Australia, Sweden, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-11-17T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bb9b7ef31ef0b55a68b
Added to database: 2/25/2026, 9:38:01 PM
Last enriched: 2/26/2026, 1:39:29 AM
Last updated: 4/12/2026, 1:56:57 PM