CVE-2024-33601

nscd: netgroup cache may terminate daemon on memory allocation failure

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or
xrealloc and these functions may terminate the process due to a memory
allocation failure resulting in a denial of service to the clients. The
flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

nscd: la caché de netgroup puede terminar el daemon ante una falla en la asignación de memoria La caché de netgroup del daemon de caché del servicio de nombres (nscd) usa xmalloc o xrealloc y estas funciones pueden terminar el proceso debido a una falla en la asignación de memoria que resulta en una denegación de servicio a los clientes. La falla se introdujo en glibc 2.15 cuando se agregó el caché a nscd. Esta vulnerabilidad sólo está presente en el binario nscd.

A flaw was found in the glibc netgroup cache. The netgroup cache uses xmalloc/xrealloc and may terminate the process due to a memory allocation failure.

nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

It was discovered that GNU C Library nscd daemon contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service. It was discovered that GNU C Library nscd daemon did not properly check the cache content, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-24 CVE Reserved
2024-05-06 CVE Published
2025-03-18 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-617: Reachable Assertion
CWE-703: Improper Check or Handling of Exceptional Conditions

CAPEC

CAPEC-130: Excessive Allocation

References (6)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/07/22/5
https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html
https://security.netapp.com/advisory/ntap-20240524-0014
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-33601	2024-06-26
https://bugzilla.redhat.com/show_bug.cgi?id=2277205	2024-06-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
The GNU C Library Search vendor "The GNU C Library"		Glibc Search vendor "The GNU C Library" for product "Glibc"				>= 2.15 < 2.40 Search vendor "The GNU C Library" for product "Glibc" and version " >= 2.15 < 2.40"		en		Affected