Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-9050

Опубликовано: 22 окт. 2024
Источник: redhat
CVSS3: 7.8
EPSS Низкий

Описание

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the leftupdownkey. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

Отчет

This issue marked with an Important severity due to its potential to enable local privilege escalation and arbitrary code execution. Since NetworkManager uses Polkit to allow unprivileged users to manage network configurations, the failure to properly sanitize the VPN configuration, particularly the leftupdown key, creates a direct attack vector. By leveraging this vulnerability, an attacker can inject malicious commands into the VPN configuration, bypassing user privilege boundaries and gaining root access.

Меры по смягчению последствий

A mitigation for this issue is either unavailable or the existing options do not meet Red Hat Product Security's standards for ease of use, deployment, widespread applicability, or stability. One potential approach is to prevent local users from controlling networking through polkit. However, this would also block them from connecting to new Wi-Fi networks, which is not ideal for laptops but might be acceptable for workstations. Server customers typically don't need to be concerned, as they generally don't have local users capable of exploiting the bug.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10NetworkManager-libreswanAffected
Red Hat Enterprise Linux 7.7 Advanced Update SupportNetworkManager-libreswanFixedRHSA-2024:833822.10.2024
Red Hat Enterprise Linux 7 Extended Lifecycle SupportNetworkManager-libreswanFixedRHSA-2024:835723.10.2024
Red Hat Enterprise Linux 8NetworkManager-libreswanFixedRHSA-2024:835323.10.2024
Red Hat Enterprise Linux 8.2 Advanced Update SupportNetworkManager-libreswanFixedRHSA-2024:835823.10.2024
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportNetworkManager-libreswanFixedRHSA-2024:835523.10.2024
Red Hat Enterprise Linux 8.4 Telecommunications Update ServiceNetworkManager-libreswanFixedRHSA-2024:835523.10.2024
Red Hat Enterprise Linux 8.4 Update Services for SAP SolutionsNetworkManager-libreswanFixedRHSA-2024:835523.10.2024
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportNetworkManager-libreswanFixedRHSA-2024:835623.10.2024
Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceNetworkManager-libreswanFixedRHSA-2024:835623.10.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-94
https://bugzilla.redhat.com/show_bug.cgi?id=2313828NetworkManager-libreswan: Local privilege escalation via leftupdown

EPSS

Процентиль: 21%
0.00067
Низкий

7.8 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2024-9050

CVSS3: 7.8
nvd
10 месяцев назад

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

debian логотип

CVE-2024-9050

CVSS3: 7.8
debian
10 месяцев назад

A flaw was found in the libreswan client plugin for NetworkManager (Ne ...

redos логотип

ROS-20241029-01

CVSS3: 7.8
redos
9 месяцев назад

Уязвимость NetworkManager-libreswan

rocky логотип

RLSA-2024:8353

rocky
3 месяца назад

Important: NetworkManager-libreswan security update

oracle-oval логотип

ELSA-2024-9555

oracle-oval
9 месяцев назад

ELSA-2024-9555: NetworkManager-libreswan security update (IMPORTANT)

EPSS

Процентиль: 21%
0.00067
Низкий

7.8 High

CVSS3