CVE-2024-9050

HIGH

Red Hat Enterprise Linux NetworkManager-libreswan - Local Privilege Escalation via VPN Configuration Injection

Title source: llm

Description

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

References (15)

Core 15

Core References

Mailing List

https://www.openwall.com/lists/oss-security/2024/10/25/1

Mailing List

http://www.openwall.com/lists/oss-security/2024/10/25/1

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8312

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8338

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8352

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8353

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8354

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8355

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8356

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8357

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:8358

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:9555

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:9556

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2024-9050

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2313828

Scores

CVSS v3 7.8

EPSS 0.0006

EPSS Percentile 17.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (16)

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 7 Extended Lifecycle Support 0:1.2.4-4.el7_9

Red Hat/Red Hat Enterprise Linux 7.7 Advanced Update Support 0:1.2.4-4.el7_7

Red Hat/Red Hat Enterprise Linux 8 0:1.2.10-7.el8_10

Red Hat/Red Hat Enterprise Linux 8.2 Advanced Update Support 0:1.2.10-6.el8_2

Red Hat/Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support 0:1.2.10-6.el8_4

Red Hat/Red Hat Enterprise Linux 8.4 Telecommunications Update Service 0:1.2.10-6.el8_4

Red Hat/Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions 0:1.2.10-6.el8_4

Red Hat/Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support 0:1.2.10-6.el8_6

Red Hat/Red Hat Enterprise Linux 8.6 Telecommunications Update Service 0:1.2.10-6.el8_6

... and 6 more

Published Oct 22, 2024

Tracked Since Feb 18, 2026