fkie_nvd - fkie_cve-2024-9050

fkie_cve-2024-9050

Vulnerability from fkie_nvd

Published

2024-10-22 13:15

Modified

2024-12-18 17:15

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

References

▶	URL	Tags
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8312
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8338
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8352
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8353
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8354
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8355
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8356
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8357
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:8358
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:9555
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2024:9556
	secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2024-9050
	secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2313828
	secalert@redhat.com	https://www.openwall.com/lists/oss-security/2024/10/25/1
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2024/10/25/1

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system\u0027s network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en el complemento de cliente de libreswan para NetworkManager (NetkworkManager-libreswan), donde no puede desinfectar correctamente la configuraci\u00f3n de VPN del usuario local sin privilegios. En esta configuraci\u00f3n, compuesta por un formato clave-valor, el complemento no puede escapar caracteres especiales, lo que lleva a la aplicaci\u00f3n a interpretar los valores como claves. Uno de los par\u00e1metros m\u00e1s cr\u00edticos que un usuario malintencionado podr\u00eda abusar es la clave `leftupdown`. Esta clave toma un comando ejecutable como valor y se utiliza para especificar lo que se ejecuta como una devoluci\u00f3n de llamada en NetworkManager-libreswan para recuperar los ajustes de configuraci\u00f3n de nuevo a NetworkManager. Como NetworkManager utiliza Polkit para permitir que un usuario sin privilegios controle la configuraci\u00f3n de red del sistema, un actor malintencionado podr\u00eda lograr una escalada de privilegios local y una posible ejecuci\u00f3n de c\u00f3digo como root en la m\u00e1quina de destino."
    }
  ],
  "id": "CVE-2024-9050",
  "lastModified": "2024-12-18T17:15:15.420",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-22T13:15:02.410",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8312"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8338"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8352"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8353"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8354"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8355"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8356"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8357"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8358"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:9555"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:9556"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9050"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313828"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://www.openwall.com/lists/oss-security/2024/10/25/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2024/10/25/1"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}

CVE-2024-9050 (GCVE-0-2024-9050)

Vulnerability from cvelistv5

Published

2024-10-22 12:14

Modified

2025-07-05 02:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2024:8312	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8338	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8352	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8353	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8354	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8355	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8356	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8357	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:8358	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:9555	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:9556	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-9050	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2313828	issue-tracking, x_refsource_REDHAT
	https://www.openwall.com/lists/oss-security/2024/10/25/1

Impacted products

Vendor

Product

Version

►

Version: 0 ≤

Red Hat	Red Hat Enterprise Linux 7.7 Advanced Update Support	Unaffected: 0:1.2.4-4.el7_7 < * cpe:/o:redhat:rhel_aus:7.7::server
Red Hat	Red Hat Enterprise Linux 7 Extended Lifecycle Support	Unaffected: 0:1.2.4-4.el7_9 < * cpe:/o:redhat:rhel_els:7
Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:1.2.10-7.el8_10 < * cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	Unaffected: 0:1.2.10-6.el8_2 < * cpe:/a:redhat:rhel_aus:8.2::appstream
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	Unaffected: 0:1.2.10-6.el8_4 < * cpe:/a:redhat:rhel_tus:8.4::appstream cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_aus:8.4::appstream
Red Hat	Red Hat Enterprise Linux 8.4 Telecommunications Update Service	Unaffected: 0:1.2.10-6.el8_4 < * cpe:/a:redhat:rhel_tus:8.4::appstream cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_aus:8.4::appstream
Red Hat	Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions	Unaffected: 0:1.2.10-6.el8_4 < * cpe:/a:redhat:rhel_tus:8.4::appstream cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_aus:8.4::appstream
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	Unaffected: 0:1.2.10-6.el8_6 < * cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	Unaffected: 0:1.2.10-6.el8_6 < * cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	Unaffected: 0:1.2.10-6.el8_6 < * cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream
Red Hat	Red Hat Enterprise Linux 8.8 Extended Update Support	Unaffected: 0:1.2.10-6.el8_8 < * cpe:/a:redhat:rhel_eus:8.8::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:1.2.22-4.el9_5 < * cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	Unaffected: 0:1.2.14-3.el9_0 < * cpe:/a:redhat:rhel_e4s:9.0::appstream
Red Hat	Red Hat Enterprise Linux 9.2 Extended Update Support	Unaffected: 0:1.2.14-6.el9_2 < * cpe:/a:redhat:rhel_eus:9.2::appstream
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	Unaffected: 0:1.2.18-6.el9_4 < * cpe:/a:redhat:rhel_eus:9.4::appstream
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10

Show details on NVD website