CVE-2024-9050

EUVD-2024-50427
A flaw was found in the libreswan client plugin for NetworkManager (NetworkManager-libreswan), where it fails to properly sanitize the VPN configuration supplied by a local unprivileged user. This configuration is expressed in a key-value format, and the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown` key. This key takes an executable command as its value and specifies the callback that NetworkManager-libreswan runs to pass configuration settings back to NetworkManager. Because NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potentially code execution as root on the targeted machine by creating a malicious configuration.
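The unescaped key-value pattern described above, shown beside a hardened writer that rejects unsafe values and verifies the rendered text parses back to the intended keys. This is an added Python example, not the plugin's own code; the parser, allow-lists and sample settings are illustrative assumptions.

```python
import re

# Illustrative allow-lists (assumptions, not the plugin's real rules): keys are
# lowercase identifiers; values are printable ASCII without quotes, backslashes,
# newlines or other control characters.
KEY_RE = re.compile(r"[a-z][a-z0-9-]*")
VALUE_RE = re.compile(r"[A-Za-z0-9 ._:/@%+,-]*")

def parse_config(text):
    """Minimal key=value line parser standing in for the consumer of the config."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def write_config_naive(settings):
    """Vulnerable pattern: values are concatenated verbatim, so a value holding a
    newline followed by '=' is read back as an additional key."""
    return "".join(f"{k}={v}\n" for k, v in settings.items())

def write_config_hardened(settings):
    """Check keys and values against the allow-lists, then confirm the rendered
    text parses back to exactly the intended settings before handing it on."""
    for key, value in settings.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"invalid key {key!r}")
        if not VALUE_RE.fullmatch(value):
            raise ValueError(f"unsafe characters in value for {key!r}")
    rendered = "".join(f"{k}={v}\n" for k, v in settings.items())
    if parse_config(rendered) != settings:
        raise ValueError("rendered configuration does not round-trip")
    return rendered

def is_accepted(settings):
    """True if the hardened writer accepts the settings, False if it rejects them."""
    try:
        write_config_hardened(settings)
        return True
    except ValueError:
        return False

# Constructed sample: one ordinary value and one carrying an embedded newline.
SAMPLE = {"right": "vpn.example.com", "leftid": "alice\nextra=1"}

if __name__ == "__main__":
    print(sorted(parse_config(write_config_naive(SAMPLE))))  # ['extra', 'leftid', 'right']
    print("hardened writer accepts sample:", is_accepted(SAMPLE))  # False
```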
Code Injection
Base Score (CVSS 3.x)

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.8 HIGH | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

Awaiting analysis: this vulnerability is currently awaiting analysis.

EPSS Score: Percentile 18%
Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | State |
|---|---|---|---|
| NetworkManager-libreswan | RHEL 8 | 0:1.2.10-7.el8_10 | fixed |
| NetworkManager-libreswan | RHEL 8.2 AUS | 0:1.2.10-6.el8_2 | fixed |
| NetworkManager-libreswan | RHEL 8.4 AUS | 0:1.2.10-6.el8_4 | fixed |
| NetworkManager-libreswan | RHEL 8.4 E4S | 0:1.2.10-6.el8_4 | fixed |
| NetworkManager-libreswan | RHEL 8.4 TUS | 0:1.2.10-6.el8_4 | fixed |
| NetworkManager-libreswan | RHEL 8.6 AUS | 0:1.2.10-6.el8_6 | fixed |
| NetworkManager-libreswan | RHEL 8.6 E4S | 0:1.2.10-6.el8_6 | fixed |
| NetworkManager-libreswan | RHEL 8.6 TUS | 0:1.2.10-6.el8_6 | fixed |
| NetworkManager-libreswan | RHEL 8.8 AUS | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan | RHEL 8.8 E4S | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan | RHEL 8.8 EUS | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan | RHEL 8.8 TUS | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan | RHEL 9 | 0:1.2.22-4.el9_5 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8 | 0:1.2.10-7.el8_10 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.2 AUS | 0:1.2.10-6.el8_2 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.4 AUS | 0:1.2.10-6.el8_4 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.4 E4S | 0:1.2.10-6.el8_4 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.4 TUS | 0:1.2.10-6.el8_4 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.6 AUS | 0:1.2.10-6.el8_6 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.6 E4S | 0:1.2.10-6.el8_6 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.6 TUS | 0:1.2.10-6.el8_6 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.8 AUS | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.8 E4S | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.8 EUS | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan-gnome | RHEL 8.8 TUS | 0:1.2.10-6.el8_8 | fixed |
| NetworkManager-libreswan-gnome | RHEL 9 | 0:1.2.22-4.el9_5 | fixed |