CVE-2024-5290

An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root). Membership in the netdev group or access to the dbus interface of wpa_supplicant allow an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:w1.fi:wpa_supplicant:-:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:-:*:*:*:*:*:*:*

History

17 Sep 2024, 13:09

Type Values Removed Values Added
CPE cpe:2.3:a:w1.fi:wpa_supplicant:-:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:-:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 7.8
First Time Canonical ubuntu Linux
W1.fi wpa Supplicant
Canonical
W1.fi
References () https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613 - () https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613 - Exploit, Issue Tracking
References () https://snyk.io/blog/abusing-ubuntu-root-privilege-escalation/ - () https://snyk.io/blog/abusing-ubuntu-root-privilege-escalation/ - Exploit, Third Party Advisory
References () https://ubuntu.com/security/notices/USN-6945-1 - () https://ubuntu.com/security/notices/USN-6945-1 - Vendor Advisory

11 Sep 2024, 16:15

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en Ubuntu wpa_supplicant que resultó en la carga de objetos compartidos arbitrarios, lo que permite a un atacante local sin privilegios escalar privilegios al usuario con el que se ejecuta wpa_supplicant (generalmente root). La membresía en el grupo netdev o el acceso a la interfaz dbus de wpa_supplicant permiten a un usuario sin privilegios especificar una ruta arbitraria a un módulo que el proceso wpa_supplicant cargará; podrían existir otras vías de escalada.
References
  • () https://snyk.io/blog/abusing-ubuntu-root-privilege-escalation/ -

07 Aug 2024, 09:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-07 09:16

Updated : 2024-09-17 13:09


NVD link : CVE-2024-5290

Mitre link : CVE-2024-5290

CVE.ORG link : CVE-2024-5290


JSON object : View

Products Affected

w1.fi

  • wpa_supplicant

canonical

  • ubuntu_linux
CWE
CWE-427

Uncontrolled Search Path Element