CVE-2024-9050

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-9050
A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2024:8312
https://access.redhat.com/errata/RHSA-2024:8338
https://access.redhat.com/errata/RHSA-2024:8352
https://access.redhat.com/errata/RHSA-2024:8353
https://access.redhat.com/errata/RHSA-2024:8354
https://access.redhat.com/errata/RHSA-2024:8355
https://access.redhat.com/errata/RHSA-2024:8356
https://access.redhat.com/errata/RHSA-2024:8357
https://access.redhat.com/errata/RHSA-2024:8358
https://access.redhat.com/security/cve/CVE-2024-9050
https://bugzilla.redhat.com/show_bug.cgi?id=2313828
Configurations

No configuration.

History

12 Nov 2024, 21:15

Type Values Removed Values Added
CWE CWE-94

23 Oct 2024, 14:15

Type Values Removed Values Added
Summary
  • (es) Se encontró una falla en el complemento de cliente de libreswan para NetworkManager (NetkworkManager-libreswan), donde no puede desinfectar correctamente la configuración de VPN del usuario local sin privilegios. En esta configuración, compuesta por un formato clave-valor, el complemento no puede escapar caracteres especiales, lo que lleva a la aplicación a interpretar los valores como claves. Uno de los parámetros más críticos que un usuario malintencionado podría abusar es la clave `leftupdown`. Esta clave toma un comando ejecutable como valor y se utiliza para especificar lo que se ejecuta como una devolución de llamada en NetworkManager-libreswan para recuperar los ajustes de configuración de nuevo a NetworkManager. Como NetworkManager utiliza Polkit para permitir que un usuario sin privilegios controle la configuración de red del sistema, un actor malintencionado podría lograr una escalada de privilegios local y una posible ejecución de código como root en la máquina de destino.
Summary (en) A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine. (en) A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

23 Oct 2024, 11:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:8352 -
  • () https://access.redhat.com/errata/RHSA-2024:8353 -
  • () https://access.redhat.com/errata/RHSA-2024:8354 -
  • () https://access.redhat.com/errata/RHSA-2024:8355 -
  • () https://access.redhat.com/errata/RHSA-2024:8356 -
  • () https://access.redhat.com/errata/RHSA-2024:8357 -
  • () https://access.redhat.com/errata/RHSA-2024:8358 -

22 Oct 2024, 23:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:8338 -

22 Oct 2024, 17:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:8312 -

22 Oct 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-22 13:15

Updated : 2024-11-12 21:15

NVD link : CVE-2024-9050

Mitre link : CVE-2024-9050

CVE.ORG link : CVE-2024-9050

JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024