CVE-2024-9050

Networkmanager-libreswan: local privilege escalation via leftupdown

Description

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

Remediation

Workaround:

  • A mitigation for this issue is either unavailable or the existing options do not meet Red Hat Product Security's standards for ease of use, deployment, widespread applicability, or stability. One potential approach is to prevent local users from controlling networking through polkit. However, this would also block them from connecting to new Wi-Fi networks, which is not ideal for laptops but might be acceptable for workstations. Server customers typically don't need to be concerned, as they generally don't have local users capable of exploiting the bug.

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.06%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com
Affected: Red Hat Red Hat Enterprise Linux 7.7 Advanced Update Support
Affected: Red Hat Red Hat Enterprise Linux 7 Extended Lifecycle Support
Affected: Red Hat Red Hat Enterprise Linux 8
Affected: Red Hat Red Hat Enterprise Linux 8.2 Advanced Update Support
Affected: Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Affected: Red Hat Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Affected: Red Hat Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Affected: Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Affected: Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Affected: Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Affected: Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support
Affected: Red Hat Red Hat Enterprise Linux 9
Affected: Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Affected: Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support
Affected: Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/errata/RHSA-2024:8312 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8338 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8352 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8353 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8354 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8355 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8356 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8357 vendor advisory
https://access.redhat.com/errata/RHSA-2024:8358 vendor advisory
https://access.redhat.com/errata/RHSA-2024:9555 vendor advisory
https://access.redhat.com/errata/RHSA-2024:9556 vendor advisory
https://access.redhat.com/security/cve/CVE-2024-9050 vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2313828 issue tracking
https://www.openwall.com/lists/oss-security/2024/10/25/1
http://www.openwall.com/lists/oss-security/2024/10/25/1

Frequently Asked Questions

What is the severity of CVE-2024-9050?
CVE-2024-9050 has been scored as a high severity vulnerability.
How to fix CVE-2024-9050?
As a workaround for remediating CVE-2024-9050: A mitigation for this issue is either unavailable or the existing options do not meet Red Hat Product Security's standards for ease of use, deployment, widespread applicability, or stability. One potential approach is to prevent local users from controlling networking through polkit. However, this would also block them from connecting to new Wi-Fi networks, which is not ideal for laptops but might be acceptable for workstations. Server customers typically don't need to be concerned, as they generally don't have local users capable of exploiting the bug.
Is CVE-2024-9050 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-9050 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-9050?
CVE-2024-9050 affects Red Hat Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Red Hat Enterprise Linux 7 Extended Lifecycle Support, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Red Hat Enterprise Linux 8.4 Telecommunications Update Service, Red Hat Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service, Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support, Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.