CVE-2024-9050 - Vulnerability Details

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7.7 Advanced Update Support
NetworkManager-libreswan-0:1.2.4-4.el7_7	cpe:/o:redhat:rhel_aus:7.7	RHSA-2024:8338	2024-10-22T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
NetworkManager-libreswan-0:1.2.4-4.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2024:8357	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8
NetworkManager-libreswan-0:1.2.10-7.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:8353	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:8358	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:8355	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
NetworkManager-libreswan-0:1.2.10-6.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:8355	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
NetworkManager-libreswan-0:1.2.10-6.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:8355	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:8356	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
NetworkManager-libreswan-0:1.2.10-6.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:8356	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
NetworkManager-libreswan-0:1.2.10-6.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:8356	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:8354	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 9
NetworkManager-libreswan-0:1.2.22-4.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9555	2024-11-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
NetworkManager-libreswan-0:1.2.14-3.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:8312	2024-10-22T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
NetworkManager-libreswan-0:1.2.14-6.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:8352	2024-10-23T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
NetworkManager-libreswan-0:1.2.18-6.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:9556	2024-11-13T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/10/25/1
https://access.redhat.com/errata/RHSA-2024:8312
https://access.redhat.com/errata/RHSA-2024:8338
https://access.redhat.com/errata/RHSA-2024:8352
https://access.redhat.com/errata/RHSA-2024:8353
https://access.redhat.com/errata/RHSA-2024:8354
https://access.redhat.com/errata/RHSA-2024:8355
https://access.redhat.com/errata/RHSA-2024:8356
https://access.redhat.com/errata/RHSA-2024:8357
https://access.redhat.com/errata/RHSA-2024:8358
https://access.redhat.com/errata/RHSA-2024:9555
https://access.redhat.com/errata/RHSA-2024:9556
https://access.redhat.com/security/cve/CVE-2024-9050
https://bugzilla.redhat.com/show_bug.cgi?id=2313828
https://nvd.nist.gov/vuln/detail/CVE-2024-9050
https://www.cve.org/CVERecord?id=CVE-2024-9050
https://www.openwall.com/lists/oss-security/2024/10/25/1

History

Wed, 18 Dec 2024 16:30:00 +0000

Type	Values Removed	Values Added
References		https://www.openwall.com/lists/oss-security/2024/10/25/1

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2024/10/25/1

Thu, 21 Nov 2024 18:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:rhel_eus:9.4::appstream
References		https://access.redhat.com/errata/RHSA-2024:9555 https://access.redhat.com/errata/RHSA-2024:9556

Sat, 16 Nov 2024 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_eus:9.4

Tue, 12 Nov 2024 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94

Wed, 23 Oct 2024 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6

Wed, 23 Oct 2024 13:30:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine.	A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

Wed, 23 Oct 2024 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
CPEs	cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_eus:8.8::appstream cpe:/a:redhat:rhel_eus:9.2::appstream cpe:/a:redhat:rhel_tus:8.4::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2024:8352 https://access.redhat.com/errata/RHSA-2024:8353 https://access.redhat.com/errata/RHSA-2024:8354 https://access.redhat.com/errata/RHSA-2024:8355 https://access.redhat.com/errata/RHSA-2024:8356 https://access.redhat.com/errata/RHSA-2024:8357 https://access.redhat.com/errata/RHSA-2024:8358

Wed, 23 Oct 2024 01:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.0 cpe:/o:redhat:rhel_aus:7.7
References		https://nvd.nist.gov/vuln/detail/CVE-2024-9050 https://www.cve.org/CVERecord?id=CVE-2024-9050
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 22 Oct 2024 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus
CPEs		cpe:/o:redhat:rhel_aus:7.7::server
Vendors & Products		Redhat rhel Aus
References		https://access.redhat.com/errata/RHSA-2024:8338

Tue, 22 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s
CPEs		cpe:/a:redhat:rhel_e4s:9.0::appstream
Vendors & Products		Redhat rhel E4s
References		https://access.redhat.com/errata/RHSA-2024:8312

Tue, 22 Oct 2024 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 22 Oct 2024 12:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine.
Title		Networkmanager-libreswan: local privilege escalation via leftupdown
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2024-9050 https://bugzilla.redhat.com/show_bug.cgi?id=2313828
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-10-22T12:14:31.701Z

Updated: 2024-12-18T16:14:08.430Z

Reserved: 2024-09-20T18:25:24.574Z

Link: CVE-2024-9050

Vulnrichment

Updated: 2024-10-25T03:09:04.241Z

NVD

Status : Awaiting Analysis

Published: 2024-10-22T13:15:02.410

Modified: 2024-12-18T17:15:15.420

Link: CVE-2024-9050

Redhat

Severity : Important

Publid Date: 2024-10-22T12:00:00Z

Links: CVE-2024-9050 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9050", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-20T18:25:24.574Z", "datePublished": "2024-10-22T12:14:31.701Z", "dateUpdated": "2024-12-18T16:14:08.430Z"}, "containers": {"cna": {"title": "Networkmanager-libreswan: local privilege escalation via leftupdown", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "1.2.24", "versionType": "semver"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.4-4.el7_7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_aus:7.7::server"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.4-4.el7_9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_els:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-7.el8_10", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.10-6.el8_8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:8.8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.22-4.el9_5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.14-3.el9_0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:9.0::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.14-6.el9_2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "NetworkManager-libreswan", "defaultStatus": "affected", "versions": [{"version": "0:1.2.18-6.el9_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.4::appstream"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:8312", "name": "RHSA-2024:8312", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8338", "name": "RHSA-2024:8338", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8352", "name": "RHSA-2024:8352", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8353", "name": "RHSA-2024:8353", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8354", "name": "RHSA-2024:8354", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8355", "name": "RHSA-2024:8355", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8356", "name": "RHSA-2024:8356", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8357", "name": "RHSA-2024:8357", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8358", "name": "RHSA-2024:8358", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9555", "name": "RHSA-2024:9555", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9556", "name": "RHSA-2024:9556", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-9050", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313828", "name": "RHBZ#2313828", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/10/25/1"}], "datePublic": "2024-10-22T12:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "workarounds": [{"lang": "en", "value": "A mitigation for this issue is either unavailable or the existing options do not meet Red Hat Product Security's standards for ease of use, deployment, widespread applicability, or stability. \n\nOne potential approach is to prevent local users from controlling networking through polkit. However, this would also block them from connecting to new Wi-Fi networks, which is not ideal for laptops but might be acceptable for workstations. Server customers typically don't need to be concerned, as they generally don't have local users capable of exploiting the bug."}], "timeline": [{"lang": "en", "time": "2024-09-19T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-10-22T12:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-12-18T16:14:08.430Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T13:03:43.771304Z", "id": "CVE-2024-9050", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:08:22.196Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/25/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-25T03:09:04.241Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/25/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-25T03:09:04.241Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9050", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-22T13:03:43.771304Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:08:17.580Z"}}], "cna": {"title": "Networkmanager-libreswan: local privilege escalation via leftupdown", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "1.2.24", "versionType": "semver"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:rhel_aus:7.7::server"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "versions": [{"status": "unaffected", "version": "0:1.2.4-4.el7_7", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:rhel_els:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "versions": [{"status": "unaffected", "version": "0:1.2.4-4.el7_9", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:1.2.10-7.el8_10", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_2", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_4", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_4", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_4", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_6", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_6", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_6", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:8.8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:1.2.10-6.el8_8", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:1.2.22-4.el9_5", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.0::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:1.2.14-3.el9_0", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:1.2.14-6.el9_2", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:1.2.18-6.el9_4", "lessThan": "*", "versionType": "rpm"}], "packageName": "NetworkManager-libreswan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-09-19T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-10-22T12:00:00+00:00", "value": "Made public."}], "datePublic": "2024-10-22T12:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:8312", "name": "RHSA-2024:8312", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8338", "name": "RHSA-2024:8338", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8352", "name": "RHSA-2024:8352", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8353", "name": "RHSA-2024:8353", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8354", "name": "RHSA-2024:8354", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8355", "name": "RHSA-2024:8355", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8356", "name": "RHSA-2024:8356", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8357", "name": "RHSA-2024:8357", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8358", "name": "RHSA-2024:8358", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9555", "name": "RHSA-2024:9555", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9556", "name": "RHSA-2024:9556", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-9050", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313828", "name": "RHBZ#2313828", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/10/25/1"}], "workarounds": [{"lang": "en", "value": "A mitigation for this issue is either unavailable or the existing options do not meet Red Hat Product Security's standards for ease of use, deployment, widespread applicability, or stability. \n\nOne potential approach is to prevent local users from controlling networking through polkit. However, this would also block them from connecting to new Wi-Fi networks, which is not ideal for laptops but might be acceptable for workstations. Server customers typically don't need to be concerned, as they generally don't have local users capable of exploiting the bug."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-12-18T16:14:08.430Z"}, "x_redhatCweChain": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}}, "cveMetadata": {"cveId": "CVE-2024-9050", "state": "PUBLISHED", "dateUpdated": "2024-12-18T16:14:08.430Z", "dateReserved": "2024-09-20T18:25:24.574Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-10-22T12:14:31.701Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el complemento de cliente de libreswan para NetworkManager (NetkworkManager-libreswan), donde no puede desinfectar correctamente la configuraci\u00f3n de VPN del usuario local sin privilegios. En esta configuraci\u00f3n, compuesta por un formato clave-valor, el complemento no puede escapar caracteres especiales, lo que lleva a la aplicaci\u00f3n a interpretar los valores como claves. Uno de los par\u00e1metros m\u00e1s cr\u00edticos que un usuario malintencionado podr\u00eda abusar es la clave `leftupdown`. Esta clave toma un comando ejecutable como valor y se utiliza para especificar lo que se ejecuta como una devoluci\u00f3n de llamada en NetworkManager-libreswan para recuperar los ajustes de configuraci\u00f3n de nuevo a NetworkManager. Como NetworkManager utiliza Polkit para permitir que un usuario sin privilegios controle la configuraci\u00f3n de red del sistema, un actor malintencionado podr\u00eda lograr una escalada de privilegios local y una posible ejecuci\u00f3n de c\u00f3digo como root en la m\u00e1quina de destino."}], "id": "CVE-2024-9050", "lastModified": "2024-12-18T17:15:15.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-10-22T13:15:02.410", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8312"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8338"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8352"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8353"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8354"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8355"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8356"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8357"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8358"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:9555"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:9556"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-9050"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313828"}, {"source": "secalert@redhat.com", "url": "https://www.openwall.com/lists/oss-security/2024/10/25/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/25/1"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8338", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "NetworkManager-libreswan-0:1.2.4-4.el7_7", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8357", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "NetworkManager-libreswan-0:1.2.4-4.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8353", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "NetworkManager-libreswan-0:1.2.10-7.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8358", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8355", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8355", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8355", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8356", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8356", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8356", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:8354", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "NetworkManager-libreswan-0:1.2.10-6.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:9555", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "NetworkManager-libreswan-0:1.2.22-4.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:8312", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "NetworkManager-libreswan-0:1.2.14-3.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8352", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "NetworkManager-libreswan-0:1.2.14-6.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-23T00:00:00Z"}, {"advisory": "RHSA-2024:9556", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "NetworkManager-libreswan-0:1.2.18-6.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-11-13T00:00:00Z"}], "bugzilla": {"description": "NetworkManager-libreswan: Local privilege escalation via leftupdown", "id": "2313828", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313828"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.", "A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration."], "mitigation": {"lang": "en:us", "value": "A mitigation for this issue is either unavailable or the existing options do not meet Red Hat Product Security's standards for ease of use, deployment, widespread applicability, or stability. \nOne potential approach is to prevent local users from controlling networking through polkit. However, this would also block them from connecting to new Wi-Fi networks, which is not ideal for laptops but might be acceptable for workstations. Server customers typically don't need to be concerned, as they generally don't have local users capable of exploiting the bug."}, "name": "CVE-2024-9050", "public_date": "2024-10-22T12:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9050\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9050\nhttps://www.openwall.com/lists/oss-security/2024/10/25/1"], "statement": "This issue marked with an Important severity due to its potential to enable local privilege escalation and arbitrary code execution. Since NetworkManager uses Polkit to allow unprivileged users to manage network configurations, the failure to properly sanitize the VPN configuration, particularly the `leftupdown` key, creates a direct attack vector. By leveraging this vulnerability, an attacker can inject malicious commands into the VPN configuration, bypassing user privilege boundaries and gaining root access.", "threat_severity": "Important"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object