Bug 2313828 (CVE-2024-9050)

Summary: CVE-2024-9050 NetworkManager-libreswan: Local privilege escalation via leftupdown
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: VERIFIED --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jiahuja, lrintel, rgreene, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2320956    
Bug Blocks:    
Deadline: 2024-10-22   

Description OSIDB Bzimport 2024-09-20 18:30:55 UTC 
A security issue in NM-libreswan, where we fail to sanitize the VPN configuration from a local unprivileged user and pass it directly to Libreswan.

The libreswan connection configuration is simple key=value format, but we fail to check for or escape special characters, including newlines, which makes it possible for the user to trick us to treat values as key.

Unfortunately, there's one particular key that takes an executable command as an argument: leftupdown (couldn't find more in ipsec.conf(5)). We normally use it to specify the NM-libreswan callback, that would pass L3 configuration back to NM. It can be abused to execute arbitrary code.
Comment 4 errata-xmlrpc 2024-10-22 12:22:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:8312 https://access.redhat.com/errata/RHSA-2024:8312
Comment 5 errata-xmlrpc 2024-10-22 18:15:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:8338 https://access.redhat.com/errata/RHSA-2024:8338
Comment 6 errata-xmlrpc 2024-10-23 09:59:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:8356 https://access.redhat.com/errata/RHSA-2024:8356
Comment 7 errata-xmlrpc 2024-10-23 10:00:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:8358 https://access.redhat.com/errata/RHSA-2024:8358
Comment 8 errata-xmlrpc 2024-10-23 10:02:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:8357 https://access.redhat.com/errata/RHSA-2024:8357
Comment 9 errata-xmlrpc 2024-10-23 10:07:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:8353 https://access.redhat.com/errata/RHSA-2024:8353
Comment 10 errata-xmlrpc 2024-10-23 10:09:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:8354 https://access.redhat.com/errata/RHSA-2024:8354
Comment 11 errata-xmlrpc 2024-10-23 10:12:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:8355 https://access.redhat.com/errata/RHSA-2024:8355
Comment 12 errata-xmlrpc 2024-10-23 10:17:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:8352 https://access.redhat.com/errata/RHSA-2024:8352
Comment 14 errata-xmlrpc 2024-11-13 15:18:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9555 https://access.redhat.com/errata/RHSA-2024:9555
Comment 15 errata-xmlrpc 2024-11-13 15:45:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:9556 https://access.redhat.com/errata/RHSA-2024:9556