High severity 7.8 · NVD Advisory · Published Oct 22, 2024 · Updated Apr 15, 2026

CVE-2024-9050

Description

A local privilege escalation in NetworkManager-libreswan allows unprivileged users to inject arbitrary commands via unsanitized VPN configuration keys, achieving root-level code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The libreswan client plugin for NetworkManager (NetworkManager-libreswan) fails to properly sanitize VPN configuration supplied by a local unprivileged user. The configuration uses a key-value format, and the plugin does not escape special characters, so a value can be interpreted as a key [1],[2].

The injection can be exploited through the leftupdown key, which specifies an executable command that runs as a callback to pass configuration settings back to NetworkManager. Because NetworkManager uses Polkit to grant unprivileged users control over the system's network configuration, a malicious user can craft a configuration entry where the leftupdown value includes arbitrary commands [3],[4]. An attacker with local unprivileged access can exploit this flaw to execute arbitrary code as root, gaining full control over the affected system.

Red Hat has released security updates for multiple RHEL versions (RHSA-2024:9555, RHSA-2024:8352, RHSA-2024:9556, RHSA-2024:8354) to address this vulnerability; affected users should apply the updates promptly [1],[2],[3],[4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
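
The input check this class of flaw calls for, as an added example (not NetworkManager-libreswan code and not the vendor's fix): it rejects user-supplied settings that set a reserved key, contain control characters, or parse back differently after being written out. The line-oriented key=value format, the function names and the sample settings are assumptions made for illustration; the page does not name the special characters involved.

```python
import unicodedata

# Keys an unprivileged caller must never set; leftupdown is the key the advisory names.
RESERVED_KEYS = {"leftupdown"}


def has_control_chars(text: str) -> bool:
    """True if text holds any control character (Unicode category Cc).
    This covers line breaks, the assumed record separator in this sketch."""
    return any(unicodedata.category(ch) == "Cc" for ch in text)


def serialize(settings: dict[str, str]) -> str:
    """Assumed format: one 'key=value' per line, written without escaping."""
    return "".join(f"{key}={value}\n" for key, value in settings.items())


def parse(text: str) -> dict[str, str]:
    """Read the same format back, the way a downstream consumer would."""
    parsed = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            parsed[key.strip()] = value
    return parsed


def audit(settings: dict[str, str]) -> list[str]:
    """Return findings for user-supplied settings; an empty list means accept."""
    findings = []
    for key, value in settings.items():
        if key in RESERVED_KEYS:
            findings.append(f"reserved key supplied: {key}")
        if has_control_chars(key) or has_control_chars(value):
            findings.append(f"control character in entry: {key!r}")
    # Round-trip check: the consumer must see exactly the entries supplied,
    # which also catches separators the character check does not list.
    if parse(serialize(settings)) != settings:
        findings.append("round-trip mismatch: serialized form parses differently")
    return findings


# Constructed sample inputs (placeholder values, not taken from the advisory).
BENIGN = {"right": "vpn.example.test", "leftid": "@group"}
TAMPERED = {"right": "vpn.example.test", "leftid": "@group\nleftupdown=PLACEHOLDER"}
```

Run `audit()` on the settings before anything is written for the privileged service; `TAMPERED` is rejected on both the character check and the round-trip check, while `BENIGN` passes.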

Affected products

5


References

15
