{"id":"CVE-2024-9050","summary":"Networkmanager-libreswan: local privilege escalation via leftupdown","details":"A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.","modified":"2026-07-08T08:11:54.405033351Z","published":"2024-10-22T12:14:31.701Z","related":["ALSA-2024:8353","ALSA-2024:9555","openSUSE-SU-2024:14422-1"],"database_specific":{"cna_assigner":"redhat","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/9xxx/CVE-2024-9050.json","cwe_ids":["CWE-94"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/25/1"},{"type":"WEB","url":"https://access.redhat.com/downloads/content/package-browser/"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2024/10/25/1"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8312"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8338"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8352"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8353"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8354"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8355"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8356"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8357"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8358"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:9555"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:9556"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2024-9050"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/9xxx/CVE-2024-9050.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9050"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2313828"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/dcf8acfb25bd31e4b8cbd20c229da660238b5c1b"},{"type":"PACKAGE","url":"https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/gnome/networkmanager-libreswan","events":[{"introduced":"0"},{"fixed":"dcf8acfb25bd31e4b8cbd20c229da660238b5c1b"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.2.24"}]}}],"versions":["1.2.22","1.2.21-dev","1.2.20","1.2.19-dev","1.2.18","1.2.17-dev","1.2.16","1.2.15-dev","1.2.14","1.2.13-dev","1.2.10","1.2.12","1.2.11-dev","1.2.9-dev","1.2.8","1.2.7-dev","1.2.6","1.2.5-dev","1.2.4","1.2.3-dev","1.2.2","1.2.1-dev","1.2.0","1.2-rc1","1.2-beta3","1.2-beta2","1.2-beta1","0.9.8.0","0.9.6.0","0.9.4-beta1","0.9.3.995","0.9.2.0","0.9.2","0.9.2-rc1","0.9.1.95","0.9.0","0.9-rc2","0.8.999"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9050.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}