A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00071.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Redhat
  • Enterprise Linux
  • Rhel Aus
  • Rhel E4s
  • Rhel Els
  • Rhel Eus
  • Rhel Tus

No data.

Package CPE Advisory Released Date
Red Hat Enterprise Linux 7.7 Advanced Update Support
NetworkManager-libreswan-0:1.2.4-4.el7_7 cpe:/o:redhat:rhel_aus:7.7 RHSA-2024:8338 2024-10-22T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
NetworkManager-libreswan-0:1.2.4-4.el7_9 cpe:/o:redhat:rhel_els:7 RHSA-2024:8357 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8
NetworkManager-libreswan-0:1.2.10-7.el8_10 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:8353 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_2 cpe:/a:redhat:rhel_aus:8.2 RHSA-2024:8358 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:8355 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
NetworkManager-libreswan-0:1.2.10-6.el8_4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:8355 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
NetworkManager-libreswan-0:1.2.10-6.el8_4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:8355 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_6 cpe:/a:redhat:rhel_aus:8.6 RHSA-2024:8356 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
NetworkManager-libreswan-0:1.2.10-6.el8_6 cpe:/a:redhat:rhel_tus:8.6 RHSA-2024:8356 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
NetworkManager-libreswan-0:1.2.10-6.el8_6 cpe:/a:redhat:rhel_e4s:8.6 RHSA-2024:8356 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
NetworkManager-libreswan-0:1.2.10-6.el8_8 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:8354 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 9
NetworkManager-libreswan-0:1.2.22-4.el9_5 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:9555 2024-11-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
NetworkManager-libreswan-0:1.2.14-3.el9_0 cpe:/a:redhat:rhel_e4s:9.0 RHSA-2024:8312 2024-10-22T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
NetworkManager-libreswan-0:1.2.14-6.el9_2 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:8352 2024-10-23T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
NetworkManager-libreswan-0:1.2.18-6.el9_4 cpe:/a:redhat:rhel_eus:9.4 RHSA-2024:9556 2024-11-13T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

A mitigation for this issue is either unavailable or the existing options do not meet Red Hat Product Security's standards for ease of use, deployment, widespread applicability, or stability. One potential approach is to prevent local users from controlling networking through polkit. However, this would also block them from connecting to new Wi-Fi networks, which is not ideal for laptops but might be acceptable for workstations. Server customers typically don't need to be concerned, as they generally don't have local users capable of exploiting the bug.

References
Link Providers
http://www.openwall.com/lists/oss-security/2024/10/25/1 cve-icon
https://access.redhat.com/errata/RHSA-2024:8312 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8338 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8352 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8353 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8354 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8355 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8356 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8357 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:8358 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:9555 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:9556 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2024-9050 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2313828 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-9050 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-9050 cve-icon
https://www.openwall.com/lists/oss-security/2024/10/25/1 cve-icon cve-icon cve-icon
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00061}

 epss

{'score': 0.00049}

Sat, 05 Jul 2025 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10

Wed, 18 Dec 2024 16:30:00 +0000

Type Values Removed Values Added
References

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Thu, 21 Nov 2024 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:rhel_eus:9.4::appstream
References

Sat, 16 Nov 2024 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_eus:9.4

Tue, 12 Nov 2024 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Wed, 23 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6

Wed, 23 Oct 2024 13:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine. A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

Wed, 23 Oct 2024 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8		 cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:rhel_aus:8.2::appstream
cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.4::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_eus:8.8::appstream
cpe:/a:redhat:rhel_eus:9.2::appstream
cpe:/a:redhat:rhel_tus:8.4::appstream
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
References

Wed, 23 Oct 2024 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/o:redhat:rhel_aus:7.7
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 22 Oct 2024 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
CPEs cpe:/o:redhat:rhel_aus:7.7::server
Vendors & Products Redhat rhel Aus
References

Tue, 22 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.0::appstream
Vendors & Products Redhat rhel E4s
References

Tue, 22 Oct 2024 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 22 Oct 2024 12:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine.
Title Networkmanager-libreswan: local privilege escalation via leftupdown
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-10-01T08:51:11.561Z

Reserved: 2024-09-20T18:25:24.574Z

Link: CVE-2024-9050

cve-icon Vulnrichment

Updated: 2024-10-25T03:09:04.241Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-22T13:15:02.410

Modified: 2024-12-18T17:15:15.420

Link: CVE-2024-9050

cve-icon Redhat

Severity : Important

Publid Date: 2024-10-22T12:00:00Z

Links: CVE-2024-9050 - Bugzilla

cve-icon OpenCVE Enrichment

No data.