CVE-2024-52336
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in the Tuned package. A local non-privileged user can exploit the unauthenticated D-Bus instance_create() function to inject and execute arbitrary scripts with root privileges. This affects systems running vulnerable versions of Tuned with local user access.
💻 Affected Systems
- Tuned
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local user escalates privileges to root, gaining administrative control over the affected system.
If Mitigated
Attack fails due to patched system, restricted D-Bus access, or lack of local user accounts.
🎯 Exploit Status
Exploitation requires local user access but no authentication to the D-Bus function. Script injection is straightforward once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories (RHSA-2024:10384, RHSA-2025:0879, RHSA-2025:0880)
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-52336
Restart Required: Yes
Instructions:
1. Update the Tuned package using the system package manager.
2. Restart the Tuned service or reboot the system.
3. Verify the patch installation with a version check.
🔧 Temporary Workarounds
Restrict D-Bus Access
Configure the D-Bus policy to restrict access to Tuned's instance_create() function to privileged users only.
Edit /etc/dbus-1/system.d/tuned.conf to add appropriate policy restrictions
Disable Tuned Service
Stop and disable the Tuned service if it is not required for system performance tuning.
systemctl stop tuned
systemctl disable tuned
🧯 If You Can't Patch
- Implement strict access controls to limit local user accounts on affected systems.
- Monitor for suspicious D-Bus calls to Tuned service and script execution with root privileges.
🔍 How to Verify
Check if Vulnerable:
Check the Tuned package version against the patched versions in the Red Hat advisories, and check whether the D-Bus policy allows unauthenticated calls to instance_create().
Check Version:
rpm -q tuned
Verify Fix Applied:
Confirm Tuned package is updated to patched version and test that unauthenticated D-Bus calls to instance_create() with script options are rejected.
📡 Detection & Monitoring
Log Indicators:
- D-Bus authorization failures or successes for Tuned service
- Unexpected script execution with root privileges from Tuned context
Network Indicators:
- Local D-Bus communication patterns to Tuned service
SIEM Query:
Process execution where parent_process contains 'tuned' and user='root' for unexpected scripts
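The SIEM query above, expressed as an added Python example (not from the advisory or the Tuned project) and run over constructed process events; the event field names and the allow-list of expected Tuned child processes are assumptions for this example.

```python
"""Flag processes spawned by Tuned as root whose executable is not an
expected helper.  The ProcessEvent fields, the allow-list and the sample
events are constructed for this example, not taken from real telemetry."""
from dataclasses import dataclass

# Helpers Tuned is expected to launch as root (assumed list, not from
# the advisory); anything else spawned under tuned is worth an alert.
EXPECTED_CHILDREN = {"/usr/sbin/sysctl", "/usr/bin/ethtool", "/usr/sbin/ip"}


@dataclass
class ProcessEvent:
    parent_process: str   # executable of the parent, e.g. "/usr/sbin/tuned"
    user: str             # user the child process runs as
    image: str            # executable of the child process
    command_line: str


def is_suspicious(ev: ProcessEvent) -> bool:
    """parent contains 'tuned' AND user is root AND child is unexpected."""
    return (
        "tuned" in ev.parent_process.lower()
        and ev.user == "root"
        and ev.image not in EXPECTED_CHILDREN
    )


def find_suspicious(events):
    """Return the subset of events matching the detection rule."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events: one benign tuned helper, one unexpected
# script under tuned, one script under systemd, one non-root tuned child.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/tuned", "root", "/usr/sbin/sysctl", "sysctl -w vm.swappiness=10"),
    ProcessEvent("/usr/sbin/tuned", "root", "/bin/sh", "sh -c /tmp/unexpected.sh"),
    ProcessEvent("/usr/lib/systemd/systemd", "root", "/bin/sh", "sh -c /usr/lib/cron.sh"),
    ProcessEvent("/usr/sbin/tuned", "tuned", "/bin/sh", "sh -c id"),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", ev.parent_process, "->", ev.command_line)
```

Only the second sample event is reported; tune EXPECTED_CHILDREN to the helpers your Tuned profiles actually invoke before deploying the rule.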
🔗 References
- https://access.redhat.com/errata/RHSA-2024:10384
- https://access.redhat.com/errata/RHSA-2025:0879
- https://access.redhat.com/errata/RHSA-2025:0880
- https://access.redhat.com/security/cve/CVE-2024-52336
- https://bugzilla.redhat.com/show_bug.cgi?id=2324540
- https://security.opensuse.org/2024/11/26/tuned-instance-create.html
- https://www.openwall.com/lists/oss-security/2024/11/28/1
- https://www.openwall.com/lists/oss-security/2024/11/28/2