CVE-2024-9050

7.8 HIGH

📋 TL;DR

This vulnerability allows local unprivileged users to achieve privilege escalation and potentially execute arbitrary code as root. The flaw exists in the libreswan client plugin for NetworkManager where improper sanitization of VPN configuration parameters enables command injection. Affected systems are those running vulnerable versions of NetworkManager-libreswan with Polkit-enabled network configuration.

💻 Affected Systems

Products:
  • NetworkManager-libreswan
  • libreswan client plugin for NetworkManager
Versions: Specific versions referenced in Red Hat advisories (check RHSA-2024:8312, RHSA-2024:8338, RHSA-2024:8352, RHSA-2024:8353, RHSA-2024:8354)
Operating Systems: Linux distributions using NetworkManager with libreswan plugin (primarily Red Hat-based systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Polkit to be enabled for network configuration management, which is common in desktop Linux environments.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local unprivileged user gains full root access and executes arbitrary code on the system, potentially leading to complete system compromise.

🟠 Likely Case

Local privilege escalation allowing attackers to execute commands with root privileges, potentially installing malware, accessing sensitive data, or pivoting to other systems.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, though local users could still potentially exploit the vulnerability.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Any local user account, including compromised low-privilege accounts, can potentially exploit this to gain root access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but appears straightforward once the vulnerability details are understood. The leftupdown parameter accepts executable commands that run with elevated privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific Red Hat advisories for patched versions

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:8312

Restart Required: Yes

Instructions:

1. Check your distribution's security advisories
2. Update NetworkManager-libreswan package using your package manager
3. Restart NetworkManager service or reboot the system
4. Verify the patch is applied

🔧 Temporary Workarounds

Restrict VPN configuration permissions

Limit which users can configure VPN settings through Polkit policies

Modify /etc/polkit-1/rules.d/ to restrict network configuration permissions

Disable libreswan plugin if unused

Remove or disable the vulnerable plugin if not required

sudo systemctl stop NetworkManager
sudo apt remove network-manager-libreswan    # Debian/Ubuntu
sudo yum remove NetworkManager-libreswan     # RHEL/CentOS
sudo systemctl start NetworkManager

🧯 If You Can't Patch

  • Restrict local user access to systems with vulnerable software
  • Implement strict monitoring for privilege escalation attempts and unusual root activity

🔍 How to Verify

Check if Vulnerable:

Check installed version of NetworkManager-libreswan and compare with patched versions in Red Hat advisories

Check Version:

rpm -q NetworkManager-libreswan      # RHEL/CentOS
dpkg -l network-manager-libreswan    # Debian/Ubuntu

Verify Fix Applied:

Verify the package version matches or exceeds the patched version from vendor advisories

📡 Detection & Monitoring

Log Indicators:

  • Unusual VPN configuration changes by non-privileged users
  • Polkit authorization logs showing network configuration requests
  • Sudden privilege escalation from user to root

Network Indicators:

  • None - this is a local exploitation vulnerability

SIEM Query:

Search for: 'user privilege escalation', 'polkit network configuration', 'unusual root command execution from user session'
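
An added example (not from this advisory or from the NetworkManager project): a Python audit that flags stored libreswan VPN profiles mentioning leftupdown, the parameter named in the Exploit Status section. It assumes profiles are stored in NetworkManager's keyfile format; the sample profiles, users and hosts are constructed.

```python
import configparser

LIBRESWAN = "org.freedesktop.NetworkManager.libreswan"
RISKY_OPTION = "leftupdown"  # the parameter this advisory names

# Constructed sample keyfiles (hypothetical users and hosts, not real data).
SAMPLES = {
    "office.nmconnection": (
        "[connection]\nid=office\ntype=vpn\npermissions=user:alice:;\n"
        "[vpn]\nservice-type=" + LIBRESWAN + "\nright=vpn.example.test\n"),
    "hook.nmconnection": (
        "[connection]\nid=hook\ntype=vpn\npermissions=user:bob:;\n"
        "[vpn]\nservice-type=" + LIBRESWAN + "\nright=vpn.example.test\n"
        "leftupdown=/usr/local/bin/example-hook\n"),
    "wifi.nmconnection": "[connection]\nid=cafe\ntype=wifi\n[wifi]\nssid=cafe\n",
}


def audit_keyfile(name, text):
    """Return a finding dict for a libreswan profile that mentions
    RISKY_OPTION, a finding for an unparseable file, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep keys exactly as written
    try:
        cp.read_string(text, source=name)
    except configparser.Error as exc:
        return {"file": name, "reason": "unparseable: " + type(exc).__name__}
    if cp.get("vpn", "service-type", fallback="") != LIBRESWAN:
        return None  # not a libreswan VPN profile
    # Look in keys and values so an oddly encoded entry is still surfaced.
    hits = [k for k, v in cp.items("vpn")
            if RISKY_OPTION in k.lower() or RISKY_OPTION in v.lower()]
    if not hits:
        return None
    return {"file": name, "reason": RISKY_OPTION + " present", "keys": hits,
            "permissions": cp.get("connection", "permissions", fallback="")}


def audit_profiles(profiles):
    """profiles maps file name -> keyfile text; returns the findings."""
    results = (audit_keyfile(n, t) for n, t in sorted(profiles.items()))
    return [r for r in results if r]


if __name__ == "__main__":
    for finding in audit_profiles(SAMPLES):
        print(finding)
```

On a host, pass it the contents of the keyfiles under /etc/NetworkManager/system-connections/ (readable by root) and review any finding whose permissions field names an unprivileged user.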
