NetworkManager-libreswan-1.2.22-4.el9_5
エラータID: AXSA:2024-9430:08
リリース日:
2024/12/19 Thursday - 22:43
題名:
NetworkManager-libreswan-1.2.22-4.el9_5
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- NetworkManager の libreswan クライアントプラグイン
には、キーバリュー形式の設定値を処理する際の特殊文字
のエスケープ処理に問題があるため、ローカルの攻撃者
により、細工された設定の処理を介して、特権昇格、
および特権での任意のコードの実行を可能とする脆弱性
が存在します。(CVE-2024-9050)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-9050
A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.
A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.
追加情報:
N/A
ダウンロード:
SRPMS
- NetworkManager-libreswan-1.2.22-4.el9_5.src.rpm
MD5: e2d63b6630feed95710f4df0c6f202e4
SHA-256: c6a29eb8927c2ef4fbe5819e80780dcbe9c67146830d1f58a7b929526a44c6aa
Size: 443.32 kB
Asianux Server 9 for x86_64
- NetworkManager-libreswan-1.2.22-4.el9_5.x86_64.rpm
MD5: e66880293639ac9a7ce3b992e67c4691
SHA-256: c7041a6cfee40fe0c2cbc4a2babbf99d706e57739d116cd676eb03607111d5a1
Size: 163.64 kB - NetworkManager-libreswan-gnome-1.2.22-4.el9_5.x86_64.rpm
MD5: 1f6f62d99ba196b4b93bd0c12c748b41
SHA-256: d0e973bd97b086263d5b4df67ffe2712ac2d42cff11340b63a406158ccfc0d81
Size: 36.06 kB
English