CVE-2024-52337: 
Alma Linux vulnerability analysis and mitigation

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. The vulnerability, tracked as CVE-2024-52337, was discovered in November 2024 and affects tuned versions >= 2.23. The issue exists in the instance_create() D-Bus method, which is accessible to locally logged-in users (NVD, OpenSUSE).

The vulnerability stems from the lack of sanitization of the instancename parameter in the instancecreate() method. This string is used in logging and in the output of utilities like tuned-adm get_instances, as well as other third-party programs that use Tuned's D-Bus interface. The flaw allows an attacker to pass controlled sequences of characters, including newlines that can be inserted into the log. The CVSS v3.1 base score for this vulnerability is 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (OpenSUSE, Red Hat).

An attacker could exploit this vulnerability to perform log spoofing by mimicking valid TuneD log lines and potentially trick administrators. The quotes are usually used in TuneD logs citing raw user input, so there will always be a quote character ending the spoofed input, which administrators might overlook. The logged string is later used in logging and in the output of utilities, such as tuned-adm get_instances or other third-party programs that use Tuned's D-Bus interface (NVD, OpenSUSE).

The issue has been fixed in tuned version 2.24.1. The fix includes rejecting user-supplied strings that contain disallowed characters through the implementation of an isvalidname() function. Additionally, the tuned Polkit policy for instance_create and other actions has been tightened to prevent access by local unprivileged users (OpenSUSE).