CVE-2024-9050: 
Rocky Linux vulnerability analysis and mitigation

A security vulnerability (CVE-2024-9050) was discovered in the NetworkManager-libreswan client plugin for NetworkManager, where it fails to properly sanitize VPN configurations from local unprivileged users. The vulnerability was discovered and fixed in NetworkManager-libreswan.git version 1.2.24. The issue affects various versions of Red Hat Enterprise Linux and was assigned a CVSS v3.1 base score of 7.8 (High) (NVD, Red Hat).

The vulnerability stems from the plugin's failure to escape special characters in the VPN configuration's key-value format. This allows malicious users to manipulate the configuration by injecting newline characters, causing values to be interpreted as keys. The most critical parameter that can be exploited is the 'leftupdown' key, which accepts an executable command as a value and is normally used to specify the NM-libreswan callback for retrieving configuration settings. Since NetworkManager uses Polkit to allow unprivileged users to control network configuration, this flaw can be exploited to achieve privilege escalation (OSS Security).

The vulnerability allows a local unprivileged user to achieve local privilege escalation and potentially execute arbitrary code with root privileges on the targeted machine through malicious VPN configuration. This is possible because the 'leftupdown' parameter can be manipulated to execute arbitrary commands with elevated privileges (NVD).

The vulnerability has been fixed in NetworkManager-libreswan.git version 1.2.24 through commit dcf8acfb25bd ('all: rework formatting of ipsec.conf'). Red Hat has released security updates for affected versions of Red Hat Enterprise Linux through multiple security advisories. Users are advised to update to the patched versions available through their respective distribution channels (Red Hat).