CVE Vulnerabilities

CVE-2024-52336

Improper Privilege Management

Published: Nov 26, 2024 | Modified: Feb 03, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.8 IMPORTANT
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

A script injection vulnerability was identified in the Tuned package. The instance_create() D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with script_pre or script_post options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Fast Datapath for Red Hat Enterprise Linux 8 RedHat tuned-0:2.24.0-2.1.20240819gitc082797f.el8fdp *
Fast Datapath for Red Hat Enterprise Linux 9 RedHat tuned-0:2.24.0-2.1.20240819gitc082797f.el9fdp *
Red Hat Enterprise Linux 9 RedHat tuned-0:2.24.0-2.el9_5 *
Red Hat Enterprise Linux 9 RedHat tuned-0:2.24.0-2.el9_5 *

Potential Mitigations

References