A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the leftupdown
key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the systems network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Red Hat Enterprise Linux 7.7 Advanced Update Support | RedHat | NetworkManager-libreswan-0:1.2.4-4.el7_7 | * |
Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | NetworkManager-libreswan-0:1.2.4-4.el7_9 | * |
Red Hat Enterprise Linux 8 | RedHat | NetworkManager-libreswan-0:1.2.10-7.el8_10 | * |
Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_2 | * |
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_4 | * |
Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_4 | * |
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_4 | * |
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_6 | * |
Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_6 | * |
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_6 | * |
Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | NetworkManager-libreswan-0:1.2.10-6.el8_8 | * |
Red Hat Enterprise Linux 9 | RedHat | NetworkManager-libreswan-0:1.2.22-4.el9_5 | * |
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | NetworkManager-libreswan-0:1.2.14-3.el9_0 | * |
Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | NetworkManager-libreswan-0:1.2.14-6.el9_2 | * |
Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | NetworkManager-libreswan-0:1.2.18-6.el9_4 | * |