Description
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.
Problem types
Product status
2.23.0 (semver) before 2.24.1
0:2.24.0-2.1.20240819gitc082797f.el8fdp (rpm) before *
0:2.24.0-2.1.20240819gitc082797f.el9fdp (rpm) before *
0:2.24.0-2.el9_5 (rpm) before *
0:2.24.0-2.el9_5 (rpm) before *
Timeline
| 2024-11-08: | Reported to Red Hat. |
| 2024-11-26: | Made public. |
Credits
Red Hat would like to thank Matthias Gerstner (SUSE Security Team) for reporting this issue.
References
www.openwall.com/lists/oss-security/2024/11/28/2
security.opensuse.org/2024/11/26/tuned-instance-create.html
access.redhat.com/errata/RHSA-2024:10384 (RHSA-2024:10384)
access.redhat.com/errata/RHSA-2025:0879 (RHSA-2025:0879)
access.redhat.com/errata/RHSA-2025:0880 (RHSA-2025:0880)
access.redhat.com/security/cve/CVE-2024-52336
bugzilla.redhat.com/show_bug.cgi?id=2324540 (RHBZ#2324540)
github.com/redhat-performance/tuned/releases/tag/v2.24.1
security.opensuse.org/2024/11/26/tuned-instance-create.html
www.openwall.com/lists/oss-security/2024/11/28/1