CVE-2024-52336: Tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root

Description

A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.

Classification

CVE ID: CVE-2024-52336

Affected Products

Vendor: Red Hat

Product: Red Hat Enterprise Linux 9

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.81% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://access.redhat.com/errata/RHSA-2024:10384
https://access.redhat.com/security/cve/CVE-2024-52336
https://bugzilla.redhat.com/show_bug.cgi?id=2324540

Timeline

2024-11-27 14:42:04 UTC
CVE

Tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root