CVE-2024-52336 & CVE-2024-52337: Vulnerabilities in Linux Tuned Daemon

by do son · December 1, 2024

The SUSE Security Team has uncovered two vulnerabilities in the Linux Tuned daemon, a critical tool for runtime hardware and kernel optimization. These vulnerabilities, tracked as CVE-2024-52336 (CVSS 7.8) and CVE-2024-52337 (CVSS 5.5), highlight significant security risks that could allow attackers to escalate privileges or manipulate logs.

Tuned is a privileged daemon designed to optimize system performance by dynamically adjusting hardware and kernel settings. It operates via a comprehensive D-Bus interface, which is safeguarded by Polkit authentication. According to the SUSE Security Team, “Tuned sees frequent additions to its D-Bus interface and this is already the tenth review of it that we carried out since 2019”. This time, researchers discovered two critical flaws within the instance_create() D-Bus method.

CVE-2024-52336: Local Root Exploit via Arbitrary Script Execution

This vulnerability allows local, non-privileged users to exploit the script_pre and script_post parameters of the instance_create() method. These parameters accept user-controlled absolute file paths that are executed with root privileges, enabling a potential local root exploit.

“Scripts under control of an unprivileged user can be passed here. This allows for a local root exploit,” the SUSE report explains. A locally logged-in attacker can issue the following command to exploit this vulnerability:

$ gdbus call -y -d com.redhat.tuned -o /Tuned \
        -m com.redhat.tuned.control.instance_create cpu myinstance \
        '{"script_pre": "/path/to/myscript.sh", "devices": "*"}'

CVE-2024-52337: Log Spoofing via Unsanitized Instance Names

This flaw involves insufficient sanitization of the instance_name parameter in the instance_create() method. Attackers can inject arbitrary data, including control sequences and newlines, into logs and utilities such as tuned-adm get_instances.

The report states: “By placing newline characters into the name, seemingly independent, legitimate-looking entries can be added to the tuned log.”

EVIL=`echo -e "this is\nevil\033[?1047h"`
gdbus call -y -d com.redhat.tuned -o /Tuned -m com.redhat.tuned.control.instance_create cpu "$EVIL" '{"devices": "*"}'

Proof-of-Concept

This can deceive administrators or even manipulate terminal emulators, posing a risk to system integrity.

Upstream has released version v2.24.1 of Tuned, which addresses these vulnerabilities:

CVE-2024-52336: Ensures scripts are only loaded from trusted locations and strengthens the Polkit policy for instance_create.
CVE-2024-52337: Introduces validation to reject user-supplied strings containing disallowed characters.

The fixes were consolidated under commit 90c24eea, which provides enhanced security to the D-Bus methods.