CVE-2024-52336 & CVE-2024-52337: Vulnerabilities in Linux Tuned Daemon
The SUSE Security Team has uncovered two vulnerabilities in the Linux Tuned daemon, a critical tool for runtime hardware and kernel optimization. These vulnerabilities, tracked as CVE-2024-52336 (CVSS 7.8) and CVE-2024-52337 (CVSS 5.5), highlight significant security risks that could allow attackers to escalate privileges or manipulate logs.
Tuned is a privileged daemon designed to optimize system performance by dynamically adjusting hardware and kernel settings. It operates via a comprehensive D-Bus interface, which is safeguarded by Polkit authentication. According to the SUSE Security Team, “Tuned sees frequent additions to its D-Bus interface and this is already the tenth review of it that we carried out since 2019”. This time, researchers discovered two critical flaws within the instance_create() D-Bus method.
CVE-2024-52336: Local Root Exploit via Arbitrary Script Execution
This vulnerability allows local, non-privileged users to exploit the script_pre and script_post parameters of the instance_create() method. These parameters accept user-controlled absolute file paths that are executed with root privileges, enabling a potential local root exploit.
“Scripts under control of an unprivileged user can be passed here. This allows for a local root exploit,” the SUSE report explains. A locally logged-in attacker can issue the following command to exploit this vulnerability:
CVE-2024-52337: Log Spoofing via Unsanitized Instance Names
This flaw involves insufficient sanitization of the instance_name parameter in the instance_create() method. Attackers can inject arbitrary data, including control sequences and newlines, into logs and utilities such as tuned-adm get_instances.
The report states: “By placing newline characters into the name, seemingly independent, legitimate-looking entries can be added to the tuned log.”
This can deceive administrators or even manipulate terminal emulators, posing a risk to system integrity.
Upstream has released version v2.24.1 of Tuned, which addresses these vulnerabilities:
- CVE-2024-52336: Ensures scripts are only loaded from trusted locations and strengthens the Polkit policy for instance_create.
- CVE-2024-52337: Introduces validation to reject user-supplied strings containing disallowed characters.
The fixes were consolidated under commit 90c24eea, which provides enhanced security to the D-Bus methods.
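The two checks described in the fix list above, sketched as an added example (not the Tuned project's code and not taken from commit 90c24eea). The allow-listed character set, the 64-character limit, the function names and the `trusted_dirs` parameter are assumptions made for illustration; the page does not state which characters or directories upstream uses.

```python
import os
import re

# Assumption: allow-list for instance names. The page only says strings with
# "disallowed characters" are rejected, not which set upstream chose.
_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def validate_instance_name(name):
    """Accept only short allow-listed names: no newlines, ESC or other control bytes."""
    return isinstance(name, str) and _NAME_RE.fullmatch(name) is not None

def is_trusted_script(path, trusted_dirs):
    """True only if path, after resolving symlinks and '..', lies inside a trusted dir."""
    if not os.path.isabs(path):
        return False
    real = os.path.realpath(path)
    for directory in trusted_dirs:
        root = os.path.realpath(directory)
        if real != root and os.path.commonpath([real, root]) == root:
            return True
    return False

def check_instance_request(name, script_pre, script_post, trusted_dirs):
    """Return rejection reasons for an instance_create()-style request; [] means accept."""
    errors = []
    if not validate_instance_name(name):
        errors.append("instance_name contains disallowed characters")
    for label, script in (("script_pre", script_pre), ("script_post", script_post)):
        if script and not is_trusted_script(script, trusted_dirs):
            errors.append(label + " is outside the trusted script directories")
    return errors

if __name__ == "__main__":
    # Constructed sample request; the directory below is a placeholder.
    placeholder_dirs = ["/opt/example-trusted-scripts"]
    spoofed_name = "inst\n2024-01-01 00:00:00 INFO constructed fake entry"
    for reason in check_instance_request(spoofed_name, "/tmp/user.sh", "", placeholder_dirs):
        print("rejected:", reason)
```

Resolving the path with `os.path.realpath` before the comparison matters: a symlink or a `..` component placed inside a trusted directory would otherwise pass a plain prefix check.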