CVE-2024-52336 is a vulnerability in the Tuned package version 2.23.0 that allows local privilege escalation through improper privilege management of the D-Bus interface. Specifically, the instance_create() function can be invoked by any locally logged-in user without authentication, permitting them to pass arbitrary scripts via the script_pre or script_post options. These scripts, executed by Tuned with root privileges, enable attackers to run arbitrary code as root, effectively escalating their privileges from a non-privileged user to full system administrator. The vulnerability exploits the lack of authentication and insufficient access controls on the D-Bus method, combined with the ability to specify absolute paths to executable scripts. This flaw affects Linux systems where Tuned is installed and running, particularly those using version 2.23.0. The CVSS v3.1 base score is 7.8, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No public exploits have been reported yet, but the vulnerability poses a significant risk due to the potential for complete system compromise. The vulnerability was published on November 26, 2024, and is tracked by Red Hat and CISA. Mitigation involves patching the Tuned package once updates are available and restricting local user access to the D-Bus interface. Monitoring for unusual D-Bus calls and script executions can also help detect exploitation attempts.

The vulnerability allows local non-privileged users to execute arbitrary scripts with root privileges, leading to full system compromise. This can result in unauthorized access to sensitive data, modification or deletion of critical system files, installation of persistent malware, and disruption of system availability. Organizations relying on Linux systems with the affected Tuned version are at risk of privilege escalation attacks that bypass normal security controls. The impact extends to confidentiality, integrity, and availability, making it a critical concern for servers, workstations, and any systems where local user accounts exist. Attackers gaining root access can pivot to other systems, exfiltrate data, or disrupt operations. The lack of required user interaction and low complexity of exploitation increase the likelihood of successful attacks in environments where local access is possible. This vulnerability is particularly dangerous in multi-user environments, shared hosting, or systems with weak local access controls.

1. Apply patches or updates to the Tuned package as soon as they become available from the vendor or distribution maintainers. 2. Restrict local user access to systems running the affected Tuned version, limiting login capabilities to trusted users only. 3. Implement strict access controls on the D-Bus interface, using policies to restrict which users can invoke instance_create() or other sensitive methods. 4. Monitor D-Bus activity and system logs for unusual calls to instance_create() or execution of scripts via script_pre or script_post options. 5. Use mandatory access control frameworks like SELinux or AppArmor to confine the Tuned service and limit its ability to execute arbitrary scripts. 6. Regularly audit local user accounts and remove or disable unnecessary accounts to reduce the attack surface. 7. Employ endpoint detection and response (EDR) tools to detect suspicious script executions or privilege escalations. 8. Educate system administrators about the risks of local privilege escalation and the importance of timely patching and access control.