Bug
Resolution: Unresolved
Normal
rhel-9.8, rhel-10.2
rhel-sst-ccs
Known Issue
Document link:
Section number and name:
Describe the issue:
NetworkManager was affected by CVE-2025-9615. In this vulnerability, a normal (non-admin) user can use other users' certificates by specifying the path to such a file in properties that accept certificate paths, such as `802-1x.client-cert` and similar properties. Because the daemon runs as root, it can read those files regardless of their file permissions.
The vulnerability can be exploited in two different ways:
- The user creates a private connection (owned by a single user) and specifies a path to another user's certificate.
- The user creates a system-wide connection (not owned by any user). This is allowed in RHEL when the user is physically interacting with the system, but not if the user is remotely connected (like ssh).
The first attack method is prevented after the fix in https://issues.redhat.com/browse/RHEL-111772 and https://issues.redhat.com/browse/RHEL-111783.
The second attack method can only be prevented by not allowing normal users to create system-wide connections. However, this would be a change in behaviour in the middle of a RHEL major version, so it is not going to be applied to RHEL 9 nor RHEL 10.
Impact of this issue:
Users will remain vulnerable to the attack unless they apply some changes by themselves.
Suggestions for improvement:
Add a release note and knowledge base article explaining how sysadmins can harden their systems to prevent the second attack method. What they need to do is to add a custom Polkit rule to a file `/etc/polkit-1/rules.d/20-nm-non-admin.rules` with the following content:
```javascript
// Non-admin users can create NetworkManager system-wide connections if they're
// physically connected. This allows them to override administrator's defined
// settings and may be a security issue. Forbid it.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        !subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_ADMIN_KEEP; // or polkit.Result.NO
    }
});
```
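The Polkit rule prevents new system-wide profiles from being created by non-admins, but profiles created before it was installed stay in place. As an added example (not part of this issue or of NetworkManager), the audit below parses keyfile-format profiles and flags any `802-1x` certificate or key path that the root daemon would read on behalf of someone who does not own the file: a user-owned file referenced from a system-wide profile, or from a profile that user does not own. The sample profile, owner map and the `owner_of` callback (which on a real host would be `pwd.getpwuid(os.stat(p).st_uid).pw_name`) are constructed for this example.

```python
import configparser
from urllib.parse import unquote

# 802-1x properties that accept a path to a certificate or key file.
CERT_KEYS = ("ca-cert", "client-cert", "private-key",
             "phase2-ca-cert", "phase2-client-cert", "phase2-private-key")

def profile_owners(permissions):
    """'user:alice:;user:bob:;' -> {'alice', 'bob'}; an empty set means system-wide."""
    return {p.split(":")[1] for p in permissions.split(";")
            if p.startswith("user:") and p.split(":")[1]}

def audit_profile(keyfile_text, owner_of):
    """Return (key, path, file_owner) for each cert/key file the daemon would read
    for someone other than its owner. owner_of(path) -> username (injected)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []
    allowed = profile_owners(cp.get("connection", "permissions", fallback=""))
    findings = []
    for key in CERT_KEYS:
        value = cp.get("802-1x", key, fallback="")
        if not value.startswith(("/", "file://")):   # absent, blob or pkcs11: value
            continue
        path = unquote(value[7:]) if value.startswith("file://") else value
        owner = owner_of(path)
        # Root-owned files are the normal case. A user's file referenced by a
        # system-wide profile, or by a profile that user does not own, is the
        # CVE-2025-9615 exposure: root reads it regardless of its mode bits.
        if owner != "root" and (not allowed or owner not in allowed):
            findings.append((key, path, owner))
    return findings

# Constructed sample: a system-wide profile (no permissions=) written by "mallory"
# that points at alice's client certificate and private key.
SAMPLE_PROFILE = """[connection]
id=corp-wifi
type=wifi

[802-1x]
eap=tls;
identity=mallory
client-cert=file:///home/alice/certs/client.pem
private-key=/home/alice/certs/client.key
ca-cert=/etc/pki/tls/certs/corp-ca.pem
"""
SAMPLE_OWNERS = {"/home/alice/certs/client.pem": "alice",
                 "/home/alice/certs/client.key": "alice",
                 "/etc/pki/tls/certs/corp-ca.pem": "root"}
```

Running `audit_profile` over every file in `/etc/NetworkManager/system-connections/` with a real `owner_of` lists the profiles an administrator should review or remove after installing the rule.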