The D-Bus interface com.redhat.RHSM1 exposes to all users a significant number of methods that change the state of the registration. A non-privileged user could tamper with the state of the registration by unregistering the system or by changing the current entitlements. By using the com.redhat.RHSM1.Config.SetAll() method, an unprivileged user can perform a local privilege escalation to unconfined root.
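The check a practitioner wants after reading the description above is: which methods of the service's interface can a non-root user actually send to? The following is an added example, not code from this bug report or from subscription-manager. It parses two standard formats, D-Bus introspection XML (what `busctl introspect --xml-interface` prints) and a dbus-daemon bus-policy fragment (the `/usr/share/dbus-1/system.d/*.conf` shape), and lists the methods a given user may invoke under dbus-daemon's ordering rules. The interface XML and both policy fragments are constructed for illustration: only the interface name and the SetAll() method come from the report; the `Get` method, the policy contents, and the "hardened" variant are assumptions and do not represent Red Hat's actual shipped policy or fix.

```python
"""Audit which methods of a D-Bus service a given user may call.

Added example (not from the bug report, not subscription-manager's code).
Parses D-Bus introspection XML plus a dbus-daemon bus-policy fragment and
evaluates send rules the way dbus-daemon orders them.  Sample XML below is
CONSTRUCTED for illustration, not the real RHSM1 interface or policy.
"""
import xml.etree.ElementTree as ET


def exposed_methods(introspection_xml: str, interface: str) -> dict:
    """Return {method_name: concatenated in-arg signature} for one interface."""
    root = ET.fromstring(introspection_xml)
    methods = {}
    for iface in root.iter("interface"):
        if iface.get("name") != interface:
            continue
        for m in iface.findall("method"):
            sig = "".join(a.get("type", "") for a in m.findall("arg")
                          if a.get("direction", "in") == "in")
            methods[m.get("name")] = sig
    return methods


def user_may_call(policy_xml: str, user: str, dest: str,
                  interface: str, member: str) -> bool:
    """Evaluate a bus-policy fragment for one method call.

    Mirrors dbus-daemon ordering: context="default" policies first, then
    policies for this user, then context="mandatory"; within that order the
    LAST matching <allow>/<deny> wins.  Starts from the system-bus baseline
    (stock system.conf denies method calls), so a call is permitted only if
    some rule explicitly allows it.  Group policies are not evaluated, and a
    rule using a send_* attribute not modelled here (e.g. send_path) is
    treated as not matching, which errs toward reporting "denied".
    """
    root = ET.fromstring(policy_xml)
    policies = list(root.iter("policy"))
    ordered = ([p for p in policies if p.get("context") == "default"]
               + [p for p in policies if p.get("user") == user]
               + [p for p in policies if p.get("context") == "mandatory"])
    call = {"send_destination": dest, "send_interface": interface,
            "send_member": member, "send_type": "method_call"}
    allowed = False
    for policy in ordered:
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            send_attrs = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
            if not send_attrs:          # own=/receive_* rules do not govern sending
                continue
            if all(k in call and (v == "*" or v == call[k]) for k, v in send_attrs.items()):
                allowed = rule.tag == "allow"
    return allowed


def audit_interface(introspection_xml: str, policy_xml: str, dest: str,
                    interface: str, user: str) -> list:
    """Sorted names of `interface` methods on `dest` that `user` may invoke."""
    return sorted(name for name in exposed_methods(introspection_xml, interface)
                  if user_may_call(policy_xml, user, dest, interface, name))


# Constructed introspection snippet: NOT the real com.redhat.RHSM1.Config XML.
SAMPLE_INTROSPECTION = """<node>
  <interface name="com.redhat.RHSM1.Config">
    <method name="Get">
      <arg name="property_name" type="s" direction="in"/>
      <arg name="locale" type="s" direction="in"/>
      <arg type="v" direction="out"/>
    </method>
    <method name="SetAll">
      <arg name="configuration" type="a{sv}" direction="in"/>
      <arg name="locale" type="s" direction="in"/>
    </method>
  </interface>
</node>"""

# Constructed weak fragment: the default context lets every local user send
# any method call to the service, so SetAll is reachable by anyone.
WEAK_POLICY = """<busconfig>
  <policy user="root"><allow own="com.redhat.RHSM1"/></policy>
  <policy context="default">
    <allow send_destination="com.redhat.RHSM1"/>
  </policy>
</busconfig>"""

# Constructed hardened fragment (illustrative, not Red Hat's fix): everyone
# keeps the read-only Get, only root may send the rest.
HARDENED_POLICY = """<busconfig>
  <policy user="root">
    <allow own="com.redhat.RHSM1"/>
    <allow send_destination="com.redhat.RHSM1"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.redhat.RHSM1"
           send_interface="com.redhat.RHSM1.Config" send_member="Get"/>
  </policy>
</busconfig>"""

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_interface(SAMPLE_INTROSPECTION, policy, "com.redhat.RHSM1",
                                     "com.redhat.RHSM1.Config", "nobody"))
```

On a live host the inputs would come from `busctl --system introspect --xml-interface com.redhat.RHSM1 <object path>` (the Config object's path is not stated in this report and must be read from the service's own introspection) and from the service's fragment under `/usr/share/dbus-1/system.d/` or `/etc/dbus-1/system.d/`. A bus policy that lets the default context reach a method is necessary but not sufficient for the call to succeed: a service may also authorize inside the method handler (for example via polkit), which this audit cannot see, so an "allowed" result is a lead to confirm with a read-only call, not proof of a vulnerability.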
Statement: The vulnerable method SetAll() allows a non-root user to perform a local privilege escalation. The vulnerable method has been present since subscription-manager-1.26.15-1. Currently, RHEL-8.2 and above contain the vulnerable code. However, before SetAll() was introduced, the worst thing that could happen was to unregister the system and cut the system off from updates. No privilege escalation is possible in RHEL-7.9 and RHEL-8.1, as those streams ship subscription-manager-1.25.17.1-1 and prior, making it a Moderate issue for those streams. So the vulnerability has always been there; the SetAll() method introduced in a later version of subscription-manager turned it into a local privilege escalation.
Lifting embargo: this CVE is now public. https://access.redhat.com/security/cve/CVE-2023-3899
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:4702 https://access.redhat.com/errata/RHSA-2023:4702
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:4703 https://access.redhat.com/errata/RHSA-2023:4703
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:4704 https://access.redhat.com/errata/RHSA-2023:4704
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:4701 https://access.redhat.com/errata/RHSA-2023:4701
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:4707 https://access.redhat.com/errata/RHSA-2023:4707
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4705 https://access.redhat.com/errata/RHSA-2023:4705
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4708 https://access.redhat.com/errata/RHSA-2023:4708
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4706 https://access.redhat.com/errata/RHSA-2023:4706
Created subscription-manager tracking bugs for this issue: Affects: fedora-37 [bug 2233724] Affects: fedora-38 [bug 2233725]