Bug 2225407 (CVE-2023-3899)

Summary: CVE-2023-3899 subscription-manager: inadequate authorization of com.redhat.RHSM1 D-Bus interface allows local users to modify configuration
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
Severity: high
Priority: high
Version: unspecified
CC: csi-client-tools-bugs, csnyder, gtanzill, jcastran, jhnidek, jsefler, ptoscano, redakkan, security-response-team, tguittet
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: subscription-manager 1.29.37, subscription-manager 1.28.36
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to unconfined root.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2225440, 2225441, 2225442, 2225443, 2225444, 2225445, 2225446, 2229752, 2229753, 2229754, 2233724, 2233725
Bug Blocks: 2224941

Description TEJ RATHI 2023-07-25 09:22:11 UTC
The DBus interface com.redhat.RHSM1 exposes a significant number of methods to all users that will change the state of the registration. A non-privileged user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. By using the com.redhat.RHSM1.Config.SetAll() method, an unprivileged user can perform a local privilege escalation to unconfined root.

Comment 4 TEJ RATHI 2023-08-18 11:25:40 UTC
Statement:

The vulnerable method SetAll() allows a non-root user to perform local privilege escalation. The vulnerable method has been present since subscription-manager-1.26.15-1. Currently, RHEL-8.2 and above contain the vulnerable code.

However, before SetAll() was introduced, the worst thing that could happen was to unregister the system and cut the system off from updates. No privilege escalation is possible in RHEL-7.9 and RHEL-8.1, as those streams ship subscription-manager-1.25.17.1-1 and prior, making it a Moderate issue for those streams.

So the vulnerability has always been there; the SetAll() method introduced in a later version of subscription-manager turned it into a local privilege escalation.

Comment 6 TEJ RATHI 2023-08-22 14:00:54 UTC
Lifting embargo. This CVE is now public.
https://access.redhat.com/security/cve/CVE-2023-3899

Comment 7 errata-xmlrpc 2023-08-22 15:41:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4702 https://access.redhat.com/errata/RHSA-2023:4702

Comment 8 errata-xmlrpc 2023-08-22 15:51:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4703 https://access.redhat.com/errata/RHSA-2023:4703

Comment 9 errata-xmlrpc 2023-08-22 15:59:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4704 https://access.redhat.com/errata/RHSA-2023:4704

Comment 10 errata-xmlrpc 2023-08-22 16:00:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4701 https://access.redhat.com/errata/RHSA-2023:4701

Comment 11 errata-xmlrpc 2023-08-22 16:17:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4707 https://access.redhat.com/errata/RHSA-2023:4707

Comment 12 errata-xmlrpc 2023-08-22 16:30:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4705 https://access.redhat.com/errata/RHSA-2023:4705

Comment 13 errata-xmlrpc 2023-08-22 16:30:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4708 https://access.redhat.com/errata/RHSA-2023:4708

Comment 14 errata-xmlrpc 2023-08-22 16:31:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4706 https://access.redhat.com/errata/RHSA-2023:4706

Comment 15 TEJ RATHI 2023-08-23 06:35:38 UTC
Created subscription-manager tracking bugs for this issue:

Affects: fedora-37 [bug 2233724]
Affects: fedora-38 [bug 2233725]