Bug 2362345 (CVE-2025-3931)

Summary: CVE-2025-3931 yggdrasil: Local privilege escalation in yggdrasil
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anthomas, ehelms, ggainey, jhnidek, juwatts, lpardo, mbenatto, mhorky, mhulan, mmilev, nmoumoul, osousa, pcreech, rchan, security-response-team, smallamp, thoger, tmalecek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2367712, 2367714, 2367713    
Bug Blocks:    
Deadline: 2025-05-14   

Description OSIDB Bzimport 2025-04-25 17:13:12 UTC 
The yggdrasil application does not perform any kind of authentication or authorization check on com.redhat.Yggdrasil.Dispatch() DBus method, allowing attacker to abuse of the yggdrasil-worker-package-manager to perform a local privilege escalation
Comment 3 errata-xmlrpc 2025-05-14 11:49:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7592 https://access.redhat.com/errata/RHSA-2025:7592