When registering a system through GNOME Control Center, the Red Hat Customer Portal password gets sent to the system log and is passed as an argument to the gnome-settings-daemon helper, making it readable by an unprivileged local user.
When registering a Red Hat system to Red Hat Subscription Manager with the UI provided through GNOME Control Center, the Red Hat Customer Portal password provided by the user is passed as an argument to the gnome-settings-daemon helper. The command is logged on the system, password included, which is not a good practice. Those logs could only be read by other admin users, but it could still be possible for a local unprivileged user to see the command being executed and find out the password to the Red Hat Customer Portal.
As the subscription of a Red Hat system is usually an operation performed at installation time, before any untrusted user has the chance to have access to the system, the likelihood of this flaw being abused is considered low.
Mitigation: Use `subscription-manager` directly from the terminal and do not use the `--password` flag.
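The exposure described above, next to the safer pattern of handing the secret to a helper over stdin, as an added example that is not code from gnome-settings-daemon or subscription-manager. It assumes a Linux `/proc` filesystem; the helper, the `--password` argument of the stand-in helper and the sample password are constructed for illustration.

```python
import subprocess
import sys

SECRET = "constructed-example-password"  # constructed sample value, not a real credential

# Hypothetical stand-in helper: blocks on stdin until the parent closes the pipe.
HELPER = "import sys; sys.stdin.read()"


def argv_of(pid):
    """Return a process's argument vector as any local user can read it."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [arg.decode() for arg in f.read().split(b"\0") if arg]


def run_helper(secret, via_argv):
    """Start the helper, capture its world-readable argv, then let it exit."""
    cmd = [sys.executable, "-c", HELPER]
    if via_argv:
        # Pattern from this bug: the secret becomes part of the command line.
        cmd += ["--password", secret]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE)
    try:
        visible = argv_of(proc.pid)
        # Hardened pattern: the secret travels over the pipe, never in argv.
        proc.communicate(input=b"" if via_argv else secret.encode())
    finally:
        if proc.poll() is None:
            proc.kill()
            proc.wait()
    return visible


def secret_exposed(secret, via_argv):
    """True if the secret appears in the helper's visible command line."""
    return any(secret in arg for arg in run_helper(secret, via_argv))


if __name__ == "__main__":
    print("secret in argv  ->", secret_exposed(SECRET, via_argv=True))
    print("secret on stdin ->", secret_exposed(SECRET, via_argv=False))
```

The same check applies to any program that launches a helper with credentials: if the secret shows up in `/proc/<pid>/cmdline`, it is also likely to end up wherever executed commands are logged.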
Statement: This issue did not affect the versions of gnome-settings-daemon as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include the subscription-manager plugin.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14391
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0266 https://access.redhat.com/errata/RHSA-2021:0266