Subscription-manager's new DBus interface allows an unprivileged local user to access information known only to root, and/or to modify the subscription-manager configuration file.
An attacker could use this flaw to escalate their privileges, or to gain access to private information.
Commit enabling the DBus interface (subscription-manager-1.19.0):
Required patches:
* Lock down Facts object to be accessible to root only.
* 1434094: Deny D-BUS Config.Set from non-root
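As an added illustration (not code from subscription-manager or from this report), the following sketch audits a D-Bus system policy for the two conditions the patches above address: a non-root caller reaching a root-only object, and a non-root caller invoking a configuration setter. The bus name `org.example.Svc1`, the member name `GetFacts`, the user `alice` and both policy files are constructed placeholders, and the evaluator is simplified: it handles only `send_*` rules, ignores `context="mandatory"`, and assumes the bus denies any method call that no rule allows.

```python
import xml.etree.ElementTree as ET

SVC = "org.example.Svc1"  # placeholder bus name, not subscription-manager's
# Constructed policies. WEAK lets any local user call every method.
WEAK = f"""<busconfig>
  <policy user="root"><allow own="{SVC}"/></policy>
  <policy context="default"><allow send_destination="{SVC}"/></policy>
</busconfig>"""
# HARDENED: Facts is reachable by root only; non-root may read Config but not Set.
HARDENED = f"""<busconfig>
  <policy user="root">
    <allow own="{SVC}"/>
    <allow send_destination="{SVC}"/>
  </policy>
  <policy context="default">
    <allow send_destination="{SVC}" send_interface="{SVC}.Config"/>
    <deny send_destination="{SVC}" send_interface="{SVC}.Config" send_member="Set"/>
  </policy>
</busconfig>"""
SEND_ATTRS = {"send_destination", "send_interface", "send_member"}

def may_call(policy_xml, user, iface, member, dest=SVC):
    """True if `user` may send this method call; the last matching rule wins."""
    msg = {"send_destination": dest, "send_interface": iface, "send_member": member}
    policies = [p for p in ET.fromstring(policy_xml).iter("policy")
                if p.get("context") == "default" or p.get("user") == user]
    # dbus-daemon applies context="default" before user= policies, whatever the file order.
    policies.sort(key=lambda p: p.get("context") != "default")
    verdict = False  # assumption: the bus denies method calls that no rule allows
    for policy in policies:
        for rule in policy:
            attrs = rule.attrib
            # Simplification: only allow/deny rules made purely of send_* attributes.
            if rule.tag not in ("allow", "deny") or not attrs or set(attrs) - SEND_ATTRS:
                continue
            if all(v in ("*", msg[k]) for k, v in attrs.items()):
                verdict = rule.tag == "allow"
    return verdict

def audit(policy_xml, user="alice"):
    """Sensitive calls (hypothetical member names) that `user` can still make."""
    sensitive = [(f"{SVC}.Config", "Set"), (f"{SVC}.Facts", "GetFacts")]
    return [f"{i}.{m}" for i, m in sensitive if may_call(policy_xml, user, i, m)]

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```

An empty list from `audit` means the non-root user can reach neither sensitive call under the policy being checked.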
Created subscription-manager tracking bugs for this issue:
Affects: fedora-all [bug 1434493]
This issue did not affect the versions of subscription-manager as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for the DBus interface.
Name: Cedric Buissart (Red Hat)