Bug 1434100 (CVE-2017-2663) - CVE-2017-2663 subscription-manager: unsafe dbus interface
Summary: CVE-2017-2663 subscription-manager: unsafe dbus interface
Alias: CVE-2017-2663
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1434493
Blocks: 1433383
TreeView+ depends on / blocked
Reported: 2017-03-20 17:35 UTC by Cedric Buissart 🐶
Modified: 2019-09-29 14:08 UTC (History)
6 users (show)

Fixed In Version: subscription-manager 1.19.4
Doc Type: If docs needed, set a value
Doc Text:
It was found that subscription-manager's DBus interface let unprivileged user access the com.redhat.RHSM1.Facts.GetFacts and com.redhat.RHSM1.Config.Set methods. An unprivileged local attacker could use these methods to gain access to private information, or launch a privilege escalation attack.
Clone Of:
Last Closed: 2017-03-22 08:51:30 UTC

Attachments (Terms of Use)

Description Cedric Buissart 🐶 2017-03-20 17:35:18 UTC
Subscription-manager's new DBus interface allows unprivileged local user to have access to information known to root only, and/or to modify subscription-manager configuration file.
An attacker could use this flaw to escalate its privileges, or to gain access to private information.

Commit enabling the dbus interface (subscription-manager-1.19.0) :

Comment 1 Cedric Buissart 🐶 2017-03-21 10:18:03 UTC
Required patches :
 * Lock down Facts object to be accessible to root only.
 * 1434094: Deny D-BUS Config.Set from non-root

Comment 2 Cedric Buissart 🐶 2017-03-21 15:43:25 UTC
Created subscription-manager tracking bugs for this issue:

Affects: fedora-all [bug 1434493]

Comment 3 Cedric Buissart 🐶 2017-03-21 15:45:59 UTC

This issue did not affect the versions of subscription-manager as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for the DBus interface.

Comment 4 Cedric Buissart 🐶 2017-03-21 16:27:00 UTC

Name: Cedric Buissart (Red Hat)

Note You need to log in before you can comment on or make changes to this bug.