CI Operators:
A vulnerability in the "subscription-manager" command (included with Red Hat Enterprise Linux and its rebuilds) has been disclosed [1] which could allow a local user to escalate privileges to root. The vulnerability has a CVSSv3 score of 7.8 and is tracked as CVE-2023-3899 [2].
Impact:
A local, unprivileged user could abuse the subscription-manager D-Bus service (rhsm.service) to set configuration directives for the "subscription-manager" command and thereby escalate their privileges to root.
Affected Software:
RHEL 7 (rated CVSSv3 6.1 for that release [3]), RHEL 8 and RHEL 9, including rebuilds such as CentOS, Rocky Linux [4] and AlmaLinux [5].
Recommendation:
Update subscription-manager as soon as possible. Patches are available for most affected versions of Red Hat Enterprise Linux and its rebuilds.
Until the patch can be applied, the vulnerability can be mitigated temporarily by masking rhsm.service as follows:
systemctl mask rhsm.service
When rhsm.service is masked, D-Bus calls to it fail with the error "Call failed: Could not activate remote peer." Masking prevents the unit from being activated again but does not stop an instance that is already running, so also run "systemctl stop rhsm.service" if the service is active. Note that any application relying on the subscription-manager D-Bus API will not work until the service is unmasked with "systemctl unmask rhsm.service".
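The following script, an added example that is not part of this advisory or of Red Hat's own tooling, checks whether a host has the temporary mitigation in place and whether the installed package changelog mentions the CVE. It assumes the output conventions of "systemctl is-enabled", that Red Hat's package changelog names the CVE in the fixing entry, and the com.redhat.RHSM1 D-Bus bus name and Config object exposed by subscription-manager; all three are assumptions about the tooling, not facts stated by the advisory.

```shell
#!/bin/sh
# Added example, not from the Trusted CI advisory or from Red Hat.
# Reports the mitigation/patch status for CVE-2023-3899 on a RHEL-family host.

# Map the output of `systemctl is-enabled rhsm.service` to a verdict.
# Takes the state string as $1 so the logic can be exercised on constructed input.
rhsm_verdict() {
    case "$1" in
        masked|masked-runtime) echo "mitigated" ;;     # unit cannot be activated
        "")                    echo "unknown" ;;       # unit missing or query failed
        *)                     echo "unmitigated" ;;   # enabled, disabled, static, ...
    esac
}

# Assumption: Red Hat's fix entry in the rpm changelog names the CVE.
# Returns 0 if the installed subscription-manager changelog mentions it,
# 1 if it does not, 2 if rpm is unavailable.
rhsm_patched_by_changelog() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog subscription-manager 2>/dev/null | grep -q "CVE-2023-3899"
}

# Assumption: the bus name, object path and GetAll(s locale) signature of the
# subscription-manager Config D-Bus interface. Returns 0 if the call is refused
# (expected when rhsm.service is masked), 1 if it succeeds, 2 if busctl is absent.
rhsm_dbus_blocked() {
    command -v busctl >/dev/null 2>&1 || return 2
    if busctl --system call com.redhat.RHSM1 /com/redhat/RHSM1/Config \
            com.redhat.RHSM1.Config GetAll s "" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

main() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found; not a systemd host" >&2
        return 2
    fi
    state=$(systemctl is-enabled rhsm.service 2>/dev/null || true)
    echo "rhsm.service unit state: ${state:-<none>} -> $(rhsm_verdict "$state")"
    if systemctl is-active --quiet rhsm.service; then
        echo "rhsm.service is currently running; masking alone does not stop it"
    fi
    if rhsm_patched_by_changelog; then
        echo "installed subscription-manager changelog mentions CVE-2023-3899"
    else
        echo "no CVE-2023-3899 entry found in the installed package changelog"
    fi
    rhsm_dbus_blocked
    case $? in
        0) echo "D-Bus call to com.redhat.RHSM1 refused (service blocked)" ;;
        1) echo "D-Bus call to com.redhat.RHSM1 succeeded (service reachable)" ;;
        2) echo "busctl not available; skipping D-Bus probe" ;;
    esac
}

main "$@" || :
```

Run it as root on each host after masking or patching; a "mitigated" verdict together with a refused D-Bus call confirms the mask is effective, while a changelog hit indicates the host is running a build that carries the fix and no longer needs the mask.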
References:
[1] https://access.redhat.com/security/cve/CVE-2023-3899
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3899
[3] https://access.redhat.com/errata/RHSA-2023:4701
[4] https://security.snyk.io/vuln/SNYK-ROCKY9-SUBSCRIPTIONMANAGER-5855790
[5] https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2023-3899/
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.