CVE-2023-3972

Summary

A vulnerability was found in insights-client. This security issue occurs because of insecure file operations or unsafe handling of temporary files and directories that lead to local privilege escalation. Before the insights-client has been registered on the system by root, an unprivileged local user or attacker could create the /var/tmp/insights-client directory (owning the directory with read, write, and execute permissions) on the system. After the insights-client is registered by root, an attacker could then control the directory content that insights are using by putting malicious scripts into it and executing arbitrary code as root (trivially bypassing SELinux protections because insights processes are allowed to disable SELinux system-wide).

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Enterprise Linux 70:3.1.9-1.el7_9 < *unaffected
Red HatRed Hat Enterprise Linux 80:3.2.2-1.el8_8 < *unaffected
Red HatRed Hat Enterprise Linux 8.1 Update Services for SAP Solutions0:3.2.3-1.el8_1 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support0:3.2.3-1.el8_2 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Telecommunications Update Service0:3.2.3-1.el8_2 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Update Services for SAP Solutions0:3.2.3-1.el8_2 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support0:3.2.3-1.el8_4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Telecommunications Update Service0:3.2.3-1.el8_4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Update Services for SAP Solutions0:3.2.3-1.el8_4 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support0:3.2.2-1.el8_6 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.2.2-1.el9_2 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support0:3.2.2-1.el9_0 < *unaffected

Weaknesses

  • CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Workarounds

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References