CVE-2023-3899
Rocky Linux vulnerability analysis and mitigation

Overview

CVE-2023-3899 affects the subscription-manager package, discovered and disclosed in July 2023. The vulnerability exists in the D-Bus interface com.redhat.RHSM1 which exposes methods that could change the registration state. This security issue affects Red Hat Enterprise Linux systems and related products running subscription-manager versions from 1.26.15-1 and above (Red Hat CVE).

Technical details

The vulnerability stems from inadequate authorization in the D-Bus interface com.redhat.RHSM1, specifically in the Config.SetAll() method. The interface exposes numerous methods to all users that can modify the registration state. The CVSS base score is 7.8 HIGH with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).

Impact

The vulnerability allows a low-privileged local user to tamper with the system's registration state, including the ability to unregister the system or modify current entitlements. More critically, through the Config.SetAll() method, attackers can set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be exploited to achieve local privilege escalation to unconfined root (Red Hat Bugzilla).

Mitigation and workarounds

Red Hat has released security updates to address this vulnerability across multiple product versions. Updates are available through advisories RHSA-2023:4701 to RHSA-2023:4708 for the affected versions of Red Hat Enterprise Linux. Fedora has also released fixes in subscription-manager version 1.29.37 for Fedora 37 and 38 (Fedora Update).
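For triage, the practical question is whether the installed subscription-manager build is at or above the fixed version. The script below is an added example, not from the page, Red Hat or Fedora; it parses `rpm -q`-style package strings from a constructed inventory and compares the version component using a simplified reimplementation of RPM's `rpmvercmp` ordering (tilde and caret handling omitted). The threshold `1.29.37` is the Fedora fix version the page states; for RHEL or Rocky Linux the threshold must come from the applicable RHSA, which this page does not quote, so it is passed in as a parameter rather than hard-coded.

```python
"""Check installed subscription-manager builds against a fixed version.
Added example; the package strings below are constructed sample data."""
import re

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")
KNOWN_ARCH = {"x86_64", "aarch64", "noarch", "i686", "ppc64le", "s390x"}


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version strings (simplified rpmvercmp): returns -1, 0 or 1.
    Segments are compared pairwise; numeric segments compare numerically,
    alphabetic ones lexically, and a numeric segment sorts after an alphabetic one."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(pkg: str):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    base, _, arch = pkg.rpartition(".")
    if arch not in KNOWN_ARCH:
        base = pkg
    name, version, release = base.rsplit("-", 2)
    return name, version, release


def is_fixed(pkg: str, fixed_version: str) -> bool:
    """True if the package's version is >= fixed_version."""
    _, version, _ = parse_nvr(pkg)
    return rpmvercmp(version, fixed_version) >= 0


def audit(inventory, fixed_version: str):
    """Return [(package, fixed?)] for every subscription-manager entry in an
    inventory of rpm -q style strings."""
    results = []
    for pkg in inventory:
        name, _, _ = parse_nvr(pkg)
        if name == "subscription-manager":
            results.append((pkg, is_fixed(pkg, fixed_version)))
    return results


# Constructed sample inventory, as `rpm -qa` might print it.
SAMPLE_INVENTORY = [
    "subscription-manager-1.29.30-1.fc38.x86_64",   # constructed: below fix
    "subscription-manager-1.29.37-1.fc38.x86_64",   # constructed: at fix
    "python3-subscription-manager-rhsm-1.29.30-1.fc38.x86_64",
    "subscription-manager-1.30.2-1.fc39.noarch",    # constructed: above fix
]

if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE_INVENTORY, "1.29.37"):
        print(f"{'fixed' if ok else 'VULNERABLE':10} {pkg}")
```

On a live host, feed `rpm -q subscription-manager` (or an `rpm -qa` dump from a fleet inventory) into `audit` with the threshold taken from the advisory that applies to that distribution and release.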

This report was generated using AI.
