CVE-2014-3585
📋 TL;DR
CVE-2014-3585 is a vulnerability in redhat-upgrade-tool, the Red Hat Upgrade Tool used for in-place upgrades from Red Hat Enterprise Linux 6 to 7. The tool did not verify the GPG signatures of the packages it downloaded for the upgrade, so anything an attacker could substitute on the download path (a man-in-the-middle on the network, or a compromised mirror or repository) was installed as root during the upgrade without any check, which can mean complete compromise of the upgraded system. Affected systems are RHEL 6 hosts on which the vulnerable version of redhat-upgrade-tool is installed or has already been run.
💻 Affected Systems
- redhat-upgrade-tool
📦 What is this software?
redhat-upgrade-tool (the Red Hat Upgrade Tool, derived from Fedora's fedup) is the supported path for an in-place upgrade from RHEL 6 to RHEL 7. Run on a RHEL 6 host, it downloads the RHEL 7 packages and the upgrade boot images from the configured repositories, then reboots into an upgrade environment that installs them. Because everything it fetches is later installed with root privileges, the integrity of that download is the only thing standing between a network attacker and the upgraded system.
⚠️ Risk & Real-World Impact
Worst Case
A network attacker who can intercept or redirect the upgrade download replaces one or more RHEL 7 packages with trojaned ones. They are installed as root during the upgrade, giving the attacker a persistent foothold (backdoored system binaries or services, stolen credentials, staged ransomware) on a host its owners believe was just freshly upgraded.
Likely Case
Remote code execution as root by an attacker positioned between the host and its package mirror (a hostile or shared network segment, a poisoned DNS answer, or a compromised mirror). No account on the target is needed; the upgrade itself performs the installation.
If Mitigated
If the upgrade content is fetched only from a trusted mirror over a trusted network path, or the patched tool (which verifies signatures) is used, the attacker has no way to inject packages and the flaw is not reachable.
🎯 Exploit Status
Exploitation requires the ability to substitute packages on the upgrade tool's download path, typically from a man-in-the-middle position on the network or through a compromised repository or mirror. The attacker cannot start the upgrade, so the window of exposure is the time during which an administrator runs the vulnerable tool and it downloads packages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Updated redhat-upgrade-tool packages that verify the GPG signatures of downloaded packages during the upgrade (the fixed version-release is given in the vendor advisory below)
Vendor Advisory: https://access.redhat.com/security/cve/cve-2014-3585
Restart Required: No
Instructions:
1. Update redhat-upgrade-tool via yum before starting the RHEL 6 to 7 upgrade: sudo yum update redhat-upgrade-tool
2. Run the upgrade only with the updated tool, and do not pass any option that turns signature checking off
3. Before rebooting into the upgrade, verify the signatures of the downloaded packages yourself and abort if any is unsigned or signed by an unknown key
🔧 Temporary Workarounds
Do not run the vulnerable tool
Remove (or hold) the vulnerable redhat-upgrade-tool and postpone the RHEL 6 to 7 in-place upgrade until the fixed package is installed:
sudo yum remove redhat-upgrade-tool
Use signed repositories only
Keep gpgcheck enabled for every repository so that ordinary yum operations reject unsigned packages, and disable any unsigned sources:
sudo yum-config-manager --setopt=gpgcheck=1 --save
Note that this does not by itself close CVE-2014-3585: the flaw is that the upgrade tool ignored signatures on what it downloaded, so yum's gpgcheck setting protects ordinary yum transactions, not the upgrade run.
🧯 If You Can't Patch
- Run the upgrade download only from a trusted network segment to a trusted mirror (ideally an internal mirror reached over HTTPS), so that no man-in-the-middle position exists on the path
- Verify the signatures of the downloaded packages yourself before rebooting into the upgrade, and abort if any package is unsigned or signed by a key other than the Red Hat release key
- Restrict who may run the upgrade tool, and monitor the hosts on which it is used
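An added example (not from this page or Red Hat's tooling) of the manual check behind the two points above: classify `rpm -K` output for each downloaded package and refuse to proceed unless every package carries a signature from a key the RPM database trusts. The download directory /var/lib/system-upgrade (the directory fedup uses), the --run flag and the sample output lines in the comments are assumptions or constructed for the example; confirm the directory on your own host.

```shell
#!/bin/sh
# Manual signature check of the packages redhat-upgrade-tool has downloaded,
# to run before rebooting into the upgrade. Added example, not Red Hat's code.
#
# Assumptions (not stated on the page):
#   - the download directory is /var/lib/system-upgrade (what fedup, which
#     redhat-upgrade-tool is derived from, uses); confirm on your host
#   - the Red Hat signing key is already imported into the RPM database
#     (rpm -q gpg-pubkey); otherwise every package reports MISSING KEYS and
#     is counted as a failure, which is the safe direction
DOWNLOAD_DIR="${DOWNLOAD_DIR:-/var/lib/system-upgrade}"

# Classify one line of `rpm -K` output as signed / unsigned / bad.
# Old rpm (RHEL 6): "x.rpm: rsa sha1 (md5) pgp md5 OK"                 -> signed
#                   "x.rpm: sha1 md5 OK"                                -> unsigned
#                   "x.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: GPG#...)" -> bad
# New rpm:          "x.rpm: digests signatures OK"                      -> signed
#                   "x.rpm: digests OK"                                 -> unsigned
#                   "x.rpm: digests SIGNATURES NOT OK"                  -> bad
# A plain "OK" therefore does NOT mean signed; only the pgp/gpg/signatures
# tokens do.
rpm_sig_status() {
    # Drop the file name first: a name such as gpgme-1.1.8.rpm would otherwise
    # match the signature keywords below.
    status=$(printf '%s' "${1#*: }" | tr 'A-Z' 'a-z')
    case "$status" in
        *"not ok"*)               echo bad ;;
        *pgp*|*gpg*|*signatures*) echo signed ;;
        *)                        echo unsigned ;;
    esac
}

# Run rpm -K over every .rpm in a directory, print one "verdict<TAB>file" line
# each, and return 0 only if every package is signed by a trusted key.
# Returns 2 if the directory holds no .rpm files at all.
audit_downloaded_rpms() {
    dir=$1
    rc=0
    found=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        found=1
        # rpm -K exits non-zero on NOT OK; keep going and record the verdict
        out=$(rpm -K "$f" 2>&1 || true)
        st=$(rpm_sig_status "$out")
        printf '%s\t%s\n' "$st" "$f"
        [ "$st" = signed ] || rc=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no .rpm files found in $dir" >&2
        return 2
    fi
    return "$rc"
}

# Usage: sh check-downloads.sh --run   (audits $DOWNLOAD_DIR on this host)
if [ "${1-}" = "--run" ]; then
    if audit_downloaded_rpms "$DOWNLOAD_DIR"; then
        echo "all downloaded packages carry a trusted signature"
    else
        echo "ABORT the upgrade: unsigned or untrusted packages found" >&2
        exit 1
    fi
fi
```

The classifier fails closed: a package signed by a key that is not in the RPM database shows up as NOT OK (MISSING KEYS) and is counted as a failure, which is what you want when the whole point is that an attacker may have substituted packages signed with their own key.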
🔍 How to Verify
Check if Vulnerable:
Check that the package is installed and note its version-release: rpm -q redhat-upgrade-tool
Check Version:
rpm -q redhat-upgrade-tool --queryformat '%{VERSION}-%{RELEASE}\n'
Verify Fix Applied:
The host is fixed if the version-release printed above is at or above the fixed version-release named in the vendor advisory. If the RHEL 6 to 7 upgrade has already been run with the vulnerable tool, also audit the signatures of the installed packages: the fix protects future upgrades but says nothing about what an earlier run installed.
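An added example (not from this page or Red Hat) that turns the check above into a script: it reads the installed version-release, compares it with the fixed one and reports not-installed, vulnerable or fixed. The fixed version-release is not given on this page, so it is taken as the script's first argument; the version strings used in the comments are placeholders, and the use of rpmdev-vercmp with a sort -V fallback is this example's own choice.

```shell
#!/bin/sh
# Decide whether the installed redhat-upgrade-tool is at or above the fixed
# version-release. Added example, not Red Hat's code. The fixed
# version-release itself is not on this page: take it from the vendor
# advisory and pass it as the first argument, e.g.
#   sh check-upgrade-tool.sh <fixed-version-release>

# version_ge A B: true if RPM version-release A is >= B.
# rpmdev-vercmp (rpmdevtools) implements RPM's real comparison rules and
# exits 0 for equal, 11 if A is newer, 12 if B is newer. Without it we fall
# back to GNU sort -V, which agrees for ordinary 1.2.3-4.el6 style strings
# but does not know RPM's tilde/caret rules, so treat it as a heuristic.
version_ge() {
    a=$1; b=$2
    if command -v rpmdev-vercmp >/dev/null 2>&1; then
        rc=0
        rpmdev-vercmp "$a" "$b" >/dev/null 2>&1 || rc=$?
        case $rc in
            0|11) return 0 ;;
            *)    return 1 ;;
        esac
    fi
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)" = "$b" ]
}

# vuln_state INSTALLED FIXED -> prints not-installed, vulnerable or fixed.
# INSTALLED is what `rpm -q --queryformat '%{VERSION}-%{RELEASE}'` printed,
# or empty if the package is absent (absent means the vulnerable code cannot run).
vuln_state() {
    installed=$1; fixed=$2
    if [ -z "$installed" ]; then
        echo not-installed
    elif version_ge "$installed" "$fixed"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# check_host FIXED: query the RPM database on this host and report.
# Exit status is non-zero only when the host is vulnerable.
check_host() {
    fixed=$1
    if rpm -q redhat-upgrade-tool >/dev/null 2>&1; then
        installed=$(rpm -q redhat-upgrade-tool --queryformat '%{VERSION}-%{RELEASE}\n')
    else
        installed=""
    fi
    state=$(vuln_state "$installed" "$fixed")
    printf 'redhat-upgrade-tool: %s (installed: %s, fixed: %s)\n' \
        "$state" "${installed:-none}" "$fixed"
    [ "$state" != vulnerable ]
}

if [ "$#" -ge 1 ]; then
    check_host "$1"
fi
```

Run it from your configuration-management or inventory tooling with the fixed version-release from the advisory; a non-zero exit marks hosts that still carry the vulnerable tool.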
📡 Detection & Monitoring
Log Indicators:
- redhat-upgrade-tool being executed outside a planned upgrade window (audit execve records, shell history, the tool's own log)
- Packages in the RPM database that are unsigned or signed by a key other than the Red Hat release key, on a host that was upgraded with the vulnerable tool
- Signature failures reported by rpm or yum on a recently upgraded host
Network Indicators:
- Upgrade downloads going to a host other than the configured repository or mirror, or over plain HTTP where HTTPS was expected
- DNS answers or routes for the repository hostname changing while the download is in progress
SIEM Query:
source="system_logs" AND "redhat-upgrade-tool"
The query deliberately has no clause such as NOT "GPG signature verified": the vulnerable tool never logged a signature check, so such a clause would match every upgrade run and discriminate nothing. Alert on executions of the tool and correlate them with your change calendar; a post-upgrade audit of the installed packages' signatures is the reliable way to tell whether unsigned or foreign-signed content was installed.