CVE-2022-31254
📋 TL;DR
This vulnerability allows local attackers with access to the _rmt user account to escalate privileges to root due to incorrect default permissions in the rmt-server-regsharing service. It affects SUSE Linux Enterprise Server for SAP and openSUSE Leap systems running vulnerable versions of rmt-server. The flaw enables complete system compromise through privilege escalation.
💻 Affected Systems
- SUSE Linux Enterprise Server for SAP
- SUSE Manager Server
- openSUSE Leap
📦 What is this software?
RMT Server by openSUSE
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover by local attackers gaining root privileges, allowing installation of persistent backdoors, data theft, and lateral movement across the network.
Likely Case
Local privilege escalation by authenticated attackers or compromised _rmt accounts leading to full administrative control of affected systems.
If Mitigated
Limited impact if proper access controls restrict _rmt user access and privilege escalation paths are monitored.
🎯 Exploit Status
Exploitation requires local access to the _rmt user account. The vulnerability is in default permissions, making exploitation straightforward for attackers with the required access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: rmt-server version 2.10 or later
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1204285
Restart Required: Yes
Instructions:
1. Update rmt-server package to version 2.10 or later using your distribution's package manager.
2. For SUSE systems: 'zypper update rmt-server'.
3. For openSUSE systems: 'zypper update rmt-server'.
4. Restart the rmt-server service or reboot the system.
🔧 Temporary Workarounds
Restrict _rmt user access
Limit access to the _rmt user account to only authorized personnel and monitor for unauthorized access attempts.
# Review _rmt user permissions and access logs
# Check who has access: grep '_rmt' /etc/passwd /etc/shadow
# Monitor authentication logs (journald on SUSE; /var/log/auth.log only where rsyslog writes it): journalctl -f | grep '_rmt'
Disable unnecessary services
If the rmt-server-regsharing service is not required, disable it to reduce attack surface.
# Check service status: systemctl status rmt-server-regsharing
# Disable service: systemctl disable rmt-server-regsharing
# Stop service: systemctl stop rmt-server-regsharing
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized access to the _rmt user account
- Monitor system logs for privilege escalation attempts and unauthorized root access
🔍 How to Verify
Check if Vulnerable:
Check rmt-server version: rpm -q rmt-server. If version is earlier than 2.10, the system is vulnerable.
Check Version:
rpm -q rmt-server
Verify Fix Applied:
Verify rmt-server version is 2.10 or later. A digit regex such as 2\.[2-9] wrongly matches 2.9 as fixed, so compare with a version sort instead: printf '%s\n' 2.10 "$(rpm -q --qf '%{VERSION}' rmt-server)" | sort -V | head -n 1 (prints 2.10 when the installed version is 2.10 or later, otherwise the older installed version).
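The version check above, as an added example script (not from this advisory or the rmt-server project): it compares the installed rmt-server version against the fixed version 2.10 with a proper version sort, so 2.9 is reported as vulnerable while 2.10, 2.11 and 3.0 are reported as fixed. The function and variable names are this example's own; it assumes GNU sort (-V) and rpm are available.

```shell
#!/bin/sh
# Added example: version comparison for CVE-2022-31254 (rmt-server < 2.10).
# Assumes GNU coreutils sort with -V support; names here are illustrative.
FIXED_VERSION="2.10"

# Returns 0 (true) when $1 is an rmt-server version older than the fix.
# Accepts "2.9" or a version-release string such as "2.9-150400.1.1".
rmt_version_vulnerable() {
    v="$1"
    v="${v%%-*}"   # drop an rpm release suffix if one was passed
    # sort -V orders by numeric components, so 2.9 < 2.10 < 2.10.1 < 3.0.
    # If the lowest of (v, FIXED_VERSION) is v and they differ, v is older.
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ] && [ "$v" != "$FIXED_VERSION" ]
}

# Queries rpm for the installed package and prints a verdict.
# Exit status: 0 fixed, 1 vulnerable, 2 not installed.
check_installed_rmt() {
    if ! v=$(rpm -q --qf '%{VERSION}\n' rmt-server 2>/dev/null); then
        echo "rmt-server is not installed"
        return 2
    fi
    if rmt_version_vulnerable "$v"; then
        echo "rmt-server $v is VULNERABLE (CVE-2022-31254): update to $FIXED_VERSION or later"
        return 1
    fi
    echo "rmt-server $v is fixed ($FIXED_VERSION or later)"
    return 0
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced and tested without rpm present.
if [ "${1:-}" = "--check" ]; then
    check_installed_rmt
fi
```

Run it as `sh rmt_check.sh --check` on the host being verified; the exit status can be consumed by configuration-management or inventory tooling.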
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation from _rmt user to root
- Failed or successful authentication attempts to _rmt account
- Changes to system files or permissions by _rmt user
Network Indicators:
- Unusual SSH or local login patterns involving _rmt user
SIEM Query:
source="*auth.log*" AND (_rmt AND (su OR sudo OR "privilege escalation"))