CVE-2023-3972
📋 TL;DR
This vulnerability allows unprivileged local users to escalate privileges to root by exploiting insecure temporary directory handling in insights-client. Attackers can create and control the /var/tmp/insights-client directory before root registration, then execute arbitrary code as root after registration. This affects systems running vulnerable versions of insights-client before root registration occurs.
💻 Affected Systems
- insights-client
📦 What is this software?
- Enterprise Linux for IBM Z Systems by Red Hat
- Enterprise Linux for IBM Z Systems EUS by Red Hat
- Enterprise Linux for Power Big Endian by Red Hat
- Enterprise Linux for Power Little Endian by Red Hat
- Enterprise Linux for Power Little Endian EUS by Red Hat
- Enterprise Linux for Scientific Computing by Red Hat
- Enterprise Linux Server Update Services for SAP Solutions by Red Hat
- Enterprise Linux Update Services for SAP Solutions by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise with arbitrary code execution, bypassing SELinux protections system-wide, leading to complete system takeover and potential lateral movement.
Likely Case
Local privilege escalation allowing attackers to gain root access on affected systems, potentially installing persistent backdoors or accessing sensitive data.
If Mitigated
No impact if proper patching is applied before root registration or if directory permissions are properly secured.
🎯 Exploit Status
Exploitation requires local access and timing (before root registration). The attack vector is straightforward once the directory creation opportunity exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched versions in Red Hat advisories RHSA-2023:6264, RHSA-2023:6282, RHSA-2023:6283, RHSA-2023:6284, RHSA-2023:6795
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:6264
Restart Required: No
Instructions:
1. Update insights-client using yum update insights-client.
2. Verify the update completed successfully.
3. Ensure insights-client is registered by root if not already done.
🔧 Temporary Workarounds
Secure directory permissions
Manually secure the /var/tmp/insights-client directory permissions to prevent unauthorized creation or modification:
mkdir -p /var/tmp/insights-client
chmod 700 /var/tmp/insights-client
chown root:root /var/tmp/insights-client
Note that mkdir -p leaves an existing directory in place, so if /var/tmp/insights-client already exists and is not owned by root, inspect its contents and remove it before running these commands.
Early root registration
Register insights-client with root privileges immediately to close the vulnerability window:
insights-client --register
🧯 If You Can't Patch
- Ensure insights-client is registered by root immediately to close the vulnerability window
- Monitor for unauthorized directory creation in /var/tmp/ and implement strict file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check whether /var/tmp/insights-client exists and is owned or writable by a non-root user before root registration:
ls -ld /var/tmp/insights-client
Check Version:
rpm -q insights-client
Verify Fix Applied:
Verify that the insights-client version is patched:
rpm -q insights-client
Then confirm the directory permissions are secure:
ls -ld /var/tmp/insights-client
The output should show root ownership and mode 700 (drwx------).
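The manual ls -ld check above is easy to misread on a fleet. The following shell function is an added example (not part of the advisory or of insights-client) that encodes the same check: it reports whether the temporary directory is absent, root-owned with mode 700, or in a state the advisory describes as exploitable. It assumes GNU stat (Linux); the optional directory argument exists only so the check can be exercised against a constructed test directory.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the insights-client temporary
# directory for the ownership/permission condition described in CVE-2023-3972.
#
# Usage: check_insights_tmpdir [DIR]     (DIR defaults to /var/tmp/insights-client)
# Return codes:
#   0  directory is absent, or is root-owned with mode 700
#   1  directory exists but is not root-owned or not mode 700
#   2  path exists but is a symlink or not a directory at all
# Assumes GNU coreutils stat (-c '%u' / -c '%a'), as found on RHEL.
check_insights_tmpdir() {
    dir="${1:-/var/tmp/insights-client}"

    # Absent: nothing has been pre-created, so registration will create it as root.
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo "absent: $dir does not exist"
        return 0
    fi

    # A symlink standing in for the directory is never acceptable here.
    if [ -L "$dir" ]; then
        echo "UNSAFE: $dir is a symbolic link"
        return 2
    fi

    if [ ! -d "$dir" ]; then
        echo "UNSAFE: $dir exists but is not a directory"
        return 2
    fi

    uid=$(stat -c '%u' "$dir")    # numeric owner uid
    mode=$(stat -c '%a' "$dir")   # octal permission bits, e.g. 700

    if [ "$uid" != "0" ]; then
        echo "UNSAFE: $dir is owned by uid $uid, expected root (0)"
        return 1
    fi

    if [ "$mode" != "700" ]; then
        echo "UNSAFE: $dir has mode $mode, expected 700"
        return 1
    fi

    echo "ok: $dir is root-owned with mode 700"
    return 0
}

# Stand-alone use: check the real path and exit with the verdict code.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    check_insights_tmpdir "$@"
fi
```

Run it as part of a pre-registration checklist or from a configuration-management check; a non-zero exit on a host that has not yet been registered is the signal to investigate the directory before running insights-client --register.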
📡 Detection & Monitoring
Log Indicators:
- Unauthorized directory creation in /var/tmp/
- Unexpected processes running as root from /var/tmp/insights-client/
- Failed attempts to modify /var/tmp/insights-client directory
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
Process creation where parent process is insights-client and command line contains paths in /var/tmp/insights-client/
🔗 References
- https://access.redhat.com/errata/RHSA-2023:6264
- https://access.redhat.com/errata/RHSA-2023:6282
- https://access.redhat.com/errata/RHSA-2023:6283
- https://access.redhat.com/errata/RHSA-2023:6284
- https://access.redhat.com/errata/RHSA-2023:6795
- https://access.redhat.com/errata/RHSA-2023:6796
- https://access.redhat.com/errata/RHSA-2023:6798
- https://access.redhat.com/errata/RHSA-2023:6811
- https://access.redhat.com/security/cve/CVE-2023-3972
- https://bugzilla.redhat.com/show_bug.cgi?id=2227027
- https://github.com/RedHatInsights/insights-core/pull/3878