CVE-2022-0852: [RHELC-432] Pass the rhsm password securely to subscription-manager

There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager on the command line, which could allow unauthorized local users on the machine to read the password from the process command line with tools such as htop or ps. The specific impact depends on the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.


When convert2rhel registers a system with subscription-manager, it shells out to the subscription-manager program. If the user gave convert2rhel a password to authenticate with subscription-manager, that password ends up on the subscription-manager command line. Passing secrets on the command line is insecure because unprivileged users can read the process list, which includes each command and all of its arguments.

In the short term we can handle this problem by invoking subscription-manager via pexpect.spawn() without giving it the password. In this case, subscription-manager will interactively prompt for the password and we can then use pexpect to send the password.
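As an added illustration of the short-term fix (example code, not convert2rhel's own), the following uses Python's standard pty module instead of pexpect to spawn the command without the password on its argv, wait for the prompt, and type the secret; FAKE_SUBMAN is a constructed stand-in for subscription-manager so the example runs offline.

```python
import os
import pty
import select
import sys
import time

# Insecure form, as in CVE-2022-0852: the password is an argv element, so any
# local user can read it from /proc/<pid>/cmdline, ps or htop:
#   ["subscription-manager", "register", "--username", user, "--password", pw]
# Safer form: leave the password off argv and answer the interactive prompt.

# Constructed stand-in for subscription-manager (an assumption, not the real
# tool): prompts on its controlling tty with echo off, exits 0 on a match.
FAKE_SUBMAN = [sys.executable, "-c",
               "import getpass, sys; p = getpass.getpass('Password: '); "
               "sys.exit(0 if p == 'correct horse' else 1)"]


def run_with_prompt(argv, prompt, secret, timeout=10.0):
    """Run argv on a pseudo-terminal and type `secret` once `prompt` appears.
    Returns (exit_code, terminal_output); a negative code is the killing signal."""
    pid, fd = pty.fork()
    if pid == 0:                      # child: pty slave is its controlling tty
        try:
            os.execvp(argv[0], argv)
        except OSError:
            os._exit(127)
    output, sent = b"", False
    deadline = time.monotonic() + timeout
    while True:
        left = deadline - time.monotonic()
        if left <= 0:
            os.kill(pid, 9)           # give up; reaped below, code will be -9
            break
        if select.select([fd], [], [], left)[0]:
            try:
                chunk = os.read(fd, 4096)
            except OSError:           # Linux raises EIO once the child hangs up
                break
            if not chunk:
                break
            output += chunk
            if not sent and prompt.encode() in output:
                os.write(fd, secret.encode() + b"\n")   # to the tty, not argv
                sent = True
    os.close(fd)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return code, output.decode(errors="replace")
```

Because the prompting program turns off terminal echo before reading, the secret appears neither in the process list nor in the captured terminal output.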

Longer term, subscription-manager is going to add the ability to pass the password via a file, and we can then use that to pass in the password:

https://issues.redhat.com/browse/ENT-4724

Embargo lift date: TBD
