Advisory severity: high

Multiple Vulnerabilities in Red Hat Hardened Images RPMs

Multiple vulnerabilities in Red Hat Hardened Images RPMs can be exploited by an attacker to bypass security measures, escalate privileges, disclose sensitive information, manipulate data, or cause a denial-of-service condition.

Red Hat Hardened Images RPMs are susceptible to multiple vulnerabilities that could be exploited by a malicious actor. These vulnerabilities, if successfully exploited, can allow an attacker to bypass existing security controls, escalate their privileges within the system, gain unauthorized access to sensitive information, manipulate critical data, or trigger a denial-of-service (DoS) condition, impacting system availability and integrity. This advisory highlights the potential risks associated with these vulnerabilities in Red Hat Hardened Images RPMs, urging defenders to take immediate action.

Attack Chain

  1. An attacker identifies a vulnerable Red Hat Hardened Images RPM package.
  2. The attacker crafts a malicious RPM package or exploits an existing package.
  3. The attacker gains initial access to the system, potentially through social engineering or exploiting a separate vulnerability.
  4. The attacker installs the malicious or compromised RPM package, or triggers the vulnerable code path in the existing package.
  5. Exploitation occurs, potentially leading to privilege escalation, data manipulation, or information disclosure.
  6. The attacker leverages escalated privileges to access sensitive files and configurations.
  7. Data is exfiltrated, manipulated, or deleted, depending on the attacker’s objectives.
  8. The attacker achieves their final objective, such as disrupting services, stealing sensitive data, or establishing persistent access.

Impact

Successful exploitation of these vulnerabilities could lead to significant damage, including unauthorized access to sensitive data, manipulation of critical system configurations, and denial-of-service conditions. The number of affected systems depends on the deployment of Red Hat Hardened Images RPMs. A successful attack could result in financial losses, reputational damage, and disruption of critical services.

Recommendation

  • Deploy the Sigma rule detecting RPM package installations from unusual locations or by suspicious processes to identify potential exploitation attempts.
  • Investigate and validate any RPM installations originating from outside the standard Red Hat repositories.
  • Monitor process creation events for suspicious commands executed after RPM package installations.

Detection coverage (2 rules)

Detect RPM Package Installation from Unusual Location

Severity: medium

Detects RPM package installations from locations other than the standard repositories.

Rule type: Sigma. Tactics: defense_evasion. Techniques: T1562.001. Sources: process_creation, linux

Detect Suspicious Process Executed After RPM Install

Severity: high

Detects suspicious processes executed shortly after an RPM package installation, indicating potential exploitation.

Rule type: Sigma. Tactics: privilege_escalation. Techniques: T1068. Sources: process_creation, linux
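As an added illustration of the two rules described above (this is constructed example code, not the platform's own Sigma queries, which are not shown on this page), the following Python mirrors their logic over a few constructed Linux process_creation events: rule 1 flags an rpm/dnf/yum install whose argument is a local .rpm outside repository paths, and rule 2 pairs each install with suspicious images started shortly afterwards. The installer names, install flags, "unusual" directories, suspicious child images and the 60-second window are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed rule parameters (not from the page): installers and install flags,
# directories treated as non-repository sources, images considered suspicious
# as post-install children, and the window that counts as "shortly after".
RPM_INSTALLERS = {"rpm", "dnf", "yum"}
INSTALL_FLAGS = {"-i", "-U", "-ivh", "-Uvh", "install", "localinstall", "reinstall"}
UNUSUAL_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
SUSPICIOUS_CHILDREN = {"sh", "bash", "nc", "curl", "wget", "python3", "chmod"}
WINDOW_SECONDS = 60

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process_creation record of the kind a Linux audit/EDR source emits."""
    ts: int            # epoch seconds
    user: str
    image: str         # basename of the executable
    cmdline: str
    parent_image: str

def is_rpm_install(ev: ProcEvent) -> bool:
    args = ev.cmdline.split()
    return ev.image in RPM_INSTALLERS and any(a in INSTALL_FLAGS for a in args)

def rpm_from_unusual_location(ev: ProcEvent) -> bool:
    """Rule 1: an install whose argument is a local .rpm under a non-repository path.
    Installs by package name (resolved through configured repos) do not match."""
    if not is_rpm_install(ev):
        return False
    return any(a.endswith(".rpm") and a.startswith(UNUSUAL_DIRS) for a in ev.cmdline.split())

def suspicious_after_install(events):
    """Rule 2: suspicious image started within WINDOW_SECONDS after any install; returns (install, child) pairs."""
    ordered = sorted(events, key=lambda e: e.ts)
    installs = [e for e in ordered if is_rpm_install(e)]
    return [(inst, ev) for inst in installs for ev in ordered
            if ev.image in SUSPICIOUS_CHILDREN and 0 < ev.ts - inst.ts <= WINDOW_SECONDS]

# Constructed sample telemetry: a repo install, a local install from /tmp, a shell
# spawned by rpm a few seconds later (a scriptlet), and an unrelated curl later on.
SAMPLE_EVENTS = [
    ProcEvent(1000, "root", "dnf", "dnf install httpd", "bash"),
    ProcEvent(1200, "root", "rpm", "rpm -Uvh /tmp/.cache/agent-1.0.x86_64.rpm", "bash"),
    ProcEvent(1205, "root", "sh", "sh -c /tmp/.cache/post.sh", "rpm"),
    ProcEvent(1300, "root", "curl", "curl -sO https://mirror.example.invalid/x", "bash"),
]

if __name__ == "__main__":
    print([e.cmdline for e in SAMPLE_EVENTS if rpm_from_unusual_location(e)])
    print([(i.image, c.cmdline) for i, c in suspicious_after_install(SAMPLE_EVENTS)])
```

On the sample telemetry only the /tmp install trips rule 1, and only the shell spawned five seconds after it trips rule 2; the repository install and the later curl are not paired with anything.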

Detection queries are kept inside the platform.