CVE-2023-3972: Creation of Temporary File in Directory with Insecure Permissions in Red Hat Enterprise Linux 7
A vulnerability was found in insights-client. The issue is insecure file operations and unsafe handling of temporary files and directories, leading to local privilege escalation. Before insights-client has been registered on the system by root, an unprivileged local user can create the /var/tmp/insights-client directory and thereby own it with read, write and execute permission. After insights-client is registered by root, that user controls the contents of the directory the client uses: by placing malicious scripts in it they can execute arbitrary code as root, trivially bypassing SELinux, because insights processes are allowed to disable SELinux system-wide.
AI Analysis
Technical Summary
CVE-2023-3972 is a local privilege escalation in insights-client, the Red Hat Insights agent, on Red Hat Enterprise Linux 7, classified under CWE-379 (Creation of Temporary File in Directory with Insecure Permissions). The client uses /var/tmp/insights-client as a working directory. /var/tmp is world-writable (mode 1777, sticky), so any local user can create a directory of that name before the host is registered and thereby own it with full read, write and execute permission. When root later runs the registration, the client adopts the existing directory without checking that it is owned by root and not writable by others, so the attacker controls the scripts and files the client subsequently reads and executes, and those run as root. SELinux does not contain this: as the description notes, insights processes are permitted to disable SELinux system-wide, so a script launched through the client inherits that ability and the policy is not an effective barrier here. The CVSS v3.1 base score is 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a local attacker with an unprivileged account needs no user interaction and gains full confidentiality, integrity and availability impact. The page lists no public exploit, but the precondition (an unprivileged shell on a host that has insights-client installed but not yet registered) is common during provisioning, and the attack itself requires only creating the directory and dropping a file into it before registration runs.
Potential Impact
For European organizations this vulnerability is a local privilege escalation that can end in full system compromise: any attacker with a local account, including a compromised low-privilege service or user account, can obtain root, undermining confidentiality, integrity and availability. It is most relevant to government, finance, healthcare and critical-infrastructure operators, where RHEL 7 is commonly deployed on long-lived systems. Because the affected process may disable SELinux, a control many Linux hardening baselines rely on is not a mitigating factor. Exploitation could lead to unauthorized data access, service disruption and persistent footholds. Given that RHEL 7 remains widespread in enterprise and legacy estates across Europe, the exposure is broad, especially for organizations with slow patch cycles, shared-login hosts, or provisioning pipelines that install insights-client long before registering it.
Mitigation Recommendations
1. Apply the insights-client update Red Hat published for this CVE. That is the only complete fix; the remaining steps reduce exposure until it is installed.
2. Before registering a host, check whether /var/tmp/insights-client already exists. If it does and is not owned by root, is group- or world-writable, or is a symlink, treat the host as potentially compromised: preserve the directory contents for investigation, then remove it as root. If it is absent, pre-create it as root with mode 0755 so an unprivileged user can no longer claim it. Note that /var/tmp is sticky (1777), so only root or the owner can remove a directory an attacker has planted there.
3. Limit which local accounts can log in to hosts that will be registered, and register new hosts during provisioning, before any unprivileged user has shell access.
4. Monitor /var/tmp for creation of a directory named insights-client (for example with an auditd watch on /var/tmp for write and attribute changes, auditctl -w /var/tmp -p wa) and alert when such a directory is not owned by root.
5. If insights-client is not needed on a host, do not install or enable it: an installed but unregistered client is exactly the window this attack needs. Where it is needed, run it only on hosts with tightly controlled local access.
6. Use file integrity monitoring on /var/tmp/insights-client and on the insights-client installation paths to detect unauthorized scripts.
7. Do not rely on SELinux to contain this. The description states that insights processes are permitted to disable SELinux system-wide, so a script executed through this path inherits that ability; review whether that permission is necessary in your policy.
8. Keep local privileges minimal and brief administrators on the issue, so that a pre-existing /var/tmp/insights-client on an unregistered host is treated as an indicator of attack rather than a leftover.
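The pre-registration check and pre-creation described above, as an added example. This is not code from the advisory or from insights-client; it is a small POSIX shell script that assumes GNU coreutils stat (as shipped on RHEL 7) and a directory path of /var/tmp/insights-client. check_insights_dir applies the three conditions a root process should require before trusting a directory in a world-writable parent (not a symlink, owned by the expected uid, not writable by group or others), and harden_insights_dir creates the directory only when the check passes, using mkdir without -p so that a directory or symlink that appears between the check and the create makes the script fail instead of silently adopting it.

```shell
#!/bin/sh
# Added example, not part of the advisory or of insights-client.
# Assumes GNU coreutils (stat -c) and the directory path used in CVE-2023-3972.
INSIGHTS_DIR=/var/tmp/insights-client

# Print a verdict for DIR and return 0 if a process running as OWNER_UID
# (default 0 = root) may safely reuse it, 1 otherwise.
check_insights_dir() {
    dir="${1:-$INSIGHTS_DIR}"
    owner="${2:-0}"
    # Neither a file nor a (possibly dangling) symlink: nothing planted yet.
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo "ABSENT"
        return 0
    fi
    # A symlink here would redirect root's writes to an attacker-chosen path.
    if [ -L "$dir" ]; then
        echo "UNSAFE symlink"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "UNSAFE not a directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    perm=$(stat -c '%A' "$dir")        # e.g. drwxrwxrwx
    # The advisory's case: created by an unprivileged user before registration.
    if [ "$uid" != "$owner" ]; then
        echo "UNSAFE owner uid=$uid"
        return 1
    fi
    # Group write is character 6, other write is character 9 of %A.
    case "$perm" in
        ?????w*|????????w*)
            echo "UNSAFE mode=$perm"
            return 1 ;;
    esac
    echo "OK"
}

# Pre-create DIR for OWNER_UID (default root) with mode 0755 before
# registration runs. Refuses to adopt an existing directory that fails the
# check, so its contents can be preserved for investigation.
harden_insights_dir() {
    dir="${1:-$INSIGHTS_DIR}"
    owner="${2:-0}"
    if { [ -e "$dir" ] || [ -L "$dir" ]; } && ! check_insights_dir "$dir" "$owner" >/dev/null; then
        echo "refusing to adopt $dir; inspect and remove it as root first" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        # No -p: fails loudly if something appeared between check and create.
        mkdir "$dir" || return 1
    fi
    chown "$owner" "$dir" && chmod 0755 "$dir"
}

# Run as root on an unregistered host, before `insights-client --register`:
#   sh harden-insights-dir.sh
# Prints the verdict; a non-zero exit means the directory needs a look first.
if [ "$(basename -- "$0")" = "harden-insights-dir.sh" ]; then
    check_insights_dir "$INSIGHTS_DIR" && harden_insights_dir "$INSIGHTS_DIR"
fi
```

The owner argument exists only so the functions can be exercised as an unprivileged user; in production the default (root) is what matters. This is a stopgap for the pre-registration window and does not replace the vendor update, and it does nothing about the SELinux permission the description mentions.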
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2023-07-27T12:10:37.684Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68e0f3c1b66c7f7acdd3e95c
Added to database: 10/4/2025, 10:15:29 AM
Last enriched: 10/12/2025, 3:46:29 AM
Last updated: 10/16/2025, 2:40:30 PM