Convert2RHEL is a tool developed by Red Hat to make it easier for organizations to convert existing Linux systems (such as CentOS or Oracle Linux) to official Red Hat Enterprise Linux (RHEL). In the course of using Convert2RHEL, system administrators often need to register their systems with Red Hat, using their subscription credentials. However, a vulnerability was discovered in one of the project’s example playbooks, which could accidentally expose sensitive subscription passwords to any local user while the conversion is running.
This post explains CVE-2022-1662 in simple terms, offers practical code examples, shows how the bug can be exploited, and wraps up with mitigation steps and further reading.
- Software: convert2rhel (Example Ansible Playbook, upstream repo)
- File: ansible/run-convert2rhel.yml
- Vulnerability: The Red Hat Subscription password is passed to the convert2rhel tool via the command line. This allows any other user on the local system to see the password in clear text, by looking at running processes.
- Severity: Medium (since it requires local access and is not present in official supported releases)
- CVE ID: CVE-2022-1662
Understanding the Issue
This flaw exists only in an example Ansible playbook, ansible/run-convert2rhel.yml, included in the Convert2RHEL upstream (development) repository. It is _not_ present in the official, Red Hat supported Convert2RHEL packages.
The problem comes from how the playbook runs the convert2rhel command. It passes the subscription password as a command-line parameter. In Unix systems, anyone can see how a running command was started — including all the arguments passed to it — simply by running ps, top, or similar tools.
Consider the following code snippet from the affected playbook:
- name: run convert2rhel
  command: >
    convert2rhel --username {{ rhsm_user }} --password {{ rhsm_password }} --auto
If, for example, you invoked this with rhsm_user set to admin and rhsm_password set to supersecret, the running process would include:
convert2rhel --username admin --password supersecret --auto
Now, while this command is running, any local user could run ps aux or pgrep -a convert2rhel to see the command line including --password supersecret.
Exploiting the Flaw — Step-by-Step
Let’s simulate a scenario where multiple users exist on a system. One user (Alice) is running the convert2rhel playbook; another user (Bob) is logged into the same machine and is curious.
Step 1: Alice runs the playbook:
ansible-playbook ansible/run-convert2rhel.yml --extra-vars "rhsm_user=admin rhsm_password=supersecret"
Step 2: Open a new terminal as Bob and type:
ps aux | grep convert2rhel
or
pgrep -af convert2rhel
Output:
alice    12587  0.0  0.1  14532   234 pts/0    S    11:12   0:00 convert2rhel --username admin --password supersecret --auto
Bob can now easily see Alice’s Red Hat username and, worse, her password in clear text.
Why This Matters
Red Hat Subscription credentials are very powerful — they grant access to software updates, security patches, and potentially sensitive repositories. If an attacker or even a curious colleague can read these from the process list, they could use them to:
- Leak credentials to the public
However, this attack is only possible from a local unprivileged account (i.e., it can’t be exploited remotely). Still, on shared systems or in environments where users have shell access, this is a real risk.
Mitigations and Recommendations
1. Don’t Use the Example Playbook Unmodified: The affected playbook (ansible/run-convert2rhel.yml) is not used in supported Red Hat workflows. If you use Ansible to manage convert2rhel, check your playbooks!
2. Avoid Passing Secrets on the Command Line:
- Use environment variables, files with limited permissions, or secure Ansible Vault variables for sensitive information.
- Tools like convert2rhel may support interactive password prompts or reading passwords from a file; use those if possible.
3. Restrict Local User Access: On sensitive systems, avoid granting shell access to users who shouldn’t see each other’s processes.
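To check a host for the exposure described in the sections above (a password sitting in a running process's command line, exactly what ps aux reveals), here is an audit script. It is an added example, not code from the convert2rhel project; the list of secret-carrying flag names is an assumption you should extend for your own tools.

```python
"""Audit /proc/<pid>/cmdline for secrets passed as command-line arguments.
Added example, not convert2rhel project code. /proc/<pid>/cmdline is
world-readable on Linux (it is what `ps aux` prints), so this runs unprivileged;
/proc/<pid>/environ is readable only by the owner and root, which is why an
environment variable or a mode-0600 file is a safer home for the password."""
import os
import re

# Option names that commonly carry a secret (assumption; extend for your tools).
SECRET_FLAGS = {"--password", "--passwd", "--token", "--secret"}
INLINE_SECRET = re.compile(r"^(--?(?:password|passwd|token|secret))=(.+)$")

def parse_cmdline(raw):
    """Split the NUL-separated /proc/<pid>/cmdline blob into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_exposed_secrets(argv):
    """Return (flag, value) pairs for both '--flag value' and '--flag=value'."""
    found = []
    for i, arg in enumerate(argv):
        m = INLINE_SECRET.match(arg)
        if m:
            found.append((m.group(1), m.group(2)))
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            found.append((arg, argv[i + 1]))
    return found

def redact(argv):
    """Render argv with secret values masked so a report does not re-leak them."""
    out = list(argv)
    for i, arg in enumerate(argv):
        m = INLINE_SECRET.match(arg)
        if m:
            out[i] = f"{m.group(1)}=***"
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            out[i + 1] = "***"
    return " ".join(out)

def scan_proc(proc_root="/proc"):
    """Scan every readable <proc_root>/<pid>/cmdline; return {pid: redacted line}."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited, or cmdline not readable
        if find_exposed_secrets(argv):
            hits[int(entry)] = redact(argv)
    return hits
```

Call scan_proc() on a live host as an ordinary user; every line it returns is already redacted, so the report itself does not become a second copy of the secret.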
Secure Playbook Example
Here’s how you could avoid passing the password via CLI in your own playbook, instead using an environment variable (assuming convert2rhel supports it):
- name: run convert2rhel securely
  shell: convert2rhel --username {{ rhsm_user }} --auto
  environment:
    RHSM_PASSWORD: "{{ rhsm_password }}"
  no_log: true  # hides the password from Ansible logs
Or, ideally, update your system to use an officially supported workflow.
Additional References
- Red Hat Bugzilla Bug 2080223
- CVE-2022-1662 at NIST
- Official convert2rhel project on GitHub
In Conclusion
CVE-2022-1662 is a good lesson for anyone writing automation or scripting system tools: never pass passwords via the command line. Even if everything else is locked down, other local users can easily snoop on secrets in the process list.
If you use Convert2RHEL, stick to official documentation and supported packages. If you do use the example Ansible playbook, edit it to avoid this risky practice.
Timeline
Published on: 07/14/2022 15:15:00 UTC
Last modified on: 07/20/2022 13:21:00 UTC