A privilege escalation vulnerability has been discovered in the Polkit service that could be exploited by an unprivileged local attacker to bypass authorization and gain root privileges.
The vulnerability, tracked as CVE-2021-3560 (with a CVSS score of 7.8), affects Polkit versions 0.113 to 0.118 and was discovered by Kevin Backhouse, a GitHub security researcher, who stated that the issue was introduced in a code commit made in 2013.
How does the Polkit flaw give unprivileged Linux users root access?
The function `polkit_system_bus_name_get_creds_sync` is employed to get the uid and pid of the process requesting the action, and it does this by sending the unique bus name of the requesting process, typically something like ":1.96", to `dbus-daemon`.
These unique names are assigned and managed by `dbus-daemon` and cannot be forged, so this is a good way to check the privileges of the requesting process. The vulnerability happens if the requesting process disconnects from `dbus-daemon` before the call to `polkit_system_bus_name_get_creds_sync` begins.
In this instance, the unique bus name is no longer valid, so `dbus-daemon` sends back an error reply. That error case is handled in `polkit_system_bus_name_get_creds_sync` by setting the `error` parameter, but the function still returns `TRUE` rather than `FALSE`.
This means that every caller of `polkit_system_bus_name_get_creds_sync` has to check carefully whether an error was set, rather than trusting the return value alone.
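The defect pattern described above, modelled as an added, self-contained example rather than polkit's own code: `daemon_lookup` is a constructed stand-in for the `dbus-daemon` credential reply, `get_creds_buggy` and `get_creds_fixed` are hypothetical names for the two return-value behaviours, and the two caller functions show why checking the error, not just the return value, matters.

```c
#include <stdbool.h>
#include <string.h>

typedef bool (*get_creds_fn)(const char *, unsigned *, unsigned *, const char **);
typedef struct { const char *name; unsigned uid; unsigned pid; } LiveName;

/* Constructed stand-in for dbus-daemon's table of currently live unique bus names. */
static const LiveName live_names[] = { { ":1.96", 1000, 4242 }, { ":1.97", 1001, 4300 } };

/* Simulated dbus-daemon reply: credentials for a live name, otherwise an error reply. */
static bool daemon_lookup(const char *name, unsigned *uid, unsigned *pid, const char **err)
{
    for (size_t i = 0; i < sizeof live_names / sizeof live_names[0]; i++)
        if (strcmp(live_names[i].name, name) == 0) {
            *uid = live_names[i].uid; *pid = live_names[i].pid; return true;
        }
    *err = "NameHasNoOwner";  /* the requester already disconnected from the bus */
    return false;
}

/* Defective pattern (hypothetical model of the bug): the error is stored in *err,
 * but TRUE is returned anyway, leaving uid at its zero initial value, which a
 * caller in this model would read as root. */
bool get_creds_buggy(const char *name, unsigned *uid, unsigned *pid, const char **err)
{
    *err = NULL; *uid = 0; *pid = 0;
    daemon_lookup(name, uid, pid, err);
    return true;
}

/* Hardened pattern: a set error is a failure, so FALSE reaches the caller. */
bool get_creds_fixed(const char *name, unsigned *uid, unsigned *pid, const char **err)
{
    *err = NULL; *uid = 0; *pid = 0;
    return daemon_lookup(name, uid, pid, err);
}

/* Caller that trusts the return value alone: the uid it would authorize, or -1 to deny. */
int uid_trusting_return(get_creds_fn get_creds, const char *name)
{
    unsigned uid, pid; const char *err;
    if (!get_creds(name, &uid, &pid, &err)) return -1;
    return (int)uid;
}

/* Caller that also checks whether an error was set, as the text advises. */
int uid_checking_error(get_creds_fn get_creds, const char *name)
{
    unsigned uid, pid; const char *err;
    if (!get_creds(name, &uid, &pid, &err) || err != NULL) return -1;
    return (int)uid;
}
```

With the buggy variant, a name that has already disconnected is resolved to uid 0 by the return-only caller, while the error-checking caller and the fixed variant both deny it.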
How to mitigate the Polkit vulnerability?
Popular Linux distributions affected by the polkit vulnerability include Fedora 21 (or later), RHEL 8, Debian "Bullseye," and Ubuntu 20.04, although the issue has been fixed in Polkit version 0.119, released on June 3.
Linux users are therefore advised to update their installations to the patched polkit package to mitigate any risk arising from the flaw.