An authentication bypass vulnerability in the polkit auth system service, tracked as CVE-2021-3560, which is used on most Linux distros can allow an unprivileged attacker to get a root shell.
“A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” reads the description published by the security advisory. “The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.”
polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes, it is installed by default on several Linux distributions.
Every Linux system using a vulnerable polkit version is potentially exposed to cyber attacks exploiting the CVE-2021-3560 flaw.
Backhouse published a video PoC of an attack exploiting this vulnerability demonstrating that it is easy to trigger.
“The vulnerability enables an unprivileged local user to get a root shell on the system. It’s easy to exploit with a few standard command line tools, as you can see in this short video.” wrote the expert in a blog post.
The researcher published the following table containing the list of currently vulnerable distros:
|Fedora 20 (or earlier)||No|
|Fedora 21 (or later)||Yes|
|Debian 10 (“buster”)||No|
|Debian testing (“bullseye”)||Yes|
“CVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable.” conlcudes the researcher.
(SecurityAffairs – hacking, polkit)