An authentication bypass vulnerability in the polkit auth system service, tracked as CVE-2021-3560, which is used on most Linux distros can allow an unprivileged attacker to get a root shell.
“A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” reads the description published by the security advisory. “The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.”
polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes, it is installed by default on several Linux distributions.
Every Linux system using a vulnerable polkit version is potentially exposed to cyber attacks exploiting the CVE-2021-3560 flaw.
Backhouse published a video PoC of an attack exploiting this vulnerability demonstrating that it is easy to trigger.
“The vulnerability enables an unprivileged local user to get a root shell on the system. It’s easy to exploit with a few standard command line tools, as you can see in this short video.” wrote the expert in a blog post.
The researcher published the following table containing the list of currently vulnerable distros:
|Fedora 20 (or earlier)||No|
|Fedora 21 (or later)||Yes|
|Debian 10 (“buster”)||No|
|Debian testing (“bullseye”)||Yes|
“CVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable.” conlcudes the researcher.
(SecurityAffairs – hacking, polkit)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.