Security researchers recently discovered a vulnerability in Linux systemd’s polkit. Identified as CVE-2021-3560, the flaw appears to have been around for at least seven years. Since polkit is used in many Linux distributions, the impact of the vulnerability should not be underestimated.
Fortunately, CVE-2021-3560 has now been patched.
polkit Flaw Has Been Around for Seven Years
Unfortunately, since systemd utilizes polkit instead of sudo, the vulnerability could have granted unauthorized users the ability to run privileged processes that could not be started in any other way. In other words, polkit could have been abused to gain root access on a vulnerable Linux system.
According to the official Red Hat advisory, the polkit vulnerability happens because of the following condition:
When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Is there any mitigation against the polkit flaw? Red Hat researchers say they investigated whether a mitigation exists, but they were unable to identify a practical one. This means that the available update should be applied immediately.
CVE-2021-3560 polkit Bug Background
The CVE-2021-3560 vulnerability was discovered by security researcher Kevin Backhouse. “A few weeks ago, I found a privilege escalation vulnerability in polkit. I coordinated the disclosure of the vulnerability with the polkit maintainers and with Red Hat’s security team. It was publicly disclosed, the fix was released on June 3, 2021, and it was assigned CVE-2021-3560,” he wrote in an article detailing his discovery. He also warns that the vulnerability is easy to exploit.
The bug Backhouse discovered was introduced seven years ago in commit bfa5036, and first shipped with polkit version 0.113. The good news is that many of the most popular Linux distros didn’t ship the vulnerable version until more recently, he says.
However, the impact of the polkit bug is quite different for Debian and its derivatives, like Ubuntu. The reason? Debian utilizes a fork of polkit with a different version numbering scheme.
“In the Debian fork, the bug was introduced in commit f81d021 and first shipped with version 0.105-26. The most recent stable release of Debian, Debian 10 (“buster”), uses version 0.105-25, which means that it isn’t vulnerable. However, some Debian derivatives, such as Ubuntu, are based on Debian unstable, which is vulnerable,” the researcher says.
Here’s a list of vulnerable versions, according to Backhouse:
- RHEL 8;
- Fedora 21 or later;
- Debian testing “bullseye”;
- Ubuntu 20.04.
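The two version thresholds quoted above (upstream 0.113, Debian fork 0.105-26) lend themselves to a quick triage check. The script below is an added example, not code from the article or from the polkit project; it assumes `pkcheck --version` prints a line ending in the version string, and it only tells you whether the installed version line ever shipped the bug, since distro security updates fix it without changing the upstream version number.

```shell
#!/bin/sh
# Added triage helper (not from the article or the polkit project).
# Applies the two thresholds the article quotes:
#   upstream polkit: bug first shipped in 0.113 (commit bfa5036)
#   Debian fork:     bug first shipped in 0.105-26 (commit f81d021)
# Caveat: security updates fix the bug without bumping the upstream
# version, so "in-range" means "check the package changelog for
# CVE-2021-3560", not "definitely unpatched".

# Keep only the leading digits of a string ("26ubuntu1" -> "26").
leading_digits() {
    printf '%s' "$1" | sed 's/[^0-9].*//'
}

# Print "in-range" (return 0) if this version line shipped the bug,
# otherwise print "out-of-range" (return 1).
polkit_version_in_bug_range() {
    ver="$1"
    case "$ver" in
        0.105-*)
            # Debian fork: 0.105-<revision>[suffix], e.g. 0.105-26ubuntu1
            rev=$(leading_digits "${ver#0.105-}")
            [ "${rev:-0}" -ge 26 ] && { echo in-range; return 0; }
            ;;
        0.*)
            # Upstream numbering: 0.<minor>, affected from 0.113 onwards
            minor=$(leading_digits "${ver#0.}")
            [ "${minor:-0}" -ge 113 ] && { echo in-range; return 0; }
            ;;
    esac
    echo out-of-range
    return 1
}

# Query the installed polkit via pkcheck (assumed to print
# "pkcheck version X.Y") and classify the result.
check_installed_polkit() {
    if ! command -v pkcheck >/dev/null 2>&1; then
        echo "pkcheck not found; polkit may not be installed"
        return 2
    fi
    ver=$(pkcheck --version 2>/dev/null | awk '{print $NF}')
    printf 'installed polkit %s: %s\n' "$ver" \
        "$(polkit_version_in_bug_range "$ver")"
}
```

Run `check_installed_polkit` on a host to classify its polkit, or feed `polkit_version_in_bug_range` a version string taken from `rpm -q polkit` or `dpkg -s policykit-1` when pkcheck is unavailable.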
The polkit bug is “surprisingly easy to exploit.” Exploitation requires a few commands in the terminal using only standard tools such as bash, kill, and dbus-send. In short, any system with polkit version 0.113 (or later) installed is vulnerable. According to Red Hat, “the highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.” So, patch as soon as possible.
More technical details are available in Kevin Backhouse’s GitHub blog.