Linux Root Bug - ThreatWire Crosspost
Added 2021-06-15 18:25:59 +0000 UTC
By Shannon Morse, ThreatWire
A privilege escalation vulnerability was recently discovered in Linux distros. It was introduced seven years ago, back in 2013, and went unfixed until now. It exists within PolicyKit, also known as Polkit, a toolkit that handles authorization in Linux distros so that unprivileged processes can still ‘talk’ to privileged ones. The flaw could allow a threat actor with unprivileged access to escalate to root.
A fix is now available as of June 3, so upgrade to polkit version 0.119 as soon as possible. The vulnerability is tracked as CVE-2021-3560 with a severity score of 7.8, and it affects any system with polkit version 0.113 or later installed, including Ubuntu 20.04 and Red Hat Enterprise Linux 8. Security researcher Kevin Backhouse, who originally discovered the issue, posted a technical analysis of the vulnerability and explained that it is fairly easy to exploit, so updating is crucial. An attacker needs only a terminal and a few ordinary commands such as bash, kill and dbus-send: the flaw is triggered by sending a request with dbus-send and terminating it while polkit is still in the middle of processing it. That causes an authentication bypass, with the request treated as if it came from a process with root privileges.
According to his post, the flaw was first introduced to polkit in a code commit on November 9, 2013. It affects versions 0.113 and 0.118, along with Debian-based distros that ship polkit 0.105. According to a Red Hat advisory, it arises because polkit is unable to verify the privileges of the requesting process. To quote: “When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.”
Since an attacker has to trigger the flaw at exactly the right moment, success can vary from machine to machine, and that may be why it went undiscovered for so long. A demo video on the GitHub YouTube channel shows that it takes less than three minutes and very few terminal commands. I’ve provided the link to the demo in the notes for this segment.
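As an added example for defenders (not code from the segment, the researcher, or the polkit project), the helper below classifies the text of `pkaction --version` from each host against the version range the segment describes, 0.113 up to but not including the 0.119 fix. The handling of Debian-derived 0.105 packages is an assumption noted in the code: the version string alone cannot show whether the distribution's backported fix is present, so those hosts are flagged for review of the package changelog.

```python
"""Classify a host's polkit version against the CVE-2021-3560 range described
in the segment: 0.113 up to, but not including, the 0.119 release that fixes it.
Added example for fleet inventory checks; not polkit's or the researcher's code."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int]

FIRST_AFFECTED: Version = (0, 113)   # release in which the 2013 commit first shipped
FIXED: Version = (0, 119)            # first upstream release carrying the fix

# Assumption: Debian-derived packages carry upstream 0.105 plus backported
# patches, so the version string alone cannot tell a patched 0.105 from a
# vulnerable one; only the distribution's package changelog can.
DEBIAN_BACKPORT: Version = (0, 105)


def parse_version(text: str) -> Optional[Version]:
    """Pull 'X.Y' (or a bare 'X' for newer undotted releases) out of output
    such as 'pkaction version 0.118'. Returns None if no version is present."""
    match = re.search(r"\b(\d+)(?:\.(\d+))?\b", text)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def classify(version: Optional[Version], debian_like: bool = False) -> str:
    """Return 'affected', 'fixed', 'unaffected', 'review' or 'unknown'."""
    if version is None:
        return "unknown"
    if version >= FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "affected"
    if debian_like and version == DEBIAN_BACKPORT:
        return "review"  # check the package changelog for CVE-2021-3560
    return "unaffected"


def check_host(pkaction_output: str, debian_like: bool = False) -> str:
    """Classify one host from the text printed by `pkaction --version`."""
    return classify(parse_version(pkaction_output), debian_like)


if __name__ == "__main__":
    # Constructed sample outputs, one per host, in place of live pkaction calls.
    samples = {
        "rhel8": ("pkaction version 0.115", False),
        "ubuntu": ("pkaction version 0.105", True),
        "arch": ("pkaction version 0.119", False),
    }
    for host, (output, deb) in samples.items():
        print(f"{host}: {check_host(output, deb)}")
```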
https://gitlab.freedesktop.org/polkit/polkit/
https://thehackernews.com/2021/06/7-year-old-polkit-flaw-lets.html
https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
https://access.redhat.com/security/cve/CVE-2021-3560
https://www.youtube.com/watch?v=QZhz64yEd0g