CVE-2021-3560 flaw in polkit auth system service affects most of Linux distros

An authentication bypass flaw in the polkit auth system service used on most Linux distros can allow to get a root shell.

An authentication bypass vulnerability in the polkit auth system service, tracked as CVE-2021-3560, which is used on most Linux distros can allow an unprivileged attacker to get a root shell.

“A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” reads the description published by the security advisory. “The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.”

polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes, it is installed by default on several Linux distributions.

The vulnerability was introduced in version 0.113 seven years ago (commit bfa5036) and was fixed on June 3 after its recent disclosure by security researcher Kevin Backhouse.

Every Linux system using a vulnerable polkit version is potentially exposed to cyber attacks exploiting the CVE-2021-3560 flaw.

Backhouse published a video PoC of an attack exploiting this vulnerability demonstrating that it is easy to trigger.

“The vulnerability enables an unprivileged local user to get a root shell on the system. It’s easy to exploit with a few standard command line tools, as you can see in this short video.” wrote the expert in a blog post.

The researcher published the following table containing the list of currently vulnerable distros:

Distribution	Vulnerable?
RHEL 7	No
RHEL 8	Yes
Fedora 20 (or earlier)	No
Fedora 21 (or later)	Yes
Debian 10 (“buster”)	No
Debian testing (“bullseye”)	Yes
Ubuntu 18.04	No
Ubuntu 20.04	Yes

“CVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable.” conlcudes the researcher.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, polkit)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.