Opened 3 weeks ago
Closed 2 weeks ago
New minor version
This is to report a vulnerability in the `polkit` component
(https://gitlab.freedesktop.org/polkit/polkit/). This vulnerability is
rated Important by Red Hat.
polkit is a toolkit for defining and handling authorizations. It is
used for allowing unprivileged processes to speak to privileged
The vulnerability can be reliably used by an unprivileged local attacker
to bypass authorization and escalate permissions up to the root user.
Red Hat proposes a disclosure on Thursday June 3rd (2021/06/03), around
7:00 AM UTC.
== issue description ==
The function `polkit_system_bus_name_get_creds_sync` is used to get the
uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is
typically something like ":1.96", to `dbus-daemon`. These unique names
are assigned and managed by `dbus-daemon` and cannot be forged, so this
is a good way to check the privileges of the requesting process.
The vulnerability happens when the requesting process disconnects from
`dbus-daemon` just before the call to
`polkit_system_bus_name_get_creds_sync` starts. In this scenario, the
unique bus name is no longer valid, so `dbus-daemon` sends back an error
reply. This error case is handled in
`polkit_system_bus_name_get_creds_sync` by setting the value of the
`error` parameter, but it still returns `TRUE`, rather than `FALSE`.
This behavior means that all callers of
`polkit_system_bus_name_get_creds_sync` need to carefully check whether
an error was set. If the calling function forgets to check for errors
then it will think that the uid of the requesting process is 0 (because
the `AsyncGetBusNameCredsData` struct is zero initialized). In other
words, it will think that the action was requested by a root process,
and will therefore allow it.
Most of the callers of `polkit_system_bus_name_get_creds_sync` check the
error value correctly, and are therefore not vulnerable. But the error
value is not checked in the following call path:
0 in polkit_system_bus_name_get_creds_sync of polkitsystembusname.c:393
1 in polkit_system_bus_name_get_user_sync of polkitsystembusname.c:511
2 in polkit_backend_session_monitor_get_user_for_subject
3 in check_authorization_sync of polkitbackendinteractiveauthority.c:1113
4 in check_authorization_sync of polkitbackendinteractiveauthority.c:1223
5 in polkit_backend_interactive_authority_check_authorization
6 in server_handle_check_authorization of polkitbackendauthority.c:795
7 in server_handle_method_call of polkitbackendauthority.c:1274
== Analysis ==
It is believed that the vulnerability was introduced in polkit 0.113.
However, some Debian-based distros (e.g. Ubuntu 20.04), based on 0.105,
appear to also be vulnerable, as the commit was backported.
== Misc and summary ==
- CVE ID & Title: CVE-2021-3560 polkit: local privilege escalation using
- Disclosure date/time: Thursday June 3rd (2021/06/03), ~ 7:00 AM UTC
- Upstream fix:
- Red Hat's current CVSS Score: 7.8 -
- Original report:
- Vulnerable versions: from 0.113 until 0.118, but some distributions
may have backported the vulnerability.
- Fixed version: 0.119 (to be released)
- Original reporter of the vulnerability:
Kevin Backhouse (GitHub Security Lab)
Red Hat & upstream would like to thank Kevin Backhouse (GitHub Security
Lab) for the detailed report & analysis of the flaw.
Red Hat Product Security
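An added example, not polkit's code and not part of the ticket or the Red Hat report, that models the error-handling defect described above in plain C without GLib: the credential lookup sets an error but still returns true with zeroed credentials, and the two callers show the unchecked path beside one that treats a set error as failure. The bus names, uids and pids are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for GError (constructed for this example). */
typedef struct { const char *message; } Error;

/* Credentials record; mirrors the zero-initialised AsyncGetBusNameCredsData
 * described in the report, where a zeroed uid reads as root. */
typedef struct { unsigned int uid; unsigned int pid; } Creds;

/* Constructed stand-in for dbus-daemon's table of currently owned names. */
static const char *connected_names[] = { ":1.96", ":1.97" };

/* Models polkit_system_bus_name_get_creds_sync before the fix: when the
 * name has vanished (the requester disconnected), dbus-daemon answers with
 * an error; this sets *error but still returns true, leaving *creds zeroed. */
static bool get_creds_sync_buggy(const char *bus_name, Creds *creds, Error *error) {
    memset(creds, 0, sizeof *creds);
    for (size_t i = 0; i < sizeof connected_names / sizeof *connected_names; i++) {
        if (strcmp(bus_name, connected_names[i]) == 0) {
            creds->uid = 1000 + (unsigned int)i;  /* constructed unprivileged user */
            creds->pid = 4242 + (unsigned int)i;
            return true;
        }
    }
    error->message = "Name has no owner";  /* the error reply from dbus-daemon */
    return true;  /* BUG: reports success even though an error was set */
}

/* Vulnerable caller: only looks at the return value, so a vanished name
 * yields uid 0 and the request looks like it came from root. */
int caller_uid_unchecked(const char *bus_name) {
    Creds c; Error e = { NULL };
    if (!get_creds_sync_buggy(bus_name, &c, &e))
        return -1;
    return (int)c.uid;
}

/* Hardened caller: a set error means the lookup failed, whatever the
 * boolean says; deny (-1) instead of trusting the zeroed credentials. */
int caller_uid_checked(const char *bus_name) {
    Creds c; Error e = { NULL };
    if (!get_creds_sync_buggy(bus_name, &c, &e) || e.message != NULL)
        return -1;
    return (int)c.uid;
}
```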
Grab some GNOME dependencies, such as Samba and Pipewire.
Fixed at commit f12bb9570102523f60dd62f98d871a96c3f7c876
Update to mpg123-1.28.0.
Update to at-spi2-core-2.40.2.
Update to polkit-0.119.
Update to pipewire-0.3.29.
Powered by Trac 1.5.3.dev0
By Edgewall Software
© 1998-2021 Gerard Beekmans.