
Seven-year-old make-me-root bug in Linux service polkit patched

Error handling? Nah, let's just unlock everything and be done with it


A seven-year-old privilege escalation vulnerability that's been lurking in several Linux distributions was patched last week in a coordinated disclosure.

In a blog post on Thursday, GitHub security researcher Kevin Backhouse recounted how he found the bug (CVE-2021-3560) in a service called polkit associated with systemd, a common Linux system and service manager component.

Introduced in commit bfa5036 seven years ago and initially shipped in polkit version 0.113, the bug traveled different paths in different Linux distributions. For example, it missed Debian 10 but it made it to the unstable version of Debian, upon which other distros like Ubuntu are based.

Formerly known as PolicyKit, polkit is a service that evaluates whether specific Linux activities require higher privileges than those currently available. It comes into play if, for example, you try to create a new user account.

Backhouse says the flaw is surprisingly easy to exploit, requiring only a few commands using standard terminal tools like bash, kill, and dbus-send.

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse.

Killing dbus-send – an interprocess communication command – in the midst of an authentication request causes an error that arises from polkit asking for the UID of a connection that no longer exists (because the connection was killed).

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

This doesn't happen all the time, because polkit's UID query to the dbus-daemon occurs multiple times over different code paths. Usually, those code paths handle the error correctly, said Backhouse, but one code path is vulnerable – and if the disconnection happens when that code path is active, that's when the privilege elevation occurs. It's all a matter of timing, which varies in unpredictable ways because multiple processes are involved.
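The fail-open handling described above, reduced to a small C model as an added illustration (this is constructed example code, not polkit's source and not Backhouse's proof of concept). The `bus_connection` struct, the `lookup_peer_uid` stand-in for the UID query to dbus-daemon, and both `authorize_*` functions are assumptions made for the example. It places the bug class next to the fail-closed form that a caller-identification error should take:

```c
#include <stdio.h>
#include <stdbool.h>
#include <sys/types.h>

/* Constructed model of a D-Bus peer (not polkit's own data structures).
 * A peer whose process has been killed mid-request is "disconnected"
 * and no longer has a UID that the bus can report. */
typedef struct {
    const char *name;      /* label for the sample connection */
    bool        connected; /* false once the requesting process is gone */
    uid_t       uid;       /* UID of the peer, valid only while connected */
} bus_connection;

/* Simulated UID lookup, standing in for polkit's query to dbus-daemon.
 * Returns 0 and fills *uid on success; returns -1 if the peer is gone. */
static int lookup_peer_uid(const bus_connection *conn, uid_t *uid)
{
    if (!conn->connected)
        return -1;         /* the bus cannot name a vanished peer */
    *uid = conn->uid;
    return 0;
}

/* Fail-open pattern (the error mishandling the article describes):
 * the lookup's return value is ignored, uid keeps its initial value
 * of 0, and the request is authorised as if it came from root.
 * Returns 1 when authorised, 0 when denied. */
int authorize_fail_open(const bus_connection *conn)
{
    uid_t uid = 0;
    lookup_peer_uid(conn, &uid);   /* result discarded: the defect */
    return uid == 0;
}

/* Fail-closed pattern: any failure to identify the caller denies the
 * request. An unidentifiable caller is never treated as privileged. */
int authorize_fail_closed(const bus_connection *conn)
{
    uid_t uid;
    if (lookup_peer_uid(conn, &uid) != 0)
        return 0;                  /* caller unknown: deny */
    return uid == 0;
}

int main(void)
{
    /* Constructed sample peers: an unprivileged user still connected,
     * and the same user after its process was killed mid-request. */
    bus_connection live   = { "live-user",   true,  1000 };
    bus_connection killed = { "killed-user", false, 1000 };

    printf("live   fail-open=%d fail-closed=%d\n",
           authorize_fail_open(&live), authorize_fail_closed(&live));
    printf("killed fail-open=%d fail-closed=%d\n",
           authorize_fail_open(&killed), authorize_fail_closed(&killed));
    return 0;
}
```

The point of the pairing is the default: in the fail-open version the "unknown" state and the "root" state share the value 0, so a lookup error silently becomes an authorisation. Keeping an explicit error path, and denying on it, is the one-line change that separates the two.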

The intermittent nature of the bug, Backhouse speculates, is why it remained undetected for seven years.

Linux systems that have polkit version 0.113 or later installed – like Debian (unstable), RHEL 8, Fedora 21+, and Ubuntu 20.04 – are affected.

"CVE-2021-3560 enables an unprivileged local attacker to gain root privileges," said Backhouse. "It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible." ®
