Ancient Linux bug gives unprivileged users root access

The bug was introduced seven years ago and only fixed last week

A security researcher has discovered a seven-year-old vulnerability in several Linux distributions, which unprivileged local users could use to bypass authorisation and gain root access.

The bug, which was patched last week, exists in Polkit System Service, a toolkit used to evaluate whether specific Linux activities require higher privileges than those currently available. Polkit is installed by default on several Linux distributions, and allows unprivileged processes to speak to privileged processes.

Because the Polkit service is associated with systemd, any Linux distribution that uses systemd also uses Polkit.

The vulnerability is tracked as CVE-2021-3560, and carries a CVSS score of 7.8. It was uncovered by GitHub security researcher Kevin Backhouse, who noted that the issue was introduced in code commit bfa5036 - way back in 2013.

It initially shipped in Polkit version 0.113, but has travelled to different Linux distributions in the past seven years.

'When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process,' Red Hat said in an advisory.

'The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.'

In a blog post, Backhouse said exploiting the vulnerability is very easy, requiring only a few commands using standard terminal tools like bash, kill and dbus-send.

The flaw impacts Polkit versions between 0.113 and 0.118. Cedric Buissart of Red Hat said it also impacts Debian-based distributions, based on Polkit 0.105.

Debian "Bullseye," Fedora 21 (or later), Ubuntu 20.04 and RHEL 8 among the popular Linux distributions affected.

Polkit v.0.119, released on 3^rd June, addresses the issue. Users are advised to update their Linux installations as soon as possible to prevent threat actors from exploiting the bug.

CVE-2021-3560 is the latest in the series of years-old vulnerabilities impacting Linux distributions.

In 2017, Positive Technologies' researcher Alexander Popov found a flaw in a Linux kernel that was introduced to the code in 2009. Tracked as CVE-2017-2636, this flaw was eventually patched in 2017.

Another old Linux security flaw, indexed as CVE-2016-5195, was introduced in 2007 and patched in 2016. Also referred to as 'Dirty COW' zero-day, the bug was used in many attacks before being patched.