Bug 1961710 (CVE-2021-3560)

Summary: CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cperry, dblechte, dfediuck, eedri, jrybar, mcatanza, mgoldboi, michal.skrivanek, mitr, nobody, polkit-devel, sbonazzo, security-response-team, sherold, tgunders, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: polkit 0.119 Doc Type: If docs needed, set a value
Doc Text:
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-03 11:32:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1962568, 1961982, 1961983, 1961984, 1961985, 1962612, 1964800, 1967424, 1970754    
Bug Blocks: 1959164, 1962471    

Description Cedric Buissart 2021-05-18 14:32:58 UTC 
The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is typically something like “:1.96”, to dbus-daemon. These unique names are
assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. 

This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling
function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct
is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it. 

Certain calltraces in polkit were found to be vulnerable, and could be used by any local attacker to run Polkit method calls as if there were run by root.

To summarize : this allows to call certain DBus methods as if it was requested by the root users. Depending on the available DBus destinations, this could allow any local user to install packages, create new administrators, etc.
Comment 13 Cedric Buissart 2021-06-03 06:56:48 UTC 
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1967424]
Comment 14 errata-xmlrpc 2021-06-03 10:06:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2236 https://access.redhat.com/errata/RHSA-2021:2236
Comment 15 errata-xmlrpc 2021-06-03 10:57:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2237 https://access.redhat.com/errata/RHSA-2021:2237
Comment 16 errata-xmlrpc 2021-06-03 11:06:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2238 https://access.redhat.com/errata/RHSA-2021:2238
Comment 17 Product Security DevOps Team 2021-06-03 11:32:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3560
Comment 18 Cedric Buissart 2021-06-03 14:33:10 UTC 
Upstream fix :
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81
Comment 19 Cedric Buissart 2021-06-03 14:50:22 UTC 
Original report (currently private):
https://gitlab.freedesktop.org/polkit/polkit/-/issues/140
Comment 23 errata-xmlrpc 2021-06-22 14:55:03 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522
Comment 24 errata-xmlrpc 2021-06-22 15:27:11 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522
Comment 26 errata-xmlrpc 2021-07-06 11:29:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2555 https://access.redhat.com/errata/RHSA-2021:2555