1961710 – (CVE-2021-3560) CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

Bug 1961710 (CVE-2021-3560) - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()

Summary: CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-3560
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1962568 1961982 1961983 1961984 1961985 1962612 1964800 1967424 1970754
Blocks:	1959164 1962471
TreeView+	depends on / blocked

Reported:	2021-05-18 14:32 UTC by Cedric Buissart
Modified:	2023-10-09 12:38 UTC (History)
CC List:	16 users (show)
Fixed In Version:	polkit 0.119
Doc Type:	If docs needed, set a value
Doc Text:	It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:	2021-06-03 11:32:20 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:2522	0	None	None	None	2021-06-22 15:27:27 UTC
Red Hat Product Errata	RHSA-2021:2555	0	None	None	None	2021-07-06 11:29:14 UTC

Description Cedric Buissart 2021-05-18 14:32:58 UTC

The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is typically something like “:1.96”, to dbus-daemon. These unique names are
assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. 

This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling
function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct
is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it. 

Certain calltraces in polkit were found to be vulnerable, and could be used by any local attacker to run Polkit method calls as if there were run by root.

To summarize : this allows to call certain DBus methods as if it was requested by the root users. Depending on the available DBus destinations, this could allow any local user to install packages, create new administrators, etc.

Comment 13 Cedric Buissart 2021-06-03 06:56:48 UTC

Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1967424]

Comment 14 errata-xmlrpc 2021-06-03 10:06:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2236 https://access.redhat.com/errata/RHSA-2021:2236

Comment 15 errata-xmlrpc 2021-06-03 10:57:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2237 https://access.redhat.com/errata/RHSA-2021:2237

Comment 16 errata-xmlrpc 2021-06-03 11:06:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2238 https://access.redhat.com/errata/RHSA-2021:2238

Comment 17 Product Security DevOps Team 2021-06-03 11:32:20 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3560

Comment 18 Cedric Buissart 2021-06-03 14:33:10 UTC

Upstream fix :
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81

Comment 19 Cedric Buissart 2021-06-03 14:50:22 UTC

Original report (currently private):
https://gitlab.freedesktop.org/polkit/polkit/-/issues/140

Comment 23 errata-xmlrpc 2021-06-22 14:55:03 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522

Comment 24 errata-xmlrpc 2021-06-22 15:27:11 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522

Comment 26 errata-xmlrpc 2021-07-06 11:29:13 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2555 https://access.redhat.com/errata/RHSA-2021:2555

Note You need to log in before you can comment on or make changes to this bug.