GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability

There’s another revelation last week in the cyber industry, GitHub has disclosed the details of a Linux vulnerability that is quite easy to exploit. It can be leveraged to escalate privileges to root on the targeted system.

The indicated flaw has been classified as high severity and tracked as CVE-2021-3560. It impacts polkit that is an authorization service present by default in many Linux distributions.

Kevin Backhouse, a member of the GitHub Security Lab has discovered this loophole in security, who later shared his research by publishing a blog post covering the entire detail of his findings. He even shared a video that shows the exploit in action. There are lots of attention-grabbing things to know about this disclosure that may leave you surprised.

Here you can read the key highlights from the research findings of Backhouse that explains the detected flaw in Linux distribution.

Typically, systemd uses polkit, so any Linux distribution using systemd also uses polkit. And, while carrying out his core job of finding and reporting vulnerabilities to help improve the security of open-source software, Backhouse found privilege escalation vulnerability in polkit.

“A few weeks ago, I found a privilege escalation vulnerability in polkit. I coordinated the disclosure of the vulnerability with the polkit maintainers and with Red Hat’s security team. It was publicly disclosed, the fix was released on June 3, 2021, and it was assigned CVE-2021-3560.”

The vulnerability has been confirmed to impact some versions of Red Hat Enterprise Linux, Fedora, Debian and Ubuntu. Backhouse underlined that the vulnerability is easy to exploit with a few standard command line tools. Even a local, unprivileged attacker is said to be capable of using the flaw to escalate privileges to root shell on the system with commands executed in the terminal.
The most unexpected fact indicated in this discovery is that the bug is not new and has a historical background.

“The bug I found was quite old,” Backhouse said. “It was introduced seven years ago in commit bfa5036 and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn’t ship the vulnerable version until more recently.”

However, the history of this bug is slightly different on Debian and its derivatives (such as Ubuntu). The bug in the Debian fork was introduced in commit f81d021 and first shipped with version 0.105-26. Further in the research, it was found that that the most recent stable release of Debian, Debian 10 (“buster”), uses version 0.105-25, which signals that it is not vulnerable. However, some Debian derivatives are vulnerable, such as Ubuntu that is based on Debian unstable.

About Polkit
The vulnerable component, polkit, is a system service designed to control system-wide privileges. It provides a way for non-privileged processes for communicating with privileged processes.

According to Backhouse, it is a service that is more like a judge that determines whether an action initiated by a user requiring higher privileges can be further carried out directly or requires additional authorization.

“It essentially plays the role of a judge. If you want to do something that requires higher privileges—for example, creating a new user account—then it’s polkit’s job to decide whether or not you’re allowed to do it. For some requests, polkit will make an instant decision to allow or deny, and for others, it will pop up a dialog box so that an administrator can grant authorization by entering their password,” Backhouse said.

The discovered vulnerability though easy to exploit with just a few commands in the terminal typically takes a few attempts for the exploit to be successful. This is due to some timing requirements.

While explaining the polkit architecture, Backhouse specified that dbus-daemon, controlling all the communications, plays a very important role in the security of polkit. dbus-daemon also assigns every connection a “unique bus name:” typically something like “:1.96”. It is capable of handling situations where polkit asks for the UID of connection :1.96, but connection :1.96 no longer exists, by returning an error. But here it appeared that polkit could not handle the error.

Backhouse explained, “polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0. In other words, it immediately authorizes the request because it thinks the request has come from a root process.”

However, he also highlighted the reason why this loophole was not detected in the past seven years. He said, “To trigger the vulnerable codepath, you have to disconnect at just the right moment. And because there are multiple processes involved, the timing of that “right moment” varies from one run to the next. That’s why it usually takes a few tries for the exploit to succeed. I’d guess it’s also the reason why the bug wasn’t previously discovered. If you could trigger the vulnerability by killing the dbus-send command immediately, then I expect it would have been discovered a long time ago, because that’s a much more obvious thing to test for.”

“CVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04,” Backhouse concluded.