Tuesday, March 19, 2024

7 Years Old Critical Linux Privilege Escalation Bug Let Hackers Gain Root Access

GitHub security researcher Kevin Backhouse has recently discovered a seven-year-old critical Linux privilege escalation bug in the polkit system service, which was previously called PoilcyKit, which could allow any hackers to bypass authorization to gain root access on the affected system.

If you don’t know the work of polkit, then let me justify it in short; it’s a toolkit, and if an application needs root privileges for a task, then polkit asks for the appropriate or relevant password.

The recently discovered bug has been tracked as, CVE-2021-3560 and it’s mainly found in polkit service that is actually associated with a typical Linux system and service manager component, “systemd.”

Seven-year-old Polkit Flaw

This vulnerability was integrated into Commit bfa5036b which was introduced seven years ago, and this bug explored several paths in various Linux distributions since it’s initially directed in polkit version 0.113.

  • CVE ID: CVE-2021-3560
  • CVSS v3 Base Score: 7.8
  • Attack Vector: Local
  • Privileges Required: Low
  • User Interaction: None
  • Integrity Impact: High

This bug requires only a few commands using the terminal tools like bash, kill, and dbus-send, in short, this bug is easy to exploit.

By starting a dbus-send command this bug could be triggered, but, when polkit is still in the midst of concocting the request, it kills it. When polkit asks for the UID of a connection that doesn’t exist, an error arises due to the execution of this during the midst of an authentication request.

Vulnerable Distributions

Here’s the list of all the distribution that are vulnerable to this bug:-

  • RHEL 8: Yes
  • Fedora 21 (or later): Yes
  • Debian testing (“bullseye”): Yes
  • Ubuntu 20.04: Yes

Exploitation

Kevin Backhouse notes that this bug is a possible privilege escalation that was very easy and quick to execute and with only a few commands it can be exploited.

Here, the query that had already ended incorrectly the polkit handles it. Instead of canceling the process, Polkit feigned that the request had come from a process with the UID 0.

This implies that here in this stage the Polkit simply assumes this process request arrived from a root process, and it immediately approves the request. Though this didn’t always work perfectly, but still it is frequently enough to keep the effort low.

Mitigation

According to the Red Hat report, currently, there are no such proper mitigations are available, if any available then they don’t need the criteria of Red Hat Product Security.

However, to remediate any possible risk that may emerge due to this bug, the experts have strongly recommended every user to immediately update their Linux installations as soon as possible.

Website

Latest articles

How ANY.RUN Malware Sandbox Process IOCs for Threat Intelligence Lookup?

The database includes indicators of compromise (IOCs) and relationships between different artifacts observed within...

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hacked AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles