External risk intelligence

Polkit Local Privilege Escalation Vulnerability.

CVE advisoryKnown Exploit

CVE-2021-3560

An unprivileged local user can exploit a flaw in polkit to bypass security checks and gain root privileges. This could impact data integrity, confidentiality, and system availability for affected organizations. The primary business risk involves unauthorized administrative access.

1Halo Surface Signal

Polkit Project Polkit

before 0.11911.020.044.04.7

External exposure likelihood

Halo Surface Signal score for CVE-2021-3560

This vulnerability exists within the local D-Bus system communication framework and requires a local attacker to execute requests on the host machine. It is not reachable via the public internet, as it involves internal inter-process communication mechanisms restricted to the local operating system environment.

Horizon Alert

Summary of the vulnerability and why it matters

The polkit component, used for managing system privileges, contains a flaw that allows for the circumvention of security checks on specific requests. This vulnerability could enable an unauthorized local user to gain elevated privileges, potentially allowing them to create new administrator accounts. The primary risks associated with this issue are to the confidentiality and integrity of data, as well as the availability of systems.

Vulnerable component: polkit
Core weakness: Bypasses credential checks
Main business impact: Privilege escalation to root

Attack Path

How an attacker could exploit the issue

An unprivileged local attacker can exploit this vulnerability to gain root-level privileges on a system. The attack involves tricking the polkit system into bypassing normal credential checks for requests made over D-Bus. This allows an attacker with low-level access to execute commands with the highest level of system authority. The impact on affected organizations can include unauthorized data access, modification, or deletion, as well as system unavailability.

Local access to the system.
Attacker bypasses credential checks.
Attacker gains root control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an unprivileged local attacker to gain root-level privileges on a system. This elevation of privileges could enable an attacker to create new local administrators, impacting data confidentiality, integrity, and system availability. The highest risk is to systems where local access is not adequately restricted.

Attackers with low skill needed.
Requires local system access.
Business risk is high.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an unprivileged local attacker to gain root privileges. This could impact data confidentiality, integrity, and system availability for affected organizations. The highest threat arises from potential unauthorized administrative access.

Find affected assets.
Reduce exposure or isolate risk.
Apply vendor fix, verify, and monitor.

Frequently asked questions

What is the core issue with polkit that leads to privilege escalation?

The polkit component has a flaw that allows it to bypass credential checks for D-Bus requests. This weakness, classified as CWE-863, enables an unprivileged local attacker to escalate their privileges to the root user.

How can an attacker exploit the polkit vulnerability?

An attacker with local access can trick the polkit system into bypassing credential checks for D-Bus requests. This allows them to execute commands with root-level authority, potentially creating new local administrators.

What types of systems are affected by this polkit vulnerability?

The vulnerability affects systems using polkit, including various versions of Debian Linux, Ubuntu Linux, and Red Hat products such as Virtualization, Virtualization Host, and OpenShift Container Platform.

What is the practical impact of the polkit privilege escalation vulnerability on business operations?

The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability. An attacker gaining root privileges could lead to unauthorized data access, modification, or deletion, and system downtime.

What steps should be taken to respond to the polkit privilege escalation vulnerability?

Organizations should identify affected assets, reduce exposure or isolate risk, and apply vendor-provided fixes. Verifying the fix and ongoing monitoring are also crucial steps to mitigate this vulnerability.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.