A dangerous Linux systemd root level security flaw has been discovered and patched

The good news is that a seven-year-old security flaw in Linux systemd's polkit, which is used in many Linux distributions, has been fixed. The bad news is that it was ever there to begin with. Polkit, which systemd uses in place of sudo, allows unauthorized users to run privileged processes that they would not be able to run otherwise. It was discovered that you could also use polkit to gain root access to a system.

In Unix and Linux systems, the ability to gain root privileges is the ultimate evil. Kevin Backhouse, a member of the GitHub Security Lab, discovered the polkit security flaw while performing his duties. He told the polkit maintainers and Red Hat's security team about it. Then, on June 3, 2021, a fix was released, and it was publicly disclosed as CVE-2021-3560.

Backhouse discovered that an unauthorized local user could easily obtain a root shell on a system by using standard shell tools like bash, kill, and dbus-send. Surprisingly, despite the fact that the bug has been around for a while, it has only recently begun to appear in the most popular Linux distributions. For instance, if you're running Red Hat Enterprise Linux (RHEL) 7, Debian 10, or Ubuntu 18.04, you're immune to this security flaw. However, if you are running a newer version of RHEL 8, Debian testing, or Ubuntu 20.04, you may be attacked with it.

What's the reason? Because most Linux distributions did not use this buggy code. However, the vulnerable code was recently backported into polkit shipping versions. An old security hole has been resurrected.

That's not the only reason this bug remained hidden for so long. Backhouse clarified that the security flaw is not activated every time you run programs that can call it. Why? It turns out that polkit requests the UID or User ID of the requesting process from dbus-daemon multiple times, on different codepaths. The majority of those codepaths handle the error correctly, but one does not. If you terminate the dbus-send command before it completes, the request is handled by one of the correct codepaths and rejected. To activate the vulnerable codepath, you must disconnect at precisely the right time. Because there are multiple processes at work, the timing of the "right moment" varies from run to run. As a result, the exploit usually requires several attempts before it succeeds. I'm guessing it's also why the bug wasn't discovered earlier. It's a cunning little thing.

But, even though Backhouse stated that it cannot always be exploited, that is no reason not to be concerned. You can easily create a script that will activate it after a few minutes of attempting. According to Red Hat, "the greatest risk posed by this vulnerability is to data confidentiality and integrity, as well as system availability."

As a result, as Backhouse points out, "it's critical that you update your Linux installations as soon as possible" because it's "very simple and quick to exploit."

So, you know what to do now, don't you? Put your patching skills to the test: You should update polkit to version 0.119 or later.