In Polkit, which distributions use to let unprivileged users perform actions that require elevated access rights (for example, mounting a USB drive), a vulnerability (CVE-2021-3560) has been identified that allows a local user to gain root rights on the system. The vulnerability is fixed in Polkit 0.119.
The problem is present starting with release 0.113, but many distributions, including RHEL, Ubuntu, Debian and SUSE, backported the vulnerable functionality into packages based on older Polkit releases (package fixes are already available in the distributions).
The problem is in the polkit_system_bus_name_get_creds_sync() function, which obtains the identifiers (UID and PID) of the process requesting elevated privileges. Polkit identifies the process by the unique name assigned to it on D-Bus, which is later used to check privileges. If the process disconnects from dbus-daemon before the polkit_system_bus_name_get_creds_sync() handler starts, the handler receives an error code instead of the unique name.
The vulnerability is caused by the returned error code not being handled properly: polkit_system_bus_name_get_creds_sync() returns TRUE instead of FALSE even though it was unable to map the process to a UID/PID and check the requested privileges. The code that called polkit_system_bus_name_get_creds_sync() assumes that the check completed successfully and that the request for elevated privileges came from root rather than from an unprivileged user, which makes it possible to perform privileged actions without additional authentication and confirmation of authority.
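
The error-handling flaw described above, reduced to a self-contained C model with the flawed pattern next to the fail-closed form. This is an added example, not Polkit's source code: every type and function name in it is hypothetical, and the zero-initialised UID on a failed lookup is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the lookup result; not Polkit's real data types. */
struct creds_reply {
    bool     caught_error;  /* set when the bus name no longer exists */
    uint32_t uid;           /* stays zero-initialised on error (model assumption) */
};

/* Simulated D-Bus credential lookup for a peer that may have disconnected. */
static struct creds_reply lookup_creds(bool connected, uint32_t uid)
{
    struct creds_reply r = {0};
    if (!connected)
        r.caught_error = true;
    else
        r.uid = uid;
    return r;
}

/* Flawed pattern: the error flag is never examined, so success is reported. */
bool get_creds_flawed(bool connected, uint32_t uid, uint32_t *out_uid)
{
    struct creds_reply r = lookup_creds(connected, uid);
    *out_uid = r.uid;
    return true;
}

/* Corrected pattern: a failed lookup is propagated and no output is written. */
bool get_creds_checked(bool connected, uint32_t uid, uint32_t *out_uid)
{
    struct creds_reply r = lookup_creds(connected, uid);
    if (r.caught_error)
        return false;
    *out_uid = r.uid;
    return true;
}

typedef bool (*get_creds_fn)(bool, uint32_t, uint32_t *);

/* Caller's decision: true means the requester is treated as root. */
bool treated_as_root(get_creds_fn get_creds, bool connected, uint32_t uid)
{
    uint32_t seen = UINT32_MAX;   /* non-root sentinel */
    if (!get_creds(connected, uid, &seen))
        return false;             /* fail closed when the lookup failed */
    return seen == 0;
}

int main(void) { return treated_as_root(get_creds_checked, false, 1000) ? 1 : 0; }
```
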