Vulnerability in Polkit that allows a local user to elevate privileges in the system

A vulnerability (CVE-2021-3560) has been identified in Polkit, a component used in distributions to allow unprivileged users to perform actions that require elevated access rights (for example, mounting a USB drive). The vulnerability allows a local user to gain root rights in the system. It has been fixed in Polkit 0.119.

The problem has been present since release 0.113, but many distributions, including RHEL, Ubuntu, Debian, and SUSE, have backported the vulnerable functionality into packages based on older Polkit releases (package fixes are already available in the distributions).

The problem manifests itself in the polkit_system_bus_name_get_creds_sync() function, which obtains the identifiers (uid and pid) of the process requesting privilege escalation. Polkit identifies the process by the unique name assigned to it on D-Bus, which is then used to check privileges. If the process disconnects from dbus-daemon just before the polkit_system_bus_name_get_creds_sync() handler starts, the handler receives an error code instead of the unique name.

The vulnerability is caused by the returned error code not being handled properly: polkit_system_bus_name_get_creds_sync() returns TRUE instead of FALSE even though it failed to match the process with a uid/pid and verify the requested privileges for it. The code that called polkit_system_bus_name_get_creds_sync() assumes that the check was successful and that the request for privilege escalation came from root rather than from an unprivileged user, which makes it possible to perform privileged actions without additional authentication and confirmation of credentials.
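The error-handling flaw described above, as a simplified C model added here for illustration; it is not Polkit's source code. All function names are hypothetical, and the zero-initialized uid in the flawed variant is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the bus lookup: fails (-1) when the caller's
 * unique name no longer exists because it disconnected from the daemon. */
static int bus_lookup_uid(bool still_connected, uint32_t real_uid, uint32_t *out)
{
    if (!still_connected)
        return -1;              /* error code instead of credentials */
    *out = real_uid;
    return 0;
}

/* Flawed pattern: the lookup error is dropped and TRUE is returned, so the
 * caller reads the initial value 0 (model assumption), which is root's uid. */
static bool get_creds_flawed(bool connected, uint32_t real_uid, uint32_t *uid)
{
    uint32_t tmp = 0;
    (void)bus_lookup_uid(connected, real_uid, &tmp);  /* result ignored */
    *uid = tmp;
    return true;
}

/* Hardened pattern: a lookup failure propagates as FALSE and the output
 * parameter is left untouched. */
static bool get_creds_checked(bool connected, uint32_t real_uid, uint32_t *uid)
{
    uint32_t tmp = UINT32_MAX;
    if (bus_lookup_uid(connected, real_uid, &tmp) != 0)
        return false;
    *uid = tmp;
    return true;
}

typedef bool (*creds_fn)(bool, uint32_t, uint32_t *);

/* Caller's decision: root passes without a prompt; a failed lookup is denied. */
static bool authorize(creds_fn get_creds, bool connected, uint32_t real_uid)
{
    uint32_t uid = UINT32_MAX;  /* fail-closed default, never 0 */
    if (!get_creds(connected, real_uid, &uid))
        return false;
    return uid == 0;
}

int main(void)
{
    printf("flawed=%d checked=%d\n", authorize(get_creds_flawed, false, 1000),
           authorize(get_creds_checked, false, 1000));
    return 0;
}
```

The fail-closed default in authorize() does not rescue the flawed variant, because that variant overwrites the output and reports success; the error has to be propagated where it occurs.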

Source: opennet.ru
