Nasty Linux systemd root level security bug revealed and patched

This obnoxious Linux systemd bug has been fixed, which means if you're running most recent Linux distributions, you'll need to patch it now.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The good news is the seven-year-old security bug in Linux systemd's polkit, used in many Linux distros, has been patched. The bad news is that it was ever there in the first place. Polkit, which systemd uses in place of sudo, enables unauthorized users to run privileged processes they'd otherwise couldn't run. It turned out that you could also abuse polkit to get root access to a system. 

Can you say, "Ow!"? 

The power to grab root privileges is the ultimate evil in Unix and Linux systems. Kevin Backhouse, a member of the GitHub Security Lab, found the polkit security hole in the course of his duties. He revealed it to the polkit maintainers and Red Hat's security team. Then, when a fix was released on June 3, 2021, it was publicly disclosed as CVE-2021-3560.

Backhouse found an unauthorized local user could easily get a root shell on a system using a few standard shell tools such as bash, kill, and dbus-send. Oddly enough, while the bug is quite old, it only recently started shipping in the most popular Linux distributions. For example, if you're running Red Hat Enterprise Linux (RHEL) 7; Debian 10; or Ubuntu 18.04; you're invulnerable to this security hole. But, if you're running the newer RHEL 8, Debian testing; or Ubuntu 20.04, you can be attacked with it.

Why? Because this buggy code hadn't been used in most Linux distros. Recently, however, the vulnerable code was backported into shipping versions of polkit. An old security hole was given a new lease on life. 

That's not the only reason this bug hid in plain sight for so long. Backhouse explained the security hole isn't triggered every time you run programs that can call it. Why? It turns out that polkit asks dbus-daemon for the UID [User ID] of the requesting process multiple times, on different codepaths. Most of those codepaths handle the error correctly, but one of them doesn't. If you kill the dbus-send command early, it's handled by one of the correct codepaths and the request is rejected. To trigger the vulnerable codepath, you have to disconnect at just the right moment. And because there are multiple processes involved, the timing of that "right moment" varies from one run to the next. That's why it usually takes a few tries for the exploit to succeed. I'd guess it's also the reason why the bug wasn't previously discovered.

It's a sneaky little thing. 

But, when Backhouse said it can't always be exploited, that's no reason not to worry about it. You can easily write a script that's sure to activate it after a few minutes of trying. Red Hat warns "The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." 

Therefore, as Backhouse points out, since it's "very simple and quick to exploit … it's important that you update your Linux installations as soon as possible."

So, you know what to do now right? Get to work patching: You'll want to upgrade polkit to version 0.119 or later.

Related Stories:

Editorial standards