High Severity Bug in Linux Enables Privilege Escalation to Root

June 17, 2021 · 3 min read

A notorious security hole in the polkit system authentication service exposes the majority of modern Linux distributions to the risk of privilege escalation attacks. A high-severity issue (CVE-2021-3560) allows an attacker to obtain root rights via a set of simple commands in the terminal. The bug has been confirmed in Red Hat Enterprise Linux, Fedora, Debian, and Ubuntu. The good news is that a patch was issued on June 3, 2021.

CVE-2021-3560 Description

According to research by Kevin Backhouse, an expert at GitHub Security Lab, CVE-2021-3560 was introduced almost a decade ago with the release of polkit version 0.113. It went unnoticed for such a long period because modern Linux distros did not ship the buggy polkit version until recently.

The flaw itself is an authentication bypass that occurs because polkit mishandles authorization requests that a lower-privileged process interrupts before they complete. As a result, an unprivileged attacker can obtain a root shell by launching timing attacks. Notably, the exploitation routine is straightforward: adversaries only require standard tools like bash, kill, or dbus-send and a couple of commands in the terminal. Kevin Backhouse released a video of a proof-of-concept (PoC) exploit for this flaw, which demonstrates an easy and quick way to trigger it.

Currently, such Linux distros as Red Hat Enterprise Linux 8 (RHEL 8), Fedora 21 (and later), Ubuntu 20.04, and Debian testing (“bullseye”) were found affected. Simple exploitation and a broad number of vulnerable installations make this flaw highly dangerous. Users are urged to patch ASAP since there are no possible mitigations for this issue.

CVE-2021-3560 Detection

To secure your infrastructure and detect the commands used in manual privilege escalation via this flaw, you can download an exclusive Sigma rule released by the SOC Prime Team.

https://tdm.socprime.com/tdm/info/OzudSRuln53K/#sigma 
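The Sigma rule's own matching logic is not reproduced on this page, so the following is an added illustration (not SOC Prime's rule) of the kind of process-creation correlation a detection for this flaw rests on: a non-root user starting dbus-send against the system bus and then killing that same process within a short window, which is the sequence of standard tools the article describes. The log format and all sample events are constructed for the example; a real deployment would map auditd or EDR process-creation fields into the same three attributes (uid, pid, command line).

```python
"""Correlate dbus-send and kill executions by an unprivileged user.

Added example, not the SOC Prime Sigma rule. Input lines use a constructed,
simplified process-creation format (not a real auditd record):
    "<epoch_seconds> uid=<uid> pid=<pid> comm=<name> cmd=<argv>"
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+uid=(?P<uid>\d+)\s+pid=(?P<pid>\d+)\s+"
    r"comm=(?P<comm>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Constructed sample events. uid 1000 starts dbus-send on the system bus and
# kills it milliseconds later (suspicious); root running dbus-send, and a
# session-bus dbus-send followed by an unrelated kill, are left alone.
# Bus destination/method names below are placeholders, not real interfaces.
SAMPLE_LOG = """\
1623900000.000 uid=1000 pid=4201 comm=bash cmd=bash
1623900000.100 uid=1000 pid=4202 comm=dbus-send cmd=dbus-send --system --print-reply --dest=example.Service /example example.Method
1623900000.108 uid=1000 pid=4203 comm=kill cmd=kill -9 4202
1623900005.000 uid=0 pid=4300 comm=dbus-send cmd=dbus-send --system --print-reply --dest=example.Service /example example.Method
1623900020.000 uid=1000 pid=4400 comm=dbus-send cmd=dbus-send --session --print-reply --dest=example.Service /example example.Method
1623900025.000 uid=1000 pid=4401 comm=kill cmd=kill 9999
not a process record
"""


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": float(d["ts"]),
            "uid": int(d["uid"]),
            "pid": int(d["pid"]),
            "comm": d["comm"],
            "cmd": d["cmd"],
        })
    return events


def detect(lines, window=2.0):
    """Return one alert per (dbus-send, kill) pair where a non-root uid
    started dbus-send on the system bus and killed that pid within `window`
    seconds. Alerts carry uid, the dbus-send pid, the kill pid and the delay."""
    alerts = []
    started = {}  # (uid, pid) -> timestamp of the dbus-send execution
    for ev in parse(lines):
        if ev["uid"] == 0:
            continue  # root does not need this bug; out of scope here
        argv = ev["cmd"].split()
        if ev["comm"] == "dbus-send" and "--system" in argv:
            started[(ev["uid"], ev["pid"])] = ev["ts"]
        elif ev["comm"] == "kill":
            # numeric arguments are target pids; "-9" style signals are not
            targets = [int(t) for t in argv[1:] if t.isdigit()]
            for pid in targets:
                t0 = started.get((ev["uid"], pid))
                if t0 is not None and 0 <= ev["ts"] - t0 <= window:
                    alerts.append({
                        "uid": ev["uid"],
                        "dbus_pid": pid,
                        "kill_pid": ev["pid"],
                        "delta": ev["ts"] - t0,
                    })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"uid={a['uid']} killed dbus-send pid {a['dbus_pid']} "
              f"after {a['delta']:.3f}s (kill pid {a['kill_pid']})")
```

The window is deliberately generous; the interesting cases kill dbus-send in well under a second, but clock granularity in the log source sets the floor. Expect tuning: automation that legitimately starts and tears down dbus-send calls will match, so the uid, parent process and bus destination fields are what you would add to cut false positives.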

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye

EDR: SentinelOne, Carbon Black

MITRE ATT&CK: 

Tactics: Privilege Escalation

Techniques: Exploitation for Privilege Escalation (T1068)

Get a free subscription to Threat Detection Marketplace to boost your cyber defense capabilities! Our SOC content library aggregates over 100K detection and response algorithms mapped directly to CVE and MITRE ATT&CK® frameworks so you can withstand the notorious cyber-attacks at the earliest stages of intrusion. Enthusiastic about crafting your own detections? Join our Threat Bounty program for a safer future!
