A notorious security hole in the polkit authentication system service exposes the majority of modern Linux distributions to the risk of privilege escalation attacks. A high-severity issue (CVE-2021-3560) allows a hacker to obtain root rights via a set of simple commands in the terminal. The bug has been confirmed in Red Hat Enterprise Linux, Fedora, Debian, and Ubuntu. Yet, the good news is the patch was issued on June 3, 2021.
According to the research from Kevin Backhouse, an expert at GitHub Security Lab, CVE-2021-3560 was introduced almost a decade ago with the release of polkit version 0.113. The reason why it has been unnoticed for such a long period is that modern Linux distros haven’t shipped the buggy polkit version until recently.
The flaw itself is an authentication bypass issue that occurs due to the mishandling of interrupted authorization requests by lower privileged processes. As a result, an unprivileged hacker can obtain a root shell by launching timing attacks. Notably, the exploitation routine is straightforward. Adversaries only require standard tools like bash, kill, or dbus-send and a couple of commands in the terminal. Kevin Backhouse released a video of a proof-of-concept (PoC) exploit for this flaw, which demonstrates an easy and quick way to trigger it.
Currently, such Linux distros as RHEL 8, Fedora 21 (and later), Ubuntu 20.04, Red Hat Enterprise Linux 8 alongside Debian testing (“bullseye”) were found affected. Simple exploitation and a broad number of vulnerable installations make this flaw highly dangerous. Users are urged to patch ASAP since there are no possible mitigations for this issue.
To secure your infrastructure and detect malicious commands used in manual privilege escalation, you can download an exclusive Sigma rule release by the SOC Prime Team.
The rule has translations to the following languages:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye
EDR: SentinelOne, Carbon Black
Tactics: Privilege Escalation
Techniques: Exploitation for Privilege Escalation (T1068)
Get a free subscription to Threat Detection Marketplace to boost your cyber defense capabilities! Our SOC content library aggregates over 100K detection and response algorithms mapped directly to CVE and MITRE ATT&CK® frameworks so you can withstand the notorious cyber-attacks at the earliest stages of intrusion. Enthusiastic about crafting your own detections? Join our Threat Bounty program for a safer future!