Gentoo FoundationGLSA-202107-31

HistoryJul 13, 2021 - 12:00 a.m.

polkit: Privilege escalation

2021-07-1300:00:00

Gentoo Foundation

security.gentoo.org

0.012 Low

EPSS

Percentile

84.9%

JSON

Background

polkit is a toolkit for managing policies related to unprivileged processes communicating with privileged process.

Description

The function polkit_system_bus_name_get_creds_sync() was called without checking for error, and as such temporarily treats the authentication request as coming from root.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All polkit users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=sys-auth/polkit-0.119"

OSVersionArchitecturePackageVersionFilename
Gentooanyallsys-auth/polkit< 0.119UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	sys-auth/polkit	< 0.119	UNKNOWN

githubexploit

Exploit for Improper Check for Unusual or Exceptional Conditions in Polkit Project Polkit

2021-07-02 10:03:26

Exploit for Improper Check for Unusual or Exceptional Conditions in Polkit Project Polkit

2021-06-14 03:45:38

Exploit for Improper Check for Unusual or Exceptional Conditions in Polkit Project Polkit

2021-07-30 11:41:34

altlinux

Security fix for the ALT Linux 9 package polkit version 0.116-alt2.M90P.2

2021-06-15 00:00:00

suse

Security update for polkit (important)

2021-07-11 00:00:00

Security update for polkit (important)

2021-06-04 00:00:00

nessus

CentOS 8 : polkit (CESA-2021:2238)

2021-06-09 00:00:00

Rocky Linux 8 : polkit (RLSA-2021:2238)

2022-02-09 00:00:00

RHEL 8 : polkit (RHSA-2021:2236)

2022-09-15 00:00:00

cbl_mariner

CVE-2021-3560 affecting package polkit 0.116-7

2022-02-01 04:53:56

openvas

SUSE: Security Advisory (SUSE-SU-2021:1843-1)

2021-06-09 00:00:00

Huawei EulerOS: Security Advisory for polkit (EulerOS-SA-2021-2537)

2021-09-28 00:00:00

Huawei EulerOS: Security Advisory for polkit (EulerOS-SA-2021-2738)

2021-11-17 00:00:00

cisa_kev

Red Hat Polkit Incorrect Authorization Vulnerability

2023-05-12 00:00:00

redhatcve

CVE-2021-3560

2021-06-03 07:20:59

redhat

(RHSA-2021:2236) Important: polkit security update

2021-06-03 07:54:08

(RHSA-2021:2238) Important: polkit security update

2021-06-03 07:54:47

(RHSA-2021:2237) Important: polkit security update

2021-06-03 07:54:25

almalinux

Important: polkit security update

2021-06-03 07:54:47

osv

CVE-2021-3560

2022-02-16 19:15:08

policykit-1 vulnerability

2021-06-03 10:51:20

Important: polkit security update

2021-06-03 07:54:47

packetstorm

Polkit D-Bus Authentication Bypass

2021-07-09 00:00:00

Polkit 0.105-26 0.117-2 Privilege Escalation

2021-06-15 00:00:00

K41410307 : polkit vulnerability CVE-2021-3560

2021-07-14 00:00:00

ubuntu

polkit vulnerability

2021-06-03 00:00:00

fedora

[SECURITY] Fedora 34 Update: polkit-0.117-3.fc34.1

2021-06-07 01:16:40

[SECURITY] Fedora 33 Update: polkit-0.117-2.fc33.1

2021-06-19 01:14:12

cvelist

CVE-2021-3560

2022-02-16 00:00:00

cve

CVE-2021-3560

2022-02-16 19:15:00

redos

ROS-20211223-06

2021-12-23 00:00:00

photon

Important Photon OS Security Update - PHSA-2021-0037

2021-06-03 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0397

2021-06-03 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-2.0-0350

2021-06-04 00:00:00

attackerkb

CVE-2021-3560

2022-02-16 00:00:00

thn

7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access

2021-06-11 07:47:00

12-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access

2022-01-26 05:39:00

Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions

2023-10-04 07:21:00

veracode

Denial Of Service (DoS)

2021-06-04 22:46:32

archlinux

[ASA-202106-24] polkit: privilege escalation

2021-06-09 00:00:00

rocky

polkit security update

2021-06-03 07:54:47

alpinelinux

CVE-2021-3560

2022-02-16 19:15:00

zdt

Polkit D-Bus Authentication Bypass Exploit

2021-07-10 00:00:00

Polkit 0.105-26 0.117-2 - Local Privilege Escalation Exploit

2021-06-15 00:00:00

debiancve

CVE-2021-3560

2022-02-16 19:15:00

mageia

Updated polkit packages fix a security vulnerability

2021-06-09 00:45:12

freebsd

polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync

2021-06-03 00:00:00

slackware

[slackware-security] polkit

2021-06-07 19:07:33

prion

Design/Logic Flaw

2022-02-16 19:15:00

ubuntucve

CVE-2021-3560

2021-06-03 00:00:00

oraclelinux

polkit security update

2021-06-04 00:00:00

exploitdb

Polkit 0.105-26 0.117-2 - Local Privilege Escalation

2021-06-15 00:00:00

seebug

Linux Polkit权限提升漏洞（CVE-2021-3560）

2021-06-15 00:00:00

github

Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug

2021-06-10 16:00:52

The GitHub Security Lab’s journey to disclosing 500 CVEs in open source projects

2023-09-21 20:56:46

rapid7blog

Metasploit Wrap-Up

2021-07-16 19:47:06

trellix

The Bug Report - January 2022 Edition

2022-02-02 00:00:00

The Bug Report - January 2022 Edition

2022-02-02 00:00:00

oracle

Oracle Critical Patch Update Advisory - July 2021

2021-07-20 00:00:00