7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.012 Low
EPSS
Percentile
84.8%
Cedric Buissart reports:
The function polkit_system_bus_name_get_creds_sync is used to get the
uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is
typically something like β:1.96β, to dbus-daemon. These unique names
are assigned and managed by dbus-daemon and cannot be forged, so this
is a good way to check the privileges of the requesting process.
The vulnerability happens when the requesting process disconnects from
dbus-daemon just before the call to
polkit_system_bus_name_get_creds_sync starts. In this scenario, the
unique bus name is no longer valid, so dbus-daemon sends back an error
reply. This error case is handled in
polkit_system_bus_name_get_creds_sync by setting the value of the
error parameter, but it still returns TRUE, rather than FALSE.
This behavior means that all callers of
polkit_system_bus_name_get_creds_sync need to carefully check whether
an error was set. If the calling function forgets to check for errors
then it will think that the uid of the requesting process is 0 (because
the AsyncGetBusNameCredsData struct is zero initialized). In other
words, it will think that the action was requested by a root process,
and will therefore allow it.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.012 Low
EPSS
Percentile
84.8%