Patch Released for 7-Year-Old Privilege Escalation Bug In Linux Service Polkit (github.blog)
Long-time Slashdot reader wildstoo writes: In a blog post on Thursday, GitHub security researcher Kevin Backhouse announced that Polkit, a Linux system service included in several modern Linux distros that provides an organized way for non-privileged processes to communicate with privileged ones, has been harbouring a major security bug for seven years.
The bug, assigned CVE-2021-3560, allows a non-privileged user to gain administrative shell access with a handful of standard command line tools. The bug was fixed on June 3, 2021 in a coordinated disclosure.
"It's used by systemd," GitHub's blog post points out, "so any Linux distribution that uses systemd also uses polkit..."
"It's very simple and quick to exploit, so it's important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04."
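The summary gives a version range (0.113 and later affected; a commenter below names 0.119 as the fixed release) but no way to check a host. The following POSIX shell snippet is an added example, not part of the Slashdot summary or of GitHub's post: it classifies a polkit version string against that range and tries to read the locally installed version. It assumes `pkcheck --version` prints a string containing the upstream version (the option exists in the polkit CLI tools; the exact output format is an assumption here). A version number alone is not conclusive on distributions that backport fixes without bumping the upstream version, so treat "in-affected-range" as "check your vendor's advisory for CVE-2021-3560", not as a confirmed finding.

```shell
#!/bin/sh
# Added example: classify a polkit version against the range given in the
# summary (0.113+ affected) and the fix release named in the thread (0.119).
# Version strings on distro packages may carry backported fixes; confirm
# against the vendor advisory before concluding anything.

FIRST_AFFECTED=113
FIXED=119

# polkit_version_status "0.118"
# Prints one of: before-affected-range | in-affected-range | fixed-or-later | unparseable
polkit_version_status() {
    ver="$1"
    case "$ver" in
        0.[0-9]*) ;;                      # upstream polkit versions are 0.NNN
        *) echo "unparseable"; return 0 ;;
    esac
    minor=$(printf '%s' "$ver" | sed -n 's/^0\.\([0-9][0-9]*\).*/\1/p')
    if [ -z "$minor" ]; then
        echo "unparseable"; return 0
    fi
    if [ "$minor" -lt "$FIRST_AFFECTED" ]; then
        echo "before-affected-range"
    elif [ "$minor" -lt "$FIXED" ]; then
        echo "in-affected-range"
    else
        echo "fixed-or-later"
    fi
    return 0
}

# installed_polkit_version: best-effort read of the local polkit version.
# Assumption: `pkcheck --version` prints text containing "0.NNN".
# Prints nothing and returns 1 when pkcheck is not installed.
installed_polkit_version() {
    command -v pkcheck >/dev/null 2>&1 || return 1
    pkcheck --version 2>/dev/null | sed -n 's/.*\(0\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# report: one-line summary for the current host.
report() {
    v=$(installed_polkit_version) || { echo "polkit: pkcheck not found, nothing to check"; return 0; }
    echo "polkit $v: $(polkit_version_status "$v")"
}

report
```

Run it as a normal user on each host; it needs no privileges. On Debian's 0.109 (mentioned further down the thread) it prints "before-affected-range"; on a stock 0.115 or 0.118 it prints "in-affected-range", which is the cue to look at the distribution's advisory rather than a verdict.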
Re: (Score:1)
It is NOT part of the kernel, it is a package used by systemd. The fixed version is 0.119
Re: (Score:2)
> It is NOT part of the kernel, it is a package used by systemd. The fixed version is 0.119
It's a package that predates systemd by well over a year, and predates systemd-logind by 4 years. It was included in distributions before systemd existed and is part of systemd free systems such as Gentoo and Devuan.
Re: (Score:1)
> ... is part of systemd free systems such as Gentoo and Devuan.
Also, PCLinuxOS.
Not in this house. (Score:5, Funny)
7 year old? No no no, that's something that happens to that other OS.
Re:Not in this house. (Score:5, Funny)
I guess the many eyes missed this one.
Re: (Score:1)
I guess they were too busy watching reruns of Microsoft's 90s/00s antitrust trial whilst circle jerking each other off.
Just like with heartbleed.
Just like with shellshock.
The reality is many eyes doesn't work for the same reason we never got the year of Linux on the desktop and most FOSS software is horrible to use - developers developing in their spare time just don't want to do the boring stuff like UX, testing, and security auditing. A closed source proprietary product paying developers to do the boring
Twice a day (Score:1)
> closed source proprietary product paying developers to do the boring stuff will always produce better software than a bunch of open source developers
If you want to Ra Ra Ra cheer for "your team" that's cool. Have fun with that. Each year when something comes up with Linux you can cheer and have a great time.
If security actually matters to you at all, if you're in any way responsible for a system that handles other people's data -
Microsoft averages 76 new vulnerabilities each patch Tuesday. 76 per month.
Re: (Score:2)
They couldn't find it in that obfuscated clusterfuck
Nope. Nobody said "all bugs are don't exist" (Score:4, Informative)
ESR didn't say "all bugs are don't exist".
I'm pretty sure I've explained this to you before, so I think you actually know better.
ESR didn't say "all bugs are don't exist", if that's what you thought. He didn't say "there are never any bugs in open source software".
Around that time, Internet Explorer had a known issue that Microsoft had listed on MSDN for two years, with no fix. Two years after publication of CATB, four years after the issue was known, Microsoft released a partial fix - because they couldn't figure out how to actually fix it. It was another three years before the responsible team at Microsoft finally fixed the bug. Seven years from finding the bug to a proper fix.
The "many eyes" quote you referred to is:
--
Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.
Or, less formally, "Given enough eyeballs, all bugs are shallow." I dub this: "Linus's Law".
My original formulation was that every problem "will be transparent to somebody". Linus demurred that the person who understands and fixes the problem is not necessarily or even usually the person who first characterizes it. "Somebody finds the problem," he says, "and ***somebody else understands it.***"
--
When Shellshock came out, just on one mailing list alone there were about 150 of us looking at it and trying to find the best solution. People were proposing different patches and adjustments to the functionality. We were digging deep into the problem. A few hours after Shellshock came out, Florian Weimer said on the list that the issue could not be "fixed", the feature couldn't be patched to make it safe. He said the feature needed to just be disabled, removed, because it could not be made safe. Over the next two days several people submitted patches to make it safe. For every suggested patch, someone found a way around it. None of the patches made it secure.
About 2 1/2 days in, it became apparent to everyone that every patch was bound to fail; we started to see why you simply couldn't have that function and be secure. We started to see what Florian had seen immediately. We had been digging deep, trying to understand the implications of every possible change. For Florian it was shallow, the fix was obvious to someone, and that time someone was Florian. "Given enough eyeballs, all bugs are shallow; the fix will be obvious to someone". Not "all bugs are not exist".
Contrast the 2 1/2 days to come to a thorough understanding and proper fix for the bug in the open source vs the seven years the issue languished in IE, with a broken half-fix for three years.
For the current issue, it was fixed June 3rd. "Problem will be characterized quickly" - already fixed, not a known vulnerability languishing for years while script kiddies hit it over and over and over.
Re: (Score:3)
Shellshock was a design flaw... (Score:2)
The trouble with design flaws is that they're harder for people to accept than something not working as designed. The problem goes deeper, and it calls everything into question - the very rationale of the code.
Dare we ask why or whether there should even be embedded macros in documents? Or Javascript? Or multiple commands separated by semicolons in an SQL query? Or cross site image loading in HTML? It's emotionally easier to pretend we can just make these things safe...
Yeah and Florian had no trouble with that (Score:2)
Agreed. Many people were trying to fix it. Fortunately, there were enough eyeballs quickly enough that one pair, Florian, saw what others didn't.
He saw immediately that the bug was having the feature in the first place. He had an intuitive sense that it's fundamentally impossible to give an unknown user control while being safe, and said there would be no such thing as fixing it to be secure.
Seven years! (Score:3, Funny)
Microsoft says "Bah! Child's play! Hold my beer"...
20 years [komando.com]
17 years [msn.com]
In related news - I didn't realize systemd had been inflicted on us for seven years already! Seems more like 100...
Re: (Score:2)
Re: (Score:2)
The "foistening" - what a great word! and guaranteed to piss off people who hate "moist" too.
Re: (Score:2)
If that other OS is proprietary, then it's illegal for anyone but the maker to fix the bugs.
The legality of even searching for bugs is questionable.
I'll take an OS that's legal to fix over one that's not.
My systemd-free Gentoo is just fine (Score:5, Informative)
No issue with my opted out systemd-free Gentoo install....
#Toldyaso.
Re:My systemd-free Gentoo is just fine (Score:5, Insightful)
> No issue with my opted out systemd-free Gentoo install....
> #Toldyaso.
^^^ This. I know the arguments for systemd vs. the traditional init system, but in reality systemd is more trouble than it's worth in many cases. That entire paradigm of ideas leads to not even having easily accessible logs for processes. I mean, I want to be able to look at syslog and see everything. If I need to filter it, I can either use pipes and shell level tools, or I can write a program that goes off and intelligently filters the logs. Systemd, to me, at least, always seemed like somebody's idea of chasing the badly designed Windows Registry and whatever passes for their error reporting system.
Re: (Score:2, Informative)
Journalctl seems to be filled with everything except for what actually matters.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
> ^^^ This. I know the arguments for systemd vs. the traditional init system, but in reality systemd is more trouble than it's worth in many cases.
Congratulations on the low effort post. I mean polkit has nothing to do with systemd, and it was a core component of elogind long before systemd even attempted to take over that portion of Linux systems.
But hey you got to say the word systemd and trouble in the same sentence so no doubt there's lots of +5 informatives coming your way.
Re: (Score:3)
polkit (or policykit) is not part of systemd so I am not sure why systemd is mentioned in the article. As far as I know, this is not even a dependency of systemd.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'm talking garbage, of course. dbus has nothing to do with systemd. It's late here and I'm tired.
Don't beat yourself up, it's not a bad first guess to assume any particular piece of software has already been ingested into systemd until it's been demonstrated otherwise.
If not it's probably just a matter of time anyway.
Re: (Score:2)
> No issue with my opted out systemd-free Gentoo install....
Are you sure? Did you just see the word systemd and assume you're safe not realising that this program long predates polkit, and is a default install for any system that includes elogind (as opposed to systemd-logind) which includes basically the default install of nearly every KDE / Gnome system?
Re: My systemd-free Gentoo is just fine (Score:2)
I also opted out of KDE and Gnome. One of those crazy terminal Vim users who prefers the command line. Xfce4 if I have to X.
Re: (Score:2)
Just because you don't have systemd it doesn't mean you don't have polkit. You have to do quite a bit more to remove it from Gentoo than just using OpenRC.
Re: (Score:2)
Maybe you still live in the Commodore era?
Well, no systemd here (Score:3)
I prefer to use well-written software.
No problem here (Score:2)
The article says Polkit 0.113 and later are vulnerable, so my stock Debian systems (0.109) are fine.
Also, the subject line says 7 years - a bit misleading, as 0.113 (from github) appears to be only 5 years old, and RHEL 8 and Ubuntu 20.04 (the only affected distributions the précis actually names) are much newer than that (2019 and 2020, respectively).
Re: (Score:2)