Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix of CVE-2019-6133, PID reuse via slow fork

  - Resolves: rhbz#1667310

An updated rhev-hypervisor6 package that fixes one security issue and various bugs is now available.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization Hypervisor through the 3.2 Manager administration portal, the Host may appear with the status of 'Install Failed'. If this happens, place the host into maintenance mode, then activate it again to get the host back to an 'Up' state

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote attacker able to initiate a SPICE connection to the guest could use this flaw to crash the guest. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers :

CVE-2013-4162 and CVE-2013-4299 (kernel issues)

CVE-2013-4296 and CVE-2013-4311 (libvirt issues)

CVE-2013-4288 (polkit issue)

This update also contains the fixes from the following advisories :

* vdsm: https://rhn.redhat.com/errata/RHBA-2013-1462.html

* ovirt-node: https://rhn.redhat.com/errata/RHBA-2013-1461.html

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues.

The remote host is affected by the vulnerability described in GLSA-201406-27 (polkit, Spice-Gtk, systemd, HPLIP, libvirt: Privilege escalation)

    polkit has a race condition which potentially allows a process to change       its UID/EUID via suid or pkexec before authentication is completed.
  Impact :

    A local attacker could start a suid or pkexec process through a       polkit-enabled application, which could result in privilege escalation or       bypass of polkit restrictions.
  Workaround :

    There is no known workaround at this time.

the following security issue was fixed for HPLIP 3.13.10: usage of an insecure polkit DBUS API (fix for bnc#836937 and CVE-2013-4325 that are related to CVE-2013-4288 and bnc#835827).

This systemd update fixes several security issue.

  - polkit-Avoid-race-condition-in-scraping-proc.patch     VUL-0: polkit: process subject race condition     (bnc#836932) CVE-2013-4288.

This systemd update fixes several security and non-security issues.

  - polkit-Avoid-race-condition-in-scraping-proc.patch:
    VUL-0: polkit: process subject race condition     (bnc#836932) CVE-2013-4288.

  - Don't use a trigger to create symlink for sysctl.conf,     always run the test on %post (bnc#840864).

  - Move symlink migration trigger to post (bnc#821800).

  - Add systemd-fix-crash-listing-session-files.patch     (bnc#840055).

Updated polkit packages fix security vulnerability :

A race condition was found in the way the PolicyKit pkcheck utility checked process authorization when the process was specified by its process ID via the --process option. A local user could use this flaw to bypass intended PolicyKit authorizations and escalate their privileges (CVE-2013-4288).

Note: Applications that invoke pkcheck with the --process option need to be modified to use the pid,pid-start-time,uid argument for that option, to allow pkcheck to check process authorization correctly.

Because of the change in the PolicyKit API, hplip (CVE-2013-4325), rtkit (CVE-2013-4326), and systemd (CVE-2013-4327) packages have been updated to use a different API that is not affected by this PolicyKit vulnerability.

This release fixes CVE-2013-4288: Race condition with process subjects that do not have securely determined uid.

pkcheck(1) now supports a new format for the --process argument; all applications need to use the new format to avoid a race condition (or use --system-bus-name to identify the process instead).

Similarly, applications using the API should always use polkit_unix_process_new_for_owner(). polkit_unix_process_new() and polkit_unix_process_new_full() are unsafe and have been deprecated.

Thanks to Sebastian Krahmer of the SUSE Security Team for reporting this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A race condition was found in the way the PolicyKit pkcheck utility checked process authorization when the process was specified by its process ID via the --process option. A local user could use this flaw to bypass intended PolicyKit authorizations and escalate their privileges. (CVE-2013-4288)

Note: Applications that invoke pkcheck with the --process option need to be modified to use the pid,pid-start-time,uid argument for that option, to allow pkcheck to check process authorization correctly.

The system must be rebooted for this update to take effect.

Updated polkit packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

PolicyKit is a toolkit for defining and handling authorizations.

A race condition was found in the way the PolicyKit pkcheck utility checked process authorization when the process was specified by its process ID via the --process option. A local user could use this flaw to bypass intended PolicyKit authorizations and escalate their privileges. (CVE-2013-4288)

Note: Applications that invoke pkcheck with the --process option need to be modified to use the pid,pid-start-time,uid argument for that option, to allow pkcheck to check process authorization correctly.

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

All polkit users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2013-1270 advisory.

    - Include fix for CVE-2013-4288
    - Include fixes for CVE-2011-1485

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that polkit didn't allow applications to use the pkcheck tool in a way which prevented a race condition in the UID lookup. A local attacker could use this flaw to possibly escalate privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
122573	OracleVM 3.3 / 3.4 : polkit (OVMSA-2019-0008)	Nessus	OracleVM Local Security Checks	medium
78977	RHEL 6 : rhev-hypervisor6 (RHSA-2013:1460)	Nessus	Red Hat Local Security Checks	high
76271	GLSA-201406-27 : polkit, Spice-Gtk, systemd, HPLIP, libvirt: Privilege escalation	Nessus	Gentoo Local Security Checks	high
75183	openSUSE Security Update : hplip (openSUSE-SU-2013:1617-1)	Nessus	SuSE Local Security Checks	high
75159	openSUSE Security Update : systemd (openSUSE-SU-2013:1527-1)	Nessus	SuSE Local Security Checks	high
75158	openSUSE Security Update : systemd (openSUSE-SU-2013:1528-1)	Nessus	SuSE Local Security Checks	high
70185	Mandriva Linux Security Advisory : polkit (MDVSA-2013:243)	Nessus	Mandriva Local Security Checks	high
70063	Fedora 20 : polkit-0.112-1.fc20 (2013-17160)	Nessus	Fedora Local Security Checks	high
70047	Fedora 18 : polkit-0.107-6.fc18 (2013-17197)	Nessus	Fedora Local Security Checks	high
70038	Fedora 19 : polkit-0.112-1.fc19 (2013-17191)	Nessus	Fedora Local Security Checks	high
70016	Scientific Linux Security Update : polkit on SL6.x i386/x86_64 (20130919)	Nessus	Scientific Linux Local Security Checks	high
70010	RHEL 6 : polkit (RHSA-2013:1270)	Nessus	Red Hat Local Security Checks	high
70006	Oracle Linux 6 : polkit (ELSA-2013-1270)	Nessus	Oracle Linux Local Security Checks	high
69998	CentOS 6 : polkit (CESA-2013:1270)	Nessus	CentOS Local Security Checks	high
69971	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : policykit-1 vulnerability (USN-1953-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2013-4288

high

Tenable Plugins

medium

high

high

high

high

high

high

high

high

high

high

high

high

high

high