FreeBSD : polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync (36a35d83-c560-11eb-84ab-e0d55e2a8bf9)

high Nessus Plugin ID 150314

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Cedric Buissart reports :

The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ':1.96', to dbus-daemon. These unique names are assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it.

Solution

Update the affected package.

See Also

https://seclists.org/oss-sec/2021/q2/180

https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a

http://www.nessus.org/u?3d4c0e75

Plugin Details

Severity: High

ID: 150314

File Name: freebsd_pkg_36a35d83c56011eb84abe0d55e2a8bf9.nasl

Version: 1.2

Type: local

Published: 6/7/2021

Updated: 7/12/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:polkit, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/4/2021

Vulnerability Publication Date: 6/3/2021

Exploitable With

Metasploit (Polkit D-Bus Authentication Bypass)

Reference Information

CVE: CVE-2021-3560