Detections
Analytics

FreeBSD : polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync (36a35d83-c560-11eb-84ab-e0d55e2a8bf9)

high Nessus Plugin ID 150314

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Cedric Buissart reports :

The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ':1.96', to dbus-daemon. These unique names are assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it.

Solution

Update the affected package.

See Also

https://seclists.org/oss-sec/2021/q2/180

https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a

http://www.nessus.org/u?3d4c0e75

Plugin Details

Severity: High

ID: 150314

File Name: freebsd_pkg_36a35d83c56011eb84abe0d55e2a8bf9.nasl

Version: 1.5

Type: local

Published: 6/7/2021

Updated: 12/27/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-3560

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:polkit, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/4/2021

Vulnerability Publication Date: 6/3/2021

CISA Known Exploited Vulnerability Due Dates: 6/2/2023

Exploitable With

Metasploit (Polkit D-Bus Authentication Bypass)

Reference Information

CVE: CVE-2021-3560