Nasty Linux systemd root level security bug revealed and patched:
This obnoxious Linux systemd bug has been fixed, which means if you're running most recent Linux distributions, you'll need to patch it now.
The good news is the seven-year-old security bug in Linux systemd's polkit, used in many Linux distros, has been patched. The bad news is that it was ever there in the first place. Polkit, which systemd uses in place of sudo, enables unauthorized users to run privileged processes they otherwise couldn't run. It turned out that you could also abuse polkit to get root access to a system.
The power to grab root privileges is the ultimate evil in Unix and Linux systems. Kevin Backhouse, a member of the GitHub Security Lab, found the polkit security hole in the course of his duties. He revealed it to the polkit maintainers and Red Hat's security team. Then, when a fix was released on June 3, 2021, it was publicly disclosed as CVE-2021-3560.
Backhouse found an unauthorized local user could easily get a root shell on a system using a few standard shell tools such as bash, kill, and dbus-send. Oddly enough, while the bug is quite old, it only recently started shipping in the most popular Linux distributions. For example, if you're running Red Hat Enterprise Linux (RHEL) 7, Debian 10, or Ubuntu 18.04, you're invulnerable to this security hole. But if you're running the newer RHEL 8, Debian testing, or Ubuntu 20.04, you can be attacked with it.
Why? Because this buggy code hadn't been used in most Linux distros. Recently, however, the vulnerable code was backported into shipping versions of polkit. An old security hole was given a new lease on life.
That's not the only reason this bug hid in plain sight for so long. Backhouse explained the security hole isn't triggered every time you run programs that can call it. Why? It turns out that polkit asks dbus-daemon for the UID [User ID] of the requesting process multiple times, on different codepaths. Most of those codepaths handle the error correctly, but one of them doesn't. If you kill the dbus-send command early, it's handled by one of the correct codepaths and the request is rejected. To trigger the vulnerable codepath, you have to disconnect at just the right moment. And because there are multiple processes involved, the timing of that "right moment" varies from one run to the next. That's why it usually takes a few tries for the exploit to succeed. I'd guess it's also the reason why the bug wasn't previously discovered.
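The failure mode Backhouse describes, a UID lookup whose error is mishandled on one codepath, is the kind of fail-open bug that is easy to model. The following is a constructed Python example added here, not polkit's code and not from the article: a fake bus that cannot answer a "who is this connection?" query once the client has gone away, a lookup that swallows the error and leaves the UID at its zero initial value (which a policy check then reads as root), and a fail-closed lookup that reports "unknown" so the request is refused. All names (`FakeBus`, `vulnerable_lookup_uid`, `fixed_lookup_uid`, `authorize`) and the toy policy are assumptions for illustration.

```python
"""Constructed model of a fail-open vs. fail-closed UID lookup (not polkit's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

ROOT_UID = 0


class BusError(Exception):
    """Raised when the bus cannot answer because the requester has disconnected."""


@dataclass
class FakeBus:
    # Hypothetical stand-in for dbus-daemon: maps connection name -> owning UID.
    # A name that is absent models a client that disconnected before the
    # authorization service asked who it was.
    connections: Dict[str, int] = field(default_factory=dict)

    def get_connection_unix_user(self, name: str) -> int:
        if name not in self.connections:
            raise BusError(f"name {name!r} has no owner (client disconnected)")
        return self.connections[name]


def vulnerable_lookup_uid(bus: FakeBus, name: str) -> int:
    """Fail-open pattern: the error is swallowed and uid keeps its initial 0.

    This mirrors a C out-parameter that is zero-initialised before the call and
    never checked after it, so an unanswered query looks like UID 0 (root).
    """
    uid = 0
    try:
        uid = bus.get_connection_unix_user(name)
    except BusError:
        pass  # defect: error ignored, uid still 0
    return uid


def fixed_lookup_uid(bus: FakeBus, name: str) -> Optional[int]:
    """Fail-closed pattern: an error means 'identity unknown', never a UID."""
    try:
        return bus.get_connection_unix_user(name)
    except BusError:
        return None


def authorize(uid: Optional[int], action: str) -> str:
    """Toy policy: unknown identity is refused; root is implicitly allowed;
    everyone else must authenticate for the privileged action."""
    if uid is None:
        return "denied"
    if uid == ROOT_UID:
        return "allowed"
    return "auth_required"


def decide(bus: FakeBus, name: str, action: str,
           lookup: Callable[[FakeBus, str], Optional[int]]) -> str:
    """Resolve the requester's UID with the given lookup, then apply the policy."""
    return authorize(lookup(bus, name), action)


if __name__ == "__main__":
    # Constructed sample: one live unprivileged client; ":1.99" has gone away.
    bus = FakeBus({":1.42": 1000})
    for client in (":1.42", ":1.99"):
        for lookup in (vulnerable_lookup_uid, fixed_lookup_uid):
            print(f"{client:6} {lookup.__name__:22} -> "
                  f"{decide(bus, client, 'create-user', lookup)}")
```

The disconnected client is the interesting row: with the fail-open lookup the request is "allowed" because 0 was never distinguished from "no answer", while the fail-closed lookup returns "denied". The general lesson for any authorization service that asks a third party for a caller's identity is that the error branch must produce a value the policy cannot mistake for a real principal.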
(Score: 2, Touché) by Anonymous Coward on Thursday June 17, @01:17PM
>> The power to grab root privileges is the ultimate evil in Unix and Linux systems
No, I think this article proves that Poettering is the ultimate evil.
(Score: 2, Insightful) by Anonymous Coward on Thursday June 17, @01:18PM (2 children)
Put this on the same pile as "just rewrite it in Rust"(*).
Things that have been around for a long time work; rewriting them in the new-language-hotness-of-the-day or new fancy javascript framework that won't last longer than a carton of milk kept outside of your fridge, opens you up to reintroducing bugs (blatant, hidden, subtle, and hidden) that your original project took years to weed out and eliminate.
I predict that the whole "just rewrite it in Rust" is going to produce a bunch of similar things like this in the years to come.
(*) I realize I'm picking on Rust here, and that this is not localized to just that movement.
(Score: 2) by isostatic on Thursday June 17, @01:31PM
systemd is a special type of awfulness though.
After being faced with a nodejs smoking hole of crap that a developer had dumped on me and was constantly breaking and requiring pm2 restarts etc, then unceremoniously broke one day, I spent 3 hours rewriting the whole thing in 200 lines of perl and a bit of jquery, because I've got better things to do.
Developer of course had got bored and moved on to the latest and greatest thing. nodejs/react is very 2020, he's now on something else (I forget what).
(Score: 0) by Anonymous Coward on Thursday June 17, @01:36PM
The rust rewrite is to be memory safe, something that is hard to control (or if you prefer, easy to use wrongly) in C and C++. That alone is the source of a huge amount of security problems.
This bug was bad application design (wrong error handling and bad fallback), something that would fail in all languages.
So the rust argument here doesn't apply.
(Score: 2) by JoeMerchant on Thursday June 17, @01:19PM
This is why our kiosk systems absolutely forbid shell access (including ssh) to unknown users.
