
7-year-old privilege escalation vulnerability in Polkit Linux service patched

A seven-year-old vulnerability in the polkit service allows a local user with minimal rights to escalate them to root with little effort. The problem affects a number of Linux distributions; the maintainers of the Polkit project (formerly PolicyKit) released a patch on June 3.

Polkit is a system service, used by systemd components and other D-Bus services, that mediates between programs running with different privilege levels and allows or denies privileged actions according to the configured authorization policies. CVE-2021-3560 lets an unprivileged local user bypass this arbiter: according to the CVE description, when the requesting process disconnects from the bus before polkit has finished looking up its credentials, polkit fails to verify who made the request and can grant it anyway, exposing actions and data that should be out of reach for an ordinary user.

The bug was introduced by a commit on November 9, 2013 and shipped in every polkit release since, from 0.113 through 0.118. It was discovered by Kevin Backhouse of GitHub Security Lab and fixed in polkit 0.119.

CVE-2021-3560 has been confirmed for RHEL 8, Fedora 21 and later, Debian 11 (Bullseye), and Ubuntu 20.04 LTS, 20.10 and 21.04; the distributions have already released updates. Note that the upstream version number is not a reliable indicator: Debian and Ubuntu ship a 0.105-based policykit-1 package that carries the affected code as a backport, so check the installed distribution package (policykit-1 on Debian and Ubuntu, polkit on RHEL and Fedora) against the vendor's advisory rather than the upstream release.

Source: anti-malware.ru

14 June 2021
