Threat Alert

by IthacaLabs™

THREAT LEVEL/High 11/06/2021

7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.


We have observed that a seven-year-old privilege escalation vulnerability affecting the “polkit” system service, has been identified.

The vulnerability could be exploited by a malicious unprivileged local attacker to bypass authorization and escalate permissions to the root user.

Polkit is a system service installed by default on many Linux distributions. It’s used by “systemd”, so any Linux distribution that uses “systemd” also uses “polkit”.

Tracked as CVE-2021-3560 the vulnerability can be exploited with a few standard command line tools, like bash, kill, and dbus-send.

In more detail, when a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.



Affected Systems

  • Any Linux distribution that uses systemd.


You should proceed and apply the patches as soon as possible to mitigate the risk and avoid attacks that could exploit the aforementioned weaknesses.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution and always have enabled an active event security logging and practice event monitoring. To protect the valuable assets of your business and be compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.


Get the latest Threat Alerts in your inbox.