The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of PolicyKit: privilege elevation via pkexec

Synthesis of the vulnerability 

A local attacker can use pkexec, in order to execute code with root privileges.
Impacted systems: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity of this alert: 2/4.
Creation date: 20/04/2011.
References of this alert: BID-47496, CERTA-2003-AVI-005, CVE-2011-1485, DSA-2319-1, FEDORA-2011-5676, MDVSA-2011:086, openSUSE-SU-2011:0412-1, openSUSE-SU-2011:0413-1, RHSA-2011:0455-01, SSA:2011-109-01, SUSE-SR:2011:008, VIGILANCE-VUL-10583.

Description of the vulnerability 

The PolicyKit suite provides the pkexec utility, which is used to execute a command with a uid (user id) different from the uid of the current user.

pkexec determines the uid of the process that called it, in order to know the uid of the pkexec user. However, if this process uses exec() to replace itself with a suid root process, pkexec obtains uid zero and deduces that root called pkexec. Security measures are then bypassed.

A local attacker can therefore use pkexec, in order to execute code with root privileges.
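The identity check described above, as an added C illustration (not polkit's code and not part of the advisory): it contrasts looking up the caller's uid by PID at check time with using the uid the helper itself inherited at exec() time. The function names, the use of /proc/<pid>/status as the lookup source, and the sample status text are assumptions made for the example.

```c
/* Added illustration, not polkit code: two ways a setuid helper can decide
 * which user invoked it. The /proc sample text below is constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pull real and effective uid out of the "Uid:" line of a
 * /proc/<pid>/status text. Returns 0 on success, -1 if no such line. */
int parse_status_uids(const char *status, uid_t *ruid, uid_t *euid) {
    const char *line = status;
    unsigned int r, e;
    while (line != NULL && *line != '\0') {
        if (sscanf(line, "Uid: %u %u", &r, &e) == 2) {
            *ruid = (uid_t)r; *euid = (uid_t)e;
            return 0;
        }
        line = strchr(line, '\n');
        if (line != NULL) line++;
    }
    return -1;
}

/* Racy pattern: look the caller up by PID at check time. If that PID has
 * since exec()ed a setuid-root program, the effective uid read here is 0. */
int euid_by_pid_lookup(pid_t pid, uid_t *euid) {
    char path[64], buf[4096];
    uid_t ruid; size_t n; FILE *f;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    if ((f = fopen(path, "r")) == NULL) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status_uids(buf, &ruid, euid);
}

/* Safer pattern: the helper's own real uid is inherited at exec() time and
 * cannot be altered afterwards by the process that launched it. */
uid_t invoking_uid_inherited(void) { return getuid(); }
/* Constructed status excerpts: a uid-1000 process before and after it
 * exec()s a setuid-root binary (fields: real, effective, saved, fs). */
const char STATUS_BEFORE[] = "Name:\tcaller\nUid:\t1000\t1000\t1000\t1000\n";
const char STATUS_AFTER[] = "Name:\tsuidprog\nUid:\t1000\t0\t0\t0\n";

int main(void) {
    uid_t r = 0, e = 0;
    parse_status_uids(STATUS_AFTER, &r, &e);
    printf("after exec: real=%u effective=%u\n", (unsigned)r, (unsigned)e);
}
```

The same PID reports effective uid 1000 in the first sample and 0 in the second, which is why a decision based on a late lookup by PID cannot be trusted.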

This vulnerability impacts software or systems such as Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this security announcement is medium.

The trust level is "confirmed by the editor", and the origin of the attack is "user shell".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this vulnerability.

Solutions for this threat 

PolicyKit: patch.
Five patches are available in information sources.
Version 0.102 will be corrected:
  http://hal.freedesktop.org/releases/

Debian: new policykit-1 packages.
New packages are available:
  policykit-1 0.96-4+squeeze1

Fedora 14: new polkit packages.
New packages are available:
  Fedora 14: polkit-0.98-5.fc14

Mandriva: new polkit packages.
New packages are available:
 - Mandriva Linux 2010.1: libpolkit1_0-0.96-2.1

openSUSE: new polkit packages.
New packages are available:
  openSUSE 11.3 : polkit-doc-0.96-5.3.1
  openSUSE 11.4 : polkit-doc-0.99-5.6.1

RHEL 6.0: new polkit packages.
New packages are available:
  polkit-0.96-2.el6_0.1

Slackware: new polkit packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/polkit-1_14bdfd8-i486-2_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/polkit-1_14bdfd8-x86_64-2_slack13.1.txz

SUSE: new libtiff packages (03/05/2011).
New packages are available, as indicated in information sources.