CVE-2021-3560
Published: 16 February 2022
Summary
CVE-2021-3560 is a high-severity Incorrect Authorization (CWE-863) vulnerability in polkit, as shipped with Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2021-3560 is a privilege escalation flaw in polkit: polkit can be tricked into bypassing the credential checks it performs on D-Bus requests, so a request from an unprivileged process is handled as though the requestor were authorized. Successful exploitation elevates the privileges of the requestor to root. The vulnerability is tracked under CWE-863 (Incorrect Authorization) and CWE-754 (Improper Check for Unusual or Exceptional Conditions) and carries a CVSS 3.1 base score of 7.8.
An unprivileged local attacker can exploit the issue to perform actions such as creating a new local administrator account. The CVSS 3.1 vector reflects local access, low attack complexity, low privileges required, and no user interaction, with high impact to confidentiality, integrity, and availability.
Public references, including a Red Hat Bugzilla entry and a detailed analysis on the GitHub Security Lab blog, discuss the flaw and link to related proof-of-concept material on Packet Storm.
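Two checks a practitioner may want after reading this entry, given here as an added example rather than code from this page, the polkit project, or the referenced analyses. The first classifies a polkit version string against the upstream range that carried the bug (introduced in 0.113, fixed in 0.119; a fact about upstream polkit, not stated on this page). Distributions backport fixes without changing that number, so treat the result as a triage hint to confirm against the vendor advisory, such as the Red Hat Bugzilla entry cited above. The second scans Linux audit ADD_USER records for accounts created by a uid-0 process with no login session (auid and ses unset), which is how an account created through a privileged system daemon, the outcome this CVE enables, differs from an administrator running useradd from a shell. The audit lines are constructed for the example, and the function names are the example's own.

```python
"""Triage helpers for CVE-2021-3560 (polkit D-Bus credential-check bypass).

Added example; not code from this page, the polkit project, or the cited
analyses. Function names and the audit sample are the example's own.
"""
import re
import subprocess

# Upstream polkit range that carried the bug: introduced in 0.113, fixed in
# 0.119 (a fact about upstream polkit, not stated on the page). Distributions
# backport fixes without bumping this number, so the result is a triage hint
# to be confirmed against the vendor advisory, not a verdict.
VULN_INTRODUCED = (0, 113)
VULN_FIXED = (0, 119)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_polkit_version(text):
    """Return (major, minor) from text like 'pkaction version 0.115'
    or a package NVR like 'polkit-0.117-2.fc34'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no polkit version found in %r" % text)
    return int(m.group(1)), int(m.group(2))


def upstream_polkit_status(text):
    """Classify a version string against the upstream vulnerable range."""
    v = parse_polkit_version(text)
    if v < VULN_INTRODUCED:
        return "predates-bug"
    if v < VULN_FIXED:
        return "in-upstream-vulnerable-range"
    return "upstream-fixed"


# Linux audit: auid/ses are (unsigned)-1 when the process never went through
# a login session, i.e. it descends from a system daemon rather than a user.
AUDIT_UNSET = "4294967295"

# key=value pairs; values may be double-quoted (acct="boris") or bare.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Flatten one audit record, including the quoted msg='...' payload,
    into a dict. Later keys overwrite earlier ones (the outer msg=audit(...)
    field is superseded by the inner msg='op=...' payload, which is fine here)."""
    return {k: v.strip("\"'") for k, v in _KV_RE.findall(line)}


def suspicious_account_creations(lines):
    """Successful ADD_USER records where the creating process ran as uid 0
    with no login session. Legitimate provisioning (cloud-init, config
    management) produces the same shape, so these are leads, not verdicts."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "ADD_USER" or rec.get("res") != "success":
            continue
        if (rec.get("uid") == "0"
                and rec.get("auid") == AUDIT_UNSET
                and rec.get("ses") == AUDIT_UNSET):
            hits.append({"acct": rec.get("acct"), "pid": rec.get("pid"),
                         "exe": rec.get("exe")})
    return hits


# Constructed audit records for the example (not captured from a real host).
SAMPLE_AUDIT = [
    # Administrator adding an account from a root shell: auid and ses are set.
    'type=ADD_USER msg=audit(1623000000.101:201): pid=3120 uid=0 auid=1000 ses=4 '
    'msg=\'op=adding user acct="alice" exe="/usr/sbin/useradd" '
    'hostname=? addr=? terminal=pts/0 res=success\'',
    # Account created via a system daemon: uid 0 but no login session.
    'type=ADD_USER msg=audit(1623000000.202:202): pid=3177 uid=0 '
    'auid=4294967295 ses=4294967295 '
    'msg=\'op=adding user acct="boris" exe="/usr/sbin/useradd" '
    'hostname=? addr=? terminal=? res=success\'',
    # Same shape but the creation failed: ignored.
    'type=ADD_USER msg=audit(1623000000.303:203): pid=3190 uid=0 '
    'auid=4294967295 ses=4294967295 '
    'msg=\'op=adding user acct="mallory" exe="/usr/sbin/useradd" '
    'hostname=? addr=? terminal=? res=failed\'',
    # Unrelated record type: ignored.
    'type=USER_LOGIN msg=audit(1623000000.404:204): pid=3201 uid=0 auid=1000 ses=5 '
    'msg=\'op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 '
    'terminal=ssh res=success\'',
]


if __name__ == "__main__":
    try:
        out = subprocess.run(["pkaction", "--version"], capture_output=True,
                             text=True, check=True).stdout
        print("local polkit:", out.strip(), "->", upstream_polkit_status(out))
    except (OSError, subprocess.CalledProcessError):
        print("pkaction not available; skipping local version check")
    for hit in suspicious_account_creations(SAMPLE_AUDIT):
        print("account created outside any login session:", hit)
```

Feed `suspicious_account_creations` the output of `ausearch -m ADD_USER` on a host you are investigating; a hit whose exe is useradd and whose subject is a system daemon warrants correlating against the polkit and accounts service journals for the same timestamp. An RHEL 8 polkit 0.115 build with the fix backported still reads as in-range to `upstream_polkit_status`, which is why the version check is only a starting point.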
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-26871
Vulnerability details
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
- CWE(s): CWE-863, CWE-754
- KEV Date Added: 12 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces credential-based access decisions for D-Bus requests, the exact check this bypass defeats; in practice that means running a patched polkit so the check is actually performed before privileges are elevated to root.
- AC-6 (Least Privilege): limits the privileges assigned to processes and users so that even a successful polkit bypass cannot trivially grant full root/administrator rights.
- Requires reliable identification and authentication of the requestor before polkit authorizes any privileged D-Bus operation.