CVE-2021-3560 — Red Hat Polkit Incorrect Authorization Vulnerability

Linux Polkit — Race Condition in D-Bus Authentication Enabling Local Privilege Escalation to Root; Affects RHEL, Ubuntu, Debian, and Most Linux Distributions

What is Polkit?

Polkit (PolicyKit) is a component used across essentially all major Linux distributions to handle authorization for privileged operations performed by unprivileged processes. When a non-root process (such as a user-space application) needs to perform an action requiring elevated privileges — like changing the system clock, installing software, or creating a new user — it makes a D-Bus request to polkit, which checks whether the requesting process is authorized based on system policies. Because polkit mediates all such privileged-action requests on Linux, a privilege escalation vulnerability in polkit affects the fundamental security boundary between user and root on Linux systems.

Overview

CVE-2021-3560 is an incorrect authorization vulnerability (CWE-863) in polkit that allows a local attacker to bypass credential checks for D-Bus requests, escalating from a low-privileged user to root. The exploit works by timing a race condition: when a process sends a D-Bus authorization request to polkit and then dies very quickly, polkit cannot find the originating process to verify its UID. In some cases, polkit can be tricked into granting the request despite the process death, effectively authorizing an action without valid credentials. Kevin Backhouse of GitHub Security Lab discovered and disclosed this vulnerability. The exploit is reliably triggered with precise timing on affected systems.

Affected Versions

Distribution                 Vulnerable                                  Fixed
RHEL / CentOS / Fedora       Versions with polkit before 0.119           Update polkit package
Ubuntu 20.04 LTS             Versions with polkit before 0.105-26ubuntu1.1   Update polkit package
Ubuntu 18.04 LTS             Versions with polkit before the fix         Update polkit package
Debian                       Versions with polkit before the fix         Update polkit package
Other Linux distributions    Any with polkit < 0.119                     Update polkit package

Technical Details

The race condition in polkit's D-Bus request handling:

  • Root cause: Incorrect authorization (CWE-863) — when polkit handles a D-Bus authentication request, it looks up the requesting process's UID using the PID provided in the D-Bus message. If the process dies between the request being sent and polkit performing the lookup, polkit cannot find the process
  • Race window: The race must be timed so that the requesting process dies after polkit accepts the D-Bus connection but before polkit can look up the process credentials
  • Authorization bypass: When polkit fails to find the requesting process's UID, under certain conditions it can grant the authorization request rather than denying it — the authorization succeeds without credential validation
  • Practical exploitation: Kevin Backhouse demonstrated reliable exploitation by scripting the timing with sleep commands and using specific combinations of D-Bus service calls. The exploit script creates a new root user account on the target system
  • Attack Complexity: Low — despite involving a race condition, the exploit is reliably triggered with scripted timing on affected systems
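The bullets above describe a credential lookup that fails because the caller has already exited, followed by an authorization that should have been denied. The following is an added illustration written for this page, not polkit's source: a toy authority keyed on a constructed PID-to-UID table (standing in for the bus daemon's connection-credential lookup) and hypothetical action ids of my own. It shows one way such a fail-open can arise (an unresolved caller falling through to a default the policy reads as privileged) next to the fail-closed check a defender wants: no identity, no authorization, and an audit record of the failed lookup.

```python
"""Fail-closed vs fail-open handling of a failed caller-credential lookup.

Added model for this page, not polkit's code. PROCESS_TABLE and the action
ids in POLICY are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed stand-in for "which UID owns this connection?": PID -> UID.
# 4242 is an unprivileged user, 1 is init (root).
PROCESS_TABLE = {1: 0, 4242: 1000}

# Hypothetical action ids (not polkit's); each maps to the UIDs allowed to run it.
POLICY = {
    "org.example.accounts.create-user": {0},      # only root
    "org.example.clock.set-time": {0, 1000},      # root or the console user
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Authority:
    process_table: dict
    audit_log: list = field(default_factory=list)

    def lookup_uid(self, pid: int):
        """Return the caller's UID, or None when the process no longer exists."""
        return self.process_table.get(pid)

    def check_vulnerable(self, action: str, pid: int) -> Decision:
        """Fail-open variant: an unresolved caller collapses to the default UID 0."""
        uid = self.lookup_uid(pid) or 0          # bug: a missing caller becomes root
        if uid in POLICY.get(action, set()):
            return Decision(True, f"uid {uid} is allowed to run {action}")
        return Decision(False, f"uid {uid} is not allowed to run {action}")

    def check_hardened(self, action: str, pid: int) -> Decision:
        """Fail-closed variant: deny whenever the caller cannot be identified."""
        uid = self.lookup_uid(pid)
        if uid is None:
            self.audit_log.append(f"DENY action={action} pid={pid} reason=caller-vanished")
            return Decision(False, "caller could not be identified; denied")
        if uid not in POLICY.get(action, set()):
            self.audit_log.append(f"DENY action={action} pid={pid} uid={uid}")
            return Decision(False, f"uid {uid} is not allowed to run {action}")
        return Decision(True, f"uid {uid} is allowed to run {action}")


def race_scenario(check):
    """Caller 4242 sends a request, then exits before the credential lookup runs.

    Returns (decision, authority) so the audit log can be inspected afterwards.
    """
    auth = Authority(dict(PROCESS_TABLE))
    action, pid = "org.example.accounts.create-user", 4242
    del auth.process_table[pid]                   # the caller is gone by lookup time
    return check(auth, action, pid), auth


if __name__ == "__main__":
    print("vulnerable:", race_scenario(Authority.check_vulnerable)[0])
    print("hardened:  ", race_scenario(Authority.check_hardened)[0])
```

The hardened path also gives detection something to work with: a caller that disappears between request and lookup is unusual for legitimate clients, so the "caller-vanished" denial is worth alerting on rather than silently dropping.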

Discovery

Discovered by Kevin Backhouse at GitHub Security Lab. Backhouse coordinated disclosure with Red Hat/polkit maintainers and published a detailed blog post with proof-of-concept exploit code after the patch was released. The exploit demonstrates creating a new privileged user account from a low-privilege shell.

Exploitation Context

Polkit privilege escalation bugs are valuable in post-exploitation, after initial access has been gained through another vulnerability. An attacker who has achieved unprivileged code execution on a Linux server (via web shell, SSH, or application exploitation) can use CVE-2021-3560 to elevate to root without requiring a password. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in May 2023 following confirmed exploitation, reflecting the vulnerability's continued value as a local privilege escalation tool in Linux intrusions.

Remediation

  1. Update the polkit package to version 0.119 or later on all affected Linux systems
  2. On RHEL/CentOS: yum update polkit or dnf update polkit
  3. On Ubuntu/Debian: apt-get update && apt-get upgrade policykit-1
  4. Verify patched version: pkexec --version or rpm -q polkit / dpkg -l policykit-1
  5. This fix is included in distribution security updates — enabling automatic security updates ensures timely patching of polkit and similar system components
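Step 4 verifies the installed version by eye. The following is an added example written for this page, not from the advisory or the polkit project: it parses the output of the two verification commands (`rpm -q polkit` on RHEL/CentOS/Fedora, `dpkg-query -W policykit-1` on Ubuntu/Debian) and compares the installed version with the fixed versions the Affected Versions table gives, upstream 0.119 and 0.105-26ubuntu1.1 for Ubuntu 20.04, using the dpkg version-ordering rules so suffixes like `ubuntu1.1` compare correctly. The sample outputs in `SAMPLES` are constructed, not captured from a host. One caveat a practitioner should keep in mind: enterprise distributions often backport fixes without bumping the upstream version, so a comparison against 0.119 only tells you whether the package is at or past the version the advisory names; the distribution's own advisory is authoritative for its package.

```python
"""Is the installed polkit at or past the fixed version for CVE-2021-3560?

Added example for this page (not the advisory's or polkit's code). Version
ordering follows dpkg: epoch, then upstream, then revision; within each,
alternating non-digit and digit runs, '~' sorting below everything and
letters below other punctuation. SAMPLES are constructed command outputs.
"""
import re
import subprocess
from typing import Optional

# Fixed versions as stated in the advisory's Affected Versions table.
FIXED_VERSIONS = {
    "rpm": "0.119",                       # upstream release carrying the fix
    "ubuntu-20.04": "0.105-26ubuntu1.1",
}

# Constructed output of the verification commands (not captured from a real host).
SAMPLES = {
    "rpm": "polkit-0.119-1.example.x86_64",
    "ubuntu-20.04": "policykit-1\t0.105-26ubuntu1",
}


def _order(s: str, k: int) -> int:
    """dpkg character weight: end-of-string and digits 0, '~' below all, letters below punctuation."""
    if k >= len(s) or s[k].isdigit():
        return 0
    c = s[k]
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights until one side hits a digit or end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: strip leading zeros, then compare numerically by length and first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1                      # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                           # no revision present
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_version(family: str, output: str) -> Optional[str]:
    """Pull the package version out of the tool's output; None if it does not parse."""
    output = output.strip()
    if family == "rpm":
        # `rpm -q polkit` prints name-version-release.arch; release never contains '-'.
        m = re.match(r"^polkit-([^-]+)-[^-]+$", output)
        return m.group(1) if m else None
    parts = output.split()                # `dpkg-query -W policykit-1` -> "policykit-1<TAB><version>"
    return parts[1] if len(parts) == 2 else None


def is_fixed(family: str, output: str) -> Optional[bool]:
    """True when the installed version is at or past the advisory's fixed version."""
    version = installed_version(family, output)
    if version is None:
        return None
    return compare_versions(version, FIXED_VERSIONS[family]) >= 0


def check_host(family: str) -> Optional[bool]:
    """Run the real query on this host; None if the tool is absent or its output is unexpected."""
    cmd = ["rpm", "-q", "polkit"] if family == "rpm" else ["dpkg-query", "-W", "policykit-1"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_fixed(family, out)


if __name__ == "__main__":
    for family, sample in SAMPLES.items():
        print(family, sample.strip(), "->", "fixed" if is_fixed(family, sample) else "vulnerable")
```

`check_host("rpm")` or `check_host("ubuntu-20.04")` runs the live query; the constructed samples show one patched RPM host and one Ubuntu 20.04 host still one revision short of the fix. Ubuntu 18.04 and Debian are not covered because the advisory does not name their fixed package versions.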

Key Details

CVE ID:               CVE-2021-3560
Vendor / Product:     Red Hat — Polkit
NVD Published:        2022-02-16
NVD Last Modified:    2025-11-06
CVSS 3.1 Score:       7.8
CVSS 3.1 Vector:      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity:             HIGH
CWE:                  CWE-863
CISA KEV Added:       2023-05-12
CISA KEV Deadline:    2023-06-02
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-06-02. Apply updates per vendor instructions.

Timeline

Date        Event
2021-05-25  Polkit 0.119 released with fix for CVE-2021-3560
2021-06-03  Kevin Backhouse (GitHub Security Lab) publishes blog post demonstrating the exploit
2022-02-16  CVE formally published (delayed NVD entry)
2023-05-12  Added to CISA Known Exploited Vulnerabilities catalog
2023-06-02  CISA BOD 22-01 remediation deadline