CVE-2013-4288
Published 2013-10-03
Priority: P4 · 31 · high · 7.2 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.34% (26.1th percentile)
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
Affected: 126 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | apt-xapian-index | — | — |
| canonical | apt-xapian-index | — | — |
| canonical | apt-xapian-index | >= 0 < 0.47 | 0.47 |
| canonical | apt-xapian-index | >= 0 < 0.47 | 0.47 |
| canonical | apt-xapian-index | >= 0 < 0.47 | 0.47 |
| canonical | apt-xapian-index | >= 0.45ubuntu1 < 0.45ubuntu2.1 | 0.45ubuntu2.1 |
| canonical | software-properties | >= 0 < 0.92.18 | 0.92.18 |
| canonical | software-properties | >= 0 < 0.92.18 | 0.92.18 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | apt-xapian-index | < apt-xapian-index 0.47 (bookworm) | apt-xapian-index 0.47 (bookworm) |
| debian | debian_linux | — | — |
| debian | libvirt | < libvirt 1.1.3~rc1-1 (bookworm) | libvirt 1.1.3~rc1-1 (bookworm) |
| debian | policykit-1 | < policykit-1 0.105-3+nmu1 (bookworm) | policykit-1 0.105-3+nmu1 (bookworm) |
| debian | rtkit | < rtkit 0.10-3 (bookworm) | rtkit 0.10-3 (bookworm) |
| debian | software-properties | < software-properties 0.92.18 (bookworm) | software-properties 0.92.18 (bookworm) |
| debian | spice-gtk | < spice-gtk 0.21-0nocelt1 (bookworm) | spice-gtk 0.21-0nocelt1 (bookworm) |
| debian | systemd | < systemd 204-5 (bookworm) | systemd 204-5 (bookworm) |
| evan_dandrea | usb-creator | — | — |
| evan_dandrea | usb-creator | — | — |
| evan_dandrea | usb-creator | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | LOW | — |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA: GHSA-gq7p-4c9q-2h5w (CVE-2013-1062, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-17)
ubuntu-system-service 0.2.4 before 0.2.4.1, 0.2.3 before 0.2.3.1, and 0.2.2 before 0.2.2.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-pf27-g8mf-ccwq (CVE-2013-1065, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-17)
backend.py in Jockey before 0.9.7-0ubuntu7.11 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-vjq3-454q-w3j4 (CVE-2013-1066, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-17)
language-selector 0.110.x before 0.110.1, 0.90.x before 0.90.1, and 0.79.x before 0.79.4 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-gh63-q3pg-7q7r (CVE-2014-5033, HIGH, CWE-362, CVSS 7.2, ghsa_unreviewed, 2022-05-17)
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
GHSA: GHSA-58qf-hw52-9h34 (CVE-2013-1063, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-17)
usb-creator 0.2.47 before 0.2.47.1, 0.2.40 before 0.2.40ubuntu2, and 0.2.38 before 0.2.38.2 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-f8vv-fqj4-phcp (CVE-2013-1061, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-17)
dbus/SoftwarePropertiesDBus.py in Software Properties 0.92.17 before 0.92.17.3, 0.92.9 before 0.92.9.3, and 0.82.7 before 0.82.7.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-4qg9-qqgj-hw85 (CVE-2013-4324, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-14)
spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-pr6p-rw96-x62r (CVE-2013-4311, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-14)
libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition in pkcheck via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-63rr-v2vx-w3jw (CVE-2013-4326, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-14)
RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-f46w-pmxr-fvq6 (CVE-2013-1064, HIGH, CVSS 7.2, ghsa_unreviewed, 2022-05-14)
apt-xapian-index before 0.45ubuntu2.1, 0.44ubuntu7.1, and 0.44ubuntu5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-v982-v47w-8j5p (CVE-2013-4327, HIGH, CWE-362, CVSS 7.2, ghsa_unreviewed, 2022-05-13)
systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
GHSA: GHSA-6wv7-fpg8-f44q (CVE-2013-4288, HIGH, CWE-362, ghsa_unreviewed, 2022-05-13)
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
OSV: CVE-2014-5033 (HIGH, CVSS 7.2, osv, 2014-07-23)
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
OSV: CVE-2013-4324 (HIGH, CVSS 7.2, osv, 2013-10-03)
spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
OSV: CVE-2013-1061 (MEDIUM, CVSS 4.6, osv, 2013-10-03)
dbus/SoftwarePropertiesDBus.py in Software Properties 0.92.17 before 0.92.17.3, 0.92.9 before 0.92.9.3, and 0.82.7 before 0.82.7.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
OSV: CVE-2013-4288 (HIGH, CVSS 7.2, osv, 2013-10-03)
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
OSV: CVE-2013-1064 (MEDIUM, CVSS 4.6, osv, 2013-10-03)
apt-xapian-index before 0.45ubuntu2.1, 0.44ubuntu7.1, and 0.44ubuntu5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
OSV: CVE-2013-4326 (HIGH, CVSS 7.2, osv, 2013-10-03)
RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
OSV: CVE-2013-4311 (HIGH, CVSS 7.2, osv, 2013-10-03)
libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition in pkcheck via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
OSV: CVE-2013-4327 (HIGH, CVSS 7.2, osv, 2013-10-03)
systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Red Hat: polkit-qt: insecure calling of polkit (CVE-2014-5033, HIGH, CWE-362, CVSS 7.2, vendor_redhat, 2014-03-24)
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations.
Red Hat: systemd: insecure calling of polkit (CVE-2013-4327, HIGH, CVSS 7.2, vendor_redhat, 2013-09-18)
systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Package: systemd (Red Hat Enterprise Linux 7) - Not affected
Red Hat: spice-gtk: Insecure calling of polkit via polkit_unix_process_new() (CVE-2013-4324, HIGH, CVSS 7.2, vendor_redhat, 2013-09-18)
spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Package: spice-gtk (Red Hat Enterprise Linux 7) - Not affected
Red Hat: libvirt: insecure calling of polkit (CVE-2013-4311, HIGH, CVSS 7.2, vendor_redhat, 2013-09-18)
libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition in pkcheck via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Package: libvirt (Red Hat Enterprise Linux 5) - Not affected
Package: libvirt (Red Hat Enterprise Linux 7) - Not affected
Package: libvirt (Red Hat Storage 2.0) - Affected
Package: libvirt (Red Hat Storage 2.1) - Affected
Red Hat: rtkit: insecure calling of polkit (CVE-2013-4326, HIGH, CVSS 7.2, vendor_redhat, 2013-09-18)
RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Package: rtkit (Red Hat Enterprise Linux 7) - Not affected
Ubuntu: polkit vulnerability (CVE-2013-4288, vendor_ubuntu, 2013-09-18)
Summary: polkit could be tricked into giving out improper authorization.
It was discovered that polkit didn't allow applications to use the pkcheck tool in a way which prevented a race condition in the UID lookup. A local attacker could use this flaw to possibly escalate privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: polkit: unix-process subject for authorization is racy (CVE-2013-4288, HIGH, CWE-362, CVSS 7.2, vendor_redhat, 2013-09-18)
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
Package: polkit (Red Hat Enterprise Linux 7) - Not affected
Debian: policykit-1 (CVE-2013-4288, HIGH, CVSS 7.2, vendor_debian, 2013)
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
Scope: local
bookworm: resolved (fixed in 0.105-3+nmu1)
bullseye: resolved (fixed in 0.105-3+nmu1)
forky: resolved (fixed in 0.105-3+nmu1)
sid: resolved (fixed in 0.105-3+nmu1)
trixie: resolved (fixed in 0.105-3+nmu1)
Debian: rtkit (CVE-2013-4326, HIGH, CVSS 7.2, vendor_debian, 2013)
RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Scope: local
bookworm: resolved (fixed in 0.10-3)
bullseye: resolved (fixed in 0.10-3)
forky: resolved (fixed in 0.10-3)
sid: resolved (fixed in 0.10-3)
trixie: resolved (fixed in 0.10-3)
Debian: apt-xapian-index (CVE-2013-1064, MEDIUM, CVSS 4.6, vendor_debian, 2013)
apt-xapian-index before 0.45ubuntu2.1, 0.44ubuntu7.1, and 0.44ubuntu5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Scope: local
bookworm: resolved (fixed in 0.47)
bullseye: resolved (fixed in 0.47)
forky: resolved (fixed in 0.47)
sid: resolved (fixed in 0.47)
Debian: systemd (CVE-2013-4327, HIGH, CVSS 7.2, vendor_debian, 2013)
systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Scope: local
bookworm: resolved (fixed in 204-5)
bullseye: resolved (fixed in 204-5)
forky: resolved (fixed in 204-5)
sid: resolved (fixed in 204-5)
trixie: resolved (fixed in 204-5)
Debian: software-properties (CVE-2013-1061, MEDIUM, CVSS 4.6, vendor_debian, 2013)
dbus/SoftwarePropertiesDBus.py in Software Properties 0.92.17 before 0.92.17.3, 0.92.9 before 0.92.9.3, and 0.82.7 before 0.82.7.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Scope: local
bookworm: resolved (fixed in 0.92.18)
bullseye: resolved (fixed in 0.92.18)
sid: resolved (fixed in 0.92.18)
Debian: libvirt (CVE-2013-4311, HIGH, CVSS 7.2, vendor_debian, 2013)
libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition in pkcheck via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Scope: local
bookworm: resolved (fixed in 1.1.3~rc1-1)
bullseye: resolved (fixed in 1.1.3~rc1-1)
forky: resolved (fixed in 1.1.3~rc1-1)
sid: resolved (fixed in 1.1.3~rc1-1)
trixie: resolved (fixed in 1.1.3~rc1-1)
Debian: spice-gtk (CVE-2013-4324, HIGH, CVSS 7.2, vendor_debian, 2013)
spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Scope: local
bookworm: resolved (fixed in 0.21-0nocelt1)
bullseye: resolved (fixed in 0.21-0nocelt1)
forky: resolved (fixed in 0.21-0nocelt1)
sid: resolved (fixed in 0.21-0nocelt1)
trixie: resolved (fixed in 0.21-0nocelt1)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2014-5033 polkit-qt: insecure calling of polkit (HIGH, CVSS 7.2, bugzilla, 2014-05-06)
Sebastian Krahmer reported a security issue in polkit (CVE-2013-4288, bz 1002375). He also since reported [1],[2] that KAuth (which uses polkit-qt) is vulnerable to the same issue. The vulnerable function in this case is using:
PolkitQt1::UnixProcessSubject subject(pid)
The SUSE bug has more details and discussions with suggested patches, however they are currently not complete as they seem to not be obtaining much response/help from upstream. There has not been any activity in the SUSE bug for over a month, however the issue is not resolved and no CVE has been assigned as of yet.
[1] http://seclists.org/oss-sec/2014/q1/642
[2] https://bugzilla.novell.com/show_bug.cgi?id=864716
Discussion:
Created polkit-qt tracking bugs for this i
Bugzilla: CVE-2013-4288 polkit: unix-process subject for authorization is racy [fedora-all] (HIGH, CVSS 7.2, bugzilla, 2013-09-18)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this issue
Bugzilla: CVE-2013-4327 systemd: insecure calling of polkit (HIGH, CVSS 7.2, bugzilla, 2013-09-11)
Sebastian Krahmer reported that a security issue was found in polkit (CVE-2013-4288, bz 1002375).
It was found that systemd was vulnerable to this issue as well, since it communicated with the polkit authority using an unsafe D-Bus interface.
This issue has been assigned CVE-2013-4327.
Discussion:
Created attachment 796254
systemd patch
---
This is now public:
http://www.openwall.com/lists/oss-security/2013/09/18/4
---
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1009544]
---
systemd-204-15.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
---
systemd-201-2.fc18.8 has been pushed to the Fedora 18 stable repository. If problems still persi
Bugzilla: CVE-2013-4324 spice-gtk: Insecure calling of polkit via polkit_unix_process_new() (HIGH, CVSS 7.2, bugzilla, 2013-09-11)
Sebastian Krahmer reported that a security issue was found in polkit (CVE-2013-4288, bz 1002375).
It was found that spice-gtk was vulnerable to this issue as well, since it communicated with the polkit authority using the unsafe polkit_unix_process_new() interface. Consequently, polkit has now deprecated the use of polkit_unix_process_new(), and spice-gtk has been patched to use the safer (already existing) polkit_unix_process_new_for_owner() interface.
This issue has been assigned CVE-2013-4324.
Discussion:
Created attachment 796257
spice-gtk patch
---
This is now public:
http://www.openwall.com/lists/oss-security/2013/09/18/4
---
Created spice-gtk tracking bugs for this issue:
Affects: fedora-all [bug 1009540]
Bugzilla: CVE-2013-4325 hplip: Insecure calling of polkit (HIGH, CVSS 7.2, bugzilla, 2013-09-11)
Sebastian Krahmer reported that a security issue was found in polkit (CVE-2013-4288, bz 1002375).
It was found that hplip was vulnerable to this issue as well, since it communicated with the polkit authority using an unsafe D-Bus interface.
This issue has been assigned CVE-2013-4325.
Discussion:
Created attachment 796256
hplip patch
---
This is now public:
http://www.openwall.com/lists/oss-security/2013/09/18/4
---
Created hplip tracking bugs for this issue:
Affects: fedora-all [bug 1009541]
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1274 https://rhn.redhat.com/errata/RHSA-2013-1274.html
---
hplip-3.13.9-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persi
Bugzilla: CVE-2013-4326 rtkit: insecure calling of polkit (HIGH, CVSS 7.2, bugzilla, 2013-09-11)
Sebastian Krahmer reported that a security issue was found in polkit (CVE-2013-4288, bz 1002375).
It was found that rtkit was vulnerable to this issue as well, since it communicated with the polkit authority using an unsafe D-Bus interface.
This issue has been assigned CVE-2013-4326.
Discussion:
Created attachment 796255
rtkit patch
---
This is now public:
http://www.openwall.com/lists/oss-security/2013/09/18/4
---
Created rtkit tracking bugs for this issue:
Affects: fedora-all [bug 1009543]
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1282 https://rhn.redhat.com/errata/RHSA-2013-1282.html
Bugzilla: CVE-2013-4311 libvirt: insecure calling of polkit (HIGH, CVSS 7.2, bugzilla, 2013-09-06)
Sebastian Krahmer reported that a security issue was found in polkit (CVE-2013-4288, bz 1002375).
As part of the investigation of this issue it was found that an issue also occurs in libvirt, specifically in how it invokes polkit. There are two ways for polkit to be invoked: one is via the API, which supports passing a UID to the secure function polkit_unix_process_new_for_owner(); the second is via the command line (pkcheck), which does not support passing a UID to the function polkit_unix_process_new_full(). libvirt used the insecure way to invoke polkit, resulting in a privilege escalation vulnerability.
Discussion:
Created attachment 795917
Fix for git master 1/3
---
Created attachment 795918
Fix for git master 2/3
---
Created attachmen
Bugzilla: CVE-2013-4288 polkit: unix-process subject for authorization is racy (HIGH, CVSS 7.2, bugzilla, 2013-08-29)
Sebastian Krahmer reported a race condition in the polkit unix-process subject for authorization. It depended on the (PID, startup_time) pair being passed to polkit, which then used /proc/PID/status to find the UID the process belongs to. A local attacker could exploit this issue via a polkit-enabled application by starting a suid or pkexec process, changing the euid and/or uid at will. This could result in a bypass of polkit authorizations or even privilege escalation in some cases.
Discussion:
Created attachment 795472
polkit patch
---
Created attachment 795473
spice-gtk patch
Instead of using polkit_unix_process_new() which can be racy, spice-gtk is modified to use polkit_unix_process_new_for_owner()
---
Created att
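The race the Bugzilla comments above describe, modelled in Python as an added example (this is not polkit's code, nor code from any project listed on this page). `subject_for_peer` builds the "unix-process" subject the fixed API expects, with pid, start time and uid captured together at request time (the three values polkit_unix_process_new_for_owner() takes); `owner_uid` is a deliberately simplified stand-in for the authority's owner lookup, not polkitd's actual logic. The /proc contents are constructed sample text so the block runs offline; `owner_uid`, `demo`, the sample PID and the sample /proc text are this example's own assumptions, and the D-Bus detail keys `pid`, `start-time` and `uid` are the ones polkit documents for a unix-process subject.

```python
"""Model of the polkit unix-process subject race (added example, not polkit
code).  A client captures (pid, start-time, uid) together at request time.
An authority that instead resolves the uid from /proc at check time can be
misled if the process exec()ed a setuid binary in between, because exec
changes neither the pid nor the start time."""
import re
from dataclasses import dataclass


def start_time_from_stat(stat_line: str) -> int:
    """Field 22 of /proc/<pid>/stat (start time in clock ticks since boot).
    The comm field is parenthesised and may contain spaces, so split the
    text after the last ')' instead of splitting the whole line."""
    after_comm = stat_line[stat_line.rindex(")") + 1:].split()
    return int(after_comm[19])  # after_comm[0] is field 3, so index 19 is field 22


def real_uid_from_status(status_text: str) -> int:
    """First number on the 'Uid:' line of /proc/<pid>/status (the real uid)."""
    m = re.search(r"^Uid:\s+(\d+)", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no Uid: line in status text")
    return int(m.group(1))


@dataclass(frozen=True)
class UnixProcessSubject:
    pid: int
    start_time: int
    uid: int  # -1: uid not supplied (the pre-fix form the authority resolves itself)

    def to_dbus_details(self) -> dict:
        """a{sv} details of a "unix-process" subject for CheckAuthorization:
        pid (u) and start-time (t), plus uid (i) when the client supplies it."""
        details = {"pid": self.pid, "start-time": self.start_time}
        if self.uid >= 0:
            details["uid"] = self.uid
        return details


def subject_for_peer(pid: int, stat_line: str, status_text: str) -> UnixProcessSubject:
    """Safe form: pid, start time and uid are captured together, once, at
    request time (the arguments polkit_unix_process_new_for_owner() takes)."""
    return UnixProcessSubject(pid, start_time_from_stat(stat_line),
                              real_uid_from_status(status_text))


def owner_uid(subject: UnixProcessSubject, proc_now: dict) -> int:
    """Simplified (hypothetical) authority-side owner lookup at check time.
    proc_now maps pid -> (stat_line, status_text) as /proc looks when the
    check runs.  The start time is always compared, which catches pid reuse;
    the uid is read from /proc only when the subject did not carry one."""
    stat_line, status_text = proc_now[subject.pid]
    if start_time_from_stat(stat_line) != subject.start_time:
        raise PermissionError("pid %d now belongs to a different process" % subject.pid)
    if subject.uid < 0:
        return real_uid_from_status(status_text)  # racy: trusts /proc as of now
    return subject.uid  # the uid the client observed when the request was made


# Constructed sample /proc contents (not captured from a real system).
PID = 4242
STAT_AT_REQUEST = ("4242 (my app) S 1 4242 4242 0 -1 4194560 120 0 0 0 3 1 0 0 "
                   "20 0 1 0 987654 1234567 210 18446744073709551615 1 1 0 0 0 "
                   "0 0 0 0 0 0 0 17 2 0 0 0 0 0 0 0 0 0 0 0 0 0")
STATUS_AT_REQUEST = "Name:\tmy app\nPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n"
# Same pid and start time, but the process has since exec()ed a setuid-root
# binary that set all of its uids to 0 (also constructed).
STATUS_AFTER_SETUID_EXEC = "Name:\tsuid-tool\nPid:\t4242\nUid:\t0\t0\t0\t0\n"


def demo() -> tuple:
    """Returns (uid resolved for the pre-fix subject, uid resolved for the
    fixed subject) when the check runs after the setuid exec."""
    racy = UnixProcessSubject(PID, start_time_from_stat(STAT_AT_REQUEST), -1)
    safe = subject_for_peer(PID, STAT_AT_REQUEST, STATUS_AT_REQUEST)
    proc_now = {PID: (STAT_AT_REQUEST, STATUS_AFTER_SETUID_EXEC)}
    return owner_uid(racy, proc_now), owner_uid(safe, proc_now)


if __name__ == "__main__":
    print(demo())  # (0, 1000): the racy lookup sees root, the fixed one the real caller
```

On a live system a D-Bus service would take the peer's pid and uid from the bus daemon's credentials (captured at connection time) and read `/proc/<pid>/stat` once for the start time, then send all three in the subject; later polkit releases also accept `pkcheck --process=pid,start-time,uid` for the command-line path that libvirt's bug above describes as lacking a UID.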
References
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1002375
http://lists.opensuse.org/opensuse-updates/2013-10/msg00004.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00005.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00062.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00000.html
http://rhn.redhat.com/errata/RHSA-2013-1270.html
http://rhn.redhat.com/errata/RHSA-2013-1460.html
http://seclists.org/oss-sec/2013/q3/626
http://www.openwall.com/lists/oss-security/2013/09/18/4
http://www.ubuntu.com/usn/USN-1953-1