CVE-2018-19788
published 2018-12-03

CVE-2018-19788: A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.

Priority: P357 · high · 8.8 · CVSS 3.0
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.48% (95.5th percentile)

Affected

9 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | policykit-1 | < policykit-1 0.105-23 (bookworm) | policykit-1 0.105-23 (bookworm) |
| polkit_project | polkit | | |

Detection & IOCs (extracted from sources)

  • Detect creation or existence of local user accounts with UID greater than 2147483647 (INT_MAX), which can be used to bypass PolicyKit authentication
  • Monitor for non-privileged users executing systemctl commands that would normally require elevated privileges, potentially indicating exploitation of this bypass
  • Alert on creation of users or groups with UID/GID above INT32_MAX (2147483647), as these cause integer wrap-around in polkit leading to authentication bypass
  • Vulnerability is specific to polkit version 0.115; Red Hat Enterprise Linux 8 and Debian bookworm/bullseye/sid/trixie/forky with polkit 0.105-23 or later are not affected
  • Mitigation (if patching is not possible): enforce that no UIDs or GIDs greater than 2147483647 are permitted on the system
  • Red Hat Enterprise Linux 6 will not receive a fix for this issue; environments running RHEL 6 polkit remain permanently exposed

CVSS provenance

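| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |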