CVE-2018-19788
Published: 2018-12-03
CVE-2018-19788: A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
Priority: P357 high | CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.48% (95.5th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | policykit-1 | < policykit-1 0.105-23 (bookworm) | policykit-1 0.105-23 (bookworm) |
| polkit_project | polkit | — | — |
Detection & IOCs
- Detect creation or existence of local user accounts with UID greater than 2147483647 (INT_MAX), which can be used to bypass PolicyKit authentication
- Monitor for non-privileged users executing systemctl commands that would normally require elevated privileges, potentially indicating exploitation of this bypass
- Alert on creation of users or groups with UID/GID above INT32_MAX (2147483647), as these cause integer wrap-around in polkit leading to authentication bypass
- Vulnerability is specific to polkit version 0.115; Red Hat Enterprise Linux 8 and Debian bookworm/bullseye/sid/trixie/forky with polkit 0.105-23 or later are not affected
- Mitigation (if patching is not possible): enforce that no UIDs or GIDs greater than 2147483647 are permitted on the system
- Red Hat Enterprise Linux 6 will not receive a fix for this issue; environments running RHEL 6 polkit remain permanently exposed
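CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |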
Ubuntu
PolicyKit vulnerability
vendor_ubuntu·2019-01-16
CVE-2018-19788 PolicyKit vulnerability
Title: PolicyKit vulnerability
Summary: PolicyKit could allow unintended access.
It was discovered that PolicyKit incorrectly handled certain large user
UIDs. A local attacker with a large UID could possibly use this issue to
perform privileged actions.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Ubuntu
PolicyKit vulnerability
vendor_ubuntu·2019-01-16
CVE-2018-19788 PolicyKit vulnerability
Title: PolicyKit vulnerability
Summary: PolicyKit could allow unintended access.
USN-3861-1 fixed a vulnerability in PolicyKit. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that PolicyKit incorrectly handled certain large user
UIDs. A local attacker with a large UID could possibly use this issue to
perform privileged actions.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass
vendor_redhat·2018-12-03·CVSS 8.8
CVE-2018-19788 [HIGH] CWE-287 polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
Statement: This issue affects the versions of polkit as shipped with Red Hat Enterprise Linux 6 and 7.
Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue affects the versions of polkit as shipped with Red Hat Virtualization 4. System us
Debian
CVE-2018-19788: policykit-1 - A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid g...
vendor_debian·2018·CVSS 8.8
CVE-2018-19788 [HIGH] CVE-2018-19788: policykit-1 - A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid g...
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
Scope: local
bookworm: resolved (fixed in 0.105-23)
bullseye: resolved (fixed in 0.105-23)
forky: resolved (fixed in 0.105-23)
sid: resolved (fixed in 0.105-23)
trixie: resolved (fixed in 0.105-23)
GHSA
GHSA-4569-2jp2-r7vf: A flaw was found in PolicyKit (aka polkit) 0
ghsa_unreviewed·2022-05-14
CVE-2018-19788 [HIGH] CWE-20 GHSA-4569-2jp2-r7vf: A flaw was found in PolicyKit (aka polkit) 0
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
OSV
CVE-2018-19788: A flaw was found in PolicyKit (aka polkit) 0
osv·2018-12-03·CVSS 8.8
CVE-2018-19788 [HIGH] CVE-2018-19788: A flaw was found in PolicyKit (aka polkit) 0
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-19788 polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass
bugzilla·2018-12-04·CVSS 8.8
CVE-2018-19788 [HIGH] CVE-2018-19788 polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass
It was found that creating a user or group above INT32_MAX would wrap around the numeric uid or gid. Polkit is not able to handle this properly, resulting in an authentication bypass.
References:
https://seclists.org/oss-sec/2018/q4/198
Upstream issue:
https://gitlab.freedesktop.org/polkit/polkit/issues/74
Proposed patch:
https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc
Discussion:
Created polkit tracking bugs for this issue:
Affects: fedora-all [bug 1655926]
---
Patches:
https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc
https://gitlab.freedesktop.org/zbyszek/polkit/commit/7c8c3abdedbb991a69
Bugzilla
CVE-2018-19788 polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass [fedora-all]
bugzilla·2018-12-04·CVSS 8.8
CVE-2018-19788 [HIGH] CVE-2018-19788 polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
References:
https://access.redhat.com/errata/RHSA-2019:2046
https://access.redhat.com/errata/RHSA-2019:3232
https://bugs.debian.org/915332
https://gitlab.freedesktop.org/polkit/polkit/issues/74
https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html
https://security.gentoo.org/glsa/201908-14
https://security.netapp.com/advisory/ntap-20240816-0001/
https://usn.ubuntu.com/3861-1/
https://usn.ubuntu.com/3861-2/
https://www.debian.org/security/2018/dsa-4350
Published: 2018-12-03