CVE-2021-3560 Overview
CVE-2021-3560 is a privilege escalation vulnerability in polkit (formerly PolicyKit), a component used for controlling system-wide privileges in Unix-like operating systems. The vulnerability allows polkit to be tricked into bypassing credential checks for D-Bus requests, effectively elevating the privileges of an unprivileged local attacker to the root user. This flaw enables attackers to perform unauthorized administrative actions, such as creating new local administrator accounts.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog and allows unprivileged local attackers to gain root-level access, threatening data confidentiality, integrity, and system availability.
Affected Products
- Polkit Project Polkit (all vulnerable versions prior to patch)
- Debian Linux 11.0
- Canonical Ubuntu Linux 20.04
- Red Hat Enterprise Linux 7.0 and 8.0
- Red Hat Virtualization 4.0
- Red Hat Virtualization Host 4.0
- Red Hat OpenShift Container Platform 4.7
Discovery Timeline
- 2022-02-16 - CVE-2021-3560 published to NVD
- 2025-11-06 - Last updated in NVD database
Technical Details for CVE-2021-3560
Vulnerability Analysis
CVE-2021-3560 is classified under CWE-863 (Incorrect Authorization) and CWE-754 (Improper Check for Unusual or Exceptional Conditions). The vulnerability exists in how polkit handles D-Bus message authentication during inter-process communication. When a D-Bus request is made to polkit, there is a race condition in the authentication verification process that can be exploited through precise timing.
The attack leverages a timing window: if the process that made the D-Bus request exits at just the right moment during the authentication check, polkit incorrectly assumes the request came from a privileged process (UID 0). This happens because polkit looks up the UID of the requesting process, and if that process has already exited, the lookup fails in a way that leaves polkit treating the caller as root.
Root Cause
The root cause of CVE-2021-3560 lies in polkit's handling of D-Bus message sender verification. When polkit receives a privileged operation request, it queries the D-Bus daemon to verify the UID of the requesting process. However, if the requesting process terminates before polkit completes this verification, the error handling path incorrectly treats the request as coming from UID 0 (root). This improper check for an exceptional condition (process termination during authentication) allows the bypass.
Attack Vector
The attack is executed locally and requires the attacker to have unprivileged access to the target system. The exploitation technique involves:
- Initiating a D-Bus request to polkit for a privileged action (such as creating a new user account)
- Terminating the requesting process at a precise moment within the authentication verification window
- If the timing succeeds, polkit authorizes the action with root-level privileges
Due to the timing-sensitive nature of the exploit, multiple attempts may be required. However, the exploit is highly reliable once the timing is calibrated for the target system. The attack does not require user interaction and can be automated through shell scripting by repeatedly sending requests with controlled timing delays.
The exploitation mechanism involves sending a D-Bus message to the org.freedesktop.Accounts service and killing the process at a precise moment (typically around 5-20 milliseconds after sending the request). For detailed technical analysis, refer to the GitHub Privilege Escalation Analysis.
Detection Methods for CVE-2021-3560
Indicators of Compromise
- Unexpected user accounts created with administrative privileges, particularly accounts created without corresponding authentication logs
- Rapid succession of D-Bus requests to the CreateUser method of org.freedesktop.Accounts or similar privileged D-Bus interfaces
- Polkit authentication logs showing requests from processes that quickly terminated
- Anomalous activity patterns involving the dbus-send command with unusual timing patterns
Detection Strategies
- Monitor system authentication logs (/var/log/auth.log or /var/log/secure) for user creation events without proper authentication chains
- Implement D-Bus activity monitoring to detect rapid-fire requests to polkit-managed services
- Use SentinelOne's behavioral AI to detect privilege escalation patterns characteristic of this exploitation technique
- Deploy file integrity monitoring on /etc/passwd, /etc/shadow, and /etc/sudoers to detect unauthorized account modifications
- Configure auditd rules to monitor for dbus-send executions targeting accounts or systemd services
Monitoring Recommendations
- Enable verbose logging for polkit daemon to capture authentication bypass attempts
- Monitor for new user account creation events in combination with short-lived processes
- Implement real-time alerting for any changes to user privilege assignments
- Track D-Bus message patterns using tools like dbus-monitor for forensic analysis capabilities
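One way to implement the "user creation without an authentication chain" check from the detection strategies and monitoring recommendations above, as an added example that is not part of the original advisory: it scans auth.log-style lines for useradd "new user" events and flags any that are not preceded, within a configurable window, by a sudo entry or a polkitd interactive-authentication line. The useradd line format follows shadow-utils; the polkitd line, the sample log and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# useradd (shadow-utils) logs this when an account is created, whether it was
# run by an admin via sudo or by accounts-daemon on behalf of a D-Bus caller.
NEW_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ useradd\[\d+\]: new user: "
    r"name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)
# Lines accepted as a legitimate authentication chain: a sudo entry, or polkitd
# reporting an interactive authentication. Assumption: anything else counts as
# unauthenticated; a CVE-2021-3560 bypass leaves no polkitd authentication line.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?:sudo(?:\[\d+\])?:|polkitd\[\d+\]: .*successfully authenticated)"
)

def parse_ts(ts: str) -> datetime:
    """Parse a syslog timestamp (no year; only deltas within a day are used)."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")

def find_unauthenticated_user_creations(lines, window=timedelta(seconds=60)):
    """Return (name, uid) for each 'new user' event that is not preceded,
    within `window`, by a sudo or polkitd authentication line."""
    auth_times, findings = [], []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            auth_times.append(parse_ts(m.group("ts")))
            continue
        m = NEW_USER_RE.match(line)
        if m:
            created = parse_ts(m.group("ts"))
            if not any(timedelta(0) <= created - t <= window for t in auth_times):
                findings.append((m.group("name"), int(m.group("uid"))))
    return findings

# Constructed sample auth.log: 'bob' follows a sudo session, 'carol' follows an
# interactive polkit authentication, 'boris' appears with no authentication at all.
SAMPLE_AUTH_LOG = """\
Jun  3 10:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Jun  3 10:00:01 host useradd[2101]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
Jun  3 10:02:10 host polkitd[812]: Operator of unix-process:2210:4410 successfully authenticated as unix-user:alice to gain TEMPORARY authorization for action org.freedesktop.accounts.user-administration
Jun  3 10:02:11 host useradd[2215]: new user: name=carol, UID=1002, GID=1002, home=/home/carol, shell=/bin/bash
Jun  3 10:05:42 host useradd[2377]: new user: name=boris, UID=1003, GID=1003, home=/home/boris, shell=/bin/bash
""".splitlines()

if __name__ == "__main__":
    for name, uid in find_unauthenticated_user_creations(SAMPLE_AUTH_LOG):
        print(f"ALERT: user {name} (UID {uid}) created without a preceding authentication")
```

Accounts created by root's own automation (configuration management, provisioning scripts) will also trip this rule, so pair it with an allow-list of expected provisioning sources before alerting on it.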
How to Mitigate CVE-2021-3560
Immediate Actions Required
- Update polkit to the latest patched version provided by your Linux distribution immediately
- Review all user accounts for unauthorized administrative privileges, particularly accounts created recently
- Audit sudo and polkit policies to ensure principle of least privilege
- Restrict local access to systems where possible until patching is complete
Patch Information
Security patches for CVE-2021-3560 have been released by major Linux distributions. Consult your distribution's security advisories for specific package versions:
- Red Hat: Refer to Red Hat Bug Report #1961710 for patch details and affected versions
- Debian: Security updates available for Debian 11 (Bullseye)
- Ubuntu: Updates available for Ubuntu 20.04 LTS and later
Apply updates using your distribution's package manager (e.g., apt update && apt upgrade for Debian/Ubuntu or yum update polkit for Red Hat-based systems).
Workarounds
- If patching is not immediately possible, consider restricting local user access to affected systems
- Implement additional monitoring on user creation and privilege modification operations
- Use application whitelisting to restrict execution of dbus-send and similar utilities to authorized users only
- Consider temporarily disabling polkit-dependent services if they are not critical to operations
# Check current polkit version
pkaction --version
# Update polkit on Red Hat-based systems
sudo yum update polkit
# Update polkit on Debian/Ubuntu systems
sudo apt update && sudo apt install --only-upgrade policykit-1
# List regular (non-system) accounts so any unexpected additions can be reviewed
awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.