12-Year-Old Linux Vulnerability Grants Root Access
- fstjohn
- Level 5
- Posts: 534
- Joined: Fri Jan 02, 2015 3:21 pm
- Location: The beautiful North Georgia mountains
12-Year-Old Linux Vulnerability Grants Root Access
Any thoughts about this? How-to-geek article today
https://tinyurl.com/ybujeqyy
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: 12-Year-Old Linux Vulnerability Grants Root Access
I guess that explains the update for polkit this morning. Not anything to be worried about. This is why Linux is superior - many, many eyes on various code (because open source) find possible issues and the fixes are almost instantaneous. You don't have to wait for a specific day each month to have a possible patch become available, if a patch is ever created without some media outlet making it news.
This is a signature. It is original.
Re: 12-Year-Old Linux Vulnerability Grants Root Access
Hi, folks.
Users of Linux Mint 19.x and 20.x should be safe from the reported policykit vulnerability thanks to Ubuntu's recent policykit bugfix. Cf. USN-5252-1: PolicyKit vulnerability. This statement will apply, provided you have accepted and installed the available policykit bugfix.
Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
- JoeFootball
- Level 13
- Posts: 4673
- Joined: Tue Nov 24, 2009 1:52 pm
- Location: /home/usa/mn/minneapolis/joe
Re: 12-Year-Old Linux Vulnerability Grants Root Access
fstjohn wrote: Any thoughts about this?
My thoughts are that I will continue to keep my systems updated, and keep my network behind a proper router.
- AZgl1800
- Level 20
- Posts: 11184
- Joined: Thu Dec 31, 2015 3:20 am
- Location: Oklahoma where the wind comes Sweeping down the Plains
Re: 12-Year-Old Linux Vulnerability Grants Root Access
If you read that article, Mint and Ubuntu have already fixed this.
-
- Level 5
- Posts: 633
- Joined: Sat Dec 26, 2009 3:36 pm
Re: 12-Year-Old Linux Vulnerability Grants Root Access
Yes, this was a particularly nasty one. It potentially allowed a user to obtain root access.
Fortunately not many will actually be affected. Since:
1. An attacker to utilize this has to already have local access to the machine. It's a privilege escalation vulnerability.
2. They would have to know about the vulnerability and execute a pkexec command carefully designed to exploit it.
3. This has already been patched by most distributions (though Debian testing seems to still be vulnerable). Researchers gave a little time for it to be patched before publicly announcing it.
So for a desktop user, mainly don't allow a user you don't trust to have access to your machine. But if you do have a Linux system which can't be patched yet, and do need to allow other users access to it, it is suggested you can temporarily remove SUID permissions from pkexec (sudo chmod u-s /usr/bin/pkexec). But this won't be needed for users of Mint (and would prevent proper functioning of pkexec).
Re: 12-Year-Old Linux Vulnerability Grants Root Access
Yet another non issue.
Took 12 years to discover, affected zero people.
"This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host"
And just how does "someone" get access to the machine to run commands in the first place?
I'm guessing, you have to invite the "attacker" into your house, start, and log into your pc, and then hand it (the vulnerable host) to them?
Mint 20.0, and 21.0 MATE on Thinkpads, 3 X T420, T450, T470, and X200
Re: 12-Year-Old Linux Vulnerability Grants Root Access
The Ubuntu article, which I had linked to, is not based on any click-bait article.
I suggest
- not to get into panic when reading click-bait articles about the latest software vulnerability on the one hand
- but also not to be impressed too much by those experts, who, based on missing pieces of information in the click-bait articles, immediately explain that the found vulnerability could not be exploited on your Linux Mint desktop machines, on the other hand.
- to spend a thought or two on trying to imagine the malicious unprivileged local user on your system might actually not be a single entity, but two:
  the unprivileged local user (you) and a not so benevolent piece of software, exploiting the vulnerability.
  Not all users get all their software exclusively from trustworthy sources.
- to take into consideration that the Ubuntu developers do not publish security notes for fun and that the policykit maintainers did not fix the vulnerability for fun.
- to install the security updates offered by Update Manager in a timely fashion. - Better safe than sorry.
This is purely my personal point of view and my personal approach to newly detected vulnerabilities.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
Re: 12-Year-Old Linux Vulnerability Grants Root Access
Not for "us" though, i.e., one's average desktop Linux user without malicious users nor infected by on desktop Linux for all even halfway practical purposes nonexistent malware.
Which wouldn't be to say that it wouldn't be good to not have this bug of course, but otherwise, and as always, yawn...
Re: 12-Year-Old Linux Vulnerability Grants Root Access
sydbat wrote: Wed Jan 26, 2022 1:56 pm I guess that explains the update for polkit this morning. Not anything to be worried about. This is why Linux is superior - many, many eyes on various code (because open source) find possible issues and the fixes are almost instantaneous. You don't have to wait for a specific day each month to have a possible patch become available, if a patch is ever created without some media outlet making it news.
That argument would be a LOT more convincing if the bug wasn't 12 years old.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
Re: 12-Year-Old Linux Vulnerability Grants Root Access
rene wrote: Thu Jan 27, 2022 10:16 am Not for "us" though, i.e., one's average desktop Linux user without malicious users nor infected by on desktop Linux for all even halfway practical purposes nonexistent malware.
Which wouldn't be to say that it wouldn't be good to not have this bug of course, but otherwise, and as always, yawn...
My point, which seems like you missed, is that now that it's out in the open, it is an issue. It doesn't matter whether you or I don't have someone around our computers we don't trust. After all, we are only 2 people, out of how many in the world?
Yawn
Re: 12-Year-Old Linux Vulnerability Grants Root Access
I clearly did not miss said point since I explicitly responded to it saying that for us your point is wrong; that for us, with the above definition of such, it is not an issue. That we desktop Linux users can, as always we can, continue to pick our noses and not care.
Sure; for not private, non desktop Linux users it can be an issue. I here on the Linux Mint desktop Linux operating system forum however don't give a fluing fyck.
Re: 12-Year-Old Linux Vulnerability Grants Root Access
How can I check if my system is patched? I've run update on my Mint 19.0 a few times in the last few days but don't remember seeing a polkit update, and neither does it show up when I do apt-get update && apt-get upgrade.
Re: 12-Year-Old Linux Vulnerability Grants Root Access
See this post by JoeFootball: viewtopic.php?p=2130247#p2130247
Re: 12-Year-Old Linux Vulnerability Grants Root Access
Schultz wrote: Thu Jan 27, 2022 10:37 pm See this post by JoeFootball: viewtopic.php?p=2130247#p2130247
Thanks, the apt changelog does indeed show the Jan 2022 update (0.105-20ubuntu0.18.04.6)
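One way to run the check asked about above, as an added example that is not from any poster in this thread: it reports whether /usr/bin/pkexec still carries the setuid bit and whether the installed package is at least the fixed version quoted above. The package name policykit-1, the Debian/Ubuntu tooling and the PKEXEC/FIXED_VERSION variables are assumptions; the default version applies to Ubuntu 18.04-based Mint 19.x only.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Debian/Ubuntu-style system,
# package name policykit-1, and the fixed version quoted in the thread for
# Ubuntu 18.04-based Mint 19.x; take other releases' versions from USN-5252-1.
PKEXEC=${PKEXEC:-/usr/bin/pkexec}
FIXED_VERSION=${FIXED_VERSION:-0.105-20ubuntu0.18.04.6}

# Classify a binary: "missing", "setuid" (runs as its owner) or "not-setuid".
# [ -u ] tests only the set-user-ID bit; set-group-ID (g+s) is a separate bit.
pkexec_mode() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -u "$1" ]; then echo setuid
    else echo not-setuid
    fi
}

# Print "patched" if INSTALLED >= FIXED by Debian version ordering, else
# "vulnerable"; "unknown" when no installed version was found.
version_status() {
    if [ -z "$1" ]; then echo unknown
    elif dpkg --compare-versions "$1" ge "$2"; then echo patched
    else echo vulnerable
    fi
}

# Combine both findings into one line a user can act on.
verdict() {
    case "$1:$2" in
        setuid:patched) echo "OK: pkexec is setuid and the package is fixed" ;;
        setuid:*)       echo "ACTION NEEDED: pkexec is setuid, package is $2" ;;
        *)              echo "NO SETUID PKEXEC: pkexec is $1, package is $2" ;;
    esac
}

check_system() {
    installed=$(dpkg-query -W -f='${Version}' policykit-1 2>/dev/null) || installed=""
    mode=$(pkexec_mode "$PKEXEC")
    status=$(version_status "$installed" "$FIXED_VERSION")
    echo "pkexec: $mode; policykit-1: ${installed:-not found} ($status)"
    verdict "$mode" "$status"
}

check_system
```

Set FIXED_VERSION to the value USN-5252-1 lists for your release before relying on the result on anything other than Mint 19.x.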