CVE-2021-3560

7.8 HIGH

📋 TL;DR

CVE-2021-3560 is a privilege escalation vulnerability in polkit's D-Bus authentication mechanism that allows unprivileged local users to bypass credential checks and gain root privileges. This affects Linux systems using polkit versions 0.113 through 0.119. Attackers can exploit this to create new administrator accounts or execute arbitrary commands as root.

💻 Affected Systems

Products:
  • polkit (formerly PolicyKit)
Versions: 0.113 through 0.119
Operating Systems: Linux distributions including RHEL, CentOS, Fedora, Ubuntu, Debian, SUSE
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with polkit installed and running, which is common on most Linux desktop and server distributions.

📦 What is this software?

polkit (formerly PolicyKit) is the authorization framework on Linux that decides whether a process may carry out a privileged action. Clients such as pkexec and D-Bus system services ask the polkitd daemon whether the calling user is authorized, and polkitd checks the caller's identity and the configured policy before answering.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root access, allowing attackers to install persistent backdoors, exfiltrate sensitive data, or render systems unusable.

🟠 Likely Case

Local privilege escalation leading to unauthorized administrative access, user account creation, and potential lateral movement within the environment.

🟢 If Mitigated

Limited impact if proper access controls, least privilege principles, and network segmentation are implemented to restrict local user access.

🌐 Internet-Facing: LOW - Requires local access to the system, cannot be exploited remotely without existing access.
🏢 Internal Only: HIGH - Any local user account (including compromised low-privilege accounts) can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public proof-of-concept exploits exist, and the vulnerability is easily weaponized with simple command-line tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: polkit 0.120 or later

Vendor Advisory: https://access.redhat.com/security/cve/cve-2021-3560

Restart Required: No

Instructions:

1. Update the polkit package using your distribution's package manager.
2. For RHEL/CentOS: 'sudo yum update polkit'.
3. For Ubuntu/Debian: 'sudo apt update && sudo apt upgrade policykit-1'.
4. Verify that the update installed polkit version 0.120 or higher.

🔧 Temporary Workarounds

Remove polkit setuid binary permissions

Temporarily remove the setuid permissions from pkexec to prevent privilege escalation through it:

sudo chmod 0755 /usr/bin/pkexec

pkexec is only one client of polkitd. Removing its setuid bit stops pkexec from running commands as root but leaves polkitd's D-Bus authentication path, where this vulnerability lives, unchanged, so treat this as narrowing exposure rather than as a fix.

Disable polkit service

Stop and disable the polkit service (may break some system functionality):

sudo systemctl stop polkit
sudo systemctl disable polkit

🧯 If You Can't Patch

  • Restrict local user access to systems through strict access controls and monitoring
  • Implement application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check the polkit version with 'pkaction --version', 'dpkg -l policykit-1' (Debian) or 'rpm -q polkit' (RHEL). If the version is between 0.113 and 0.119 inclusive, the system is vulnerable. Distribution packages sometimes carry a backported fix under an older upstream version string, so confirm the exact package release against the vendor advisory as well.

Check Version:

pkaction --version

Verify Fix Applied:

Verify that the polkit version is 0.120 or higher using the same commands. Testing with a known exploit PoC should confirm that it fails.
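The version checks above (both "Check if Vulnerable" and "Verify Fix Applied") as an added, runnable example; this is not code from the advisory or from the polkit project. It assumes POSIX sh with sed, uses pkaction, dpkg-query and rpm only where they exist, and classifies a version string against the 0.113 through 0.119 range the advisory gives.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a polkit version string
# against the affected range stated above (0.113 through 0.119 inclusive) and
# read the installed version with the commands the advisory names.
# Assumes POSIX sh plus sed; pkaction, dpkg-query and rpm are used only if present.

# Reduce "pkaction version 0.119", "0.115-11.el8" or a bare "123" to
# "MAJOR MINOR"; fails when the string contains no number at all.
polkit_version_parts() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*/\1 0/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Exit status: 0 = inside the affected range, 1 = outside it, 2 = unparseable.
polkit_is_vulnerable() {
    parts=$(polkit_version_parts "$1") || return 2
    set -- $parts
    [ "$1" -eq 0 ] || return 1
    if [ "$2" -ge 113 ] && [ "$2" -le 119 ]; then return 0; fi
    return 1
}

# Print the first version string found, trying the advisory's three commands.
installed_polkit_version() {
    command -v pkaction >/dev/null 2>&1 && pkaction --version 2>/dev/null && return 0
    command -v dpkg-query >/dev/null 2>&1 &&
        dpkg-query -W -f '${Version}\n' policykit-1 2>/dev/null && return 0
    command -v rpm >/dev/null 2>&1 &&
        rpm -q --qf '%{VERSION}\n' polkit 2>/dev/null && return 0
    return 1
}

# Report for the local host; the exit status mirrors polkit_is_vulnerable.
polkit_check_report() {
    ver=$(installed_polkit_version) || { echo "polkit: no version found"; return 2; }
    polkit_is_vulnerable "$ver"; rc=$?
    case $rc in
        0) echo "polkit '$ver': in affected range 0.113-0.119, update to 0.120+" ;;
        1) echo "polkit '$ver': outside affected range (check vendor backports)" ;;
        *) echo "polkit '$ver': could not parse version" ;;
    esac
    return $rc
}

# Informational run; call polkit_check_report or polkit_is_vulnerable directly
# from other scripts when the exit status matters.
polkit_check_report || true
```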

📡 Detection & Monitoring

Log Indicators:

  • Unusual pkexec executions in system logs
  • Failed authentication attempts followed by successful privileged operations
  • Unexpected user privilege escalation events

Network Indicators:

  • N/A - Local exploitation only

SIEM Query:

Process creation events where the parent process runs as an unprivileged user and the child process is pkexec or another privileged binary.
