|Number of vulnerabilities||1|
|CVE ID|| CVE-2018-19788
|Public exploit||Public exploit code for vulnerability #1 is available.|
|Vulnerable software versions||
The vulnerability allows a local authenticated attacker to execute arbitrary commands on the target system.
The vulnerability exists due to PolicyKit's improper validation of permission requests for any low-privileged user with UID greater than INT_MAX, a constant in computer programming that defines what maximum value an integer variable can store, which equals to 2147483647 (in hexadecimal 0x7FFFFFFF). A local authenticated attacker with a uid greater than INT_MAX can execute any systemctl command.Remediation
The patch just refuses to initialize uid and gid values to negative. A nicer fix is to change the underlying type to e.g. gint64 to allow
the full range of values in uid_t and gid_t to be represented. But this cannot be done without breaking the API, so likely new functions
will have to be added (a polkit_unix_user_new variant that takes a gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
_get_gid, etc.). This will require a bigger patch.