#VU16966 Security restrictions bypass in PolicyKit - CVE-2019-6133
Published: January 11, 2019 / Updated: January 14, 2019
PolicyKit
Freedesktop.org
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists because fork() is not atomic, and therefore authorization decisions are improperly cached; this is related to the lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. A remote unauthenticated attacker can bypass the "start time" protection mechanism.
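
The caching flaw described above, shown as a simplified model that is added here for illustration and is not taken from PolicyKit's source: a cached decision matched on PID and start time alone is also honoured for a different user's process that presents the same pair, while a match that also compares the uid rejects it. All type names, function names, the action id and the sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a process subject and a cached decision (not polkit's types). */
struct subject { int pid; uint64_t start_time; unsigned uid; };
struct cached_auth { struct subject who; const char *action; };

/* Weak identity: PID + start time only, i.e. the "start time" protection on its own. */
static bool match_weak(const struct subject *a, const struct subject *b) {
    return a->pid == b->pid && a->start_time == b->start_time;
}

/* Hardened identity: the owning uid must match as well. */
static bool match_strict(const struct subject *a, const struct subject *b) {
    return match_weak(a, b) && a->uid == b->uid;
}

typedef bool (*match_fn)(const struct subject *, const struct subject *);

/* Return true if a cached decision for `action` applies to `caller`. */
static bool cache_lookup(const struct cached_auth *cache, size_t n,
                         const struct subject *caller, const char *action,
                         match_fn same) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(cache[i].action, action) == 0 && same(&cache[i].who, caller))
            return true;
    return false;
}

/* Constructed sample data: one decision cached for a process owned by uid 1000. */
static const struct cached_auth CACHE[] = {
    { { 4242, 987654, 1000 }, "org.example.manage" },
};
static const struct subject OWNER    = { 4242, 987654, 1000 };
static const struct subject COLLIDER = { 4242, 987654, 1001 }; /* same pid/start, other uid */

int main(void) {
    printf("weak:   owner=%d other-uid=%d\n",
           cache_lookup(CACHE, 1, &OWNER, "org.example.manage", match_weak),
           cache_lookup(CACHE, 1, &COLLIDER, "org.example.manage", match_weak));
    printf("strict: owner=%d other-uid=%d\n",
           cache_lookup(CACHE, 1, &OWNER, "org.example.manage", match_strict),
           cache_lookup(CACHE, 1, &COLLIDER, "org.example.manage", match_strict));
    return 0;
}
```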