
According to analysis by digital-forensics expert Rich Mirch, most popular Linux distributions, including Red Hat, Debian, Ubuntu and CentOS, share a vulnerability that lets an unprivileged user execute privileged system commands. The root cause lies in the PolicyKit (polkit) toolkit. Although polkit exists to control how privileges are granted, it mishandles accounts whose UID is greater than INT_MAX (2147483647, i.e. 0x7FFFFFFF), the largest value its signed 32-bit integer field can store: such an account escapes the authorization check entirely. If a new account is created with UID 3000000000, for example, that user is effectively treated as an administrator and can run systemctl with arbitrary arguments, controlling the OS's background daemons, tools and libraries and deciding which services start or stop. At the time of writing only the Debian family has released a corrected policykit-1 package; other distributions do not yet have a complete fix. System administrators should check for accounts with suspicious UIDs and follow the progress of the updates.
Affected product: PolicyKit 0.115
Solutions:
- System administrators should audit existing accounts and not enable any account whose UID exceeds 2147483646 (the vulnerable range begins above INT_MAX, 2147483647).
- Debian Linux users can obtain policykit-1 0.105-18+deb9u1 or a later version; see https://sources.debian.org/src/policykit-1/.
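The script below is an added example and is not code from this advisory, from Rich Mirch's research, or from polkit itself. It illustrates both points above: `to_int32` shows what a uid_t value such as 3000000000 becomes when it is stored in a signed 32-bit integer, which is why UIDs above INT_MAX fall outside what polkit's integer field can represent, and `find_oversized_uids` implements the account audit recommended in the solutions, run here against a constructed passwd sample. The function names, the sample accounts and the `INT_MAX`/`UINT32_MOD` constants are assumptions of this example, not identifiers from the affected software.

```shell
#!/bin/sh
# Added example, not code from the advisory or from polkit itself.
# to_int32: shows what happens when a uid_t (unsigned 32-bit) is stored in a
#           signed 32-bit int such as polkit's integer UID field.
# find_oversized_uids: audits passwd-style entries for UIDs above INT_MAX.

INT_MAX=2147483647      # largest value of a signed 32-bit int (0x7FFFFFFF)
UINT32_MOD=4294967296   # 2^32, the wrap-around modulus for 32-bit values

# Two's-complement reinterpretation of a 32-bit unsigned value as signed.
# Any UID above INT_MAX comes out negative; 4294967295 becomes -1.
to_int32() {
    _uid=$1
    if [ "$((_uid > INT_MAX))" -eq 1 ]; then
        printf '%s\n' "$((_uid - UINT32_MOD))"
    else
        printf '%s\n' "$_uid"
    fi
}

# Read passwd(5)-style lines (name:password:UID:GID:GECOS:home:shell) on
# stdin and print "name:UID" for every account whose UID exceeds INT_MAX.
# Malformed or non-numeric UID fields are skipped rather than misreported.
find_oversized_uids() {
    awk -F: -v max="$INT_MAX" '
        NF >= 3 && $3 ~ /^[0-9]+$/ && ($3 + 0) > (max + 0) { print $1 ":" $3 }
    '
}

# Constructed sample passwd content (not taken from any real system): one
# account sits exactly at INT_MAX and still fits; one sits above it.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
edge:x:2147483647:2147483647:exactly INT_MAX:/home/edge:/bin/bash
evil:x:3000000000:3000000000:above INT_MAX:/home/evil:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Audit the constructed sample. On a real host pipe the account database in
# instead, so NIS/LDAP users are covered:  getent passwd | find_oversized_uids
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_oversized_uids
}

printf 'UID 3000000000 stored in a signed 32-bit int: %s\n' "$(to_int32 3000000000)"
printf 'Accounts above INT_MAX in the sample:\n'
audit_sample
```

The audit only reports; it changes nothing. Whether to lock, renumber or remove an account it flags is a separate administrative decision, and the check should be repeated after any tool that allocates UIDs automatically (LDAP/AD integration in particular) has run.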
Sources:
- https://www.youtube.com/watch?v=GTIwS9zzuhk
- https://www.securitynewspaper.com/2018/12/08/linux-users-with-limited-privileges-could-execute-any-command/
- https://thehackernews.com/2018/12/linux-user-privilege-policykit.html
- https://packetstormsecurity.com/files/150686/Debian-Security-Advisory-4350-1.html
- https://security-tracker.debian.org/tracker/DSA-4350-1
- https://security-tracker.debian.org/tracker/CVE-2018-19788
- https://www.debian.org/security/2018/dsa-4350
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915332
- https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19788.html
- https://gitlab.freedesktop.org/polkit/polkit/issues/74
- https://github.com/systemd/systemd/issues/11026
- https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788
- https://linux.cn/article-5926-1.html
- http://linux.vbird.org/linux_basic/0560daemons.php#systemctl_cmd
- http://man.linuxde.net/systemctl
- https://www.anquanke.com/vul/id/1419341
- https://sources.debian.org/src/policykit-1/