CVE-2021-3560

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Published: May 12, 2023  ·  Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Red Hat Polkit Incorrect Authorization Vulnerability — Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation.

🤖 AI Executive Summary

CVE-2021-3560 is a critical privilege escalation vulnerability in Red Hat Polkit that allows unauthenticated local attackers to bypass authorization checks via D-Bus requests, achieving root-level access without valid credentials. With a CVSS score of 9.0 and publicly available exploits, this vulnerability poses an immediate threat to Linux-based infrastructure across Saudi organizations. Patching is urgent and should be prioritized across all affected systems.

🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 00:31
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability critically impacts Saudi government agencies (NCA, NCSC), banking sector (SAMA-regulated institutions, major banks), healthcare systems (MOH), energy sector (Saudi Aramco, SEC), and telecommunications (STC, Mobily). Linux-based servers, containerized environments, and cloud infrastructure are particularly vulnerable. The privilege escalation capability enables attackers to compromise critical systems, access sensitive data, and establish persistent backdoors across essential national infrastructure.
🏢 Affected Saudi Sectors
Government (NCA, NCSC, Ministry of Interior)
Banking and Financial Services (SAMA-regulated banks)
Healthcare (Ministry of Health)
Energy (Saudi Aramco, SEC)
Telecommunications (STC, Mobily, Zain)
Education (Universities, Research Institutions)
Critical Infrastructure
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running Red Hat Polkit (check: rpm -qa | grep polkit)
2. Isolate critical systems from untrusted networks pending patching
3. Review system logs for suspicious D-Bus activity and privilege escalation attempts
4. Restrict local access to vulnerable systems where possible

PATCHING GUIDANCE:
1. Apply Red Hat security updates: yum update polkit
2. Verify patch installation: rpm -qa polkit (confirm version ≥ 0.117-3 or later)
3. Restart affected services: systemctl restart polkit
4. Test functionality post-patch in non-production environment first

COMPENSATING CONTROLS (if immediate patching delayed):
1. Disable unnecessary D-Bus services
2. Implement strict access controls limiting local user access
3. Monitor D-Bus activity for unauthorized privilege escalation attempts
4. Use SELinux/AppArmor to restrict Polkit capabilities

DETECTION RULES:
1. Monitor for D-Bus method calls to org.freedesktop.PolicyKit1.Authority
2. Alert on uid=0 process spawning from unprivileged user sessions
3. Track failed and successful Polkit authorization attempts in audit logs
4. Search logs for: 'polkit' AND ('unauthorized' OR 'denied' OR 'privilege')
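
Detection rule 4 above as a runnable filter, an added example that is not part of the original page. The function names and the sample log lines are constructed for illustration and do not reproduce real polkit message formats.

```shell
#!/bin/sh
# Added example: 'polkit' AND ('unauthorized' OR 'denied' OR 'privilege'),
# matched case-insensitively over a log stream read from stdin.

# Print every line that satisfies the rule.
polkit_hits() {
    awk '{ l = tolower($0) }
         l ~ /polkit/ && l ~ /unauthorized|denied|privilege/ { print }'
}

# Count hits per keyword so a spike in one category stands out.
# A line containing two keywords is counted once under each.
polkit_keyword_counts() {
    polkit_hits | awk '
        { l = tolower($0) }
        l ~ /unauthorized/ { c["unauthorized"]++ }
        l ~ /denied/       { c["denied"]++ }
        l ~ /privilege/    { c["privilege"]++ }
        END {
            printf "unauthorized=%d denied=%d privilege=%d\n",
                   c["unauthorized"], c["denied"], c["privilege"]
        }'
}

# Constructed sample input (hypothetical hosts, PIDs and message text).
sample_log() {
    cat <<'EOF'
Jun 10 09:14:02 web01 polkitd[812]: constructed: request denied for action org.example.demo uid=1001
Jun 10 09:14:05 web01 sshd[990]: constructed: Permission denied for user alice
Jun 10 09:15:11 web01 polkitd[812]: constructed: registered authentication agent for session c2
Jun 10 09:16:40 web01 audit[1203]: constructed: comm="pkexec" msg='Polkit UNAUTHORIZED privilege change uid=1001'
Jun 10 09:17:02 db02 kernel: constructed: privilege drop completed
EOF
}

# Stand-alone run: show matching lines, then the per-keyword summary.
# Lines 1 and 4 match; line 2 lacks 'polkit', line 3 lacks a keyword,
# line 5 lacks 'polkit'.
sample_log | polkit_hits
sample_log | polkit_keyword_counts
```

On a live host the same functions can be fed from the journal, for example `journalctl -u polkit --no-pager | polkit_hits`. The keyword match is broad, so treat hits as triage leads to correlate with rules 2 and 3 rather than as confirmed escalation attempts.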
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.5.2.1 - User Registration and Access Rights Management
ECC 2024 A.5.3.1 - Password Management
ECC 2024 A.8.1.1 - Information Security Incident Management
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software, Hardware and Services Inventory
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-4 - Access Rights and Privileges
SAMA CSF DE.CM-1 - The network is monitored for unauthorized connections
SAMA CSF RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information Security Policies
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.12.6.1 - Management of Technical Vulnerabilities
ISO 27001:2022 A.16.1 - Planning and Preparation of Information Security Incident Management
🟣 PCI DSS v4.0
PCI DSS 2.1 - Security Configuration Standards
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 7.1 - Limit Access to System Components
PCI DSS 10.2 - Implement Automated Audit Trails
📦 Affected Products / CPE 1 entries
Red Hat:Polkit
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0
EPSS: 10.87%
Exploit: Yes
Patch: Yes
CISA KEV: Yes
KEV Due Date: 2023-06-02
Published: 2023-05-12
Source Feed: cisa_kev
Priority: CRITICAL
🏷️ Tags
kev actively-exploited