Does linpeas still detect CVE-2021-3560?

[LevitatingBusinessMan]

I was doing the HackTheBox box "Paper", which uses the polkit CVE-2021-3560 for privilege escalation.

In the walkthrough for this box, linpeas suggests the CVE in the CVEs Check section with a red on yellow background. But on the latest release of linpeas the CVE is not even suggested.

[LevitatingBusinessMan]

I just saw it falsely detect it on another box (investigation).

[jordytello]

Can confirm the same is occurring in my case as well while working on Paper. I see this has been previously reported 2 times as well at least(#332 and #269)?

Trying to see what may be behind this.

[jordytello]

If you run this command,

yum list installed | grep polkit

Then Polkit does not even appear to show up as an installed package if I understand this correctly (it's a CentOS server).

Welcome any correction to my understanding; thanks! the suggestion in #332 does appear to work though (at least the raw command appears to meet the condition.

[LevitatingBusinessMan]

Ah, sorry for the duplicate. These issues should probably be merged.

The walkthrough of paper says that it should detect it, so something must've changed. Diving into the commits changing that code might give some clarity. Might do that later.

[carlospolop]

hi guys! did you figure this out?

[LevitatingBusinessMan]

My only guess is that the changes in 999fcff broke the detection. I will investigate further.

[LevitatingBusinessMan]

So there's two issues with that commit that breaks detection on the paper box. The first issue is the polkit package is searched with yum installed of rpm.

yum list installed does not show any polkit packages on paper.

In this box the package was most likely manually installed with rpm which is why it doesn't show up in yum.

The new query also only searches for version 0.117-2. The CVE was patched in 0.119 so it's missing out on a lot of vulnerable versions.

It used to also check 0.115-6 which is installed on the box.

I am also not sure why it would search for those exact pkgrel versions.

I also think searching for packages via rpm should always be preferred.

There's currently also an entirely unused variable polkitVersion which gets the version from systemctl.

[hydr0nium]

I can confirm that this is still a problem

[carlospolop]

Hi guys!
Hopefully this was re-added in 08746a3
However, notice that LinPEAS goal is to find misconfigurations, not to have a database of CVEs and check for them (thats why linux exploit suggester is also embedded and executed).
Moreover, next time feel free to send a PR to fix any bug if you would like to contribute!