TLP Polkit Authentication Bypass Vulnerability in Power Profiles Daemon

Vulnerability

An improper-authentication vulnerability affects TLP 1.9.0 and is fixed in 1.9.1. The TLP power profiles daemon runs with root privileges and accepts D-Bus connections from any local user; because its Polkit authorization checks can be bypassed, any local user can reach the methods that change the active power profile and the daemon's logging configuration without being authorized to do so.

Impact

A local, unprivileged user can change the power profile and the logging settings of a root-owned daemon as if they had passed the Polkit check. The impact is limited to the daemon's own power-management and logging state; the page does not describe privilege escalation beyond that.

Reproduction

The issue can be observed by invoking the 'ReleaseProfile' method of the D-Bus service 'org.freedesktop.UPower.PowerProfiles' with a non-integer 'cookie' argument. The daemon raises an unhandled exception in the method handler; the process keeps running, but the call shows that an unprivileged caller reaches the handler and that its argument is used without validation. This trigger demonstrates the missing input check on the unauthenticated call path; the authorization bypass itself is that the profile- and logging-control methods are reachable without a successful Polkit check.
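The two defects above (a privileged method reachable without a Polkit decision, and an argument used before its type is checked) are easiest to see against a hardened handler. The following is an added example written for this page, not code from TLP or power-profiles-daemon: a small model of a profile daemon whose methods first ask Polkit about the calling bus name and then validate their arguments, returning a D-Bus error reply instead of throwing. The Polkit action ids, the sample bus names and the demo authorizer are hypothetical; the real Polkit query is shown in polkit_check_over_system_bus() and is not executed here because it needs a system bus and python-dbus.

```python
"""Added example, not TLP's code. Models how a root D-Bus daemon should gate
privileged methods on a Polkit decision and validate arguments.

Assumptions (hypothetical): ACTION_SWITCH / ACTION_LOGGING action ids and the
":1.7" / ":1.9" caller bus names used in the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

ACTION_SWITCH = "org.example.PowerProfiles.switch-profile"      # hypothetical
ACTION_LOGGING = "org.example.PowerProfiles.configure-logging"  # hypothetical
POLKIT_ALLOW_USER_INTERACTION = 1  # real CheckAuthorization flag value

# Standard D-Bus error names: returned to the caller instead of an unhandled exception.
ERR_ACCESS_DENIED = "org.freedesktop.DBus.Error.AccessDenied"
ERR_INVALID_ARGS = "org.freedesktop.DBus.Error.InvalidArgs"


class DBusError(Exception):
    """Error a D-Bus binding turns into an error reply for the caller."""

    def __init__(self, name: str, message: str) -> None:
        super().__init__(f"{name}: {message}")
        self.name = name


def polkit_check_over_system_bus(sender: str, action_id: str) -> bool:
    """Real Polkit query (needs python-dbus and a system bus; not executed here)."""
    import dbus  # lazy import so the rest of the file runs offline

    authority = dbus.Interface(
        dbus.SystemBus().get_object("org.freedesktop.PolicyKit1", "/org/freedesktop/PolicyKit1/Authority"),
        "org.freedesktop.PolicyKit1.Authority")
    # The subject is the caller's unique bus name; never trust a uid the caller supplies.
    subject = dbus.Struct(("system-bus-name", dbus.Dictionary({"name": sender}, signature="sv")), signature="sa{sv}")
    is_authorized, _challenge, _details = authority.CheckAuthorization(
        subject, action_id, dbus.Dictionary({}, signature="ss"), POLKIT_ALLOW_USER_INTERACTION, "")
    return bool(is_authorized)


def require_uint32(value, name: str) -> int:
    """Accept only a D-Bus 'u' value; anything else becomes an InvalidArgs reply."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value < 2 ** 32:
        raise DBusError(ERR_INVALID_ARGS, f"{name} must be a uint32, got {value!r}")
    return value


def error_name(call: Callable, *args) -> str:
    """Return the D-Bus error name a call would reply with, or '' on success."""
    try:
        call(*args)
        return ""
    except DBusError as err:
        return err.name


@dataclass
class PowerProfilesService:
    polkit_check: Callable[[str, str], bool]   # (sender bus name, action id) -> authorized?
    active_profile: str = "balanced"
    profiles: Set[str] = field(default_factory=lambda: {"power-saver", "balanced", "performance"})
    debug_logging: bool = False
    holds: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # cookie -> (holder, profile)
    next_cookie: int = 1

    def _authorize(self, sender: str, action_id: str) -> None:
        if not self.polkit_check(sender, action_id):
            raise DBusError(ERR_ACCESS_DENIED, f"{sender} is not authorized for {action_id}")

    def set_active_profile(self, sender: str, profile: str) -> None:
        self._authorize(sender, ACTION_SWITCH)          # Polkit gate before any state change
        if profile not in self.profiles:
            raise DBusError(ERR_INVALID_ARGS, f"unknown profile {profile!r}")
        self.active_profile = profile

    def hold_profile(self, sender: str, profile: str, reason: str, app_id: str) -> int:
        self._authorize(sender, ACTION_SWITCH)
        if profile not in self.profiles:
            raise DBusError(ERR_INVALID_ARGS, f"unknown profile {profile!r}")
        cookie, self.next_cookie = self.next_cookie, self.next_cookie + 1
        self.holds[cookie] = (sender, profile)
        return cookie

    def release_profile(self, sender: str, cookie) -> None:
        cookie = require_uint32(cookie, "cookie")       # the untyped path from the reproduction
        holder = self.holds.get(cookie)
        if holder is None or holder[0] != sender:       # a cookie only releases its own hold
            raise DBusError(ERR_ACCESS_DENIED, f"cookie {cookie} is not held by {sender}")
        del self.holds[cookie]

    def set_debug_logging(self, sender: str, enabled: bool) -> None:
        self._authorize(sender, ACTION_LOGGING)
        if not isinstance(enabled, bool):
            raise DBusError(ERR_INVALID_ARGS, "enabled must be a boolean")
        self.debug_logging = enabled


def demo_polkit(sender: str, action_id: str) -> bool:
    """Constructed stand-in for Polkit: only the ':1.7' session is authorized."""
    return sender == ":1.7"


def demo() -> Tuple[str, str, str, str]:
    svc = PowerProfilesService(polkit_check=demo_polkit)
    svc.set_active_profile(":1.7", "performance")
    cookie = svc.hold_profile(":1.7", "power-saver", "battery critical", "demo-app")
    denied = error_name(svc.set_active_profile, ":1.9", "power-saver")   # unprivileged caller
    bad_cookie = error_name(svc.release_profile, ":1.7", "abc")          # non-integer cookie
    logging = error_name(svc.set_debug_logging, ":1.9", True)            # unprivileged caller
    svc.release_profile(":1.7", cookie)
    return svc.active_profile, denied, bad_cookie, logging


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the checks sit: every state-changing method consults Polkit with the caller's bus name before doing anything, and ReleaseProfile checks the cookie's type and ownership so a malformed or foreign cookie produces an error reply rather than an exception in a root process.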

Remediation

Upgrade to TLP 1.9.1 or later, which fixes the authorization bypass and the associated input-handling issue. Releases are published in the TLP GitHub repository.

Added: Jan 14, 2026, 12:19 PM
Updated: Jan 14, 2026, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.0
exploitability: 3.2
remediation: 0.0
relevance: 2.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.