A Polkit Vulnerability Gives Root on All Major Linux Distros

Security vendor Qualys found the flaw and published details in a coordinated disclosure.

Previously called PolicyKit, Polkit manages system-wide privileges in Linux. It provides a mechanism for nonprivileged processes to safely interact with privileged processes and it’s installed by default in every major Linux distribution.

Yesterday, researchers from Qualys published an advisory about a local privilege escalation vulnerability in the pkexec tool, that is installed as part of the Polkit. The pkexec tool, which is a command line tool, is used to define which authorized user can execute a program as another user.

The security flaw is identified as CVE-2021-4034 and named PwnKit has been around for more than 12 years. In other words, Pkexec has been vulnerable since its creation in May 2009.

This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.

Qualys Researchers

If you are already wondering how dangerous is it, there is only one short answer. Very! Exploiting the flaw is trivial and, by some accounts, 100 percent reliable.

The root cause of the issue is an out-of-bounds memory write that is created when pkexecโ€™s main function processes command-line arguments and attempts to locate the program to be executed. An attacker can introduce an โ€œunsecuredโ€ variable into pkexecโ€™s environment.

As a result, an arbitrary code can be loaded and run by the program as root.

As of this writing, the Common Vulnerabilities and Exposures website did not yet have a listing for CVE-2021-4034. There is serious cause for concern because attackers probably will start exploiting it soon.

This is especially dangerous for any multi-user system that allows shell access to users. In fact, any unprivileged local user can exploit this vulnerability to get full root privileges.

Bojan Zdrnja, a penetration tester and a handler at SANS, tried the exploit on a fully patched Ubuntu 20.04 system for testing purposes.

Polkit Vulnerability - PwnKit

The security hole was reported in November 2021 and a patch was issued on January 11, 2022. You should obtain and apply a patch ASAP.

Patches for PwnKit are already dropping โ€“ Red Hat and Ubuntu users can find out more here and here.

If no patches are available for your Linux distro, as a short-term solution, you can remove the SUID-bit from pkexec:

chmod 0755 /usr/bin/pkexec

Qualys also notes that the exploitation technique leaves traces in logs, that say either โ€œThe value for the SHELL variable was not found the /etc/shells file…โ€ or โ€œThe value for environment variable โ€ฆ contains suspicious content.โ€

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

2 / 10

Who is the Ubuntu's founder?

3 / 10

What year was the first official Ubuntu release?

4 / 10

What does the Ubuntu logo symbolize?

5 / 10

What package format does Ubuntu use for installing software?

6 / 10

When are Ubuntu's LTS versions released?

7 / 10

What is Unity?

8 / 10

What are Ubuntu versions named after?

9 / 10

What's Ubuntu Core?

10 / 10

Which Ubuntu version is Snap introduced?

The average score is 69%