Previously called PolicyKit, Polkit manages system-wide privileges in Linux. It provides a mechanism for nonprivileged processes to safely interact with privileged processes and it’s installed by default in every major Linux distribution.
Yesterday, researchers from Qualys published an advisory about a local privilege escalation vulnerability in the pkexec tool, which is installed as part of Polkit. pkexec is a command-line tool used to define which authorized users can execute a program as another user.
The security flaw, identified as CVE-2021-4034 and named PwnKit, has been around for more than 12 years. In other words, pkexec has been vulnerable since its creation in May 2009.
This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
Qualys Researchers
If you are already wondering how dangerous it is, there is only one short answer: very. Exploiting the flaw is trivial and, by some accounts, 100 percent reliable.
The root cause of the issue is an out-of-bounds memory write that occurs when pkexec’s main function processes command-line arguments and attempts to locate the program to be executed. An attacker can introduce an “unsecured” variable into pkexec’s environment.
As a result, arbitrary code can be loaded and run by the program as root.
As of this writing, the Common Vulnerabilities and Exposures website did not yet have a listing for CVE-2021-4034. There is serious cause for concern because attackers will probably start exploiting it soon.
This is especially dangerous for any multi-user system that allows shell access to users. In fact, any unprivileged local user can exploit this vulnerability to get full root privileges.
Bojan Zdrnja, a penetration tester and a handler at SANS, tried the exploit on a fully patched Ubuntu 20.04 system for testing purposes.
The security hole was reported in November 2021 and a patch was issued on January 11, 2022. You should obtain and apply a patch ASAP.
Patches for PwnKit are already dropping; Red Hat and Ubuntu users can find out more here and here.
If no patches are available for your Linux distro, as a short-term solution you can remove the SUID bit from pkexec:
chmod 0755 /usr/bin/pkexec
Qualys also notes that the exploitation technique leaves traces in logs that say either “The value for the SHELL variable was not found the /etc/shells file…” or “The value for environment variable … contains suspicious content.”
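A defender-side check tying together the SUID workaround above and the log traces Qualys describes, as an added example that is not code from the article or from Qualys. It assumes pkexec lives at /usr/bin/pkexec (override PKEXEC if your distribution differs) and uses a constructed sample log, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or the Qualys advisory). Two checks:
#  1. does pkexec still carry the set-user-id bit (the state chmod 0755 removes)?
#  2. does a log file contain either indicator string Qualys says the technique leaves?
# PKEXEC is an assumed path; override it if your distribution installs pkexec elsewhere.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Both indicator strings quoted in the advisory, as one extended regex.
PWNKIT_TRACE_RE='The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains suspicious content'

# Returns 0 when the file has the set-user-id bit, i.e. the workaround is NOT applied.
pkexec_is_suid() {
    [ -u "$1" ]
}

# Prints every line of the given log file that matches an indicator.
pwnkit_traces() {
    grep -E "$PWNKIT_TRACE_RE" "$1"
}

# Prints the number of matching lines (0 when there are none), for scripting.
pwnkit_trace_count() {
    grep -cE "$PWNKIT_TRACE_RE" "$1"
}

# Writes a constructed sample log (two indicator lines among ordinary noise)
# to the given path so the checks can be exercised without a real incident.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 26 10:00:01 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50012 ssh2
Jan 26 10:00:07 host pkexec[1333]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/1]
Jan 26 10:00:09 host pkexec[1340]: alice: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/1]
Jan 26 10:00:15 host CRON[1350]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Report on the live system when run directly.
if pkexec_is_suid "$PKEXEC"; then
    echo "$PKEXEC is SUID: apply your distro's patch, or as a stopgap: chmod 0755 $PKEXEC"
else
    echo "$PKEXEC is not SUID (workaround applied, or the file is absent)"
fi
```

To scan a real host, point pwnkit_traces at /var/log/auth.log or /var/log/secure, or feed it the output of journalctl -t pkexec saved to a file.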