Yesterday, it was reported that a memory corruption vulnerability, tracked as CVE-2021-4034, was discovered in Polkit’s pkexec – a SUID-root program installed by default on every major Linux distribution. CVE-2021-4034, also known as PwnKit, could allow unprivileged users to gain root privileges on the vulnerable host by exploiting it in its default configuration.
The vulnerability was discovered in November 2021 by the Qualys Research Team but was not disclosed to the public until yesterday, January 25, 2022, via a coordinated disclosure with both vendor and open-source distributions. The researchers at Qualys were able to independently verify the vulnerability, develop the exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. There are also other Linux distributions that are likely to be vulnerable and exploitable. While Qualys did not release the exploit publicly, they provided enough technical detail for others to recreate it. Avertium threat researchers have discovered a working exploit online, so it is only a matter of time before attackers start exploiting this vulnerability in the wild.
According to Bharat Jogi, Qualys’ Director of Vulnerability and Threat Research, Polkit controls system-wide privileges in Unix-like operating systems and provides an organized way for non-privileged processes to communicate with privileged processes. Polkit can also be used to execute commands with elevated privileges: the command pkexec is followed by the command intended to be executed (with root permission). In other words, pkexec allows an authorized user to execute commands as another user, and if no username is specified, the command is run as the administrative super user (root).
Hiding in plain sight for 12 years, PwnKit affects all versions of pkexec dating back to the first version from May 2009 (commit c8c3d83, “Add a pkexec(1) command”). Avertium recommends that users apply patches for PwnKit as they become available. Qualys will release the detections (QIDs) on their website as they become available, starting with vulnsigs version VULNSIGS-2.5.87-2 and in Linux Cloud Agent manifest version lx_manifest-2.5.387.2.1. Since pkexec is installed by default on most Linux systems and the vulnerability is exploitable in pkexec’s default configuration, Linux systems should be assumed to be vulnerable until patched or mitigated.
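As an added defender-side check (not code from the Avertium post or from the Qualys advisory), the POSIX shell script below reports whether a pkexec binary still carries the setuid bit that PwnKit relies on, and prints the temporary mitigation named in the Qualys advisory (removing that bit with chmod 0755) for hosts that cannot be patched yet. It assumes a POSIX shell with either GNU or BSD `stat`; the scanned install paths are assumed common locations, not taken from the post.

```shell
#!/bin/sh
# Added example: check whether pkexec is still setuid-root (the precondition
# for CVE-2021-4034 / PwnKit) and suggest the Qualys interim mitigation.

# Print the octal mode of a file (e.g. 4755). Tries GNU stat, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Classify one path. Prints SUID, NOSUID or MISSING; exit status 0/1/2.
pkexec_suid_status() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "MISSING"; return 2
    fi
    if [ -u "$path" ]; then        # POSIX test: setuid bit set
        echo "SUID"; return 0
    fi
    echo "NOSUID"; return 1
}

# Scan the usual install locations (assumed paths) and summarise each one.
scan_pkexec() {
    for p in /usr/bin/pkexec /usr/local/bin/pkexec; do
        status=$(pkexec_suid_status "$p")
        case "$status" in
            SUID)
                echo "$p: setuid set (mode $(file_mode "$p")). Apply the vendor patch;"
                echo "  interim mitigation from the Qualys advisory: chmod 0755 $p" ;;
            NOSUID)
                echo "$p: setuid bit not set; pkexec cannot be abused for PwnKit" \
                     "(and cannot elevate privileges until a patched setuid build is installed)" ;;
            MISSING)
                echo "$p: not present" ;;
        esac
    done
}

scan_pkexec
```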
The following IoCs were discovered by Avertium’s Cyber Threat Intelligence Team: