PolicyKit Vulnerability Exposed After 12 Years: Why You Need to Patch Your Linux Today
Security company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit’s pkexec, CVE-2021-4034, dubbed “PwnKit”. Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It’s installed by default in every major Linux distribution, which means that tens of millions of devices are vulnerable to this easily-exploitable bug. What makes this flaw even more threatening is that it’s been hidden for more than a decade, meaning it has become ubiquitous by nature.
How dangerous is it?
This vulnerability is trivial to exploit and fully operational exploits were already released to the public yesterday afternoon. And, with PwnKit, any ordinary user can gain full root privileges on a vulnerable Linux device by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: “This vulnerability is an attacker’s dream come true.”
Why is it so bad?
- Pkexec is installed by default on all major Linux distributions.
- Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they’re sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way. This makes it trivial for the same exploit code to be used against all major Linux distros and likely will make PwnKit easier to weaponize.
- And, last but not least, it’s exploitable even if the polkit daemon itself is not running.
It is important to note that an attacker needs the ability to run code on an affected machine in order to exploit it. PwnKit is not exploitable from an unauthenticated perspective. But that doesn’t mean this isn’t a huge deal.
It is highly likely that attackers will take advantage of this vulnerability by chaining it together with other existing vulnerabilities. For example, let’s say an attacker has previously exploited a vulnerability that allows them to run commands on your company’s public-facing web server, running on Linux. However, the attacker was thwarted by the server being mostly locked down and running with the fewest possible permissions, limiting the actions they can take. Enter: PwnKit. With one or two commands, that attacker is now able to easily escalate privileges to ‘root’ and obtain complete control over the server.
What action do you need to take today?
Vendors have already started releasing patches for affected operating systems, and more are certain to be released in the coming days.
As a temporary mitigation, if no patches are yet available for your operating system, you can remove the SUID-bit from pkexec. For example, run the following command to stop this exploit from working: ‘sudo chmod 0755 /usr/bin/pkexec’.
If you have exposed Linux devices that you’re concerned may have already been exploited, you can look for traces in the logs. Typically, this will be either “The value for the SHELL variable was not found in the /etc/shells file” or “The value for environment variable […] contains suspicious content.” However, bear in mind that a sophisticated attacker can readily exploit PwnKit without leaving any traces in the logs.
If you need further assistance in patching this vulnerability, we can help! Contact us today.