A research team at cybersecurity firm Qualys has discovered a memory corruption vulnerability, “PwnKit,” in polkit’s pkexec that leaves all major Linux distributions open to local privilege escalation (LPE) attacks.

According to the report, Polkit (formerly known as PolicyKit) is a component that controls system-wide privileges in Unix-like operating systems, providing a mechanism for unprivileged processes to communicate with privileged ones. pkexec is a SUID-root program installed by default on every major Linux distribution. This easily exploitable vulnerability allows any unprivileged logged-in user to gain full root access to the system in its default configuration. The vulnerability has been assigned CVE-2021-4034, with a CVSS rating of 7.8.


Bharat Jogi, director of vulnerability and threat research at Qualys, noted that the pkexec vulnerability opens the door for attackers to gain root privileges. The most likely attack scenario comes from an insider threat, where a malicious user can escalate from having no privileges to gaining full root privileges. From an external threat perspective, if an attacker is able to get a foothold on the system through another vulnerability or password exploit, then that attacker can escalate through this vulnerability to gain full root privileges. The vulnerability requires local authenticated access to the vulnerable machine and cannot be run remotely without such authentication.

Qualys researchers have demonstrated that exploiting this vulnerability yields full root privileges on default installations of Linux distributions such as Ubuntu, Debian, Fedora, and CentOS, and some other Linux distributions may also be vulnerable.
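A defender's triage check for the precondition described above (a pkexec binary installed SUID-root), added here as an example; it is not code from the article or from Qualys, and the default path /usr/bin/pkexec is an assumption:

```shell
#!/bin/sh
# Added triage check, not code from the article or from Qualys. It tests the
# precondition the article describes: a pkexec binary installed set-user-ID
# root, which is what lets an unprivileged local user reach root through
# CVE-2021-4034. The default path below is an assumption; pass another as $1.

# Return 0 if $1 is a regular file with the set-user-ID bit set.
is_suid() {
  [ -f "$1" ] && [ -u "$1" ]
}

# Classify a pkexec binary. Prints one of:
#   missing      - no file at that path
#   no-suid      - present but not set-user-ID (SUID bit already removed)
#   suid-nonroot - SUID but not owned by root (unusual, still worth a look)
#   suid-root    - SUID and root-owned: the precondition for CVE-2021-4034
pkexec_status() {
  f="$1"
  if [ ! -f "$f" ]; then
    echo missing
    return 0
  fi
  owner=$(ls -ld "$f" | awk '{print $3}')
  if [ -u "$f" ]; then
    if [ "$owner" = root ]; then echo suid-root; else echo suid-nonroot; fi
  else
    echo no-suid
  fi
}

PKEXEC="${1:-/usr/bin/pkexec}"
status=$(pkexec_status "$PKEXEC")
echo "$PKEXEC: $status"
case "$status" in
  suid-root)
    # Not from the article: the known interim workaround until the patched
    # polkit package is installed is to strip the SUID bit: chmod 0755 "$PKEXEC"
    echo "action: install the distribution's patched polkit package" ;;
  no-suid|missing)
    echo "SUID-root pkexec precondition for CVE-2021-4034 is absent" ;;
esac
```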

This vulnerability has been hidden for over 12 years and affects all versions of pkexec since the first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).

Vulnerability disclosure timeline:

  • 2021-11-18: bulletin sent to secalert@redhat.
  • 2022-01-11: Public notice and patch sent to distros@openwall.
  • 2022-01-25: Coordinated release date (5:00 PM UTC).

More technical details about the PwnKit vulnerability can be found in the Qualys blog entry.