Qualys Research Team Warns of Significant polkit Vulnerability Affecting All Linux Users
The Qualys Research Team reached out to LinuxSecurity after discovering a memory corruption vulnerability in polkit’s pkexec. Pkexec is a SUID-root program installed by default on every major Linux distribution. The vulnerability is easily exploited and gives attackers the opportunity to gain full root privileges on a vulnerable host. Much like the Log4j vulnerability, the severity of this flaw is high, and it is imperative that such vulnerabilities are reported in a timely fashion. Experts also stressed that, because exploitation is so simple, the vulnerability needs to be patched and mitigated immediately.
Formerly known as PolicyKit, polkit is a component of Unix-like operating systems designed for controlling system-wide privileges. It provides an organized method of communication between non-privileged processes and privileged processes. Where polkit grants root permission, a user can perform commands with elevated privileges by running pkexec followed by the command to be executed.
Pkexec has contained the memory-corruption vulnerability since 2009, so anyone with limited control of a vulnerable machine can exploit it to escalate privileges all the way to root. Attackers who already have a foothold on a vulnerable machine can exploit the flaw to run a malicious payload with the highest available system rights. Researchers have named the vulnerability ‘PwnKit’; it can be exploited even if the polkit daemon isn’t running.
- 2021-11-18: Advisory sent to secalert@redhat.
- 2022-01-11: Advisory and patch sent to distros@openwall.
- 2022-01-25: Coordinated Release Date (5:00 PM UTC).
Experts were shocked to find that the vulnerability went undetected for 12+ years and directly affects every version since the initial release in 2009. Successful exploitation gives an unprivileged user full root privileges on a vulnerable host. Security researchers at Qualys have independently verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Because the flaw affects all major Linux distributions and is easily exploitable, other distributions are likely vulnerable and probably exploitable. Because this vulnerability is considered extremely severe, the Qualys Research Team will not publish the exploit.
Mitigations & Additional Resources
Qualys recommends that users apply patches for this vulnerability immediately. Qualys customers can search its vulnerability knowledge base for CVE-2021-4034. If no patch is available for your operating system, you can remove the SUID bit from pkexec as a temporary mitigation; for example: # chmod 0755 /usr/bin/pkexec.
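To make the interim mitigation auditable, here is an added POSIX shell example (not code from Qualys or the polkit project) that checks whether a pkexec binary still carries the SUID bit and applies the chmod 0755 workaround described above. The functions take the binary's path as a parameter so they can be exercised on a scratch file; the report function assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not code from the Qualys advisory or the polkit project:
# audit a pkexec binary for the set-user-ID bit and apply the advisory's
# interim mitigation (chmod 0755) when no distribution patch is available.
# The path is a parameter so the functions can be exercised on a scratch
# copy instead of /usr/bin/pkexec. Assumes GNU coreutils stat for the report.

# True (exit 0) when the file exists and has the set-user-ID bit set.
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Report owner and octal mode, e.g. "root 4755" for an unmitigated pkexec.
suid_report() {
    stat -c '%U %a' "$1"
}

# Strip the SUID bit (chmod 0755, as in the advisory). Idempotent: exit 0 if
# the file is already non-SUID or after a successful chmod, 1 on failure.
mitigate_pkexec() {
    is_suid "$1" || return 0
    chmod 0755 "$1" || return 1
    ! is_suid "$1"
}

# Audit the installed pkexec (or the path given as $1). Exit 0 when the
# binary is not SUID, 1 when it is still exposed, 2 when it is not found.
audit_pkexec() {
    target="${1:-$(command -v pkexec 2>/dev/null)}"
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "pkexec not found"
        return 2
    fi
    if is_suid "$target"; then
        echo "EXPOSED: $target is SUID ($(suid_report "$target")); patch polkit or run: chmod 0755 $target"
        return 1
    fi
    echo "OK: $target is not SUID ($(suid_report "$target"))"
}

# Standalone use: `sh pwnkit_check.sh [path]` prints the verdict; run
# `mitigate_pkexec /usr/bin/pkexec` as root to apply the interim fix.
audit_pkexec "$@" || true
```

Remember that removing the SUID bit also stops legitimate pkexec use until the distribution's patched polkit package is installed.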