PwnKit: Polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)

The Qualys Research Team identified a memory corruption flaw in Polkit’s pkexec, a SUID-root tool that comes pre-installed on every major Linux distribution. By exploiting this easily exploited vulnerability (CVE-2021-4034) in its default configuration, any unprivileged user can gain full root privileges on a vulnerable host. 
Polkit (previously PolicyKit) is a Unix-like operating system component for managing system-wide privileges. It allows non-privileged processes to communicate with privileged processes in a structured manner. The command pkexec, followed by the command to be executed, can also be used to execute commands with elevated privileges using Polkit (with root permission). 
An unprivileged user can get root access to the vulnerable system if this vulnerability is successfully exploited. Qualys security researchers were able to independently verify the vulnerability, create an exploit, and gain full root capabilities on Ubuntu, Debian, Fedora, and CentOS default installations. Other Linux distributions are almost certainly vulnerable and exploitable as well. Since its first release in May 2009 (commit c8c3d83, “Add a pkexec(1) command”), this vulnerability has been hidden in plain sight for over a decade. It affects all versions of pkexec. 
Affected versions  
All versions of PolKit are affected by this vulnerability. 
Customers are advised to patch to the latest version of Polkit to mitigate the vulnerability. Customers can visit the advisories released by different vendors like RedHat and Ubuntu to gain more information about this vulnerability.  

Workaround/Mitigation Detection

Qualys Policy Compliance customers can evaluate workaround based on following Control

22844    Status of the SUID bit for /usr/bin/pkexec
Qualys Detection  
Qualys customers can scan their devices with QID 376287 to detect vulnerable assets.  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *