January 28, 2022
Prepared by Deepwatch Threat Intel Team
Key Points:
- Exploit code was publicly released hours after Qualys published technical details of a vulnerability, dubbed PwnKit and tracked as CVE-2021-4034, in Polkit’s pkexec component.
- A threat actor who already has local access with user-level privileges can elevate to root-level privileges by successfully exploiting the vulnerability. It is unknown whether threat actors have exploited this vulnerability at this time.
- Deepwatch Threat Intel Team assesses with moderate confidence that threat actors are likely to use the publicly available exploit code to escalate privileges on systems they have already compromised. Given the breadth of the attack surface for this vulnerability across Unix-like operating systems, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.
Overview
CVE-2021-4034, dubbed PwnKit and rated CVSS 7.8, is a memory-corruption vulnerability in Polkit's pkexec component discovered by Qualys researchers. pkexec is installed setuid root by default on all major Linux distributions, and the flaw can be exploited by any local user to obtain full root privileges. The bug lies in pkexec's argument handling: when the program is invoked with an empty argument list (an argc of 0), it reads and writes past the end of argv, which lets an unprivileged caller inject an environment variable into pkexec's own environment and run code as root. Proof-of-concept exploit code was released just hours after Qualys published their technical analysis of the vulnerability.
What is Polkit’s pkexec component?
Polkit (formerly PolicyKit) is a component of Unix-like operating systems for controlling system-wide privileges. It provides a structured way for unprivileged processes to request actions from privileged ones. pkexec is Polkit's counterpart to sudo: invoked as pkexec followed by a command, it runs that command as another user (root by default) once Polkit has authorized the request. To do this, pkexec is installed setuid root, which is why a bug in it is directly reachable from any local account.
What is the Impact of this Vulnerability?
A threat actor who already has local access with user-level privileges can elevate to root by successfully exploiting PwnKit. Qualys researchers obtained full root privileges on default installations of Ubuntu, Debian, Fedora and CentOS.
Other Linux distributions that ship pkexec are almost certainly exploitable as well. The flaw has been present since pkexec's first version, added in May 2009 (commit c8c3d83, "Add a pkexec(1) command"), so every version of pkexec released before the fix is affected, a window of more than 12 years. It is unknown whether threat actors have exploited this vulnerability at this time.
How Can I Identify Vulnerable Systems?
To aid in identifying vulnerable systems, both Qualys and Tenable have released detection content:
- Qualys has published QID 376287, starting with vulnsigs version VULNSIGS-2.5.387-2 and Linux Cloud Agent manifest version lx_manifest-2.5.387.2-1.
- Tenable has published plugins for CVE-2021-4034; customers can find the plugin IDs on Tenable's site.
What Do I Need to Do?
- Given the breadth of the attack surface for this vulnerability across Unix-like operating systems, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.
- The Polkit maintainers have released the fix upstream via GitLab, and distributions have shipped it in their polkit packages.
- Ubuntu has released fixed policykit-1 packages for 14.04 ESM and 16.04 ESM (extended security maintenance) and for 18.04, 20.04 and 21.10 (USN-5252-1 and USN-5252-2). A routine system update installs the fix; no reboot is required, because the fix is in the pkexec binary itself rather than in a long-running service.
- Red Hat has released polkit security updates for Red Hat Enterprise Linux 6 (Extended Lifecycle Support), 7 and 8 on Workstation and Server, including the Extended Update Support, Update Services for SAP Solutions, Advanced Update Support (AUS) and TUS streams; the advisory and fixed package version for each release are listed in the table below.
- For customers running operating systems that have not yet released a patch, a reported mitigation is to remove the setuid bit from pkexec until a patch is available:
  chmod 0755 /usr/bin/pkexec
  This closes the exploit path, since the bug is only dangerous while pkexec runs as root, but it is a workaround rather than a fix: legitimate callers of pkexec (desktop helpers and administrative tools) will fail until the patched package is installed, and installing the patched package restores mode 4755.
How Can I Verify My System(s) Are Updated?
Please refer to the table below. To identify the installed package version, run the following in a terminal:
Ubuntu/Debian (package policykit-1):
- apt show policykit-1
- dpkg -s policykit-1 | grep Version
Red Hat Enterprise Linux/CentOS (package polkit):
- yum info polkit
- rpm -q polkit
The installed version must be equal to or newer than the version in the table. Note that the Red Hat entries in the table omit the errata suffix (for example, the RHEL 8 fix ships as polkit-0.115-13.el8_5.1), so compare the full version string printed by rpm -q against the advisory rather than the bare release number; for the EUS streams in particular, the base release number alone does not distinguish a patched build from an unpatched one.
| Operating System | Updated Package (Patch) | Advisory/Update |
| --- | --- | --- |
| Red Hat Enterprise Linux 8 | polkit-0.115-13 | RHSA-2022:0267 |
| Red Hat Enterprise Linux 8.4.0 Extended Update Support [2] | polkit-0.115-11 | RHSA-2022:0266 |
| Red Hat Enterprise Linux 8.2.0 Extended Update Support [2] | polkit-0.115-11 | RHSA-2022:0265 |
| Red Hat Enterprise Linux 8.1.0 Update Services for SAP Solutions, Advanced Update Support [3],[4] | polkit-0.115-9 | RHSA-2022:0268 |
| Red Hat Enterprise Linux 7 | polkit-0.112-26 | RHSA-2022:0274 |
| Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions, Advanced Update Support [3],[4] | polkit-0.112-22 | RHSA-2022:0273 |
| Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Advanced Update Support [3],[4] | polkit-0.112-18 | RHSA-2022:0271 |
| Red Hat Enterprise Linux 7.4 Advanced Update Support [4] | polkit-0.112-12 | RHSA-2022:0272 |
| Red Hat Enterprise Linux 7.3 Advanced Update Support [4] | polkit-0.112-12 | RHSA-2022:0270 |
| Red Hat Enterprise Linux 6 Extended Lifecycle Support [5] | polkit-0.96-11 | RHSA-2022:0269 |
| Ubuntu 21.10 | policykit-1 0.105-31ubuntu0.1 | USN-5252-1 |
| Ubuntu 20.04 | policykit-1 0.105-26ubuntu1.2 | USN-5252-1 |
| Ubuntu 18.04 | policykit-1 0.105-20ubuntu0.18.04.6 | USN-5252-1 |
| Ubuntu 16.04 | policykit-1 0.105-14.1ubuntu0.5+esm1 | USN-5252-2 |
| Ubuntu 14.04 | policykit-1 0.105-4ubuntu3.14.04.6+esm1 | USN-5252-2 |
| Debian 11 ("bullseye") | policykit-1 0.105-31+deb11u1 | CVE-2021-4034 (Debian security tracker) |
| Debian 10 ("buster") | policykit-1 0.105-25+deb10u1 | CVE-2021-4034 (Debian security tracker) |
| Debian 9 ("stretch") | policykit-1 0.105-18+deb9u2 | CVE-2021-4034 (Debian security tracker) |
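As a practical check that combines the package lookup above with the setuid mitigation described earlier, the following script is an added example written for this advisory; it is not Deepwatch, Qualys or distribution code. It reports whether pkexec is present and setuid root, which polkit package version is installed, and whether the package changelog cites CVE-2021-4034. It assumes a GNU or busybox stat that supports -c, pkexec at /usr/bin/pkexec unless PKEXEC is set in the environment, and that a patched package's changelog mentions the CVE, which is a heuristic rather than a guarantee; the authoritative check remains comparing the full package version against the vendor advisory.

```shell
#!/bin/sh
# pwnkit-check.sh: local exposure check for CVE-2021-4034 (PwnKit).
# Added example for this advisory; not Deepwatch, Qualys or distribution code.
# Assumptions: `stat -c` (GNU/busybox), pkexec at /usr/bin/pkexec unless PKEXEC
# is set, and that a patched package's changelog cites the CVE (heuristic).

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# mode_has_setuid OCTAL_MODE -> 0 if the setuid bit (04000) is set, else 1.
# Accepts the 3- or 4-digit form printed by `stat -c %a` (e.g. 755, 4755).
mode_has_setuid() {
    m="$1"
    while [ "${#m}" -lt 4 ]; do m="0$m"; done
    case "$m" in
        4???|5???|6???|7???) return 0 ;;   # leading octal digit has the 4 bit
        *) return 1 ;;
    esac
}

# changelog_mentions_cve FILE -> 0 if FILE (plain or gzip) cites the CVE.
changelog_mentions_cve() {
    f="$1"
    [ -r "$f" ] || return 1
    case "$f" in
        *.gz) zcat "$f" 2>/dev/null | grep -q 'CVE-2021-4034' ;;
        *)    grep -q 'CVE-2021-4034' "$f" ;;
    esac
}

# pkexec_state PATH -> prints: missing | unknown | setuid-root | not-setuid-root
pkexec_state() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 0; }
    mode=$(stat -c '%a' "$f" 2>/dev/null) || { echo unknown; return 0; }
    owner=$(stat -c '%U' "$f" 2>/dev/null)
    if mode_has_setuid "$mode" && [ "$owner" = "root" ]; then
        echo setuid-root
    else
        echo not-setuid-root    # chmod 0755 workaround applied, or unusual install
    fi
}

# package_info -> prints "<package> <version> <changelog-cites-cve yes|no>"
package_info() {
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f '${Version}' policykit-1 2>/dev/null) || ver=not-installed
        if changelog_mentions_cve /usr/share/doc/policykit-1/changelog.Debian.gz; then c=yes; else c=no; fi
        echo "policykit-1 $ver $c"
    elif command -v rpm >/dev/null 2>&1; then
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' polkit 2>/dev/null) || ver=not-installed
        if rpm -q --changelog polkit 2>/dev/null | grep -q 'CVE-2021-4034'; then c=yes; else c=no; fi
        echo "polkit $ver $c"
    else
        echo "unknown-package-manager unknown no"
    fi
}

main() {
    state=$(pkexec_state "$PKEXEC")
    set -- $(package_info)
    echo "pkexec: $PKEXEC ($state)"
    echo "package: $1 version $2, changelog cites CVE-2021-4034: $3 (heuristic)"
    case "$state:$3" in
        setuid-root:no)  echo "VERDICT: likely vulnerable - patch, or chmod 0755 $PKEXEC"; return 1 ;;
        setuid-root:yes) echo "VERDICT: setuid pkexec present but package appears patched"; return 0 ;;
        *)               echo "VERDICT: pkexec absent or not setuid-root; exploit path closed"; return 0 ;;
    esac
}

main
```

Run it as any user; it exits 1 when pkexec is setuid root and the package shows no sign of the fix, which is the combination worth escalating to patching. A "not-setuid-root" result on a host that was never deliberately mitigated is itself worth a look, since it means something other than the package manager changed the binary's mode.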
Can I Observe Possible Exploitation?
Possibly. pkexec logs through syslog (typically /var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat, and the systemd journal), and the first exploitation method Qualys describes trips one of pkexec's own sanity checks before anything runs as root. According to Qualys, customers should therefore look for either "The value for the SHELL variable was not found the /etc/shells file" or "The value for environment variable [...] contains suspicious content" in those logs. Note that the pkexec source spells the second message "suscipious", so detection rules should not anchor on the dictionary spelling. However, please keep in mind that this vulnerability can be exploited without leaving any evidence in the logs, so the absence of these messages does not rule out exploitation.
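To make the log check concrete, the following is an added example written for this advisory (not Deepwatch or Qualys code) that greps syslog-style lines for the two pkexec messages. By default it runs against a constructed auth.log sample whose line format approximates pkexec's syslog output; those lines are invented test data, not real logs. With --live it instead scans /var/log/auth.log, /var/log/secure and the journal (journalctl -t pkexec) on the current host. The pattern deliberately matches both the dictionary spelling and the "suscipious" spelling found in the pkexec source.

```shell
#!/bin/sh
# pwnkit-logscan.sh: find pkexec's tell-tale messages in syslog-style logs.
# Added example for this advisory; not Deepwatch or Qualys code. The sample
# log below is constructed, with the format approximated from pkexec's
# syslog output.

# The stock pkexec source spells the second message "suscipious", so match
# on the stable prefix and a loose spelling rather than the full sentence.
PWNKIT_PATTERN='pkexec.*(The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains sus[a-z]* content)'

# pwnkit_log_hits FILE -> prints matching lines; exit 0 if any matched.
pwnkit_log_hits() {
    grep -E "$PWNKIT_PATTERN" "$1"
}

# pwnkit_log_hit_count FILE -> prints the number of matching lines.
pwnkit_log_hit_count() {
    pwnkit_log_hits "$1" | wc -l | tr -d ' '
}

# write_sample_log FILE: constructed lines in auth.log style (not real data).
# Lines 1 and 2 are what a failed/noisy PwnKit attempt looks like; line 3 is
# a benign pkexec use; line 4 is unrelated sshd noise.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 28 10:01:02 host pkexec[2413]: user1: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=]
Jan 28 10:01:05 host pkexec[2417]: user1: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=]
Jan 28 10:02:00 host pkexec[2420]: user2: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/user2] [COMMAND=/usr/bin/systemctl restart cups]
Jan 28 10:03:00 host sshd[2501]: Accepted publickey for user2 from 10.0.0.5 port 51234 ssh2
EOF
}

# scan_live: check the usual auth logs and the journal on this host.
scan_live() {
    for f in /var/log/auth.log /var/log/secure; do
        [ -r "$f" ] && pwnkit_log_hits "$f"
    done
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -t pkexec --no-pager 2>/dev/null | grep -E "$PWNKIT_PATTERN"
    fi
}

case "${1:-}" in
    --live) scan_live ;;
    *)
        sample=$(mktemp)
        write_sample_log "$sample"
        echo "hits in constructed sample: $(pwnkit_log_hit_count "$sample")"
        pwnkit_log_hits "$sample"
        rm -f "$sample"
        ;;
esac
```

Run `sh pwnkit-logscan.sh --live` as root (the auth logs are not world-readable). A hit identifies the calling user and time and should be investigated together with that user's other activity on the host; no hit does not clear the host, for the reason given above.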
Deepwatch Threat Intelligence Outlook
Deepwatch Threat Intel Team assesses with moderate confidence that threat actors are likely to use the publicly available exploit code for PwnKit to escalate privileges on systems they have already compromised. Given the breadth of the attack surface for this vulnerability across Unix-like operating systems, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.