Customer Advisory | PwnKit: Exploit Released for Polkit’s pkexec Component

January 28, 2022
Prepared by Deepwatch Threat Intel Team

Key Points:

  • Exploit code was publicly released hours after Qualys published technical details of a vulnerability, dubbed PwnKit and tracked as CVE-2021-4034, in Polkit’s pkexec component.
  • If a threat actor already has initial local access with user-level privileges, they could elevate to root-level privileges through the successful exploitation of the vulnerability. It is unknown if threat actors have exploited this vulnerability at this time.
  • Deepwatch Threat Intel Team assesses with moderate confidence that threat actors are likely to use the publicly available exploit code to escalate privileges on systems they have already compromised. Given the breadth of the attack surface for this vulnerability across Unix-like operating systems, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.

Overview

CVE-2021-4034, with a CVSS score of 7.8 and dubbed PwnKit, is a vulnerability in Polkit’s pkexec component discovered by Qualys researchers. The vulnerable component is present in the default configuration of all major Linux distributions, and the flaw can be exploited to obtain full root privileges on the machine. Proof-of-concept exploit code was released just hours after Qualys published their technical analysis of the vulnerability.

What is Polkit’s pkexec component?

Polkit (previously PolicyKit) is a component of Unix-like operating systems for managing system-wide privileges. It allows non-privileged processes to communicate with privileged processes in a structured manner. For example, the pkexec command, followed by the command to be executed, runs that command with elevated (root) privileges under Polkit’s authorization rules.

What is the Impact of this Vulnerability?

If a threat actor already has initial access with user-level privileges, they could elevate to root-level privileges by successfully exploiting PwnKit. On default Ubuntu, Debian, Fedora, and CentOS installations, Qualys security researchers were able to get full root privileges.

However, other Linux distributions are almost certainly susceptible and exploitable as well. The vulnerability affects all versions of pkexec and has been present since its initial release in May 2009 (commit c8c3d83, “Add a pkexec(1) command”), meaning it went unnoticed for almost a decade. It is unknown if threat actors have exploited this vulnerability at this time.

How Can I Identify Vulnerable Systems?

To aid in identifying vulnerable systems, both Qualys and Tenable have released plugin IDs:

  • Qualys has published QID 376287 starting with vulnsigs version VULNSIGS-2.5.387-2 and Linux Cloud Agent manifest version lx_manifest-2.5.387.2-1.

Customers can find Tenable’s plugin IDs here.

What Do I Need to Do?

  • Given the breadth of the attack surface for this vulnerability across Unix-like operating systems, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.
  • The authors of PolKit have released patches via GitLab.
  • Customers running Ubuntu versions 14.04 and 16.04 ESM (extended security maintenance) and the more recent versions 18.04, 20.04, and 21.04 have already received PolicyKit patches to mitigate the problem. Customers only need to run a routine system update and reboot.
  • For customers running Red Hat supported architectures, including extended life cycle support, TUS, and AUS, a security update for polkit was released for Workstation and Enterprise systems.
  • For customers using operating systems that have not yet released a patch, a reported mitigation is to strip pkexec of the setuid bit with the following command until a patch is available:
chmod 0755 /usr/bin/pkexec
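The following shell script is an added example, not code from the Deepwatch advisory or the Polkit project. It wraps the interim mitigation quoted above in a check that a defender can run before and after applying it: `pkexec_is_setuid` reports whether a binary still carries the set-user-ID bit, and `strip_setuid` applies the advisory's chmod and confirms the bit is gone. The `PKEXEC_PATH` environment variable is an assumed override so the script can be exercised on a copy of the binary rather than the real one.

```shell
#!/bin/sh
# Added example (not part of the Deepwatch advisory): verify and apply the
# interim PwnKit mitigation of removing the setuid bit from pkexec.

# Returns 0 (true) when the file exists and has the set-user-ID bit set,
# which is the precondition for the pkexec privilege escalation; 1 otherwise.
# "[ -u FILE ]" is the POSIX test(1) operator for the setuid bit.
pkexec_is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Apply the advisory's mitigation (chmod 0755, which clears the setuid bit)
# and re-check. Returns 0 when the bit is gone afterwards, 1 on failure.
# Note: without the setuid bit pkexec no longer works for legitimate use either;
# the advisory presents this only as a stopgap until the vendor patch lands.
strip_setuid() {
    chmod 0755 "$1" || return 1
    if pkexec_is_setuid "$1"; then
        return 1
    fi
    return 0
}

# Human-readable status line for the given binary.
report_pkexec() {
    if pkexec_is_setuid "$1"; then
        echo "$1: setuid bit present (vulnerable unless the package is patched)"
    else
        echo "$1: setuid bit absent (mitigation applied, or binary not found)"
    fi
}

# PKEXEC_PATH is an assumed override for testing on a copy of the binary;
# the default is the path the advisory names. This only reports, it does not
# change anything; call strip_setuid explicitly to apply the mitigation.
report_pkexec "${PKEXEC_PATH:-/usr/bin/pkexec}"
```

Run it as `sh pkexec_check.sh` to see the current state, and `PKEXEC_PATH=/path/to/copy sh -c '. ./pkexec_check.sh; strip_setuid "$PKEXEC_PATH"'` to exercise the mitigation on a copy first. Once the distribution's patched package (see the table below) is installed, the setuid bit is expected to be present again, so this check is only meaningful while the stopgap is in force.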

How Can I Verify My System(s) Are Updated?

Please refer to the table below. To identify the installed package version, run the following command in a terminal:

Ubuntu/Debian (the package is named policykit-1):

  • apt show policykit-1

RedHat/CentOS (the package is named polkit):

  • yum info polkit

Operating System | Updated Package (Patch) | Advisory/Update
--- | --- | ---
Red Hat Enterprise Linux 8 | polkit-0.115-13 | RHSA-2022:0267
Red Hat Enterprise Linux 8.4.0 Extended Update Support [2] | polkit-0.115-11 | RHSA-2022:0266
Red Hat Enterprise Linux 8.2.0 Extended Update Support [2] | polkit-0.115-11 | RHSA-2022:0265
Red Hat Enterprise Linux 8.1.0 Update Services for SAP Solutions, Advanced Update Support [3],[4] | polkit-0.115-9 | RHSA-2022:0268
Red Hat Enterprise Linux 7 | polkit-0.112-26 | RHSA-2022:0274
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions, Advanced Update Support [3],[4] | polkit-0.112-22 | RHSA-2022:0273
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Advanced Update Support [3],[4] | polkit-0.112-18 | RHSA-2022:0271
Red Hat Enterprise Linux 7.4 Advanced Update Support [4] | polkit-0.112-12 | RHSA-2022:0272
Red Hat Enterprise Linux 7.3 Advanced Update Support [4] | polkit-0.112-12 | RHSA-2022:0270
Red Hat Enterprise Linux 6 Extended Lifecycle Support [5] | polkit-0.96-11 | RHSA-2022:0269
Ubuntu 21.10 | policykit-1-0.105-31ubuntu0.1 | USN-5252-1
Ubuntu 20.04 | policykit-1-0.105-26ubuntu1.2 | USN-5252-1
Ubuntu 18.04 | policykit-1-0.105-20ubuntu0.18.04.6 | USN-5252-1
Ubuntu 16.04 | policykit-1-0.105-14.1ubuntu0.5+esm1 | USN-5252-2
Ubuntu 14.04 | policykit-1-0.105-4ubuntu3.14.04.6+esm1 | USN-5252-2
Debian 11 (“bullseye”) | 0.105-31+deb11u1 | CVE-2021-4034
Debian 10 (“buster”) | 0.105-25+deb10u1 | CVE-2021-4034
Debian 9 (“stretch”) | 0.105-18+deb9u2 | CVE-2021-4034

Can I Observe Possible Exploitation?

Possibly. The logs may record that this exploitation technique was used: according to Qualys, customers should look for either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content.” However, please keep in mind that this vulnerability may be exploited without leaving any evidence in the logs.
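The script below is an added example, not part of the Deepwatch advisory or of Qualys's research. It runs the two log indicators named above over authentication log lines read from standard input, counts the hits, and lists the local usernames that triggered them. The sample log lines embedded in the script are constructed for illustration (host name, PIDs, the user names and the variable name XAUTHORITY are made up); the message text is the pkexec wording quoted above.

```shell
#!/bin/sh
# Added example (not part of the Deepwatch advisory): hunt for the two pkexec
# log messages that Qualys names as possible PwnKit exploitation artifacts.

# Constructed sample of syslog-style auth log lines. Only the message text is
# taken from the advisory; host, PIDs, users and the variable name are made up.
SAMPLE_LOG='Jan 27 10:12:01 host pkexec[2210]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 27 10:12:02 host pkexec[2211]: alice: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 27 10:13:00 host sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 5022 ssh2
Jan 27 10:14:00 host pkexec[2400]: bob: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/bob] [COMMAND=/usr/bin/systemctl restart foo]'

# Count lines on stdin that carry either indicator. grep -c prints 0 and
# exits 1 when nothing matches, so "|| true" keeps the count usable under set -e.
count_pwnkit_indicators() {
    grep -c -e 'The value for the SHELL variable was not found the /etc/shells file' \
            -e 'contains suspicious content' || true
}

# Print the matching lines themselves (the full pkexec record, which includes
# the target user, TTY, working directory and requested command).
extract_pwnkit_events() {
    grep -E 'pkexec\[[0-9]+\]: .*(was not found the /etc/shells file|contains suspicious content)' || true
}

# List the distinct local users whose pkexec invocation produced an indicator;
# this is the account to triage first, since it had local access already.
pwnkit_users() {
    sed -E -n 's/.*pkexec\[[0-9]+\]: ([^:]+): .*(was not found the \/etc\/shells file|contains suspicious content).*/\1/p' | sort -u
}

# Run the hunt over a log file: pwnkit_scan /var/log/auth.log
pwnkit_scan() {
    n=$(count_pwnkit_indicators < "$1")
    echo "$1: $n PwnKit indicator line(s)"
    if [ "$n" -gt 0 ]; then
        echo "Users to triage:"
        pwnkit_users < "$1"
        echo "Matching records:"
        extract_pwnkit_events < "$1"
    fi
}

# Demonstrate on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_LOG" | extract_pwnkit_events
```

On the sample above the count is 2 and the only user listed is alice. Point `pwnkit_scan` at `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (Red Hat/CentOS), or pipe `journalctl -u polkit` output into the functions; as the advisory stresses, a zero count does not prove the host was not exploited, because the technique can be carried out without producing either message.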

Deepwatch Threat Intelligence Outlook

Deepwatch Threat Intel Team assesses with moderate confidence that threat actors are likely to use the publicly available exploit code for PwnKit to escalate privileges on systems they have already compromised. Given the breadth of the attack surface for this vulnerability across Unix-like operating systems, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.
