Researchers at Qualys have uncovered a 12-year-old bug in pkexec, a component of Polkit (formerly PolicyKit). The vulnerability has been assigned the identifier CVE-2021-4034 and the name PwnKit, and it can be used to gain superuser privileges.
Polkit is part of an open source framework that coordinates the interaction between privileged and unprivileged processes; pkexec specifically allows an authorized user to execute commands as another user, making it a kind of alternative to sudo.
The researchers write that they discovered the problem back in November 2021, but did not disclose it publicly until this week, giving the developers of all major Linux distributions time to release fixes.
According to the report, pkexec can be used by attackers for local privilege escalation on Ubuntu, Debian, Fedora and CentOS, and other Linux distributions may also be affected.
The problem has been present in the code since 2009, that is, since the first release of pkexec. The video below demonstrates the vulnerability in action.
The researchers warned that exploiting the vulnerability is so simple that a PoC exploit would likely circulate on the Internet within days. Unfortunately, this is exactly what happened: the first working exploit appeared in the public domain less than three hours after Qualys published its report. CERT/CC analyst Will Dormann said the PoC is simple and versatile, and tested it on an ARM64-based system, confirming that the exploit actually works.
Qualys recommends that administrators apply the patches that the Polkit authors have published on GitLab as soon as possible.
The Linux distribution developers received the fix a few weeks ago, and updated pkexec packages have been published. Ubuntu, for example, has already released updates that fix the vulnerability in versions 14.04 and 16.04 ESM, as well as in the newer versions 18.04, 20.04 and 21.04. Users only need to run a standard system update and then reboot the machine for the changes to take effect.
Red Hat has also published a polkit patch for Workstation and Enterprise products, as well as extended support cycle solutions (TUS and AUS).
Bleeping Computer notes that for systems where no patch is available yet, a temporary mitigation exists: run the command chmod 0755 /usr/bin/pkexec, which removes the setuid bit from pkexec.
Users who wish to look for signs of PwnKit exploitation can do so by checking the logs for the entries “The value for the SHELL variable was not found the /etc/shells file” and “The value for environment variable […] contains suspicious content”. However, Qualys experts warn that it is possible to exploit the PwnKit vulnerability without leaving a trace.
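The two defender-side checks described above, the setuid-bit mitigation and the log indicator search, as one added shell script. This is an illustrative example written for this page, not code from the article, from Qualys or from the Polkit project. It assumes the default binary path /usr/bin/pkexec named in the article, and the log lines it scans are constructed samples in the shape of pkexec's messages, not real captures:

```shell
#!/bin/sh
# Added example (not from the original article): defender-side checks
# for CVE-2021-4034. Path defaults and sample log lines are assumptions.

# 1. Is pkexec still setuid? The temporary mitigation quoted in the
#    article (chmod 0755 /usr/bin/pkexec) clears the setuid bit, so a
#    setuid pkexec on an unpatched host is the condition to flag.
# Usage: pkexec_setuid_state [path]
# Prints "setuid" (returns 0), "not-setuid" (returns 1) or "missing" (returns 2).
pkexec_setuid_state() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 2
    fi
    if [ -u "$path" ]; then
        echo "setuid"
        return 0
    fi
    echo "not-setuid"
    return 1
}

# 2. Count the two pkexec log messages the article names as exploitation
#    indicators. Fixed-string matching is used because the second message
#    embeds a variable name that differs per event. Prints the count and
#    returns 0 if at least one indicator line was found.
# Usage: count_pwnkit_indicators /var/log/auth.log   (path is an assumption)
count_pwnkit_indicators() {
    logfile="$1"
    count=$(grep -F -e 'was not found the /etc/shells file' \
                    -e 'contains suspicious content' "$logfile" | wc -l | tr -d ' ')
    echo "$count"
    [ "$count" -gt 0 ]
}

# Constructed sample log (not a real capture) in the shape of pkexec's
# messages, used to exercise the scanner offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 26 10:00:01 host pkexec[1234]: pam_unix(polkit-1:session): session opened for user root
Jan 26 10:00:02 host pkexec[1235]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0]
Jan 26 10:00:03 host pkexec[1236]: alice: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0]
Jan 26 10:00:04 host sshd[999]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2
EOF
}

# Stand-alone demonstration: report the state of the real binary (if any)
# and scan the constructed sample, which contains two indicator lines.
sample="$(mktemp)"
write_sample_log "$sample"
echo "pkexec on this host: $(pkexec_setuid_state)"
echo "indicator lines in constructed sample: $(count_pwnkit_indicators "$sample")"
rm -f "$sample"
```

On a real host the scan target would be the distribution's auth log; a count of zero does not prove the host is clean, since, as the article notes, the vulnerability can be exploited without producing these messages, so the setuid check and the package version remain the authoritative signals.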
Let me remind you that we previously wrote about Microsoft patching the OMIGOD vulnerabilities on Azure Linux VMs, and about an Apache vulnerability that may lead to remote code execution.