Polkit pkexec Could Allow For Local Privilege Escalation

Fortify Security Team
Jan 26, 2022

A vulnerability in Polkit’s pkexec component could allow for local privilege escalation. Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit is installed by default on all major Linux distributions. Successful exploitation of this vulnerability could result in privilege escalation to root privileges.

THREAT INTELLIGENCE:

Qualys and Bleeping Computer have reported that this vulnerability is extremely easy to exploit. Bleeping Computer has confirmed that exploit code has been released to the public.

SYSTEMS AFFECTED:

  • All Linux systems with the policykit package installed
  • Ubuntu versions 14.04, 16.04, 18.04, 20.04, 21.10
  • Debian Distributions
  • Fedora Distributions
  • CentOS Distributions
  • Red Hat Enterprise Linux 6 Extended Lifecycle Support
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 7.3 Advanced Update Support
  • Red Hat Enterprise Linux 7.4 Advanced Update Support
  • Red Hat Enterprise Linux 7.6 Advanced Update Support
  • Red Hat Enterprise Linux 7.6 Telco Extended Update Support
  • Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  • Red Hat Enterprise Linux 7.7 Advanced Update Support
  • Red Hat Enterprise Linux 7.7 Telco Extended Update Support
  • Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
  • Red Hat Enterprise Linux 8.2 Extended Update Support
  • Red Hat Enterprise Linux 8.4 Extended Update Support

RISK:

Government:

  • Large and medium government entities: Medium
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: Medium
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

A vulnerability in Polkit's pkexec component could allow for local privilege escalation. The affected version of pkexec does not handle the count of calling parameters correctly and ends up treating environment variables as the command to execute. An attacker can leverage this by crafting environment variables so that pkexec executes arbitrary code. Successful exploitation of this vulnerability could result in privilege escalation to root privileges.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches to vulnerable systems immediately after appropriate testing.
  • If a patch is not available for your Linux distribution, remove the SUID bit from pkexec as a temporary mitigation: chmod 0755 /usr/bin/pkexec
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
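The temporary mitigation above, as an added audit-and-remediate helper (constructed for this advisory, not a script from the advisory's authors or from the Polkit project). It assumes the /usr/bin/pkexec path given above (overridable through PKEXEC), checks whether the binary is actually setuid before touching it so it can be re-run safely across a fleet, and reports status only unless run with --mitigate. Note that pkexec cannot grant privileges without its setuid bit, so legitimate pkexec use stops working until the patched package is installed.

```shell
#!/bin/sh
# Constructed audit/mitigation helper for the pkexec SUID workaround (not the advisory's own script).
set -e

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# pkexec_is_suid PATH
#   returns 0 if PATH is setuid, 1 if it exists without the setuid bit, 2 if it is not a regular file
pkexec_is_suid() {
    path="$1"
    [ -f "$path" ] || return 2
    # find -perm -4000 prints the path only when the setuid bit (04000) is set
    [ -n "$(find "$path" -perm -4000 -print 2>/dev/null)" ] || return 1
    return 0
}

# pkexec_status PATH: echo one of suid / no-suid / missing (for fleet reporting)
pkexec_status() {
    pkexec_is_suid "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "suid" ;;
        1) echo "no-suid" ;;
        *) echo "missing" ;;
    esac
}

# mitigate_pkexec PATH: apply the advisory's workaround (chmod 0755) only when the binary
# is actually setuid; idempotent. Without the setuid bit pkexec cannot grant privileges.
mitigate_pkexec() {
    path="$1"
    case "$(pkexec_status "$path")" in
        suid)
            chmod 0755 "$path"
            echo "removed setuid bit from $path (temporary mitigation)" >&2 ;;
        no-suid)
            echo "$path already has no setuid bit; nothing to do" >&2 ;;
        *)
            echo "$path not found; pkexec may not be installed" >&2
            return 2 ;;
    esac
}

# Report only by default; run with --mitigate (as root) to strip the bit.
if [ "${1:-}" = "--mitigate" ]; then
    mitigate_pkexec "$PKEXEC"
else
    echo "$PKEXEC: $(pkexec_status "$PKEXEC")"
fi
```

Once the distribution's patched package is installed, the package manager restores the setuid bit on the fixed binary, so the status check doubles as a post-patch verification.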

REFERENCES:

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034

Qualys:

https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Bleeping Computer:

https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

Redhat:

https://access.redhat.com/security/cve/CVE-2021-4034

Ubuntu:

https://ubuntu.com/security/notices/USN-5252-2

https://ubuntu.com/security/notices/USN-5252-1

Debian:

https://security-tracker.debian.org/tracker/CVE-2021-4034
