
PwnKit Linux Privilege Escalation Vulnerability

A privilege escalation vulnerability known as PwnKit (CVE-2021-4034) has been discovered in pkexec, the setuid-root helper that ships with the polkit (PolicyKit) authorisation framework. polkit is installed by default on almost all Linux distributions, including Red Hat Enterprise Linux, Ubuntu and CentOS, so the flaw is present on most Linux systems; on an unpatched system any unprivileged local user can use it to become root.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

In January 2022 the Qualys Research Team disclosed a local privilege escalation vulnerability in pkexec, the setuid-root helper that polkit (formerly PolicyKit) provides for running commands as another user after an authorisation check. Tracked as CVE-2021-4034 and named PwnKit, it allows any unprivileged local user to obtain full root privileges on a default installation. On its own it is purely local, but it is a natural second stage after any foothold obtained through a remote vulnerability, a compromised web application or stolen credentials. polkit is installed by default in almost all Linux distributions and is present in all the popular ones.


Vulnerability details

PwnKit is an out-of-bounds read and write in the argument handling of pkexec's main() function. pkexec assumes it always has at least one argument, but a local user can start it with an empty argument list (argc equal to 0) by calling execve() directly. Because the kernel places the environment immediately after the argument vector on the initial stack, pkexec's argv[1] is then actually envp[0]: pkexec reads that environment string as the name of the program to run, resolves it against PATH, and writes the resolved path back into argv[1], overwriting the first environment entry. By choosing the argument and PATH carefully, the attacker turns that entry into an environment variable such as GCONV_PATH, which the dynamic loader normally strips from setuid processes for exactly this reason. When pkexec later prints an error message, glibc's character-conversion code honours the reintroduced GCONV_PATH and loads an attacker-supplied shared object, which executes as root.

The flawed code has been present since pkexec's first version in May 2009, so every unpatched polkit release since then is vulnerable. The bug is in pkexec itself and is triggered before it contacts the polkit daemon, so the exploit works even when that daemon is not running.
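The argv/envp aliasing described above, as an added example that is not polkit's code. It lays out a constructed process stack the way the kernel does (argv followed immediately by envp) for the argument-less call with the environment {"pwnkit", "PATH=GCONV_PATH=."} that Qualys documented, then runs a model of pkexec's vulnerable argument handling beside the hardened form. find_program_in_path() and env_lookup() are simplified stand-ins for g_find_program_in_path() and getenv(); nothing is created on disk and no library is loaded, so the program only shows the out-of-bounds read and write and that the argc check stops them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look a variable up the way getenv() does: walk the environment array. */
static const char *env_lookup(char **envp, const char *key)
{
    size_t klen = strlen(key);
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, key, klen) == 0 && (*e)[klen] == '=')
            return *e + klen + 1;
    return NULL;
}

/* Toy stand-in for g_find_program_in_path(): a name without '/' is joined
 * with the first directory in PATH. The real function also checks that the
 * file exists; the attacker simply creates it, so that check is omitted. */
static char *find_program_in_path(const char *name, char **envp)
{
    static char buf[256];
    if (strchr(name, '/') != NULL) {
        snprintf(buf, sizeof buf, "%s", name);
        return buf;
    }
    const char *path = env_lookup(envp, "PATH");
    if (path == NULL)
        return NULL;
    size_t dirlen = strcspn(path, ":");
    snprintf(buf, sizeof buf, "%.*s/%s", (int)dirlen, path, name);
    return buf;
}

/* Vulnerable shape of pkexec's main(): with no options to parse, argv[1] is
 * taken as the program and its resolved path is stored back into argv[1].
 * argc is never consulted, so with argc == 0 argv[1] is really envp[0]. */
static char *vulnerable_resolve(int argc, char **argv, char **envp)
{
    int n = 1;
    (void)argc;                              /* the bug: argc is ignored */
    const char *program = argv[n];           /* out-of-bounds read */
    if (program == NULL)
        return NULL;
    char *resolved = find_program_in_path(program, envp);
    if (resolved == NULL)
        return NULL;
    argv[n] = resolved;                      /* out-of-bounds write into envp[0] */
    return resolved;
}

/* Hardened shape: the January 2022 fix refuses to continue when argc < 1. */
static char *hardened_resolve(int argc, char **argv, char **envp)
{
    if (argc < 1)
        return NULL;
    return vulnerable_resolve(argc, argv, envp);
}

/* Model execve("/usr/bin/pkexec", {NULL}, {"pwnkit", "PATH=GCONV_PATH=.", NULL})
 * on a stack where argv and envp are adjacent. Returns what GCONV_PATH
 * resolves to afterwards, or NULL if it is still absent (the secure state;
 * ld.so removes GCONV_PATH from setuid processes before main() runs). */
const char *run_model(int hardened)
{
    static char arg_env[] = "pwnkit";             /* constructed attacker input */
    static char path_env[] = "PATH=GCONV_PATH=."; /* constructed attacker input */
    static char *stack[4];
    stack[0] = NULL;      /* argv[0]: argv is empty, so this is its terminator */
    stack[1] = arg_env;   /* envp[0], which is also argv[1] */
    stack[2] = path_env;  /* envp[1] */
    stack[3] = NULL;
    char **argv = stack;
    char **envp = stack + 1;

    if (hardened)
        hardened_resolve(0, argv, envp);
    else
        vulnerable_resolve(0, argv, envp);   /* rewrites envp[0] to "GCONV_PATH=./pwnkit" */

    return env_lookup(envp, "GCONV_PATH");
}

int main(void)
{
    const char *v = run_model(0);
    const char *h = run_model(1);
    printf("vulnerable pkexec: GCONV_PATH=%s\n", v ? v : "(unset)");
    printf("hardened pkexec:   GCONV_PATH=%s\n", h ? h : "(unset)");
    return 0;
}
```

The vulnerable run ends with GCONV_PATH set to ./pwnkit even though the loader had scrubbed it, which is the state the real exploit relies on before pkexec emits its first error message; the hardened run leaves the variable unset because execution stops at the argc check.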

Exploitation of CVE-2021-4034 in the wild

CISA has added CVE-2021-4034 (PwnKit) to its Known Exploited Vulnerabilities catalogue, which lists vulnerabilities for which there is evidence of active exploitation and which US federal agencies are required to remediate by a set date. Several exploits for PwnKit are publicly available; they are short, need no special configuration and work against default installations of the major distributions, so an unpatched host should be assumed to be exploitable by any local account.


Remediation advice

Affected organisations should apply the patched polkit packages from their Linux distribution or supplier; a patched pkexec refuses to run when started without arguments. Where patching must wait, removing the setuid bit from /usr/bin/pkexec (setting its mode to 0755) prevents the privilege escalation, but it also stops legitimate use of pkexec and does nothing for any other setuid copy of the binary, so treat it as a temporary measure to be reverted once the update is installed. Stopping or disabling the polkit daemon is not a mitigation, because the flaw is in pkexec itself. After updating, confirm that the installed polkit version carries the fix and that the setuid bit has been restored only on the patched binary.



Last edited: 29 June 2022 12:42 pm