
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)

Posted: January 31, 2022
2 min read

What is Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)?

A local privilege escalation vulnerability has been disclosed in Polkit (formerly PolicyKit), the component that controls system-wide privileges on Linux. The flaw is in pkexec, Polkit's setuid-root helper, which is installed by default on all major Linux distributions. pkexec's main() assumes it was given at least one argument: when it is executed with an empty argument list (argc == 0), it reads argv[1], which lies past the end of argv and aliases the first environment string, and later writes a pointer back to that same slot. This out-of-bounds read and write lets a local attacker reintroduce an environment variable that pkexec is supposed to strip (the public analysis uses GCONV_PATH, which makes glibc load an attacker-controlled shared object). Any unprivileged local user can exploit it to gain root on an unpatched host. The vulnerability has been dubbed "PwnKit".
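To make the argc == 0 condition concrete, here is an added C example written for this page (it is not pkexec's own code): a reduced copy of pkexec's argument scan beside the post-fix check, run against a hand-built argv/envp layout that mirrors what execve() with an empty argument list produces. The function names, the GCONV_PATH string and the PWNKIT_DEMO_CHILD variable are constructed for the demo; the program reads the out-of-bounds slot but does not escalate anything.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Pre-fix pkexec logic, reduced to the part that matters: the scan
 * starts at n = 1, skips option-looking arguments, and then treats
 * argv[n] as the program to run.  Nothing checks that argc >= 1, so
 * with an empty argument list the loop never runs and argv[1] is used. */
const char *program_path_unsafe(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        /* the real code recognises --help, --version, --user, ...;
         * any non-option ends the scan (simplified here) */
        if (strncmp(argv[n], "--", 2) != 0)
            break;
    }
    return argv[n]; /* argc == 0 -> argv[1], which is envp[0] */
}

/* Post-fix behaviour: refuse to continue when there is no argv[0]. */
const char *program_path_safe(int argc, char **argv)
{
    if (argc < 1)
        return NULL; /* the upstream fix exits with an error here */
    return program_path_unsafe(argc, argv);
}

/* Constructed process-startup layout for execve(path, {NULL}, envp):
 * argv[0] is the NULL terminator, and the environment strings start
 * immediately after it, so argv[1] and envp[0] are the same slot.
 * The GCONV_PATH string is a demo value, not a real payload. */
static char *argc_zero_layout[] = { NULL, (char *)"GCONV_PATH=./payload", NULL };

const char *demo_argc_zero(void)
{
    /* returns "GCONV_PATH=./payload": the "program path" is an env string */
    return program_path_unsafe(0, argc_zero_layout);
}

const char *demo_argc_zero_safe(void)
{
    /* returns NULL: the fixed code never touches argv[1] */
    return program_path_safe(0, argc_zero_layout);
}

int main(int argc, char **argv)
{
    if (getenv("PWNKIT_DEMO_CHILD") != NULL) {
        /* Re-executed child.  On kernels before 5.18 argc is 0 here and
         * argv[1] is the first environment string; since Linux 5.18 the
         * kernel substitutes argv = { "", NULL }, so argc is 1. */
        printf("child: argc=%d", argc);
        if (argc == 0)
            printf(", argv[1]=\"%s\", environ[0]=\"%s\"\n", argv[1], environ[0]);
        else
            printf(", argv[0]=\"%s\" (kernel 5.18+ substitutes an empty argv[0])\n", argv[0]);
        return 0;
    }

    printf("constructed layout: unsafe scan picks \"%s\", fixed scan returns %s\n",
           demo_argc_zero(), demo_argc_zero_safe() == NULL ? "NULL" : "a path");

    /* The real thing: re-exec ourselves with an empty argv, the same
     * execve() shape the public PoCs use to reach pkexec's main() with
     * argc == 0.  Only the demo variable is passed in the environment. */
    char *const no_args[] = { NULL };
    char *const env[] = { (char *)"PWNKIT_DEMO_CHILD=1", NULL };
    execve("/proc/self/exe", no_args, env);
    perror("execve");
    return 1;
}
```

Compile with `cc -o argc0 argc0.c` and run `./argc0`: the first line shows the unsafe scan returning an environment string from the constructed layout, and the child line shows what the running kernel actually does with an empty argv. This is also why the SystemTap mitigation below keys on an empty first argument: that is the only way to reach the vulnerable code path.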

What Are the Risks?

pkexec has carried the bug since its first commit in May 2009, so every release before the fix is affected. The vulnerability is exploitable in the default configuration of most Linux distributions, and exploitation is likely because public proof-of-concept exploits are available. It is a local vulnerability: the attacker must already be able to run code on the target as some user, for example through an existing account or a compromised service. Paired with any remote code execution vulnerability it turns a low-privilege foothold into full root, which makes it a natural link in a critical attack chain.

Severity: High
CVSSv3.1 base score: 7.8 (High)
CVSSv3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSSv2 base score: 4.6 (Medium)
CVSSv2 vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploit available in public: Yes
Exploit complexity: Low


Do You Need to Worry About it?

Most distribution vendors have released patched polkit packages, and we strongly advise our customers to install them as soon as possible.

Mitigation Steps:

  1. Apply the patch released by Polkit's maintainers on their GitLab, or install the updated polkit package from your distribution.
  2. Until the patch is in place, administrators can temporarily block exploitation by removing the setuid bit from pkexec. Without setuid-root, pkexec cannot escalate privileges for anyone, so legitimate uses of pkexec stop working until the updated package restores the bit.

For example:
# chmod 0755 /usr/bin/pkexec

  3. On Red Hat Enterprise Linux:

The following steps can be run as a mitigation on systems that do not have Secure Boot enabled:

  1. Install the required systemtap packages and their dependencies (systemtap plus the kernel-devel and kernel-debuginfo packages matching the running kernel), as pointed out by Red Hat.
  2. Install the polkit debug info:
    debuginfo-install polkit
  3. Create the following systemtap script and name it pkexec-block.stp. It hooks pkexec's main() and kills the process with SIGKILL whenever it is started without a first argument, which is the only way to reach the vulnerable argc == 0 code path (a bare pkexec invocation with no arguments is killed too, which only suppresses its usage message):
    probe process("/usr/bin/pkexec").function("main")  {
        if (cmdline_arg(1) == "")
            raise(9);
    }
  4. Load the systemtap module into the running kernel:
    stap -g -F -m stap_pkexec_block pkexec-block.stp
  5. Ensure the module is loaded:
    lsmod | grep -i stap_pkexec_block
    stap_pkexec_block     434176  0
  6. Once the polkit package is updated to a version containing the fix, remove the systemtap-generated kernel module:
    rmmod stap_pkexec_block

This mitigation does not work on systems with Secure Boot enabled, because the kernel module that SystemTap generates would have to be signed with a key enrolled in the kernel's keyring, which requires a SystemTap compile server set up for module signing.

Product Coverage:

The Indusface AppTrana platform protects web applications against exploitation of application-layer vulnerabilities by external traffic. PwnKit itself is not reachable over the network, but an attacker needs an initial foothold, typically a remote code execution vulnerability in an exposed application, before chaining it; blocking that first step keeps PwnKit out of reach.

Indusface WAS scans the server externally, so PwnKit, a local vulnerability, is outside the scope of its automated unauthenticated scans. A credentialed vulnerability audit, configured with login credentials for the host, can check the installed polkit version for this local exposure, and we recommend running one to detect this vulnerability.
