A privilege escalation vulnerability has been disclosed in Polkit, formerly known as PolicyKit. Polkit is installed by default on all major Linux distributions and is used for controlling system-wide privileges; its pkexec component is a SUID-root program. The vulnerability exists in pkexec, Polkit's main executable, and leads to memory corruption. Successful exploitation allows any unprivileged user to gain root privileges on the vulnerable host. The vulnerability has been dubbed “PwnKit”.
pkexec has been vulnerable since its creation in May 2009. The vulnerability is exploitable in default configurations on most Linux platforms, and exploitation is likely because proof-of-concept code is already publicly available. Exploitation is local, as it requires access to the vulnerable system, but it can be paired with any remote code execution vulnerability to form part of a critical attack chain.
Most vendors have released security patches, and we strongly advise our customers to install them as soon as possible. Vendor advisories:
https://ubuntu.com/security/CVE-2021-4034
https://access.redhat.com/security/cve/CVE-2021-4034
https://linux.oracle.com/errata/ELSA-2022-0267.html
https://security-tracker.debian.org/tracker/CVE-2021-4034
If patches are not yet available for a system, the SUID bit can be removed from pkexec as a temporary mitigation. For example:
# chmod 0755 /usr/bin/pkexec
The following steps can be run as a mitigation on systems that don’t have Secure Boot enabled. First install the polkit debug information that SystemTap needs:
debuginfo-install polkit
Then create a SystemTap script named pkexec_block.stp that sends SIGKILL (signal 9) to any pkexec process started with an empty first command-line argument:
probe process("/usr/bin/pkexec").function("main") {
        if (cmdline_arg(1) == "")
                raise(9);
}
Compile the script into a kernel module and load it:
stap -g -F -m stap_pkexec_block pkexec_block.stp
Verify that the module is loaded:
lsmod | grep -i stap_pkexec_block
stap_pkexec_block 434176 0
After the fixed polkit package has been installed, unload the module:
rmmod stap_pkexec_block
This mitigation doesn’t work on Secure Boot enabled systems, because SystemTap would require an external compile server to sign the generated kernel module with a key enrolled in the kernel’s keyring.
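The following POSIX shell script is an added example, not part of this advisory: it reports which of the two interim mitigations above (removing the SUID bit, or loading the SystemTap block module) is currently in effect on a host. The pkexec path and module name come from the steps above; the function names and status words are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether either interim
# PwnKit mitigation described above is in effect on this host. Function
# names and status words are my own choices; the pkexec path and module
# name come from the advisory. Patch status is NOT checked here, so a
# patched host still reports "suid-set" (normal for a fixed pkexec).

PKEXEC=${PKEXEC:-/usr/bin/pkexec}
STAP_MODULE=stap_pkexec_block

# file_is_suid FILE: succeeds when FILE exists and has the setuid bit set
file_is_suid() {
    [ -u "$1" ]
}

# module_loaded NAME: succeeds when kernel module NAME is loaded.
# /proc/modules is what lsmod reads; if absent (non-Linux), not loaded.
module_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

# pkexec_status FILE MODULE: prints exactly one status word
#   absent        - FILE does not exist (polkit not installed)
#   suid-removed  - chmod 0755 mitigation in effect
#   stap-blocked  - SystemTap module mitigation in effect
#   suid-set      - pkexec is setuid and no runtime block is loaded;
#                   confirm that the vendor patch is installed
pkexec_status() {
    file=$1
    module=$2
    if [ ! -e "$file" ]; then
        echo absent
    elif ! file_is_suid "$file"; then
        echo suid-removed
    elif module_loaded "$module"; then
        echo stap-blocked
    else
        echo suid-set
    fi
    return 0
}

status=$(pkexec_status "$PKEXEC" "$STAP_MODULE")
echo "$PKEXEC: $status"
```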
Product Coverage:
The Indusface AppTrana platform protects against web application layer vulnerabilities exploited by external traffic, and so can protect against the arbitrary code execution vulnerabilities that would be paired with PwnKit in an attack chain.
Indusface WAS performs external scans of the server, so PwnKit detection is outside the scope of its unauthenticated automated scans. A vulnerability audit with credentials configured can, however, scan for local exposures; we recommend running credentialed vulnerability audit scans to detect this vulnerability.
This post was last modified on November 28, 2023 20:06