High Severity Vulnerability Affecting All Major Linux Distros Exploited in the Wild
June 30, 2022
A high severity privilege escalation vulnerability in Polkit’s ‘pkexec’ component, used by all major Linux distributions (including Ubuntu, Debian, Fedora, and CentOS), has been reported to be exploited in the wild. The vulnerability allows unprivileged local users to gain root privileges.
‘Polkit’ is a component for controlling system-wide privileges in Unix-like operating systems, whereas ‘pkexec’ is a module designed to allow an authorized user to execute a program as another user.
Because the vulnerability is easy to exploit and affects all major Linux distributions, it is critical to patch it as soon as possible.
The Vulnerability
- CVE-2021-4034 (CVSS 3.1: 7.8, High Severity) – Exploited in the wild. A local privilege escalation vulnerability was found in polkit’s ‘pkexec’ utility. Vulnerable versions of pkexec do not handle the count of calling parameters correctly and end up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When successfully executed, the attack causes a local privilege escalation, giving unprivileged users administrative rights on the target machine.
Affected Products
- All major Linux distributions (including Ubuntu, Debian, Fedora, and CentOS) with an unpatched ‘pkexec’ component. This can be checked by comparing the installed ‘pkexec’ component with the patched component available on the project’s GitLab.
Mitigation
CYREBRO recommends following these steps:
- Make sure Linux is up-to-date.
- Determine whether the installed ‘pkexec’ is patched by navigating to the patched ‘pkexec’ version’s GitLab page and comparing the installed file to the patched file available there.
- If ‘pkexec’ is unpatched, apply the patched version presented in the project’s GitLab.
Workaround
A temporary workaround exists in case mitigation is currently not an option.
- It is possible to remove the ‘setuid’ bit from /usr/bin/pkexec via:
- chmod 755 /usr/bin/pkexec
- Another option is to delete /usr/bin/pkexec until fixed packages can be installed.
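The check in the Mitigation section and the setuid workaround above can be scripted so that a fleet of hosts can be audited consistently. The following POSIX shell script is an added example written for this advisory; it is not CYREBRO’s or the Polkit project’s code. The function names, the PKEXEC_PATH variable and the default path /usr/bin/pkexec are assumptions for illustration. It reports whether a pkexec binary still carries the setuid bit (the condition the exploit depends on) and can apply the temporary workaround from the advisory; it does not replace installing the patched package.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the pkexec setuid bit and
# apply the advisory's temporary workaround (chmod 755).
# PKEXEC_PATH and the function names are assumptions made for this example.

# Return 0 if the file at $1 has the setuid bit set, 1 otherwise.
# `[ -u ]` is the POSIX test for the setuid mode bit.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Report the state of a pkexec binary.
# Returns 0 when no setuid binary is present (package removed or bit dropped),
# 1 when the binary is still setuid and must be patched or neutralised.
pkexec_check() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "OK: $path not present"
        return 0
    fi
    if pkexec_is_setuid "$path"; then
        echo "WARNING: $path has the setuid bit set; install the patched polkit or remove the bit"
        return 1
    fi
    echo "OK: $path is not setuid"
    return 0
}

# Temporary workaround from the advisory: drop the setuid bit by setting mode 755.
# Requires root on a real system; re-runs the check afterwards and returns its status.
pkexec_apply_workaround() {
    path="${1:-/usr/bin/pkexec}"
    chmod 755 "$path" && pkexec_check "$path"
}

# Stand-alone usage: audit the real binary (override with PKEXEC_PATH).
# `|| :` keeps a WARNING result from aborting callers that run under set -e.
pkexec_check "${PKEXEC_PATH:-/usr/bin/pkexec}" || :
```

Run the script as-is to audit a host; call `pkexec_apply_workaround` (as root) only where the patched package cannot be installed yet, and remove the workaround once the fixed polkit package is in place, since pkexec needs the setuid bit to do its normal job.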
References: Bleeping Computer | Qualys | NVD | Polkit Gitlab.