
On January 25, the Qualys Research Team announced the discovery of a major memory corruption vulnerability in PolKit’s pkexec command, dubbed “PwnKit” and tracked as CVE-2021-4034. PolKit is a component installed on all major Linux distributions that provides functionality to control system-wide privileges on Unix-like systems. The vulnerability is easy to exploit: in its default configuration, it allows any unprivileged user to gain full root privileges on a vulnerable host. Beyond the ease of exploitation, the most concerning aspect is that threat actors can exploit the bug without leaving a trace on the compromised endpoint. Qualys followed responsible disclosure and coordinated with both the vendor and the open-source distributions before announcing the vulnerability.

Here is what you need to know:

  • This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec. It is actively being targeted.
  • CISA added this vulnerability (CVE-2021-4034) in its Known Exploited Vulnerabilities catalog in June 2022.
  • The US cybersecurity agency also gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers to block exploitation attempts.
  • BigFix has remediation and mitigation fixlets available (see below).

About PolKit and PwnKit

PolKit, formerly called PolicyKit, is a component installed by default on all major Linux distributions. It provides an organized way for non-privileged processes to communicate with privileged ones. In addition, PolKit includes a command, pkexec, that allows an authorized user to execute a command as another user. If no username is specified, the program is executed as the administrative superuser, root.

The PwnKit flaw lies in the way pkexec handles its calling parameters. The command performs no validation of the arguments passed to it, so when it is invoked with no arguments it ends up treating environment variables as commands to execute. An attacker can craft environment variables that induce pkexec to execute arbitrary code. A successful attack results in local privilege escalation, giving an unprivileged user administrative rights on the target machine.

Use BigFix to remediate or mitigate the PwnKit vulnerability

Remediation:

All major vendors have already released a PolKit update that addresses the vulnerability. BigFix has already published fixlets for all supported Linux operating systems, and the recommendation is to deploy the fixlet on every endpoint affected by this vulnerability.

Mitigation:

A temporary mitigation is available through BigFix. Mitigation is advised if the OS cannot be patched, no patch has been released for your OS, BigFix has not yet provided a patch for the OS, or the OS has reached end of life.

The mitigation consists of removing the SUID bit from the pkexec binary. This may break other applications on the device that rely on pkexec, so it must be used carefully and tested before being applied in a production environment. Given the severity and worldwide presence of this vulnerability, BigFix has also provided fixlets to mitigate it on systems that are not officially supported, including:

  • Debian 10 “Buster”
  • CentOS v.6 and v.8
  • Ubuntu v. 14.04 and v. 16.04
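As an added illustration of the mitigation described above (this is not a BigFix fixlet or code from the original post), the following POSIX shell script audits whether pkexec still carries the SUID bit and, when asked explicitly, strips it. It assumes a Linux host with a POSIX sh and chmod; the default path /usr/bin/pkexec is an assumption and can be overridden with PKEXEC=. Note that the SUID check only tells you whether the mitigation is in place, not whether the package itself is patched, because distributions backport the fix without changing the upstream version; confirm patch state through the package manager or the BigFix fixlet.

```shell
#!/bin/sh
# Added example, not BigFix fixlet code: report whether pkexec is still SUID
# (the property PwnKit relies on) and optionally clear the bit as the
# temporary mitigation. Assumes POSIX sh and chmod on Linux; the path below
# is an assumption, override with PKEXEC=/path/to/pkexec.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# is_setuid PATH -> exit 0 when PATH is a regular file with the setuid bit set
# (POSIX test -u), non-zero otherwise.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# audit_pkexec PATH -> prints NOT-FOUND, SUID-PRESENT or SUID-ABSENT.
# SUID-PRESENT only says the mitigation is not applied; it does not prove
# the binary is unpatched, since vendors backport the fix without a version
# bump. Use the package manager or the BigFix fixlet for patch state.
audit_pkexec() {
    if [ ! -f "$1" ]; then
        echo "NOT-FOUND"
    elif is_setuid "$1"; then
        echo "SUID-PRESENT"
    else
        echo "SUID-ABSENT"
    fi
}

# remove_suid PATH -> clears the setuid bit and verifies it is gone.
# After this pkexec can no longer elevate at all, which also breaks
# legitimate uses of pkexec; test before rolling out to production.
remove_suid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Usage: sh pwnkit_audit.sh             -> report only
#        sh pwnkit_audit.sh --mitigate  -> report, then strip the bit (needs root)
status=$(audit_pkexec "$PKEXEC")
echo "$PKEXEC: $status"
if [ "$1" = "--mitigate" ] && [ "$status" = "SUID-PRESENT" ]; then
    remove_suid "$PKEXEC" && echo "$PKEXEC: SUID bit removed"
fi
```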

The following fixlets are available for download on bigfix.me:

Conclusion

CISA strongly recommends that all US organizations in the public and private sectors prioritize remediation of the vulnerabilities listed in its Known Exploited Vulnerabilities (KEV) catalog, including PwnKit. The BigFix console offers the functionality required to immediately identify all PwnKit-vulnerable endpoints and deploy the update that resolves the vulnerability.

Additionally, the latest version of BigFix Insights for Vulnerability Remediation makes the remediation process even faster and easier! Searching by CVE-2021-4034, customers can get the list of cross-OS patches resolving the vulnerability and use the automation capabilities to deploy all the updates to all relevant endpoints in a single action.

Act now. 

For more information about BigFix, visit https://www.hcltechsw.com/bigfix/home
