On January 25, the Qualys Research Team announced the discovery of a major memory corruption vulnerability in PolKit's pkexec command, dubbed "PwnKit" and tracked as CVE-2021-4034. PolKit is a component installed on all major Linux distributions that provides the means to control system-wide privileges on Unix-like systems. The vulnerability is easy to exploit: any unprivileged user can gain full root privileges on a vulnerable host in its default configuration. Beyond the ease of exploitation, the most concerning aspect is that threat actors can exploit the bug without leaving a trace on the compromised endpoint. Qualys followed responsible disclosure and coordinated with both vendors and open-source distributions before announcing the vulnerability.
Here is what you need to know:
- This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec. It is actively being targeted.
- CISA added this vulnerability (CVE-2021-4034) to its Known Exploited Vulnerabilities catalog in June 2022.
- The US cybersecurity agency also gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers to block exploitation attempts.
- BigFix has remediation and mitigation fixlets available (see below).
About PolKit and PwnKit
PolKit, formerly called PolicyKit, is a component installed by default on all major Linux distributions. It provides an organized way for non-privileged processes to communicate with privileged ones. PolKit also includes a command, pkexec, that allows an authorized user to execute a command as another user. If no username is specified, the program is executed as the administrative superuser, root.
The PwnKit flaw lies in the way pkexec handles its calling parameters. The command performs no validation of the arguments passed to it. As a result, when it is invoked with no arguments, it ends up treating environment variables as commands. An attacker can leverage this by crafting environment variables so that pkexec executes arbitrary code. A successful attack results in local privilege escalation, giving an unprivileged user administrative rights on the target machine.
Use BigFix to remediate or mitigate the PwnKit vulnerability
All major vendors have already released a PolKit update that addresses the exploitable vulnerability. BigFix has already published fixlets for all supported Linux operating systems, and the recommendation is to deploy the fixlet on every endpoint affected by this vulnerability.
A temporary mitigation solution is available using BigFix. Mitigation is advised if the OS cannot be patched, no patch has been released for your OS, BigFix has not yet provided a patch for the OS, or the OS support reached its end of life.
The mitigation consists of removing the SUID bit from the pkexec file. This may impact other applications running on the device, so it must be used carefully and tested before being applied in a production environment. Given the severity and the worldwide presence of this vulnerability, BigFix has also provided fixlets to mitigate the vulnerability on systems that are not officially supported, including:
- Debian 10 “Buster”
- CentOS v.6 and v.8
- Ubuntu v. 14.04 and v. 16.04
The following fixlets are available for download on bigfix.me:
- Mitigation fixlet: https://bigfix.me/fixlet/details/26905. Mitigates the vulnerability by running a command that removes the SUID bit from the pkexec file.
- Undo-mitigation fixlet: https://bigfix.me/fixlet/details/26904. Restores the default permissions on the pkexec file; this is a rollback of the previous command.
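The check, mitigation and rollback described above, written out as an added shell example that is not the BigFix fixlets' own action script. It assumes the default pkexec location /usr/bin/pkexec and the usual shipped mode 4755 (rwsr-xr-x, owned by root); PKEXEC_PATH can be overridden so the functions can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example (not BigFix fixlet content): inspect, apply and roll back the
# "remove the SUID bit from pkexec" mitigation for CVE-2021-4034.
# Assumption: pkexec lives at /usr/bin/pkexec; override PKEXEC_PATH to test.
PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# Return 0 (true) if the set-user-ID bit is set on the file, 1 otherwise.
is_suid() {
    [ -u "$1" ]
}

# Report the state of the file: "absent", "suid" (unmitigated, exploitable if
# unpatched) or "no-suid" (mitigated or never privileged).
pkexec_status() {
    f="${1:-$PKEXEC_PATH}"
    if [ ! -e "$f" ]; then
        echo absent
    elif is_suid "$f"; then
        echo suid
    else
        echo no-suid
    fi
}

# Mitigation: drop the SUID bit so pkexec can no longer run as root.
# Anything that relies on pkexec to elevate will stop working until undone.
mitigate_pkexec() {
    f="${1:-$PKEXEC_PATH}"
    if is_suid "$f"; then
        chmod u-s "$f" && echo mitigated
    else
        echo already-mitigated
    fi
}

# Rollback: restore the default mode 4755 (rwsr-xr-x) on the file.
# Assumption: 4755 root:root is what the distributions ship for pkexec.
undo_mitigation() {
    f="${1:-$PKEXEC_PATH}"
    chmod 4755 "$f" && echo restored
}
```

Run `pkexec_status` as an inventory check before and after deploying the mitigation; once the vendor patch is installed, `undo_mitigation` restores the default mode so dependent applications work again.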
CISA strongly recommends that all US organizations in the public and private sectors prioritize remediation of the vulnerabilities listed in its KEV (Known Exploited Vulnerabilities) catalog, including PwnKit. The BigFix console offers the functionality required to immediately identify all PwnKit-vulnerable endpoints and deploy the update that resolves the vulnerability.
Additionally, the latest version of BigFix Insights for Vulnerability Remediation makes the remediation process even faster and easier. Searching by CVE-2021-4034, customers can get the list of cross-OS patches that resolve the vulnerability and use the automation capabilities to deploy all the updates to all relevant endpoints in a single action.
For more information about BigFix, visit www.BigFix.com