Researchers on Tuesday disclosed a memory corruption vulnerability in pkexec, the Set User ID (SUID) root helper that ships with PolicyKit (now known as polkit) and is installed by default on every major Linux distribution, a vulnerability they say has been hiding in plain sight for more than 12 years.
In a blog post, Qualys researchers said the easily exploited local privilege escalation vulnerability (CVE-2021-4034), dubbed PwnKit, lets any unprivileged user gain full root privileges on a vulnerable host in its default configuration.
The researchers explained that polkit offers an organized way for unprivileged processes to communicate with privileged ones. Its pkexec utility can also run a command with elevated privileges: pkexec followed by the command to be executed as root. The flaw is in pkexec’s handling of its argument list. When pkexec is started with an empty argument list (an argc of 0), it reads and writes past the end of argv into the environment, which lets a local attacker reintroduce an environment variable that the dynamic loader normally strips from SUID programs and, through it, load attacker-controlled code with root privileges.
The discovery caused concern among security practitioners because exploitation is simple and reliable. The Qualys researchers said they obtained full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS, and that other Linux distributions are likely vulnerable and probably exploitable.
News of PwnKit drew attention at the highest levels of the intelligence community. Rob Joyce, director of the National Security Agency’s Cybersecurity Directorate, voiced his concern in a tweet on Wednesday:
“CVE-2021-4034 in a system tool called Polkit has me concerned. Easy and reliable privilege escalation preinstalled on every major Linux distribution. Patch ASAP or use the simple chmod 0755 /usr/bin/pkexec mitigation. There are working POCs in the wild.”
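As an added example (not from the article, the tweet, or the polkit project), the following POSIX shell script checks whether a pkexec binary still carries the setuid bit, applies the interim chmod 0755 mitigation quoted above, and verifies that the bit is gone. The path defaults to /usr/bin/pkexec but is taken as a parameter so the checks can be exercised against any file; the function names are the script's own.

```sh
#!/bin/sh
# Added example: check a pkexec binary for the setuid bit and apply the
# interim "chmod 0755" mitigation. Function names are this script's own.

# is_setuid PATH: succeed if PATH is a regular file with the setuid bit set.
# `find -perm -4000` is POSIX and matches when the 04000 bit is present.
is_setuid() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm -4000 -print 2>/dev/null)" ]
}

# pkexec_status PATH: print "missing", "setuid" or "no-setuid".
pkexec_status() {
    if [ ! -f "$1" ]; then
        echo missing
    elif is_setuid "$1"; then
        echo setuid
    else
        echo no-setuid
    fi
}

# mitigate PATH: force mode 0755 (drops setuid and setgid), then re-check.
# Needs write access to PATH (root for the real binary). Caveat: without the
# setuid bit pkexec can no longer elevate privileges for anyone, so this is a
# stop-gap until the patched polkit package is installed.
mitigate() {
    chmod 0755 "$1" || return 1
    is_setuid "$1" && return 1
    return 0
}

# main [--fix] [PATH]: report the status; with --fix also apply the mitigation.
main() {
    fix=0
    if [ "$1" = "--fix" ]; then
        fix=1
        shift
    fi
    target="${1:-/usr/bin/pkexec}"
    status=$(pkexec_status "$target")
    echo "$target: $status"
    if [ "$status" = setuid ] && [ "$fix" -eq 1 ]; then
        if mitigate "$target"; then
            echo "$target: setuid bit removed (mode 0755)"
        else
            echo "$target: mitigation failed (are you root?)" >&2
            return 1
        fi
    fi
    return 0
}

main "$@"
```

Run it without arguments to see whether the host still exposes the setuid pkexec, and with `--fix` as root to apply the stop-gap. Removing the setuid bit breaks every legitimate use of pkexec as well, so the real fix remains the vendor's patched polkit package.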
An open source vulnerability like this is an issue for both cloud and on-premises systems, with both needing to be patched or mitigated to prevent it from being exploited, said Bud Broomhead, CEO at Viakoo. However, in terms of scale of impact, Broomhead said it’s a much bigger issue (order of magnitude bigger) for on-premises systems because of the number of them and how they are dispersed across an organization. Broomhead said patching cloud-based systems can be done more quickly with fewer people.
“This is a big deal,” Broomhead said. “Unlike fully proprietary systems where a single manufacturer can issue a single patch to address a vulnerability, a single open source vulnerability can be present in multiple systems, including proprietary ones, which then requires multiple manufacturers to separately develop, test, and distribute a patch. For both the manufacturer, and end user, this adds enormous time and complexity to implementing a security fix for a known vulnerability.”
John Hammond, senior security researcher at Huntress, added that this latest polkit pkexec vulnerability has certainly caught the attention of security practitioners. Hammond said the attack vector offers an extremely easy method for privilege escalation, allowing a low-privilege user account to readily become the administrator or superuser account “root.”
“What’s so concerning with this vulnerability and exploit is just how simple it is to perform; the attack can be staged in even a single script,” Hammond said. “This adds a lot of pressure to the frowned-upon bad practice of redirecting code right into the Linux shell — something suggested by lots of different applications to make installation more convenient.”
Hammond added that, much like another headline-making vulnerability uncovered by the Qualys team (a heap-based buffer overflow in the sudo utility, CVE-2021-3156, dubbed “Baron Samedit”), this weakness has been present in a practically ubiquitous Linux utility for more than a decade. Before Qualys discovered the flaw in polkit, Hammond said, the attack vector itself had been publicly known and discussed for several years.
“It’s scary to think of this attack vector being used alongside the Log4Shell exploit,” Hammond said. “By weaponizing both an easy initial access vector and easy privilege escalation vector, mass compromise of Linux machines could be trivial. Perhaps if the two vulnerabilities were discovered and disclosed at the same time, December of 2021 would have been vastly different for the cybersecurity industry.”