Threat Advisory: PwnKit - Local Privilege Escalation Vulnerability in Major Linux Distributions

Updated: 01/26/2022 17:54

Severity: HIGH


A vulnerability (CVE-2021-4034, dubbed PwnKit) was discovered in Polkit's pkexec, a SUID-root program that is included by default on every major Linux distribution. The vulnerability enables local privilege escalation to root on the affected host. Proof-of-concept (PoC) exploits have been published, but ‘in-the-wild’ exploitation has not yet been observed.

Affected Distributions

This issue affects every major Linux distribution by default: any Linux distribution with Polkit pkexec installed is vulnerable.


  • It is recommended to prioritize patching for this vulnerability across all Linux systems. Major Linux distribution vendors have begun releasing updates that patch and mitigate this vulnerability, and Polkit has also released patches on its GitLab that mitigate this vulnerability [Source 3].
  • If patching is not immediately available, some mitigation steps are provided by Red Hat [Source 4].
  • It is also possible to mitigate exploitation of this vulnerability by removing the SUID bit from pkexec. It should be noted that this mitigation may also interrupt legitimate processes/usage of pkexec [Source 5]. The following sample commands could be used to mitigate this vulnerability but might need to be adjusted to your environment:
      ◦ chmod 0755 /usr/bin/pkexec
      ◦ chmod 0755 /usr/share/pkexec
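As an added example (not part of the advisory), the following POSIX shell helper reports whether a pkexec binary still carries the SUID bit and, if so, applies the chmod 0755 mitigation listed above. The two paths checked are the ones from the list; the script assumes a `stat` that supports `-c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: audit pkexec for the SUID-root bit and optionally strip it
# (the advisory's interim mitigation for CVE-2021-4034).
# Assumption: `stat -c` is available (GNU coreutils / busybox).

# Print one of: missing, nosuid, suid-root, suid-nonroot
pkexec_status() {
    path="$1"
    [ -e "$path" ] || { echo "missing"; return 0; }
    mode=$(stat -c '%a' "$path")    # e.g. 4755 when setuid is set, 755 when not
    owner=$(stat -c '%u' "$path")   # numeric uid of the file owner
    # Octal modes of the form 4xxx/5xxx/6xxx/7xxx have the setuid bit set.
    case "$mode" in
        4???|5???|6???|7???)
            if [ "$owner" -eq 0 ]; then echo "suid-root"; else echo "suid-nonroot"; fi ;;
        *) echo "nosuid" ;;
    esac
}

# Apply the mitigation (chmod 0755) only if the SUID bit is present.
# Returns 0 when the file is no longer setuid. Needs root on a real host.
pkexec_strip_suid() {
    path="$1"
    case "$(pkexec_status "$path")" in
        suid-root|suid-nonroot) chmod 0755 "$path" || return 1 ;;
    esac
    [ "$(pkexec_status "$path")" = "nosuid" ]
}

# Report status for the two paths named in the advisory.
for p in /usr/bin/pkexec /usr/share/pkexec; do
    printf '%s: %s\n' "$p" "$(pkexec_status "$p")"
done
```

Run the report first; call `pkexec_strip_suid /usr/bin/pkexec` as root only after confirming that legitimate pkexec use on the host can tolerate the loss of the SUID bit.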


  • A ReliaQuest GreyMatter Verify Simulation (CVE-2021-4034 – Local Privilege Escalation) is available to determine if a given host is vulnerable to this threat.
  • Given the attack pattern, Endpoint Detection and Response (EDR) content and logging are the best means of gaining insight into potential exploitation of this vulnerability. ReliaQuest has created the Detect use-case ‘RQ-SH-002664-02 – Pkexec Spawning Child Process as Root (CVE-2021-4034)’. Some sources have mentioned that exploitation will generate an ‘auth.log’ event, but it is also possible to run the exploit without that audit log entry being created [Source 5, 6].
  • Indicators of Compromise (IoCs) have not been identified for this vulnerability.

MITRE techniques

T1068 – Exploitation for Privilege Escalation

If you have any questions or would like to learn more about this advisory, please reach out to your ReliaQuest representative.
