Threat Advisory: PwnKit – Local Privilege Escalation Vulnerability in Major Linux Distributions

Updated: 01/26/2022 17:54

Severity: HIGH

Background

A vulnerability was discovered in Polkit pkexec, a SUID-root program that is included on every major Linux distribution by default. This vulnerability enables local privilege escalation to root on the victim host. Proof-of-concepts (PoCs) have been published for this vulnerability but ‘in-the-wild’ exploitation has not yet been observed.

Affected Distributions

This issue affects every major Linux distribution by default. Any Linux distribution with Polkit pkexec installed is vulnerable to this exploit.

Mitigations

  • It is recommended to prioritize patching for this vulnerability across all Linux systems. Major Linux distribution vendors have begun releasing updates that patch and mitigate this vulnerability, and Polkit has also released patches on its GitLab that mitigate this vulnerability [Source 3].
  • If patching is not immediately available, some mitigation steps are provided by Red Hat [Source 4].
  • It is also possible to mitigate exploitation of this vulnerability by removing the SUID bit from pkexec. It should be noted that this mitigation may also interrupt legitimate processes/usage of pkexec [Source 5]. The following sample commands could be used to mitigate this vulnerability but might need to be adjusted to your environment:
      • chmod 0755 /usr/bin/pkexec
      • chmod 0755 /usr/share/pkexec

Detections

  • A ReliaQuest GreyMatter Verify Simulation (CVE-2021-4034 – Local Privilege Escalation) is available to determine if a given host is vulnerable to this threat.
  • Given the attack pattern, Endpoint Detection and Response (EDR) content and logging are the best means of getting insight into potential exploitation of this vulnerability. ReliaQuest has created the Detect use-case ‘RQ-SH-002664-02 – Pkexec Spawning Child Process as Root (CVE-2021-4034)’. Some sources have mentioned that exploitation will generate an ‘auth.log’ event, but it is also possible to run the exploit without that log entry being created [Source 5, 6].
  • Indicators of Compromise (IoCs) have not been identified for this vulnerability.
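As an added illustration of the detection logic described above (example code written for this advisory, not ReliaQuest's own Detect content), the following flags process-creation events where pkexec spawned a root child on behalf of a non-root login user. The events and their JSON field names are constructed for the example and do not correspond to any specific EDR vendor's schema.

```python
import json

# Constructed process-creation events in an assumed EDR-style schema.
# Field names (parent_image, image, uid, auid, ...) are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2022-01-26T17:10:01Z", "host": "web01", "parent_image": "/usr/bin/pkexec",
     "image": "/bin/bash", "uid": 0, "auid": 1001, "cmdline": "bash"},
    {"ts": "2022-01-26T17:10:05Z", "host": "web01", "parent_image": "/usr/bin/pkexec",
     "image": "/usr/bin/gnome-calculator", "uid": 1001, "auid": 1001, "cmdline": "gnome-calculator"},
    {"ts": "2022-01-26T17:11:00Z", "host": "db02", "parent_image": "/usr/bin/sudo",
     "image": "/bin/bash", "uid": 0, "auid": 1002, "cmdline": "bash"},
    {"ts": "2022-01-26T17:12:30Z", "host": "db02", "parent_image": "/usr/bin/pkexec",
     "image": "/usr/bin/id", "uid": 0, "auid": 0, "cmdline": "id"},
]

# Interpreters that, when spawned as root directly under pkexec, are the
# shape most privilege-escalation abuse takes and therefore deserve priority.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash", "/usr/bin/zsh"}

# Linux reports an unset login uid as 4294967295 (0xffffffff).
UNSET_AUID = 4294967295


def is_pkexec_root_child(event):
    """True when pkexec spawned a child running as root (uid 0) and the login
    user (auid) is a real non-root account. Legitimate pkexec use can also
    match, so a hit is a triage lead rather than proof of exploitation."""
    return (
        event.get("parent_image", "").endswith("/pkexec")
        and event.get("uid") == 0
        and event.get("auid") not in (None, 0, UNSET_AUID)
    )


def score(event):
    """Rank a hit: a root shell under pkexec outranks a root non-shell helper."""
    return "high" if event.get("image") in SHELLS else "medium"


def find_hits(events):
    """Return the subset of events worth an analyst's attention, with priority."""
    return [
        {"host": e["host"], "ts": e["ts"], "image": e["image"],
         "auid": e["auid"], "priority": score(e)}
        for e in events if is_pkexec_root_child(e)
    ]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Because the advisory notes that an auth.log entry is not guaranteed, the check deliberately relies on process telemetry (parent/child image and uid fields) rather than on authentication logs.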

MITRE techniques

T1068 – Exploitation for Privilege Escalation

Sources

[1] https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

[2] https://access.redhat.com/security/cve/CVE-2021-4034

[3] https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683

[4] https://access.redhat.com/security/vulnerabilities/RHSB-2022-001

[5] https://isc.sans.edu/diary/rss/28272

[6] https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

If you have any questions or would like to learn more about this advisory, please reach out to your ReliaQuest representative.