Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
What is Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)?
A privilege escalation vulnerability has been disclosed in Polkit, formerly known as PolicyKit. Polkit is a SUID-root program installed by default on all major Linux distributions and is used for controlling system-wide privileges. The vulnerability is in pkexec, Polkit's main executable, and leads to memory corruption. Successful exploitation allows any unprivileged user to gain root privileges on the vulnerable host. The vulnerability has been dubbed "PwnKit".
What Are the Risks?
pkexec has been vulnerable since its creation in May 2009. The vulnerability is exploitable in the default configuration of most Linux platforms, and it is very likely to be exploited because proof-of-concept exploits are already public. Exploitation is local, since it requires access to the vulnerable system, but it can be paired with any remote code execution vulnerability to become part of a critical attack chain.
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2 vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Do You Need to Worry About it?
Most vendors have released security patches, and we strongly advise our customers to install them as soon as possible:
https://ubuntu.com/security/CVE-2021-4034
https://access.redhat.com/security/cve/CVE-2021-4034
https://linux.oracle.com/errata/ELSA-2022-0267.html
https://security-tracker.debian.org/tracker/CVE-2021-4034
Mitigation Steps:
- Apply patches released by Polkit’s authors on their GitLab.
- Administrators can temporarily mitigate exploitation by removing the SUID bit from pkexec until a patch can be installed.
For example:
# chmod 0755 /usr/bin/pkexec
- On Red Hat:
The following steps can be run as a mitigation on systems that do not have Secure Boot enabled:
- Install the required SystemTap packages and dependencies, as described at https://access.redhat.com/solutions/5441
- Install the polkit debug info:
debuginfo-install polkit
- Create the following SystemTap script and name it pkexec-block.stp:
// Terminate pkexec with SIGKILL when it is started without a first argument
probe process("/usr/bin/pkexec").function("main") {
    if (cmdline_arg(1) == "")
        raise(9);
}
- Load the SystemTap module into the running kernel:
stap -g -F -m stap_pkexec_block pkexec-block.stp
- Ensure the module is loaded:
lsmod | grep -i stap_pkexec_block
stap_pkexec_block 434176 0
- Once the polkit package is updated to the version containing the fix, the SystemTap-generated kernel module can be removed by running:
rmmod stap_pkexec_block
This mitigation does not work on Secure Boot enabled systems, as SystemTap would require an external compile server to sign the generated kernel module with a key enrolled in the kernel's keyring.
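The following audit script is an added example, not part of the original advisory or of any vendor's tooling: it checks whether a host still carries the SUID bit on pkexec (the exposure the temporary chmod mitigation above removes), reports the installed version for comparison with the vendor advisory, and can apply the chmod mitigation. The binary path and the command-line flags are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the pkexec SUID exposure
# described above and optionally apply the temporary chmod mitigation.
# PKEXEC_PATH is an assumed default; override it for non-standard installs.
PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# Return 0 if the file at $1 exists and carries the set-user-ID bit.
has_suid_bit() {
    [ -u "$1" ]
}

# Print one verdict word for $1: "absent", "suid-set" or "suid-cleared".
# Returns 0 only when the SUID bit is present, i.e. the host is still
# exposed to the local privilege escalation described in the advisory.
check_pkexec() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "absent"
        return 1
    fi
    if has_suid_bit "$path"; then
        echo "suid-set"
        return 0
    fi
    echo "suid-cleared"
    return 1
}

# Temporary mitigation from the advisory: strip the SUID bit (needs root
# on the real binary). Reversible once the patched package is installed.
mitigate_pkexec() {
    chmod 0755 "$1" && ! has_suid_bit "$1"
}

# Print the installed pkexec version; compare it against the vendor advisory,
# since distributions backport the fix under distribution-specific versions.
show_version() {
    "$1" --version 2>/dev/null || echo "version unavailable"
}

# Stand-alone use: "--audit" only reports, "--mitigate" strips the bit.
case "${1:-}" in
    --audit)
        check_pkexec "$PKEXEC_PATH"
        show_version "$PKEXEC_PATH" ;;
    --mitigate)
        mitigate_pkexec "$PKEXEC_PATH" && echo "SUID bit removed from $PKEXEC_PATH" ;;
esac
```

Run it as `sh audit-pkexec.sh --audit` on each host; a "suid-set" verdict on an unpatched version means the temporary mitigation has not been applied.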
Product Coverage:
The Indusface AppTrana platform protects against web application layer vulnerabilities being exploited by external traffic, and so can block the arbitrary code execution vulnerabilities that an attacker would pair with PwnKit to reach the host.
Indusface WAS performs external scans of the server, and because PwnKit is a local vulnerability it is out of scope for unauthenticated automated scans. A credentialed vulnerability audit can scan for local exposures once the credentials are updated; we recommend running credentialed vulnerability audit scans to detect this vulnerability.