Local Privilege Escalation Vulnerability in Polkit’s Pkexec

PROVINTELL Cyber Security Polkit's Pkexec CVE-2021-4034

VTA-00404 – Local Privilege Escalation Vulnerability in Polkit’s Pkexec

Recently, a local privilege escalation vulnerability in Polkit’s pkexec component is discovered in the default installations of Ubuntu, Debian, Fedora, and CentOS. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009. The flaw tracked as CVE-2021-4034 and named PwnKit. The security issue has been tracked to the initial commit of pkexec which allows an authorized user to execute commands as another user, doubling as an alternative to sudo. Researcher explains that it is just a memory corruption vulnerability in Polkit’s, which allows any unprivileged local user to gain full root privileges on a vulnerable system using default polkit configuration.


Attack Surfaces:
Endpoint OS

Command and Control, Execution, Privilege Escalation

Abuse Elevation Control Mechanism

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Security Controls, Software Manipulation

SuperPRO’s Threat Countermeasures Procedures:
1. Remove the SUID-bit for pkexec as a temporary mitigation; for example: # chmod 0755 /usr/bin/pkexec
2. All major Linux distributions have released security updates and new fixed version of Polkit.
Ubuntu: https://ubuntu.com/security/notices/USN-5252-1
RedHat: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
Debian: https://security-tracker.debian.org/tracker/CVE-2021-4034
SUSE: https://www.suse.com/security/cve/CVE-2021-4034.html
3. Affected user can either download the packages from Linux distribution websites (provided in step 2) or upgrade the package alone (for example on Ubuntu: $ sudo apt install <package name>; On RedHat Or CentOS: $ sudo yum install <package name>) or run system update.

Are your Endpoints secured? Scan your Endpoints now:
1. Register account on Open Threat Exchange (OTX).
2. Download the OTX Endpoint Security.
3. Subscribe to Provintell-Lab’s OTX pulses. 
4. Scan your endpoint for the presence of the IOCs. It’s FREE!

Contributed by: Jyao

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>