Critical bug affects all major Linux distros: multiple exploits already published. Patch now.

Issue allocated CVE-2021-4034 and dubbed "PwnKit"


There is a critical vulnerability in a programme installed by default on every major Linux distribution. Dubbed PwnKit, it gives any unprivileged local user an easy route to root: a potential nightmare for security teams trying to prevent lateral movement by attackers who have already gained a toe-hold on their systems.

The vulnerability is in polkit's pkexec, a SUID-root programme that is ubiquitous on Linux systems and is used to control system-wide privileges in Unix-like operating systems. It was found by the research team at Qualys.

US National Security Agency (NSA) Cybersecurity Director Rob Joyce noted on Twitter that the bug "has me concerned. Easy and reliable privilege escalation preinstalled on every major Linux distribution. Patch ASAP or use the simple chmod 0755 /usr/bin/pkexec mitigation. There are working POCs in the wild," he added.

It has been allocated CVE-2021-4034.

PwnKit exploit lands within hours

Qualys researchers said this week that they have been able to verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS; other Linux distributions "are likely vulnerable and probably exploitable". The vulnerability has been "hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, 'Add a pkexec(1) command')".

Qualys did not release a public exploit, but the ease with which the vulnerability can be abused meant that PwnKit exploits had landed within three hours of the company publishing its findings. As the security team who found it noted: "Although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way; and it is exploitable even if the polkit daemon itself is not running."

Cybersecurity firm CyberArk has released PwnKit-Hunter: a set of tools that will help determine whether your system's polkit package is vulnerable. The toolkit works for Debian and Ubuntu.

Security firm Trustwave added: "Although Local Privilege Escalation vulnerabilities require access to the vulnerable system, do not discount this vulnerability. When paired with any simple Remote Code Execution (RCE) vulnerability, this becomes a part of a critical attack chain. Given the massive attack surface that affects most every Linux distribution, this vulnerability will have legs that make it a threat well into 2022."


Red Hat noted: "The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine."

Ubuntu has also pushed a patch and mitigation advice.

(Users should urgently update their systems to the following package versions: Ubuntu 16.04: policykit-1 0.105-14.1ubuntu0.5+esm1; Ubuntu 14.04: policykit-1 0.105-4ubuntu3.14.04.6+esm1.)
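The exposure PwnKit needs is a pkexec binary that is still setuid root, and Rob Joyce's interim mitigation quoted above is simply to drop that bit until the patched polkit package is installed. The following POSIX shell script is an added example written for this page, not code from the article, Qualys, Red Hat or CyberArk: it reports whether a given pkexec path is setuid root and can apply the chmod 0755 mitigation to it. The default path /usr/bin/pkexec is an assumption about your distribution; check `command -v pkexec` if it lives elsewhere.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code): check whether a
# pkexec binary is still exposed as setuid root and optionally apply the
# interim "chmod 0755" mitigation. Assumes POSIX sh plus find(1) and chmod(1).
# The default path /usr/bin/pkexec is an assumption about the distribution.

# Prints one of: missing | not-setuid | setuid-nonroot | setuid-root
pkexec_exposure() {
    path="$1"
    [ -f "$path" ] || { echo missing; return 0; }
    # -perm -4000 matches when the setuid bit is set, whatever the other bits are
    if [ -z "$(find "$path" -perm -4000 -print 2>/dev/null)" ]; then
        echo not-setuid
    elif [ -n "$(find "$path" -perm -4000 -user root -print 2>/dev/null)" ]; then
        echo setuid-root      # the condition an unprivileged user needs for PwnKit
    else
        echo setuid-nonroot
    fi
}

# Interim mitigation from the article: remove the setuid bit. Legitimate
# privilege elevation through pkexec stops working until the patched package
# is installed, so this buys time rather than replacing the update.
# Returns 0 only if the bit is confirmed gone afterwards.
pkexec_mitigate() {
    path="$1"
    chmod 0755 "$path" || return 1
    [ "$(pkexec_exposure "$path")" = not-setuid ]
}

# Human-readable summary; always returns 0 so it is safe in a login script.
pkexec_report() {
    path="${1:-/usr/bin/pkexec}"
    case "$(pkexec_exposure "$path")" in
        setuid-root)
            echo "WARNING: $path is setuid root; install the patched polkit or run: chmod 0755 $path" ;;
        setuid-nonroot)
            echo "NOTE: $path is setuid but not root-owned (unusual; verify the package)" ;;
        not-setuid)
            echo "OK: $path is not setuid; still confirm the patched polkit package is installed" ;;
        missing)
            echo "OK: $path is not present" ;;
    esac
    return 0
}

pkexec_report "${1:-/usr/bin/pkexec}"
```

Run it as root (`sh pkexec-check.sh`) or point it at another path (`sh pkexec-check.sh /usr/libexec/pkexec`). A result of `not-setuid` closes the local escalation path but does not prove the package is patched; the package upgrade remains the fix, and the upgrade will reinstate the setuid bit on the fixed binary, which is the expected end state.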


IT teams would be forgiven for being bone-weary of the latest vulnerability hype, particularly amid reports that even the Log4j bugs were not exploited at the scale many predicted. PwnKit (allocated CVE-2021-4034) looks like a particularly convenient tool for anyone with malicious intent, as well as for Red Teamers, and given the speed with which security researchers were spinning up PwnKit exploits, mitigation should be prioritised.

Australian security researcher Ryan Mallon appears to have spotted the issue as far back as 2013.

https://twitter.com/ryiron/status/1486207182404472832

Qualys provides technical details on the vulnerability here.
