The Qualys Research Team has disclosed a 12-year-old memory corruption vulnerability in polkit’s pkexec. The vulnerability is tracked as CVE-2021-4034 allows any unprivileged user to gain full root privileges on a vulnerable Linux machine. The research team confirmed that it has successfully tested this vulnerability on Ubuntu, Debian, Fedora, and CentOS with the default configuration. Since Plokit is part of the default packages on most Linux distributions, we can say that the whole Linux community is under threat. It is essential to fix the CVE-2021-4034 vulnerability as the flaw is being exploited in the wild. In this post, let’s see how to fix Polkit privilege escalation vulnerability in Linux machines.
What Is Polkit?
Polkit is formally known as PolicyKit, is a component for controlling system-wide privileges in Unix-like operating systems. It is developed to establish communication between non-privileged and privileged processes in an organized way. Pkexec is a command utility in Polkit used to execute commands with elevated privileges. A user can use pkexec as an alternative to sudo. If an unprivileged user wants to execute a command with root privileges, the user needs to prefix pkexec to the command intended to be executed. Pkexec command allows an unauthorized user to execute a command as another user. If no username is specified, the command will be executed as root.
To be more clear, Polkit is a small toolkit used for defining and handling authorizations on Unix/Linux platforms. It helps the unprivileged process to securely communicate with the privileged process. In essence, it stops unprivileged users from executing admin tasks. When a user tries to run a privileged task from $ prompt on Linux systems, the system will ask to enter a superuser password. That system is actually the Polkit service which is running under the line of control. It is installed by default on many Linux distributions. It’s used by the system, so any Linux distribution that uses systemd that also uses polkit.
About The Polkit Privilege Escalation Vulnerability (CVE-2021-4034):
The vulnerability is due to improper handling of command-line arguments by the pkexec tool. The report says, is a memory corruption vulnerability exists in polkit’s pkexec command that allows an unauthorized user to execute a command as another user. Successful exploitation of this vulnerability allows any unprivileged user to gain full root privileges on the vulnerable Linux machine. Since Polkit is part of the basic installation package in most of the Linux distributions, the whole Linux platform is considered vulnerable to the Polkit privilege escalation vulnerability.
The best thing about the flaw is that the flaw is not remotely exploitable. The attacker should have access to the machine to exploit the vulnerability.
|Associated CVE ID||CVE-2021-4034|
|Description||A local privilege escalation in Polkit’s pkexec|
|Associated ZDI ID||–|
|Attack Vector (AV)||Local|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||Low|
|User Interaction (UI)||None|
This is the second privilege escalation vulnerability in Polkit after the discloser of CVE-2021-3560 in June 2021.
Linux Distributions Affected By The Polkit Privilege Escalation Vulnerability (CVE-2021-4034):
The flaw is successfully tested on Ubuntu, Debian, Fedora, and CentOS with default configuration. Since Polkit is part of the default installation package in most of the Linux distributions and all Polkit versions from 2009 onwards are vulnerable., the whole Linux platform is considered vulnerable to the Polkit privilege escalation vulnerability.
Major Linux Distributions Affected By The Polkit Privilege Escalation Vulnerability Are:
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Virtualization 4
- Ubuntu 21.10
- Ubuntu 20.04
- Ubuntu 18.04
- Ubuntu 16.04
- Ubuntu 14.04
- HPE Helion Openstack 8
- SUSE CaaS Platform 4.0
- SUSE Enterprise Storage 6
- SUSE Enterprise Storage 7
- SUSE Linux Enterprise High Performance Computing 15
- SUSE Linux Enterprise Micro 5
- SUSE Linux Enterprise Module for Basesystem 15
- SUSE Linux Enterprise Server 12
- SUSE Linux Enterprise Server 15
- SUSE Linux Enterprise Server for SAP Applications 12
- SUSE Linux Enterprise Server for SAP Applications 15
- SUSE Linux Enterprise Software Development Kit 12
- SUSE Manager Proxy 4
- SUSE OpenStack Cloud 8
- SUSE OpenStack Cloud 9
- SUSE OpenStack Cloud Crowbar 8
- SUSE OpenStack Cloud Crowbar 9
- openSUSE Leap 15
Note: SUSE Linux Enterprise 11 is not affected, as it uses the older generation PolicyKit-1.
How To Test The Polkit Privilege Escalation Vulnerability (CVE-2021-4034)?
It is easy to test the Polkit privilege escalation vulnerability using the readily available exploit. The exploit is available on Github.
Just you need to download the exploit, compel and execute it. Follow these simple four commands to exploit the Polkit vulnerability. These commends will take you to the ‘#’ root prompt if the system is vulnerable.
How To Test The Polkit Privilege Escalation Vulnerability (CVE-2021-4034)?
- Install Git
$ sudo apt install git (On Ubuntu)
$ sudo yum install git (On RHEL)
- Clone the exploit script from Github
$ git clone https://github.com/berdav/CVE-2021-4034.git
- Change directory into ‘CVE-2021-4034’
$ cd CVE-2021-4034/
- Compile the script using ‘make’ command
- Test the Polkit Privilege Escalation Vulnerability
How To Discover Assets Vulnerable To Polkit Privilege Escalation Vulnerability?
Testing each machine on the network is a laborious task, and manual testing is impossible for large companies. The companies should use automated scripts, vulnerability scanner applications, or orchestration solutions like Ansible to detect Polkit privilege escalation vulnerable assets.
RedHat has created a detection script to determine if your system is vulnerable to Polkit privilege escalation vulnerability. Additionally, RedHat has developed an Ansible Playbook, which helps implement the mitigation on the vulnerable hosts.
Qualys VMDR is another good solution to discover the vulnerable assets on the network. Qualys has developed a query for Qualys VMDR users. Run this query in Qualys VMDR to discover assets vulnerable to Polkit privilege escalation vulnerability.
How To Fix The Polkit Privilege Escalation Vulnerability (CVE-2021-4034)?
All major Linux distributions have released security updates and new fixed version of Polkit. Please don’t miss to see the advisories released by the Linux Distributions for more information.
The procedure to fix the Plokit privilege escalation vulnerability is very simple. You can either download the packages (fixed the flaw) from the Linux distribution websites (Provided in the previous section) or upgrade the package alone. Or run the system update. The problem could be fixed after running the system update.
Use This Command To Update The Polkit Package On Ubuntu:
$ sudo apt install <package name>
Use This Command To Update The Polkit Package On RedHat Or CentOS:
$ sudo yum install <package name>
Use These Command If You Want To Update The System:
$ sudo apt update && sudo apt upgrade $ sudo yum update && sudo yum upgrade
Those who can’t apply the patches, there is a workaround for them. Run this command to strip pkexec of the setuid bit.
$ chmod 0755 /usr/bin/pkexec
We hope this post would help you know How to Fix the Polkit Privilege Escalation Vulnerability (CVE-2021-4034) in in Linus machines. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.