CVE-2021-4034: A local privilege escalation vulnerability in polkit's pkexec utility (CVE-2021-4034), also known as PwnKit, allows unprivileged users to gain administrative rights on Linux systems.


Description

The pkexec utility, part of the polkit authentication framework, contains a critical vulnerability that allows local users to escalate privileges to root. The vulnerability stems from improper handling of command parameters, causing pkexec to potentially execute environment variables as commands. An attacker can craft specific environment variables to trigger arbitrary code execution with elevated privileges. This vulnerability affects most major Linux distributions and has been actively exploited in the wild. Security researchers from Qualys discovered and named this vulnerability "PwnKit."

Overview

CVE-2021-4034 (PwnKit) is a memory corruption vulnerability in the pkexec component of polkit, a system service that manages system-wide privileges in Unix-like operating systems. The vulnerability exists because pkexec fails to properly validate the number of arguments passed to it and attempts to execute environment variables as commands. This vulnerability is particularly dangerous because:

  • It affects virtually all Linux distributions
  • It has existed in the polkit codebase since May 2009 (version 0.113)
  • It can be exploited by any local user without authentication
  • Exploitation leads to complete system compromise (root privileges)
  • The attack vector involves out-of-bounds reads (CWE-125) and out-of-bounds writes (CWE-787)

Remediation

To mitigate this vulnerability, system administrators should:

  1. Apply vendor-supplied security patches immediately:
     • Update the polkit package to the patched version provided by your distribution
     • Most major Linux distributions have released security updates
  2. If patching is not immediately possible, consider these temporary mitigations:
     • Remove the SUID bit from the pkexec binary: chmod 0755 /usr/bin/pkexec
     • This prevents pkexec from running with elevated privileges, so anything that relies on pkexec to run commands as another user will stop working until the patched package is installed and restores the bit
  3. Monitor systems for signs of exploitation:
     • Check for unauthorized privilege escalation
     • Review system logs for suspicious pkexec activity
     • Implement network monitoring for indicators of compromise
  4. Follow distribution-specific guidance:
     • Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
     • SUSE: https://www.suse.com/support/kb/doc/?id=000020564
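As an added example (not from the Armis page and not polkit project code), the POSIX shell script below turns steps 1 to 3 into repeatable checks: it tests whether pkexec still carries the set-user-ID bit, clears it exactly as the mitigation above describes, reports the installed polkit package so it can be compared with the vendor's fixed version, and counts the two messages pkexec itself logs when it rejects a SHELL value or an environment variable it considers unsafe (the strings, including pkexec's own misspelling "suscipious", are quoted from the Qualys advisory listed under References, which notes that exploitation leaves these traces). The path /usr/bin/pkexec, the package names polkit and policykit-1, and the sample log lines are assumptions; the sample lines are constructed, not real data.

```shell
#!/bin/sh
# Added example: helpers for the PwnKit remediation steps (not Armis or polkit code).
# Assumptions: pkexec lives at /usr/bin/pkexec (override with PKEXEC=...),
# RPM-based systems package polkit as "polkit", Debian/Ubuntu as "policykit-1".

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Step 2 check: true (exit 0) when the file still carries the set-user-ID bit.
pkexec_is_suid() {
    [ -u "${1:-$PKEXEC}" ]
}

# Step 2 mitigation: clear the SUID bit as the advisory says (chmod 0755).
# Safe to repeat; prints the resulting mode so the change is recorded in the session.
pkexec_drop_suid() {
    chmod 0755 "${1:-$PKEXEC}" && ls -l "${1:-$PKEXEC}"
}

# Step 1 check: report the installed polkit package for comparison with the
# distribution's fixed version (see the vendor links above).
polkit_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q polkit 2>/dev/null
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' policykit-1 2>/dev/null
    else
        echo "no rpm or dpkg found; check the polkit version by hand"
    fi
}

# Step 3 detection: count the two messages pkexec writes to syslog when it
# refuses a SHELL value or an environment variable it considers unsafe. The
# Qualys advisory notes that exploiting the missing argument-count check leaves
# these traces unless the attacker suppresses them. Reads a log on stdin;
# the second pattern is pkexec's own misspelling, so do not "correct" it.
pwnkit_log_hits() {
    grep -c \
        -e 'The value for the SHELL variable was not found the /etc/shells file' \
        -e 'contains suscipious content' || true
}

# Constructed sample log (not real data) for the "demo" mode below.
SAMPLE_LOG='Jan 26 10:02:11 host pkexec[4171]: The value for the SHELL variable was not found the /etc/shells file
Jan 26 10:02:11 host sshd[4102]: Accepted publickey for alice from 10.0.0.5
Jan 26 10:02:12 host pkexec[4172]: The value for environment variable XAUTHORITY contains suscipious content'

case "${1:-}" in
    status)
        if pkexec_is_suid; then
            echo "$PKEXEC is SUID root: exploitable unless polkit is patched ($(polkit_version))"
        else
            echo "$PKEXEC is not SUID (mitigated or absent)"
        fi ;;
    mitigate) pkexec_drop_suid ;;
    scan-log) pwnkit_log_hits < "${2:-/var/log/auth.log}" ;;
    demo)     printf '%s\n' "$SAMPLE_LOG" | pwnkit_log_hits ;;
    *)        echo "usage: $0 status|mitigate|scan-log [logfile]|demo" ;;
esac
```

Run it as `sh pwnkit_check.sh status` before and after patching, and `sh pwnkit_check.sh scan-log /var/log/auth.log` (or the journal exported to a file) during the review in step 3. A non-zero hit count is a lead, not proof: the same messages appear when a legitimate program hands pkexec an unusual SHELL or environment, so pair each hit with the surrounding pkexec entries in the log to see which user and command triggered it.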

References

  1. Qualys Security Advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
  2. Red Hat Security Bulletin: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
  3. Polkit patch commit: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
  4. Technical analysis: https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/
  5. Exploit details: http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html
  6. SUSE KB article: https://www.suse.com/support/kb/doc/?id=000020564
  7. Siemens advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf
  8. Oracle security advisory: https://www.oracle.com/security-alerts/cpuapr2022.html

Early Warning

Armis Early Warning customers received an advance alert on this vulnerability.

Armis Alert Date: Feb 7, 2022
CISA KEV Date: Jun 27, 2022
(140 days early)

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Health Care & Social Assistance
  3. Public Administration
  4. Finance and Insurance
  5. Professional, Scientific, & Technical Services
  6. Transportation & Warehousing
  7. Utilities
  8. Educational Services
  9. Retail Trade
  10. Other Services (except Public Administration)
  11. Arts, Entertainment & Recreation
  12. Information
  13. Management of Companies & Enterprises
  14. Agriculture, Forestry, Fishing & Hunting
  15. Accommodation & Food Services
  16. Wholesale Trade
  17. Administrative, Support, Waste Management & Remediation Services
  18. Construction
  19. Mining
  20. Real Estate Rental & Leasing
