Voyager18 (research)

CVE-2021-4034 - how to fix the PwnKit vulnerability

CVE-2021-4034 - also known as PwnKit - gives attackers root privileges on machines running most major distributions of the Linux operating system. Here's what you need to know.

Orani Amroussi | January 27, 2022

Linux users had cause for concern recently when a 12-year-old vulnerability was discovered in the system tool Polkit. CVE-2021-4034 - also known as PwnKit - gives attackers root privileges on machines running most major distributions of the operating system. 

The PwnKit vulnerability was first discovered by Qualys in November and disclosed more recently after being patched in most Linux distributions. 

Here’s what you need to know:

What is the PwnKit vulnerability?

CVE-2021-4034 is a memory-corruption vulnerability in pkexec, the Polkit component that allows non-privileged processes to interact with privileged ones and run commands with higher privileges. The bug has resided in pkexec since 2009 and can be exploited all the way to root. Exploitation is easy and reportedly 100% reliable.

According to Qualys, the most likely attack is an internal threat: an attacker who already has a low-privileged account can easily escalate to full root privileges. As an external attack, a malicious actor needs only to gain a foothold on a system via another vulnerability or disclosed credentials before they can obtain full root privileges via this vulnerability.

Does it affect me?

Probably yes. Most major distributions (Ubuntu, Debian, Red Hat, etc.) have released patches, and according to Qualys' report the vulnerability affects every version of pkexec since its first release in May 2009. So, again, you are probably affected.

Has PwnKit been actively exploited in the wild?

There is still no evidence or reports of exploitation by threat actors. However, a day after Qualys' report, a PoC and exploits were published by security researchers. Exploitation in the wild is therefore only a matter of time, and it is strongly recommended to prioritize remediation or mitigation.

Fixing the PwnKit vulnerability

Fortunately, this vulnerability is a local exploit, which mitigates some of the risk. Until patches are broadly available, sysadmins can remove the SUID bit from pkexec (as root: chmod 0755 /usr/bin/pkexec) to temporarily mitigate the problem. You can find further instructions in the Vulcan Remedy Cloud.

Going forward, improved auditing will help catch and correct vulnerabilities before they are used in the wild, and improved integration with vulnerability and patch management tools will make OSS-based systems even more secure and easier to maintain.

Organizations should restrict local access to vulnerable systems where possible and apply patches promptly. In the meantime, removing the SUID bit from the pkexec binary can serve as a temporary mitigation.
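As an added example (not code from the original post or from Vulcan Cyber), here is a small POSIX shell script that reports whether pkexec still carries the SUID bit and can apply the chmod 0755 stop-gap described above. The function names and the PKEXEC and MITIGATE variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether pkexec still carries
# the SUID bit and, if requested, apply the temporary mitigation from the article
# (chmod 0755). Function and variable names are this example's own.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"   # override to test against another path

# pkexec_suid_state PATH
# Prints "suid", "nosuid" or "missing".
# Exit status: 0 = SUID bit absent (stop-gap in place or binary never SUID),
#              1 = SUID bit still set, 2 = binary not found.
# Note: "nosuid" says nothing about whether the patched package is installed.
pkexec_suid_state() {
    _p="$1"
    if [ ! -e "$_p" ]; then
        echo "missing"; return 2
    fi
    if [ -u "$_p" ]; then          # POSIX test: set-user-ID bit present
        echo "suid"; return 1
    fi
    echo "nosuid"; return 0
}

# pkexec_strip_suid PATH
# Removes the set-user-ID bit with chmod 0755 (the mitigation from the post)
# and verifies the bit is really gone. Needs root for the real binary.
pkexec_strip_suid() {
    _p="$1"
    chmod 0755 "$_p" || return 1
    [ ! -u "$_p" ]
}

# When run directly: report the state of the real binary. Nothing is changed
# unless MITIGATE=1 is set in the environment.
_state=$(pkexec_suid_state "$PKEXEC") || true
echo "$PKEXEC: $_state"
if [ "${MITIGATE:-0}" = "1" ] && [ "$_state" = "suid" ]; then
    pkexec_strip_suid "$PKEXEC" && echo "$PKEXEC: SUID bit removed (temporary mitigation)"
fi
```

A "nosuid" result only tells you the stop-gap is in place, not that the patched package is installed. Since pkexec cannot elevate privileges without the SUID bit, legitimate Polkit use is affected until the distribution patch is applied and the packaged permissions are restored.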

At Vulcan Cyber we work around the clock to monitor new threat intelligence indications and trends. Stay up to date with all the latest vulnerabilities with the Vulcan Remedy Cloud.