
Just in Time Bulletin: CVE-2021-4034 PwnKit

Feb 03, 2022

What is PwnKit (CVE-2021-4034)?

CVE-2021-4034, known as PwnKit, is a local privilege escalation vulnerability in the ‘pkexec’ command line utility. Pkexec is a SUID-root program deployed by default on all major Linux distributions as part of PolKit (PolicyKit), which manages process privileges.

Pkexec fails to properly count the number of arguments passed to it, which results in an out-of-bounds write. That write enables an attacker to inject crafted payloads through environment variables and ultimately execute arbitrary code. On vulnerable systems, successful execution of arbitrary code results in trivial privilege escalation to ‘root’.

How bad is this?

CVE            CVSSv3 Score
CVE-2021-4034  7.8

Active exploitation today: Exploited in the wild, proof of concept code publicly available.

Severity: Critical

  • Local privilege escalation
  • Results in trivial ‘root’ access on vulnerable systems
  • Likely to be chained with other vulnerabilities (Log4Shell), malware, and rootkits

Who is affected by this?

  • Ubuntu 14.04, 16.04, 18.04 and 20.04
  • Debian 9 and 10
  • RHEL 6, 7 and 8
  • Amazon Linux AMI 2

How are they exploited?

Exploitation requires local access to a vulnerable system, which limits the risk of unauthorized access by remote attackers. However, the exploit is relatively simple: the payload executes ‘pkexec’ via ‘execve()’ with NULL arguments and crafted environment variables, which triggers an error path that corrupts memory and results in the execution of unauthorized code as ‘root’.

Am I at Risk?

If PolicyKit is not installed on your system, you are not affected by PwnKit. However, PolicyKit is installed by default on nearly all major Linux operating systems, with the exception of Debian. On Debian platforms PolicyKit is a dependency of other packages and is most likely present.

To determine if you’re at risk, execute the following command:

$ dpkg -s policykit-1 | grep Version
Version: 0.105-30ubuntu0.1

The table below lists the fixed versions of polkit; any version older than the fixed version is vulnerable.

Linux Version           Fixed Polkit Version
Ubuntu 21.10            policykit-1 – 0.105-31ubuntu0.1
Ubuntu 20.04            policykit-1 – 0.105-26ubuntu1.2
Ubuntu 18.04            policykit-1 – 0.105-20ubuntu0.18.04.6
Debian Stretch          0.105-18+deb9u2
Debian Buster           0.105-25+deb10u1
Debian Bullseye         0.105-31+deb11u1
Red Hat Enterprise 6    polkit-0.96-11.el6_10.2.src.rpm
Red Hat Enterprise 7    polkit-0.112-26.el7_9.1.src.rpm
Red Hat Enterprise 8    polkit-0.115-13.el8_5.1.src.rpm

How do I protect myself?

It is recommended that polkit be updated immediately to the fixed version listed above.

To mitigate the issue without updating polkit, it is possible to remove the setuid permission from pkexec; however, this could impact services that rely on pkexec for root privileges. To change the permissions, execute the following command:

$ chmod 0755 $(which pkexec)
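The dpkg check and the chmod mitigation above are single commands run by hand. The script below is an added example, not part of the NopSec bulletin, that combines them into a per-host triage: it reads the installed polkit version from dpkg or rpm, compares it with a fixed version you pass in from the table above (for Red Hat, the version-release part of the src.rpm name, e.g. 0.112-26.el7_9.1), and reports whether pkexec still carries the setuid bit. It assumes GNU sort -V for version ordering and treats an older-than-fixed polkit together with a setuid pkexec as vulnerable.

```shell
#!/bin/sh
# Added example (not part of the NopSec bulletin): triage a host for CVE-2021-4034.
# Assumes GNU sort -V, which orders the Debian/RPM-style strings in the table
# correctly but is not a full dpkg/rpm version comparator.

# Installed polkit version, or empty output if the package is absent.
installed_polkit_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' policykit-1 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q polkit >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' polkit
    fi
}

# True (0) when $1 sorts strictly before $2, i.e. the installed version is older.
version_is_older() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True (0) when the file at $1 carries the setuid bit that PwnKit depends on.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Prints a verdict; returns 0 when the host is not exploitable, 1 when it is.
# $1 installed version ("" = polkit absent), $2 fixed version, $3 pkexec path.
assess_host() {
    installed=$1 fixed=$2 pkexec=$3
    if [ -z "$installed" ]; then
        echo "polkit not installed: not affected"; return 0
    fi
    if ! version_is_older "$installed" "$fixed"; then
        echo "PATCHED: polkit $installed >= $fixed"; return 0
    fi
    if pkexec_is_setuid "$pkexec"; then
        echo "VULNERABLE: polkit $installed < $fixed and $pkexec is setuid"; return 1
    fi
    echo "MITIGATED: polkit $installed < $fixed but $pkexec is not setuid"; return 0
}

# Usage: sh pwnkit-check.sh <fixed-version-from-table>, e.g. 0.105-26ubuntu1.2
if [ -n "$1" ]; then
    assess_host "$(installed_polkit_version)" "$1" "$(command -v pkexec || echo /usr/bin/pkexec)"
fi
```

A non-zero exit marks a host that still needs the package update or the chmod mitigation, which makes the script usable from a fleet-wide SSH loop or a configuration-management check.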

Additional Resources: