Just in Time Bulletin: CVE-2021-4034 PwnKit
What is PwnKit (CVE-2021-4034)?
CVE-2021-4034, known as PwnKit, is a local privilege escalation vulnerability in the ‘pkexec’ command-line utility. Pkexec is a SUID-root program deployed by default on all major Linux distributions as part of PolKit (PolicyKit), which manages process privileges.
Pkexec fails to properly count the number of arguments passed to it, which results in an out-of-bounds write that lets an attacker inject crafted payloads through environment variables and thereby execute arbitrary code. Because pkexec runs as root, successful exploitation on a vulnerable system results in trivial privilege escalation to ‘root’.
How bad is this?
Active exploitation today: Exploited in the wild, proof of concept code publicly available.
- Local privilege escalation
- Results in trivial ‘root’ access on vulnerable systems
- Likely to be chained with other vulnerabilities (Log4Shell), malware, and rootkits
Who is affected by this?
- Ubuntu 14.04, 16.04, 18.04 and 20.04
- Debian 9 and 10
- RHEL 6, 7 and 8
- Amazon Linux AMI 2
How are they exploited?
Exploitation requires local access to a vulnerable system, which limits the exposure to remote attackers. However, the exploit is relatively simple: it launches ‘pkexec’ via ‘execve()’ with a NULL argument list and crafted environment variables. Pkexec mishandles the empty argument list, which triggers an error path, corrupts memory, and ultimately results in the execution of unauthorized code as ‘root’.
Am I at Risk?
If PolicyKit is not installed on your system, then you are not affected by PwnKit. However, PolicyKit is installed by default on nearly all major Linux operating systems, with the exception of Debian. On Debian platforms PolicyKit is a dependency of other packages and is most likely present.
To determine if you’re at risk, execute the following command:
$ dpkg -s policykit-1 | grep Version
The table below lists the fixed versions of polkit; any version older than the fixed version is vulnerable.

| Linux Version | Fixed Polkit Version |
|---|---|
| Ubuntu 21.10 | policykit-1 0.105-31ubuntu0.1 |
| Ubuntu 20.04 | policykit-1 0.105-26ubuntu1.2 |
| Ubuntu 18.04 | policykit-1 0.105-20ubuntu0.18.04.6 |
| Red Hat Enterprise 6 | polkit-0.96-11.el6_10.2.src.rpm |
| Red Hat Enterprise 7 | polkit-0.112-26.el7_9.1.src.rpm |
| Red Hat Enterprise 8 | polkit-0.115-13.el8_5.1.src.rpm |
How do I protect myself?
It is recommended that polkit be updated immediately to the fixed version listed above.
To mitigate the issue without updating polkit, it is possible to remove the setuid permission from pkexec; however, this could impact services that rely on pkexec for root privileges. To change the permissions, execute the following command:
$ chmod 0755 $(which pkexec)
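The version check above tells you what is installed, but deciding whether that version is older than the fixed one means applying dpkg's version-ordering rules, which a plain string comparison gets wrong (a `~` pre-release sorts below the release, and `1.2` sorts above `1.10` lexically but below it numerically). The script below is an added example, not part of this bulletin or of polkit itself: it implements dpkg's comparison algorithm, checks a `dpkg -s policykit-1` output against the Ubuntu rows of the table above, and also verifies whether the setuid bit that the `chmod 0755` mitigation removes is still set on `pkexec`. The `FIXED_VERSIONS` values are taken from the table; the sample dpkg output is constructed; the function names are this example's own. It covers Debian-format package versions only, so on RHEL you would query `rpm -q polkit` and compare with rpm's rules, which this example does not implement.

```python
import os
import re
import shutil
import stat

# Fixed policykit-1 versions from the bulletin's table (Ubuntu rows only).
FIXED_VERSIONS = {
    "Ubuntu 21.10": "0.105-31ubuntu0.1",
    "Ubuntu 20.04": "0.105-26ubuntu1.2",
    "Ubuntu 18.04": "0.105-20ubuntu0.18.04.6",
}


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything (even the
    end of the string), then end of string and digits, then letters, then
    every other character."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate between a
    non-digit run (ordered by _order) and a numeric run (ordered by value)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1   # a has more digits, so its number is larger
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_dpkg_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`.
    A version is [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def installed_version_from_dpkg_status(status_text):
    """Extract the Version: field from `dpkg -s policykit-1` output."""
    m = re.search(r"^Version:\s*(\S+)", status_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(release, installed_version):
    """True when the installed policykit-1 is older than the fixed version.
    An unknown release raises KeyError rather than silently reporting 'fixed'."""
    return compare_dpkg_versions(installed_version, FIXED_VERSIONS[release]) < 0


def pkexec_still_setuid(mode):
    """Given an st_mode (e.g. os.stat(path).st_mode), report whether the
    setuid bit that `chmod 0755` removes is still present."""
    return bool(mode & stat.S_ISUID)


# Constructed sample of `dpkg -s policykit-1` output from an unpatched Ubuntu 20.04 host.
SAMPLE_DPKG_STATUS = """Package: policykit-1
Status: install ok installed
Version: 0.105-26ubuntu1.1
Architecture: amd64
"""

if __name__ == "__main__":
    ver = installed_version_from_dpkg_status(SAMPLE_DPKG_STATUS)
    print(ver, "VULNERABLE" if is_vulnerable("Ubuntu 20.04", ver) else "fixed")
    pkexec = shutil.which("pkexec")
    if pkexec:
        print(pkexec, "setuid still set:", pkexec_still_setuid(os.stat(pkexec).st_mode))
```

On a real host, replace `SAMPLE_DPKG_STATUS` with the output of `dpkg -s policykit-1` and pass the matching release name; the setuid check runs against the live binary so it confirms that the mitigation actually took effect.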
- Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
- Ubuntu: https://ubuntu.com/security/notices/USN-5252-1
- Debian: https://security-tracker.debian.org/tracker/CVE-2021-4034