An easily exploited flaw in a program found in every major Linux distribution is the latest serious security issue that has arisen in the open-source space in recent weeks.
Researchers at cybersecurity vendor Qualys this week disclosed the memory corruption vulnerability in polkit’s pkexec, which if exploited by a bad actor can enable an unprivileged user to gain full root privileges on a system, giving the unprivileged user administrative rights.
The vulnerability, tracked as CVE-2021-4034, has “been hiding in plain sight” for more than 12 years and infects all versions of polkit’s pkexec since it was first developed in 2009, Bharat Jogi, director of vulnerability and threat research at Qualys, wrote in a blog post.
Polkit’s (formerly PolicyKit) pkexec is a component used to control system-wide privileges in Unix-like operating systems, enabling non-privileged processes to communicate with privileged processes in an organized fashion. It also can be used to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.
The flaw can’t be exploited remotely, but if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited, according to Qualys. Red Hat rated the severity of the flaw a 7.8 out of 10 on the CVSS scale.
Every Linux Distribution is Vulnerable
The pkexec component is widely used; it’s installed as a default in every major Linux distribution and Qualys was able to verify the vulnerability, develop an exploit and gain full root privileges on installations of Ubuntu, Debian, Fedora and CenOS, Jogi wrote, adding that “other Linux distributions are likely vulnerable and probably exploitable.”
He wrote that Qualys won’t publish exploit code for the vulnerability – dubbed PwnKit – but said that “given how easy it is to exploit the vulnerability, we anticipate public exploits to become available within a few days of this blog’s post date.”
Vulnerabilities like PwnKit – which have been present for more than a decade and are ubiquitous in Linux distributions and, therefore, enterprises – pose a significant challenge for security teams, according to Greg Fitzgerald, co-founder and chief experience officer for cybersecurity firm Sevco Security. The priority for organizations should be to patch their Linux machines, but it’s not an easy task.
“That’s all well and good for the machines that IT and security teams know about, but there are not many companies with an accurate IT asset inventory that dates back more than a decade,” Fitzgerald told eSecurity Planet. “The unfortunate reality is that many organizations that patch all of the machines they’re aware of will still be susceptible to this vulnerability because they do not have an accurate inventory of their IT assets. You can’t apply a patch to an asset you don’t know is on your network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”
Patching Open-Source Systems a Challenge
Bud Broomhead, CEO of cybersecurity company VIakoo, told eSecurity Planet that patching a flaw on open-source systems can be challenging for enterprises.
‘a single open-source vulnerability can be present in multiple systems’
“Unlike fully proprietary systems where a single manufacturer can issue a single patch to address a vulnerability, a single open-source vulnerability can be present in multiple systems – including proprietary ones – which then requires multiple manufacturers to separately develop, test and distribute a patch,” Broomhead said. “For both the manufacturer and end user, this adds enormous time and complexity to implementing a security fix for a known vulnerability.”
Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, said that a vulnerability that gives root access on a Linux system is bad, but that “fortunately, this vulnerability is a local exploit, which mitigates some risk. Until patches are broadly available, SysAdmins can remove the SUID bit from pkexec – using: # chmod 0755 /usr/bin/pkexec — to temporarily mitigate the problem.”
Also read: Best Patch Management Software for 2022
Flaw Found in November
Qualys discovered the vulnerability in November 2021 and notified Red Hat. This week the announcement of PwnKit was made in coordination with Red Hat and other distributors.
“Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately,” Jogi wrote. “We expect vendors to release patches for this vulnerability in the short term. Qualys Patch Management can be used to deploy those patches to vulnerable assets, when available.”
The PwnKit flaw comes in the wake of other recent disclosures about security issues involving open-source software. At the top of the list is the critical remote execution flaw in Log4j – the flaw is dubbed Log4Shell – that was revealed in December and has been targeted by state-sponsored hacking groups looking to leverage the vulnerability to stage attacks.
In the Wake of Log4j
Like polkit’s pkexec, Log4j – a Java logging tool – has broad enterprise use across data centers and cloud-based services that could be exposed to the zero-day vulnerability. Log4j is a free and widely distributed open-source tool from the Apache Software Foundation and the flaw affects versions 2.0 through 2.14.1. Log4Shell is tracked as CVE-2021-44228.
In addition, a report released this month by CrowdStrike found that incidents of malware targeting Linux-based Internet of Things (IoT) devices grew by more than a third year-to-year in 2021, with the primary goal being to compromise the devices, pull them into botnets and use them for distributed denial-of-service (DDoS) attacks.
“With various Linux builds and distributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat actors,” a CrowdStrike researcher wrote in a blog post.
Open Source in the Crosshairs
“Threat actors find open-source systems extremely attractive,” Viakoo’s Broomhead said. “Vulnerabilities that exploit open-source systems – like the recent Log4j vulnerability – require patches and updates to be developed by multiple device or system manufacturers, and threat actors are betting on some manufacturers being slow in releasing fixes and some end users being slow in updating their devices.”
He said what enterprises need is a software bill of materials to make finding vulnerable systems easier, automated deployment of security fixes and extending the zero-trust architecture to IoT and operational technology (OT) systems, which “can add additional security to prevent vulnerabilities from being exploited.”
Vulcan Cyber’s Bar-Dayan said the “open-source software model is a two-edged blade. On one side, everyone can look at the code and audit it to identify and patch vulnerabilities. On the other side, threat actors can look at the code and find subtle issues that everyone else has missed. The advantages of this model have historically outweighed the disadvantages, with many eyes on the code and patches frequently appearing very rapidly after a vulnerability comes to light.”
Improved auditing will help catch and correct vulnerabilities before they are used in the wild, and improved integration with vulnerability and patch management tools will make OSS-based systems even more secure and easy to maintain, he said.