The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added PwnKit as a high-severity Linux vulnerability to its list of actively exploited bugs.
Recorded as CVE-2021-4034, with a CVSS score of 7.8/10, PwnKit was discovered by Qualys in November 2021 and can be used by hackers to gain full root control over major Linux distributions.
The flaw is located in Polkit’s pkexec component used by most distributions (Ubuntu, Debian, CentOS, and others):
“[the command] allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.”
PwnKit is a memory corruption bug in Polkit’s pkexec that is particularly easy to exploit: decompressing a small archive and running a couple of commands is enough to gain root on an affected machine. All unpatched Polkit versions are affected.
An Old Vulnerability Surfaces
Qualys researchers found that the flaw has existed for 13 years, since pkexec’s first release in May 2009. There are tons of ready-to-use PoCs (proofs of concept) available on GitHub. Anyone can download and install the binary, and when I say “anyone,” I’m not exaggerating, as no technical background is required to use the kit.
After that, you usually end up with a binary you can execute to become root.
Unless hackers are particularly sloppy or under time pressure, the exploit will not leave many traces. The only obstacle is that it requires initial local access, which can be obtained by exploiting another vulnerability first; even the least privileged accounts, such as the nobody user, are enough to root the machine.
PwnKit is written in C, so you need to compile it before usage:
gcc -w cve-2021-4034.c -o cve-2021-4034
However, even if gcc is not installed on the victim’s computer, hackers can compile it elsewhere or use pre-compiled binaries available publicly.
CISA ordered federal agencies to patch the flaw within 3 weeks.
How to protect against PwnKit
Users and admins must patch their systems if they haven’t already. The following command checks whether pkexec (the vulnerable Polkit binary) is installed on the system:
which pkexec
Even if you never installed the package directly, it is often pulled in as a dependency of other packages, so it is likely present on your system; check anyway.
If you cannot patch right away (for example, on a non-standard configuration), remove the setuid bit from pkexec as a temporary mitigation. Without the bit pkexec refuses to run, so this disables it until the patched package reinstalls the binary:
sudo chmod -s $(which pkexec)
Then you can update your system:
sudo apt update && sudo apt upgrade && sudo reboot
Note that the above command is only an example (it uses apt); the syntax varies from one distribution to another. DevOps teams should also patch all cloud-based instances and the images they are built from.
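As an added example that is not part of the article, the following POSIX shell script ties the three steps above together from a defender’s side: it locates pkexec, reports whether the setuid bit is still present, and wraps the chmod -s workaround in a function. The file name pwnkit_check.sh and the exit-code convention are assumptions of this example, not anything the article or Polkit defines.

```shell
#!/bin/sh
# Added example, not the article's code: audit a host for the PwnKit (CVE-2021-4034)
# workaround state. Only POSIX sh features are used ([ -u FILE ] tests the setuid bit).

# has_suid FILE -> returns 0 if the setuid bit is set on FILE, 1 otherwise.
has_suid() {
    [ -u "$1" ]
}

# find_pkexec -> prints the path of pkexec found on PATH; returns 1 if absent.
find_pkexec() {
    command -v pkexec 2>/dev/null
}

# audit_pkexec [PATH] -> prints one status line and returns (exit codes are this
# example's own convention):
#   0  pkexec absent, or present without the setuid bit (workaround in place)
#   2  pkexec present and setuid: exposed unless the polkit package is already patched
audit_pkexec() {
    p="$1"
    [ -n "$p" ] || p="$(find_pkexec || true)"
    if [ -z "$p" ] || [ ! -e "$p" ]; then
        echo "pkexec not found: nothing to mitigate"
        return 0
    fi
    if has_suid "$p"; then
        echo "$p is setuid: upgrade polkit, or run mitigate_pkexec as a temporary workaround"
        return 2
    fi
    echo "$p is not setuid: temporary workaround already applied"
    return 0
}

# mitigate_pkexec PATH -> the article's chmod -s step as a function; needs root on a
# real system. pkexec refuses to run without setuid, so this is a stop-gap until the
# patched package (which reinstalls the binary with the bit) is installed.
mitigate_pkexec() {
    chmod -s "$1" || return 1
    echo "setuid bit removed from $1"
}

# Run the audit when executed directly as pwnkit_check.sh (assumed file name);
# sourcing the file only defines the functions.
if [ "${0##*/}" = "pwnkit_check.sh" ]; then
    audit_pkexec "$@"
    exit $?
fi
```

Run `sh pwnkit_check.sh` as any user to get the status line; the exit code 2 makes it easy to drive from a fleet-wide job. Note that a patched polkit keeps pkexec setuid by design, so a status of 2 on a host whose package is already updated is expected; the script only tells you whether the temporary workaround is in place, not whether the package is current.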