Vulnerability Management, Cyber Security

PwnKit / CVE-2021-4034 – Local Privilege Escalation in pkexec

Written by Sophie Heath, Steve Velcev

Published on 20 Jan 2022

What is it?

PwnKit, discovered by the Qualys Research Team, is a local privilege escalation vulnerability affecting a widespread Linux component, Polkit’s pkexec.

Polkit’s pkexec is a tool originally intended to control the running of privileged processes. This vulnerability abuses that functionality, allowing an unprivileged user on a Linux-based system to escalate their access to the level of the root user.

What’s the risk/impact?

PwnKit requires authenticated user access to a system before it can be exploited. Once this access is obtained, any standard user account can escalate to full root privileges on the system. This could lead to the gathering of confidential information, as well as the retrieval of privileged account details that could allow further access to an internal network.

Most alarmingly, this vulnerability is very simple to exploit. Below is a proof-of-concept developed by a SureCloud security consultant. It shows just how easily the PwnKit vulnerability can be used to escalate privileges on an Ubuntu system that is missing the necessary patch or mitigations.

Am I impacted?

PwnKit affects all versions of pkexec and it is installed by default on all major Linux distributions, including (but not limited to) Ubuntu, Debian, Fedora, RHEL and CentOS. If you are using a Linux distribution and have not patched or removed this package, it should be assumed that you are vulnerable.

Note: Polkit is also found within non-Linux operating systems such as Solaris and BSD, but their exploitability has not been fully investigated at the time of writing. However, it is noted that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0.

How to identify?

Since this vulnerability affects almost all major distributions of Linux, it is essential that an organization identifies all assets that run a Linux-based operating system. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).

There are several ways to identify which systems might be running Linux-based operating systems within your environment and products. This can be performed via:

  • Asset inventories
  • Network scanners: e.g. Tenable Nessus, Qualys, SureCloud Platform, or an nmap scan with the -O flag enabled for Operating System fingerprinting.
  • Some Linux-based systems can be identified by the time-to-live (TTL) value in the reply when pinging each system's IP address. Linux systems have a default TTL value of 64.

Once Linux systems have been identified, each should be checked for the presence of the Polkit pkexec package within the “bin” directories.

Detection

This vulnerability is not exploitable remotely and requires an attacker to have local access to a vulnerable system, whether that be with valid user credentials or via a separate attack vector.

Exploitation of this vulnerability may also leave traces in the system logs: either a “The value for the SHELL variable was not found the /etc/shells file” message or a “The value for environment variable […] contains suspicious content” message may indicate exploitation.

Therefore, these log entries can be used for alerting, but keep in mind that it is possible to exploit the vulnerability without the above log entries being generated. Hence, patches and mitigations should be applied as soon as possible.
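The following scanner is an added example (not SureCloud's code) that turns the two log messages above into a detection over a batch of syslog-style lines. The sample log lines are constructed for the example; the message texts are pkexec's own, and the trailing [USER=…] [TTY=…] [CWD=…] [COMMAND=…] context fields are assumed to be present in the same form your syslog writes them.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Message fragments pkexec logs when it rejects the caller's environment.
# The first string keeps pkexec's own wording (including the missing "in").
SHELL_MSG = "The value for the SHELL variable was not found the /etc/shells file"
ENV_MSG_RE = re.compile(
    r"The value for environment variable (\S+) contains suspicious content"
)

# Context fields pkexec appends to its syslog lines (assumed layout).
CONTEXT_RE = re.compile(r"\[(USER|TTY|CWD|COMMAND)=([^\]]*)\]")


@dataclass
class Finding:
    line_no: int          # 1-based index within the scanned batch
    reason: str           # which of the two indicators fired
    variable: Optional[str]  # offending variable name, for the env-value message
    user: Optional[str]   # USER= context field if present
    raw: str              # the original log line


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line that carries a PwnKit-style pkexec message.

    Only pkexec lines are considered; ordinary "Executing command" entries are
    ignored. Remember that exploitation is possible without either message, so
    an empty result does not prove the host is clean.
    """
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        if "pkexec" not in line:
            continue
        reason, variable = None, None
        if SHELL_MSG in line:
            reason = "shell-not-in-etc-shells"
        else:
            m = ENV_MSG_RE.search(line)
            if m:
                reason, variable = "suspicious-env-value", m.group(1)
        if reason is None:
            continue
        ctx = dict(CONTEXT_RE.findall(line))
        findings.append(Finding(n, reason, variable, ctx.get("USER"), line.rstrip("\n")))
    return findings


# Constructed sample batch: two indicator lines, one benign pkexec line and
# two unrelated auth entries.
SAMPLE_LOG = [
    "Jan 20 10:02:11 host pkexec[4242]: The value for the SHELL variable was not found the /etc/shells file [USER=alice] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/pkexec]",
    "Jan 20 10:02:12 host pkexec[4243]: The value for environment variable XAUTHORITY contains suspicious content [USER=alice] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/pkexec]",
    "Jan 20 10:03:00 host pkexec[4300]: bob: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/bob] [COMMAND=/usr/bin/systemctl restart cups]",
    "Jan 20 10:03:05 host sshd[1200]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2",
    "Jan 20 10:03:09 host sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls",
]


def demo() -> List[Finding]:
    """Scan the constructed sample; expected to flag the first two lines only."""
    return scan_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.reason} user={f.user} var={f.variable}")
```

Feed it `journalctl -u polkit` or `/var/log/auth.log` output and alert on any Finding; the user and variable fields give the triage analyst the account to look at first.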

How to fix?

Given the breadth of the attack surface for PwnKit across most Linux-based systems, users should apply patches or mitigations for this vulnerability immediately. This vulnerability was reported to Linux vendors on November 18, 2021, following which patches have already been issued by Red Hat and Ubuntu.

Ubuntu has already pushed updates for PolicyKit to address this vulnerability in versions 14.04 and 16.04 ESM (extended security maintenance) as well as in more recent versions 18.04, 20.04, and 21.04. Users just need to run a standard system update and then reboot the system for the changes to take effect.

Red Hat has also released a security update for Polkit on Workstation and Enterprise products for supported architectures, as well as for extended life cycle support, TUS, and AUS.

We expect all other vendors to release patches for this vulnerability very shortly.

If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation. Please note that this change might affect your system in adverse ways, so apply this workaround with caution. It is also advised that regression testing of the system be done in order to ensure nothing critical has been broken as a result of the change.

Example command to remove the SUID bit:

# chmod 0755 /usr/bin/pkexec
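As an added host-level check (not SureCloud's code), the script below serves both the "check each system for the pkexec package in the bin directories" step above and the SUID-bit workaround just shown: it locates pkexec, reads its mode and owner, and reports whether the SUID bit is still set. The candidate directory list and the status labels are my own choices; the decision logic is kept in a pure function so it can be exercised without root.

```python
import os
import stat
from typing import Dict, List, Optional

# Directories searched for the pkexec binary (assumed list; extend per distribution).
CANDIDATE_DIRS = ["/usr/bin", "/bin", "/usr/local/bin", "/usr/sbin"]

STATUS_ABSENT = "not-installed"      # pkexec not found: nothing to escalate through
STATUS_SUID_ROOT = "suid-root"       # SUID + root-owned: patch, or strip the bit meanwhile
STATUS_SUID_OTHER = "suid-non-root"  # SUID but not root-owned: unusual, inspect by hand
STATUS_MITIGATED = "suid-removed"    # SUID bit absent: the chmod 0755 workaround is in place


def suid_set(mode: int) -> bool:
    """True when the set-user-ID bit is present in an st_mode value."""
    return bool(mode & stat.S_ISUID)


def classify(mode: int, uid: int) -> str:
    """Decide the status from mode and owner uid alone (no filesystem access)."""
    if not suid_set(mode):
        return STATUS_MITIGATED
    return STATUS_SUID_ROOT if uid == 0 else STATUS_SUID_OTHER


def find_pkexec(dirs: List[str] = CANDIDATE_DIRS) -> Optional[str]:
    """Return the first pkexec found in the candidate bin directories, symlinks resolved."""
    for d in dirs:
        candidate = os.path.join(d, "pkexec")
        if os.path.isfile(candidate):
            return os.path.realpath(candidate)
    return None


def assess(path: Optional[str]) -> Dict[str, object]:
    """Describe a pkexec binary: presence, octal permission bits, owner uid and status."""
    if path is None or not os.path.isfile(path):
        return {"present": False, "path": path, "mode": None, "uid": None,
                "status": STATUS_ABSENT}
    st = os.stat(path)
    return {
        "present": True,
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "status": classify(st.st_mode, st.st_uid),
    }


if __name__ == "__main__":
    # A patched pkexec is still SUID root, so STATUS_SUID_ROOT means
    # "confirm the vendor patch is installed", not "confirmed vulnerable".
    print(assess(find_pkexec()))
```

Run it from your configuration-management or EDR tooling across the Linux inventory built in the "How to identify?" section; hosts reporting `suid-root` need the package version checked against the vendor advisory, while `suid-removed` confirms the interim workaround (but not the patch) is applied.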